Alerting webmasters to webserver vulnerabilities

I’m really happy about a new experiment that we’re trying that has the potential to help a ton of site owners. A new blog post on the Google webmaster blog (you are subscribed to the webmaster blog, right? You’ll find at least as much good SEO and search-related info on that blog as on my blog) mentions that we’re alerting webmasters to vulnerable webserver software.

There’s been a recent trend of spammers hacking websites, and most of the time that happens because the webmaster or site owner didn’t update a piece of software that runs their website. If you think you can install a piece of software on the web in 2008 and run it forever without upgrading, I’m sorry to say that your website will be at much higher risk of getting hacked.

If you log in to the webmaster console and we think your website is running WordPress 2.1.1, you’ll soon see a message that looks like this:

Hackable site warning

I just want to emphasize that I have absolutely nothing against WordPress (I run it myself, like it a lot, and newer WordPress versions are much more secure than previous versions). We had to start somewhere, and this was just a natural first step so that we could try the experiment and see how well it works.

36 Responses to Alerting webmasters to webserver vulnerabilities (Leave a comment)

  1. I got a message, all it said was:

    Dear Site Owner,
    You are running Microsoft Windows Server.
    Best Wishes,
    Google Search Quality Team

    I kid, I kid.

  2. Nice. My hosting company sends emails if they detect older software too which is very nice. On the subject of WordPress… a lot of people seem to be reluctant to upgrade WP on a live site for fear of messing something up and having the site down. I’ve used the WordPress Automatic Upgrade plugin on several client sites and it’s worked very well:

    The only caveat I’ve got on it is that plugsin which store CSS or other settings in the plugin folder can be overwritten if you’ve modified the file there so, as always, backup, backup, backup.

  3. I think this is an excellent idea, and I agree that WordPress is a great place to start. I think I do a good job of keeping my software up-to-date, but I’m not perfect — if something slips out of date, I certainly wouldn’t object to a notification about it.

    Nice move, Google.

  4. Should we assume that if the generator tag has been removed we would not get such notices? I think it was at a wordcamp I heard someone suggest doing so in order to keep hackers from finding the blog using automated tools.

  5. rick, do you mind if I ask your webhost? That’s pretty cool that they send you emails about outdated software.

    Michael D, I think we do look at the generator tag.

  6. Hello Matt,

    I think this is a very good step Google has taken. I was wondering about my sites being hacked when I saw your hacking relating post[I think you posted it on 3rd of October, 2008]. I was worried about my sites and it seems like any site can be hacked.

    I think this is just the first step. It will be nice if Google can even provide more features helping webmasters to fight against hackers.

    Thank You Matt for the Info, and thank you Google for this new feature,

  7. If I receive such a email, my first thought will be that this is a fishing. Embedded links to the download sites should not be in the email.

  8. Matt,

    It’s Lunarpages. They allow a fair number of scripts to be installed via Fantastico and I think they ran into issues with older scripts getting hacked, so they are being proactive and telling you when you’re running something that’s not updated. They phrase it well too, explaining that older versions might be a problem and why, not ‘omg you’re going to be hacked if you don’t update right now!’

  9. WordPress is a good place to start since it is one of the most popular blogging software used. Will there be a way for users or vendors to submit new software so it can be tracked for updates as well? WordPress is popular so that’s a given, but what about the less popular software which Google may not know about or is there a way software developers can optimize the code to inform Google about their software?

  10. @rick – Matt is right…it IS pretty cool that your hosting company alerts you to outdated software alerts. I’ve not heard of any others doing that. Kudos to Lunarpages!

    I, too, use the WordPress Automatic Upgrade plugin and have never had issue with it…at least not yet! ๐Ÿ™‚ As far as the caveat regarding backing up, that should always be standard operating procedure whether using WPAU or manually upgrading…better safe than sorry! Not backing up your data is just asking for trouble, in my opinion.

    @Michael D – I also recall having read recommendations to remove the “generator” META tag to help lessen the potential to easily identify an older version of WordPress. It’s something I removed from most of my WordPress sites some time ago, despite the fact that I typically upgrade ASAP after a new release anyway. Again…a better safe than sorry situation.

