Submit video topics and webmaster questions

I’m planning to record some new webmaster questions next week. I made a Google Moderator page where you can submit topics and vote for different questions.

Please ask your questions in on the Google Moderator page, not in the comments here. When the comments are in Moderator, people can vote them up and down.

“Why did our PageRank go down?”

Recently a newspaper contacted me. Their PageRank had dropped from 7 to 3, and they wanted to know why. They genuinely didn’t seem know what the issue was, so I took some time to write them an in-depth reply. Part of the motivation for my blog is to provide information in more scalable ways, so I figured I’d strip any identifying information from my email and post it. Here’s what I wrote:

Hi, the usual reason why a site’s PageRank drops by 30-50% like this is because the site violates our quality guidelines by selling links that pass PageRank. Here’s our documentation on that: and here’s a video I made about this common case: (it’s about 1:30 into the video). is a good recent article about paid reviews. In Google’s world, we take paid links that pass PageRank as seriously as Amazon would take paid reviews without disclosure or as your newspaper would treat a reporter who was paid to link to a website in an article without disclosing the payment.

In particular, earlier this year on [website] we saw links labeled as sponsored that passed PageRank, such as a link like [example link]. That’s a clear violation of Google’s quality guidelines, and it’s the reason that [website]‘s PageRank as well as our trust in the website has declined.

In fact, we received a outside spam report about your site. The spam report passed on an email from a link seller offering to sell links on multiple pages on [website] based on their PageRank. Some pages mentioned in that email continue to have unusual links to this day. For example [example url] has a section labeled “PARTNER LINKS” which links to [linkbuyer].

So my advice would be to investigate how paid links that pass PageRank ended up on [website]: who put them there, are any still up, and to investigate whether someone at the [newspaper] received money to post paid links that pass PageRank without disclosing that payment, e.g. using ambiguous labeling such as “Partner links.” That’s definitely where I would dig.

After that investigation is complete and any paid links that pass PageRank are removed, the site’s webmaster can do a reconsideration request using Google’s free webmaster tools console at I would include as much detail as you can about what you found out about the paid links. That will help us assess how things look going forward.


That’s about it. This case was interesting because we also had an external spam report about the newspaper selling links.

Please turn on two-factor authentication

You should read Mat Honan’s heartbreaking tale of a hack attack and the ensuing discussion on Techmeme. Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked.

Two-factor authentication means “something you know” (like a password) and “something you have,” which can be an object like a phone. Here’s a simple video about how it works:

I often hear the same questions or objections when I recommend two-factor authentication. Jeff Atwood has done a good job of debunking common misperceptions–check out his post, which even has pictures. But here are some misconceptions that I hear, along with the reality:

Myth #1: But what if my cell phone doesn’t have SMS/signal, or I’m in a foreign country?
Reality: You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.

Myth #2: Okay, but what about if my cell phone runs out of power, or my phone is stolen?
Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.

Myth #3: Don’t I have to fiddle with an extra PIN every time I log in?
Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.

Myth #4: I heard two-factor authentication doesn’t work with POP and IMAP?
Reality: You can still use two-factor authentication even with POP and IMAP. You create a special “application-specific password” that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.

Myth #5: Okay, but what if I want to verify how secure Google Authenticator is?
Reality: Google Authenticator is free, open-source, and based on open standards.

Myth #6: So Google Authenticator is a free and open-source, but does anyone else use it?
Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass, WordPress, Dropbox, Gandi, Amazon Web Services, Drupal, Stripe, Tumblr and DreamHost, GitHub, Evernote, or even use a YubiKey device. There’s even a Pluggable Authentication Module (PAM) so you can add two-factor authentication to any PAM-enabled application. That means you can use Google Authenticator to add two-factor authentication to SSH, for example.

One last tip: use a different password on Gmail/Google than on other services. If you reuse a password and a hacker cracks into one company, they can use the same password to crack into your Google account.

Please don’t wait to turn on 2-step verification. It’s not that hard, and it will really protect your account. Why not set up two-step authentication right now?

Added August 26, 2012: Dropbox added support, so I included a link above.

“Fetch as Googlebot” tool helps to debug hacked sites

One of the most tenacious blackhat webspam techniques we continue to see is hacked sites. I wanted to remind site owners that our free “Fetch as Google” tool can be a really helpful way to see whether you’ve successfully cleaned up a hacked site.

For example, recently a well-known musician’s website was hacked. The management firm for the musician wrote in to say that the site was clean now. Here’s the reply I sent back:

Unfortunately when our engineers checked this morning, the site was still hacked. I know the page looks clean to you, but when we send Googlebot to fetch www.[domain].com this morning, we see

<title>Generic synthroid bad you :: Canadian Pharmacy</title>

on the page. What the hackers are doing is sneaky but unfortunately pretty common. When you surf directly to the website, you see normal content. But when a search engine (or a visitor from a search engine) visits the website, they see hacked drug-related content. The reason that the hackers do it this way is so that the hacked content is harder to find/remove and so that hacked content stays up longer.

The fix in this case is to go deeper to clean the hack out of your system. See for some tips on how to do this, but every website is different.

One important tool Google provides to help in assessing whether a site is cleaned up is our “Fetch as Googlebot” feature in our free webmaster console at . That tool lets you actually send Googlebot to your website and see exactly what we see when we fetch the page. That tool would have let you known that the website was still hacked.

I hope that helps give an idea of where to go next.

Something I love about “Fetch as Googlebot” is that it’s self-service–you don’t even need to talk to anyone at Google to diagnose whether your hacked site looks clean.

Example email to a hacked site

Beyond clear-cut blackhat webspam, the second-biggest category of spam that Google deals with is hacked sites. The most common reaction we hear from webmasters is “The problem is with the Google search. There is nothing wrong with our website.” That’s a real quote from an email one site owner recently sent us. Sadly, it turns out that the site is almost always really hacked.

The single best piece of advice I can give to prevent website hacking is “keep your web server software up-to-date and fully patched.” That prevention is much better than the hassle of cleaning up a hack. Here’s an example email I just sent to a site owner with the identifying details removed:

Hi xxxxxxx, I’m the head of Google’s webspam team. Unfortunately, really has been hacked by people trying to sell pills. I’m attaching an image to show the page that we’re seeing.

We don’t have the resources to give full 1:1 help to every hacked website (thousands of websites get hacked every day–we’d spend all day trying to help websites clean up instead of doing our regular work), so you’ll have to consult with the tech person for your website. However, we do provide advice and resources to help clean up hacked websites, for example

We also provide additional assistance for hacked sites in our webmaster support forum at!forum/webmasters . I hope that helps.

Matt Cutts

P.S. If you visit a page like and don’t see the pill links, that means the hackers are being extra-sneaky and only showing the spammy pill links to Google. We provide a free tool for that situation as well. It’s called “Fetch as Googlebot” and it lets you send Google to your website and will show you exactly what we see. I would recommend this blog post describing how to use that tool, because your situation looks quite similar.

Anyway, just a reminder for site owners to keep their web server software up-to-date, because hacked sites are a real pain. Most Google searchers and even website owners don’t think about hacked sites much, but on our side have to spend a fair amount of effort writing classifiers to catch this illegal activity, helping the victims of hacked sites, adapting when the hackers change their techniques, etc.