How To Lose All Your Google Traffic
I’ve twittered about this but that’s largely preaching to the converted, so this post is a more mainstream warning. It’s for other bloggers. Of the WordPress variety.
Admitting to having your blog compromised and filled with spam links is akin to admitting you have contracted an STD. And then you have the gall to advise others to have safe blog sex. Well that’s me.
Unlike Irish KC, my other blog, American Hell uses a very simple theme with very few files. I knew it was running an old version of WordPress - 2.0 - but as I saw no need for any more functionality for my simple site I ignored all notices about newer versions of WordPress and upgrading to them.
That reasoning isn’t just lazy - it’s insane.
I don’t ignore updates to Windows. Or anything else when the word security or patch is attached to that of release. So why did I leave my baby exposed?
Maybe because I’d never had the security of any blog compromised badly before. Oh yes every day is a fight against comment spam and trackback spam, but never since I first started blogging back in 2000/2001 have I had a blog hurt the way I’ve had email hurt or an operating system hurt. Any damage my blogs have ever suffered has always been self-inflicted. Until now.
The traffic to American Hell has been growing steadily since I first launched it just over a year ago. It even grew when it was all but dormant during my move back to Ireland from America. That growth has largely been due to its performance on Google. I write next to nothing on American Hell, with almost all posted content consisting of just images, including the words.
Those images perform well on Google’s Image search, and unlike other times where I’ve had images do well in search results, the American Hell images convert searchers to genuine traffic. Probably because each image is a self-contained full post complete with text and maybe the searcher has found a cartoon that pricks their interest in reading more.
Whatever the reason, American Hell was averaging about 350 pages a day being clicked on, with about 80% of that traffic coming from Google. I know that makes it a small website but now it’s even smaller. Because about a week ago the Google traffic disappeared completely.
Not long ago I would have known why. Every day I used to read dozens of tech sites, dozens of marketing sites, and dozens of SEO sites. So the reason would have been on my radar. Instead I was just philosophical and assumed Google had tweaked their Image Search algorithm. Had I looked closer I would have seen that it was all Google searches, not just the image searches, that had stopped.
A couple of days later an email from Technorati told me why. American Hell was running a version of WordPress that may be suffering from a security vulnerability. Blogs are being compromised via this vulnerability on a widespread scale. The most common symptom of such a compromised blog is the presence of hidden links to spam web sites.
American Hell was running 2.0 and the current version of WordPress is 2.5 but there’s been a few in between. Anything older than 2.3.3 may have this security vulnerability.
While the website looked fine, a quick look at the source code and there indeed were hundreds of links to spam sites.
Cue horror and embarrassment. I don’t know exactly when they were put there but Google and the other major search engines - rightly - don’t tolerate them so poof went my traffic. Technically speaking I wasn’t kicked out of Google’s index, I was just penalised. So even if you know American Hell exists and search for it using its name, no longer will you find it listed at #1; in fact you won’t find it at all - or at least not in the top 200 search results.
Anyway, I dropped everything and immediately did the following, in this order:
1) Replaced xmlrpc.php with the fixed version
2) Deleted the spam links
3) Upgraded to WordPress 2.5
And then I filed a reinclusion request with Google, which is now called a reconsideration request because if you have “only” suffered a penalty and not been kicked out of the index you cannot be reincluded in something you are not excluded from.
The responsibility for not letting my site get stuffed with spam links was mine entirely, not Google’s, Yahoo’s, or Technorati’s so I’m grateful to Ian Kallen for the email and for blogging about it.
Irish KC gets a consistent 95% of its unique visitors from Google - converting into about 1,000 pages a day clicked on that originated from Google. And Irish KC runs WordPress 2.3.2, which is not the magic number.
Unlike American Hell, the WordPress theme on this site is heavily customised - or butchered if you prefer - and ever since an unsuccessful attempt to install the anti-spam WordPress plugin Akismet caused me to spend 3 days fixing the damage, I’ve been nervous about upgrading WP on Irish KC. The upgrade to 2.5 on American Hell wasn’t entirely smooth either.
But compared with the risk of losing all Google traffic? I’m upgrading. Now.
UPDATE: Just 6 days after the reinclusion request Google has reinstated American Hell.
Read More About This Risk:
• Vulnerable WordPress Blogs Not Being Indexed
• Irish Internet Association’s Nasty Infection
• The WordPress Security Cancer
I think you hit on the reason that I avoid upgrading WordPress. It’s not streamlined, it’s pretty close to reinstalling and hoping the backup reloads right, and your plugins aren’t devastated.
It’s not easy.
Well, good to hear my post provided some impetus — although it sounds like a pretty unpleasant experience all-round
[…] Seriously now. If you don’t upgrade buggypress you’ll get blacklisted by Google. […]
[…] corruption of UTF-8 characters but the comments were still there. Attempting to get to 2.5 to avoid spam attacks left me with no comments at all. They were still there in the database but weren’t being […]
Upgrading is a lot more of a crapshoot than it needs to be. I tend to wait for the anguished howling to die down before I make the leap, so I can learn from other people’s mistakes.
What can I say! I didn’t know spam sites could do that to your source code… shows what little I know! I recently upgraded and it made a mess of my site. On the other hand, if you don’t upgrade… seems you’re damned if you do and damned if you don’t! I would love to know more about how you went about checking your source code… Maybe you could email me some info on how I would go about doing it myself? Great post by the way!
Thanks for the warning, I have a similar situation with a photoblog, that is telling me to update because my WordPress is out of date, guess I better do it.
Mat - Yep, we obviously complicate things when we use plug-ins. I don’t know if there’s a solution to that if plugins are to be kept as plugins and not incorporated into the main product.
Justin - Thanks for your post. It alerted me to the lack of publicity the problem was getting and made me feel guilty for not having initially publicised my experience.
emordino - I generally take the same approach, but the impact of not updating here was worse I’d venture. That said I was quite a few versions behind, and I can hardly criticise a community that has created a rather powerful piece of software that I don’t volunteer my own time to.
Patrick - thanks - there wasn’t a whole lot to it really, at least nothing I can take any credit for - once alerted to the existence of the problem, a quick View Source showed a million spam links, and my WP theme only has 7 or 8 main files to look at - but I’ll drop you a note.
Tim - I’ve ignored such warnings repeatedly myself, but I don’t see me doing it again after this.