    @MattCutts – is there anything that can be done to alert those of us who have taken the extra step of removing the “generator” META tag or are we on our own? ๐Ÿ˜‰

  11. Hi everyone!
    I have 2 blogs and one of them running on the older version of wordpress 2.1.1
    After the spammers attack, I closed old blog from commenting and opened a new which is fully spammers protected. I hope ๐Ÿ™‚
    Now the first blog is like rarity for me.

    It’s nice to hear about new google services!

  12. After WordPress I hope you’ve got Joomla 2nd on your list. I’ve experienced a few hacked Joomla sites now and it’s never pretty.

  13. After having one of my WP sites hacked and de-listed by Google . Can I request that Google sends a message, especially if you are using Google Webmaster tools, to alert you to the fact that the site is about to be de-listed with a link to the problem pages. In this case they were buried deep down in the directory structure and in fact it was only my host who eventually located the problem files.

  14. It would be nice if it sent you e-mail. Especially when you get automatically flagged in the Google Index. It sucks to learn about that the hard way. My WordPress got a bunch of web spam injected into it via a vulnerability, and I only learned about it when someone sent me an e-mail saying that Google had flagged parts of my web site. Removing the crud isn’t enough: you have to track down this form and fill it in, then they’ll take the flag off after a few days, but I don’t think they tell you that you’re in the clear either.

    At least they’re looking.


  15. I also run Fanstastico on my VPS that tells me when scripts have been updated, but realise that this is far from the norm for most bloggers.

    WordPress have been much more pro-active, as you probably know, in letting blog owners know that their version is out of date from within the admin area. But it is good to see that Google is also being proactive.

    I have removed the Generator Meta-Tag from my WordPress blog some time ago in case this was being used for nefarious purposes – i take it that this tag is what Google uses to identify the out-of-date software?

  16. WordPress mentioned they worked with Google to notify webmasters in Google’s database of this vulnerability and the need to upgrade. How might other software vendors/projects work with Webmaster Tools in the same way? phpBB immediately comes to mind.

    The generator element in Atom seems like another good way to detect software packages used to author the consumed content. Atom is a supported sitemap type, which should make it easier for Webmaster Tools to start paying attention to its specialized markup for this purpose.

  17. The way I see it unless this hi jacking can be stopped, a black-hat competitor could knock out all of his competition.

  18. Dave (original)

    My host also sent out emails about outadated software when I was on a shared server, now I have a dedicated one, they don’t bother ๐Ÿ™

  19. I think this is a fantastic idea. Hopefully it should help a lot of webmasters and reduce complaints that Google has “banned” their sites!

  20. Hi Matt!

    That-s awsome that Google sends e-mails warning about things.
    Maybe in the next future we can get some e-mails about how algorithm works from Google..hehe ๐Ÿ˜€

  21. Hi Matts, thats a good experiment from Google. I hope that this will expand to other software.

    I work at INS in Germany, a company that is a manufacturer of several software modules like blog, CMS, shop and so on. From this I have a question: How can a software manufacturer tell Google (in a secure way) which “old” versions of its own software should be reported like the example above in the google webmaster tools?

    Thanks a lot

  22. Donโ€™t get me wrong I know it is not up to Google to secure peoples sites, but it would be useful if they warned a person if the site was penalised for hidden links on their site.

    What I would love to see is an addition to the links section of WMT showing the outgoing links to a site as seen by Google and possibly if they are nofollowed or not.

    So if Google is seeing a link pointing to a dodgy porn site it will tell me, and I can try and resolve the issue before facing a penalty. Google wouldnโ€™t even have to warn me that I may face a penalty, if I put the link there myself it is my own fault, and if I didnโ€™t do it then I would know I have a security issue.

  23. Its amazing how much “test stuff” I have installed and forgotten about over the years, so Google helping me not to infect other machines is appreciated. That said I do concur that I wish that they would contact you quickly to enable you to fix the problem as quickly as possible …

    Anyone else rememeber the days when the internet was a safe place to take your kids ….

  24. I hope you decide to extend this to other popular software, and to send out emails where possible. Running old versions of software has to be the most common reason sites get hacked.

    It used to be mostly confined to dodgy areas of the web, now malware is everywhere. When I do a manual check on my links I’m removing more and more for this reason.

