If you’re a site owner running a WordPress site with a Google Webmaster Tools / Search Console account attached to it, or an SEO taking care of one or a few sites like this, you’re sure to have been spammed with a message like this from Google recently:
Now, you may not have touched anything server side recently, and if that’s the case you may be wondering what happened and why. Have you been hacked?
Thankfully, not – quite the opposite. WordPress has just released a security update (4.2.3) to patch a serious vulnerability:
WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site.
If your site is on WordPress 3.7 or later, minor and security releases like this one are applied automatically by default, without the site owner needing to do anything. The update itself is not what blocked your CSS and JavaScript, though: the robots.txt that WordPress generates has for years carried a Disallow rule for directories like /wp-includes/ (a rule WordPress only dropped later, in 4.4), the security release did not touch it, and Google’s warnings simply started arriving in bulk at about the same time. The rule makes some sense from the security perspective, as hackers often search for vulnerable sites using footprints like certain files on your server known to be associated with vulnerable plugins or themes; keeping those paths out of the index blunts that kind of search-engine reconnaissance. Bear in mind, though, that robots.txt is only a request honoured by well-behaved crawlers: a scanner hitting your server directly ignores it entirely, and the file itself publicly lists the very directories you would rather not advertise. Problem is, /wp-includes/ also contains JavaScript and CSS files:
But Google has been asking site owners not to block its crawler from CSS and JavaScript since 2012. Both CSS and JavaScript can be (and have been, and still are) used for many things Google isn’t particularly happy about, like cloaking, redirects or hidden content. Recently though, their excuse for extorting CSS and JS out of site owners is to make sure a site is mobile friendly (see this post, but it’s better explained in this comment than in the post itself).
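Before choosing between the two, it helps to see exactly which files a given robots.txt keeps Googlebot away from. The script below is an added example written for this post, not WordPress code and not Google’s; the two robots.txt bodies are constructed samples (the first modelled on the blanket Disallow WordPress used to generate, the second a hypothetical variant that keeps the PHP under /wp-includes/ blocked but opens the js/ and css/ subdirectories), and the asset list is made up to look like what a theme page typically references.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample 1: a blanket Disallow on both directories, modelled on the
# robots.txt WordPress generated at the time.
BLANKET_DISALLOW = """\
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
"""

# Constructed sample 2 (hypothetical): keep PHP under /wp-includes/ blocked but
# let crawlers fetch the static assets Google asks for.
# The Allow lines deliberately come BEFORE the Disallow: Google resolves
# conflicts by the longest matching path, but Python's robotparser (and some
# other crawlers) take the first matching rule, so Allow-first gives the same
# answer under both policies.
ASSETS_ALLOWED = """\
User-agent: *
Allow: /wp-includes/js/
Allow: /wp-includes/css/
Disallow: /wp-admin/
Disallow: /wp-includes/
"""

# Constructed list of URLs a WordPress theme page might reference.
SAMPLE_URLS = [
    "https://example.com/wp-includes/js/jquery/jquery.js",
    "https://example.com/wp-includes/css/dashicons.min.css",
    "https://example.com/wp-includes/class-wp.php",
    "https://example.com/wp-includes/version.php",
    "https://example.com/wp-admin/admin-ajax.php",
    "https://example.com/wp-content/themes/twentyfifteen/style.css",
]

STATIC_EXTENSIONS = ("js", "css")


def parse_robots(robots_txt):
    """Build a RobotFileParser from robots.txt text without fetching anything."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp


def blocked_for(robots_txt, urls, agent="Googlebot"):
    """Return the URLs the given user agent may NOT fetch under this robots.txt."""
    rp = parse_robots(robots_txt)
    return [u for u in urls if not rp.can_fetch(agent, u)]


def blocked_static_assets(robots_txt, urls, agent="Googlebot"):
    """Subset of blocked_for() that is CSS/JS, i.e. what triggers Google's warning."""
    return [
        u for u in blocked_for(robots_txt, urls, agent)
        if u.rsplit(".", 1)[-1].lower() in STATIC_EXTENSIONS
    ]


if __name__ == "__main__":
    for label, body in (("blanket", BLANKET_DISALLOW), ("assets allowed", ASSETS_ALLOWED)):
        print(f"[{label}] blocked for Googlebot:")
        for u in blocked_for(body, SAMPLE_URLS):
            print("   ", u)
        print(f"[{label}] blocked CSS/JS:", blocked_static_assets(body, SAMPLE_URLS))
```

Run it against your own robots.txt and the asset URLs from a page’s HTML source to see whether the warning is about /wp-includes/ alone or about something a plugin or theme also blocks; with the second sample, the PHP files stay out of the index while the CSS and JS Google wants are reachable.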
So you’re left with a choice between site security and potential rankings drop… What should you do?
Before you make a decision, here are a few facts:
- WordPress is an extremely popular CMS used by millions of sites;
- As such, it is a frequent target for hackers – after all, a vulnerability common to millions of sites is a far better ROI than something unique to a handful of sites;
- In the last 7 days alone, 7 vulnerabilities affecting either WordPress core or its plugins have been made public; how many more exist that are not widely known is anyone’s guess;
- If your site gets hacked, you’re pretty much on your own – Google’s guidelines make it your responsibility to clean it up:
Engage in good practices like the following:
– Monitoring your site for hacking and removing hacked content as soon as it appears
– Preventing and removing user-generated spam on your site
- Has Google been doing anything helpful about the hacking issue? Why sure, as of February they have been “slowly rolling out a new hacked page classifier”, only it’s full of issues and can misclassify your site at any time, and then it’s up to you to report it and spend your time trying to sort it out;
- A hacked site not only hurts your rankings and disrupts your traffic; it can destroy your business regardless of where the traffic comes from and cost you the customers you already have.
With all that in mind, feel free to sort out your priorities. Is it your own or your client’s business – or is it the business of a cheeky search engine that, failing to find safe, effective and mutually suitable solutions to ITS business problems, scares everyone into compliance instead?
If any sufficiently open-minded Google engineer happens to read this post, here is my suggestion to you. Step out of your ivory tower and into the real world. Think about how your decisions affect people’s businesses and lives. Think about the choice between security and traffic you are forcing them to make. That is really inefficient, and steps like this will eventually lead to the demise of your search engine.