Tips on how to make sure your site isn’t vulnerable to being hacked

The team at Google in charge of Webmaster Tools and web spam prevention put out a good post tonight about how to avoid falling for fake spam profiles online and how to keep your own site safe. They focused on sites like Facebook and other social media sites where spammers can set up bogus accounts. They also made the strong point that just because your site isn’t as big and important as the “big dogs” doesn’t mean it isn’t a target for spammers.

Here are some tips the Googlers gave to make sure your site is safe:

What can you do?

This isn’t an easy problem to solve – the bad guys are attacking a wide range of sites and seem to be able to adapt their scripts to get around countermeasures. Google is constantly under attack by spammers trying to create fake accounts and generate spam profiles on our sites, and despite all of our efforts some have managed to slip through. Here are some things you can do to make their lives more difficult and keep your site clean and useful:

  • Make sure you have standard security features in place, including CAPTCHAs, to make it harder for spammers to create accounts en masse. Watch out for unlikely behavior – thousands of new user accounts created from the same IP address, new users sending out thousands of friend requests, etc. There is no simple solution to this problem, but often some simple checks will catch most of the worst spam.
  • Use a blacklist to prevent repetitive spamming attempts. We often see large numbers of fake profiles on one innocent site all linking to the same domain, so once you find one, you should make it simple to remove all of them.
  • Watch out for cross-site scripting (XSS) vulnerabilities and other security holes that allow spammers to inject questionable code onto their profile pages. We’ve seen techniques such as JavaScript used to redirect users to other sites, iframes that attempt to give users malware, and custom CSS code used to cover over your page with spammy content.
  • Consider nofollowing the links on untrusted user profile pages. This makes your site less attractive to anyone trying to pass PageRank from your site to their spammy site. Spammers seem to go after the low-hanging fruit, so even just nofollowing new profiles with few signals of trustworthiness will go a long way toward mitigating the problem. On the flip side, you could also consider manually or automatically lifting the nofollow attribute on links created by community members that are likely more trustworthy, such as those who have contributed substantive content over time.
  • Consider noindexing profile pages for new, not yet trustworthy users. You may even want to make initial profile pages completely private, especially if the bulk of the content on your site is in blogs, forums, or other types of pages.
  • Add a “report spam” feature to user profiles and friend invitations. Let your users help you solve the problem – they care about your community and are annoyed by spam too.
  • Monitor your site for spammy pages. One of the best tools for this is Google Alerts – set up a site: query along with commercial or adult keywords that you wouldn’t expect to see on your site. This is also a great tool to help detect hacked pages. You can also check ‘Keywords’ data in Webmaster Tools for strange, volatile vocabulary.
  • Watch for spikes in traffic from suspicious queries. It’s always great to see the line on your pageviews chart head upward, but pay attention to commercial or adult queries that don’t fit your site’s content. In cases like this where a spammer has abused your site, that traffic will provide little if any benefit while introducing users to your site as “the place that redirected me to that virus.”

Has your site ever been hacked? Have you ever fallen for a fake profile? (You can admit it, we won’t tease you.) Share your experience in the comments.
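As an added example (not code from the Google post or from this blog), here is a small Python module that implements three of the checks above over constructed sample data: flagging IP addresses that create an unlikely number of accounts in a short window, finding every profile that links to a domain already on your blacklist so they can be removed together, and rendering profile links with HTML escaping and rel="nofollow" (plus a noindex tag) for users who have not yet earned trust. The log format, thresholds, domain names and user names are all made up for the demonstration.

```python
"""Added example: three of the profile-spam checks from the Google post, on constructed data.

1. flag IPs that create an unlikely number of accounts inside a short window
2. find every profile linking to a domain already on the spam blacklist
3. render profile links safely: HTML-escape, drop non-http(s) schemes,
   add rel="nofollow" and a noindex tag for users who are not yet trusted
"""
from collections import defaultdict
from datetime import datetime, timedelta
from html import escape
from urllib.parse import urlparse

# Constructed signup log: "<ISO timestamp> <user> <ip>" (invented format, not a real product log).
SAMPLE_SIGNUPS = """\
2010-01-12T10:00:01 alice 198.51.100.7
2010-01-12T10:00:05 bob 203.0.113.9
2010-01-12T10:00:06 u1001 203.0.113.9
2010-01-12T10:00:07 u1002 203.0.113.9
2010-01-12T10:00:09 u1003 203.0.113.9
2010-01-12T10:00:10 u1004 203.0.113.9
2010-01-12T10:45:00 carol 198.51.100.7
2010-01-12T11:30:00 u1005 203.0.113.9
"""

# Constructed blacklist of domains already seen in spam profiles (hypothetical names).
SPAM_DOMAINS = {"spam-example.invalid", "pills-example.invalid"}

# Constructed profiles: user -> links placed on that user's profile page.
SAMPLE_PROFILES = {
    "alice": ["https://alice-example.invalid/"],
    "u1001": ["http://www.spam-example.invalid/buy"],
    "u1002": ["https://cheap.pills-example.invalid/"],
    "u1003": ["javascript:void(0)"],
}


def parse_signups(text):
    """Turn the sample log into (timestamp, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip = line.split()
            events.append((datetime.fromisoformat(ts), user, ip))
    return events


def flag_bulk_signups(events, window=timedelta(minutes=10), threshold=5):
    """Return {ip: total_accounts} for IPs that created >= threshold accounts in any window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):            # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def link_domain(url):
    """Host part of a URL, lower-cased, with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_blacklisted(url, blacklist=SPAM_DOMAINS):
    """True if the link points at a blacklisted domain or any subdomain of one."""
    host = link_domain(url)
    return any(host == d or host.endswith("." + d) for d in blacklist)


def profiles_with_blacklisted_links(profiles, blacklist=SPAM_DOMAINS):
    """Once one spam domain is known, list every profile that links to it for bulk removal."""
    return sorted(u for u, urls in profiles.items() if any(is_blacklisted(x, blacklist) for x in urls))


def safe_profile_link(url, label, trusted):
    """Render a user-supplied link: escape both values, allow only http(s), nofollow untrusted users."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return escape(label)                       # keep the text, drop the link entirely
    rel = "" if trusted else ' rel="nofollow"'
    return f'<a href="{escape(url, quote=True)}"{rel}>{escape(label)}</a>'


def profile_head_tags(trusted):
    """Keep not-yet-trusted profile pages out of the index."""
    return "" if trusted else '<meta name="robots" content="noindex">'


if __name__ == "__main__":
    print("bulk signups:", flag_bulk_signups(parse_signups(SAMPLE_SIGNUPS)))
    print("profiles to remove:", profiles_with_blacklisted_links(SAMPLE_PROFILES))
    for user, urls in SAMPLE_PROFILES.items():
        print(user, safe_profile_link(urls[0], user, trusted=(user == "alice")))
```

The sliding-window count is deliberately per-IP rather than global, so a burst of real users signing up after a press mention does not trip it; the threshold and window are the two numbers you would tune against your own signup history before acting on the result automatically.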