  25. This is funny because I opened my email this morning and had 41 emails from different names trying to sell me offshore drugs. Also received lots of returned emails that I didn’t send out. I’m going to have to hunt down what’s happening. Thanks for the heads up on this one.

  26. Definately a step in the right direction in my opinion. Good stuff google keep it coming!

  27. Stats, what Joomla versions have you seen be hacked?

    Niall Kennedy, we’d definitely be interested in hearing from any other software makers. The main tests in my mind would be a) is it easy to tell the version number of the software from scanning the web page, and b) is there a list of known-vulnerable versions.

  28. Dave (original)

    Matt, in relation to

    IF Google knows the page/site has been hacked, why do you punish the the victim and NOT the perpetrator?

  29. @Dave (original)

    Because if you don’t punish everyone it would be “evil”? ๐Ÿ™‚

    “Spread the wealth around” I think senator government, I mean Karl Marx would agree with that theory.

  30. Hi Matt, what do u think about First Click Free feature?

  31. Very good idea indeed

    I am still waiting for reconsideration request for my website after massive Chinese hacker attacks ๐Ÿ™

    The delay in answering the request is very high unfortunately and we are losing a lot of business

    What would be great is that we get the answer of the reconsideration request inside the message center as reply to the original reconsideration request

    Also view all files potentially affected by the malware (now we get access to just a sample of the pages)

  32. Nice step Google and great post Matt. Thanks ๐Ÿ™‚

  33. Is it possible to determine the vulnerability if the Web site is using the customized CMS?

  34. It’s already been mentioned in a comment or two above, but it’s true that most don’t like to upgrade because you either lose stuff or features get destroyed and take hours, days, or years to fix. if you are slammed busy like a lot of us all you have are a few minutes a day to play around, not hours to do upgrades.
    An upgrade also doesn’t feel like you are moving forward. It just feels like you are having to fix something that should of been right the first time.
    I get your point tho…

  35. quote:
    Dave (original) Said,
    October 17, 2008 @ 6:56 pm
    Matt, in relation to
    IF Google knows the page/site has been hacked, why do you punish the the victim and NOT the perpetrator?
    Next to this quote : about 4/5 months ago, a hacker entered my website by frontdoor of the hosting-entry (!), regarding to the loginfiles, placed a few adresses in scripted files, yes, malware sites.

    Got a mail from Google: they found out, there were malware scripts on my websites, not a particular page. And I will stress this : they offered help !
    How nice, indeed.

    Within 30 minutes I ‘ve found all the malware scripts, deleted and sent a message to Google. Receiving mail, deleting malware, sending mail to Google all on a friday at about 18:00 hrs my time.

    Guess what : for 2 months banned by Google : all pages in de SERP’s holding the message : your pc can be dameged by visiting this website. Plus a warning from a ( by Google sponsored ) website in the usa, with a list read from browsers as FF.
    They never sent help as they offered, they never sent an appologize, they never make mistakes, isn’t it?

    Clearly the victim punished and no help.
    After that, my opinion about Google is decreased from 200% to 20%.

    I think, mr. Matt Cutts, you will not give any reaktion on this, as I can ever never get a mailaddress. And yes, I have sent a letter, indeed, no answer.
    Disappointing. ๐Ÿ™

  36. I Second @Yossarian

    So if Google is seeing a link pointing to a dodgy porn site it will tell me, and I can try and resolve the issue before facing a penalty. Google wouldnโ€™t even have to warn me that I may face a penalty, if I put the link there myself it is my own fault, and if I didnโ€™t do it then I would know I have a security issue.

    A Cool thing will be to notify webmasters if it(Google’s System) sees their sites are pointing to a Porn site(I mean basically Sites which are known to inject code or hack others’ sites) or something..

    In My Case, The Cases I am dealing with, Someone gets the hold of our FTP Passwords, Downloads all (index|login|home).(php|html|htm|etc) files and injects a code..

    These injected code are either an iFrame or a Script which includes one at run time or something…

    In Both Case, They point to an outside Url… and they are the ones which in my case all happened to be porn sites… even with the words like f*** and all….

    @rungss on Twitter