
Overview of security topics
The following topics describe how you can secure your site.
| Topic | Description |
|---|---|
| What is hacking or hacked content? | Learn what hacked content is and how to fix a hacked site. |
| Malware and unwanted software | Learn what malware and unwanted software is, guidelines for avoiding distribution of unwanted software, and how to fix problems related to unwanted software. |
| Preventing malware infection | This article contains tips and pointers for preventing malware infection. |
| Social Engineering (Phishing and Deceptive Sites) | Learn what social engineering is and how to fix it. |
| Google Safe Browsing Repeat Offenders Policy | Google Safe Browsing helps protect users by showing warnings on dangerous sites or dangerous download files. |
What is hacking or hacked content?
Hacked content is any content placed on your site without your permission as a result of vulnerabilities in your site’s security. In order to protect our users and to maintain the integrity of our search results, Google tries its best to keep hacked content out of our search results. Hacked content gives poor search results to our users and can potentially install malicious content on their machines. We recommend that you keep your site secure, and clean up hacked content when you find it.
Learn more about the Search Console Security Issues report
Some examples of hacking include:
- Injected content: When hackers gain access to your website, they might try to inject malicious content into existing pages on your site. This often takes the form of malicious JavaScript injected directly into the site, or into iframes.
- Added content: Sometimes, due to security flaws, hackers are able to add new pages to your site that contain spammy or malicious content. These pages are often meant to manipulate search engines. Your existing pages might not show signs of hacking, but these newly-created pages could harm your site’s visitors or your performance in search results.
- Hidden content: Hackers might also try to subtly manipulate existing pages on your site. Their goal is to add content to your site that search engines can see but which may be harder for you and your users to spot. This can involve adding hidden links or hidden text to a page by using CSS or HTML, or it can involve more complex changes like cloaking.
- Redirects: Hackers might inject malicious code into your website that redirects some users to harmful or spammy pages. The kind of redirect sometimes depends on referrer, user agent, or device. For example, clicking a URL in Google search results could redirect you to a suspicious page, but there is no redirect when you visit the same URL directly from a browser.
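The following scanner is an added example (not Google's code and not part of this page) that looks for the first three patterns listed above in a saved copy of one of your pages: script tags loaded from hosts you did not approve, iframes that are hidden or sized to zero, links inside elements concealed with CSS, and meta-refresh redirects. The HTML and the hostnames in it are constructed for the demonstration; the `.test` domains are placeholders, and the CSS fragments in `HIDING_STYLES` are a heuristic, not a complete list of ways to hide content.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments commonly used to keep injected links out of sight (heuristic).
HIDING_STYLES = ("display:none", "visibility:hidden", "font-size:0",
                 "left:-", "top:-", "text-indent:-")
# Void elements never get a closing tag, so they must not go on the stack.
VOID = {"meta", "link", "img", "br", "hr", "input", "source", "base"}


def style_hides(style):
    """True if an inline style contains one of the hiding fragments."""
    compact = style.replace(" ", "").lower()
    return any(token in compact for token in HIDING_STYLES)


class InjectionScanner(HTMLParser):
    """Collects (kind, value) findings while walking the document."""

    def __init__(self, site_host, trusted_hosts=()):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts} | {site_host.lower()}
        self.findings = []
        self._stack = []  # (tag, is_hidden) for every open element

    def _foreign(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() not in self.trusted

    def _inside_hidden(self):
        return any(hidden for _, hidden in self._stack)

    def _inspect(self, tag, attrs, push):
        a = dict(attrs)
        hidden = style_hides(a.get("style") or "") or "hidden" in a
        concealed = hidden or self._inside_hidden()
        if tag == "script" and a.get("src") and self._foreign(a["src"]):
            self.findings.append(("foreign-script", a["src"]))
        elif tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or concealed:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "a" and a.get("href") and concealed:
            self.findings.append(("hidden-link", a["href"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        if push:
            self._stack.append((tag, hidden))

    def handle_starttag(self, tag, attrs):
        self._inspect(tag, attrs, push=tag not in VOID)

    def handle_startendtag(self, tag, attrs):
        self._inspect(tag, attrs, push=False)

    def handle_endtag(self, tag):
        # Pop back to the matching open element; tolerate sloppy markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def scan_html(html, site_host, trusted_hosts=()):
    """Return the list of (kind, value) findings for one page."""
    scanner = InjectionScanner(site_host, trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate script and embed, plus three
# injected elements of the kinds the article describes.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-site.test/js/app.js"></script>
<script src="https://unknown-cdn-placeholder.test/m.js"></script>
</head><body>
<p>Welcome to our site.</p>
<div style="display:none"><a href="https://spam-pages-placeholder.test/">buy now</a></div>
<iframe src="https://hidden-frame-placeholder.test/f" width="0" height="0"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<a href="/about">About us</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, value in scan_html(SAMPLE_HTML, "www.example-site.test"):
        print(f"{kind:15} {value}")
```

Run it against HTML fetched the way a visitor would see it (a plain browser request), and again with a search-engine user agent and a Google referrer, since the redirect case in the list above is often served only to those visitors; a difference between the two responses is itself a finding. Hosts your site legitimately loads scripts from go in `trusted_hosts`.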
Fixing hacked sites
Here are our tips on fixing hacked sites and avoiding being hacked.
If you’re a Search Console user and are having trouble with persistent or unfixable security issues on your site, you can let us know.
Malware and unwanted software
Google checks websites to see whether they host software or downloadable executables that negatively affect the user experience. Malware and unwanted software are either downloadable binaries or applications that run on a website and affect site visitors. You can see a list of any suspected files hosted on your site in the Security Issues report.
What is malware?
Malware is any software or mobile application specifically designed to harm a computer, a mobile device, the software it’s running, or its users. Malware exhibits malicious behavior that can include installing software without user consent and installing harmful software such as viruses. Website owners sometimes don’t realize that their downloadable files are considered malware, so these binaries might be hosted inadvertently.
- For more on how Google helps protect users from malicious downloads, see Protecting users from malicious downloads in our Google Online Security Blog.
- For our criteria for safe software on the web, see our Unwanted Software Policy.
What is unwanted software?
Unwanted software is an executable file or mobile application that engages in behavior that is deceptive, unexpected, or that negatively affects the user’s browsing or computing experience. Examples include software that switches your homepage or other browser settings to ones you don’t want, or apps that leak private and personal information without proper disclosure.
For more on how Google helps protect users from unwanted software, see That’s not the download you’re looking for… in our Google Online Security Blog.
In the Security Issues report, “Malware” refers to web-based malware that operates without explicit user action. “Harmful downloads” refers to malware or unwanted software downloads that must be explicitly downloaded by the user.
Fixing the problem
Ensure that your site or application follows the guidelines, then you can request a review in the Security Issues report.
If your mobile application is showing warnings, you can file an appeal.
Guidelines
Be sure that you don’t violate the Unwanted Software Policy, and follow the guidelines given here. Though this list isn’t comprehensive, these behaviors can cause apps and websites to display warnings to users upon downloading and visiting. You can see a list of any suspected files hosted on your site in the Security Issues report.
Don’t misrepresent yourself
- Accurately inform users of a software’s purpose and intent. Users must be able to download the software intentionally, with accurate knowledge of what will be downloaded, by clicking on an accurate advertisement that clearly informs the user of what will be downloaded. Advertisements leading the user to the download must not be deceptive or inaccurate, such as:
- An ad that only contains the words “Download” or “Play” without identifying the software it advertises for.
- A “Play” button that leads to a download.
- An ad that mimics the look and feel of the publisher’s website and pretends to offer content (for example, a movie) but instead leads to unrelated software.
- Read about Social Engineering in our Online Security Blog.
- Behave as advertised. Make sure your program is clear about its functionality and intentions. If your program collects user data or injects ads into a user’s browser, package these behaviors in clear language and don’t frame them as insignificant features.
- Explicitly and clearly explain to the user what browser and system changes will be made by your software. Allow users to review and approve all significant installation options and changes. Your program’s main UI must clearly disclose the binary’s components and their primary functionality. The binary must offer an easy way for the user to skip the installation of bundled components. For example, hiding these options or using barely visible text is not good disclosure.
- Use endorsements only when authorized. Don’t use other companies’ logos in an unauthorized way to legitimize or endorse a product. Don’t use government logos without authorization.
- Don’t scare the user. Software must not misrepresent the state of the user’s machine to the user, for example by claiming the system is in a critical security state or infected with viruses. Software must not claim to provide a service (for example, “speed up your PC”) that it does not or cannot provide. For example, “free” computer cleaners and optimizers must not be advertised as such unless advertised services and components require no payment.
Software guidelines
- Use the Google Settings API if your program changes Chrome settings. Any changes to the user’s default search settings, startup page, or new tab page must be made via the Chrome Settings Override API, which requires the use of a Chrome extension, as well as compliant extension installation flow.
- Allow browser and operating system dialogues to alert the user as intended. Don’t suppress alerts to the user from the browser or from the operating system, notably those which inform the user of changes to their browser or OS.
- We recommend that you sign your code. While an unsigned binary isn’t a reason for flagging your binary as unwanted software, we recommend programs have a valid and verified code signature issued by a code-signing authority that presents verifiable publisher information.
- Don’t degrade the security and protection measures provided by TLS/SSL connections. An application may not install a root certificate-authority certificate. It may not intercept SSL/TLS connections unless designed for experts to debug or investigate software. For more details, see the related Google Security Blog post.
- Protect user data. Software, including mobile apps, must only transmit private user data to servers as it is related to the functionality of the app, and these transmissions must be both disclosed to the user and encrypted.
- Do no harm. Your binary must respect and not harm the user’s browsing experience. Make sure that your downloadable binaries adhere to the following common policies:
- Don’t break the browser’s reset functionality. Read about the reset browser settings button in Chrome.
- Don’t bypass or suppress the browser’s or operating system’s UI control for setting changes. Your program must provide users proper notice and control over settings changes that occur in the browser. Use the Settings API to change Chrome settings (see this Chromium Blog post).
- Use an extension to change Google Chrome functionality, rather than causing browser behavior change via other programmatic means. For example, your program must not use DLLs (dynamically linked libraries) to inject ads in the browser, must not deploy proxies that intercept traffic, must not use a Layered Service Provider to intercept user actions, or insert new UI into every web page by patching the Chrome binary.
- Your product and component descriptions must not scare the user or make false or misleading claims. For example, your product must not make false claims about how the system is in a critical security state or infected with viruses. Programs like registry cleaners must not show alarming messages about the state of a user’s computer or device, and claim they can optimize the user’s PC.
- Make the uninstallation process findable, simple, and non-threatening. Your program must have clearly-labeled instructions for returning the browser and/or system to its previous settings. The uninstaller must remove all components and not deter the user from continuing the uninstall process, for instance by claiming potential negative effects on the user’s system or privacy if the software is uninstalled.
- Keep good company. If your software bundles other software components, you are responsible for making sure that none of these components violate any of the recommendations.
Chrome extension guidelines
- All extensions need to be disclosed and installed in Chrome to be policy-compliant. Extensions must be hosted in the Chrome Web Store, disabled by default, and compliant with Chrome Web Store policies (including the single-purpose policy). Extensions installed from a program must use the authorized Chrome Extensions installation flow, which will prompt the user to enable them within Chrome. Extensions may not suppress Chrome dialogues alerting the user to settings changes.
- Instruct users on how to remove a Chrome Extension. A good user experience is one where, when a user uninstalls a program, everything that was installed along with it gets removed too. The uninstallation flow includes instructions for the user to disable and delete the extension themselves.
- If your binary installs a browser add-on or changes default browser settings, it must follow the browser-supported installation flow and API. For example, if the binary installs a Chrome extension, it must be hosted in the Chrome Web Store and adhere to the Chrome Developer Program Policies. Your binary will be identified as malware if it installs a Chrome extension in violation of the Chrome Alternative Extension Distribution Options policy.
- Read about silent installs in the Chromium Blog and in our Online Security Blog.
- Read how to publish extensions in the Chrome Web Store.
Mobile application guidelines
- Inform users of your intent to collect their data. Provide users an opportunity to agree to the collection of their data before you start collecting and sending it from the device, including data about third-party accounts, email, phone number, installed apps, and files on the mobile device. Make sure you securely handle any personal or sensitive user data that you collect, including transmitting it using modern cryptography (for example, over HTTPS). For non-Play apps, you must disclose your data collection to the user in the app. For Google Play apps, disclosure must adhere to Play policy. Don’t collect data that goes beyond the published use of your application.
- Don’t impersonate another brand or app. Don’t use improper or unauthorized imagery or design similar to another brand or app in a way that is likely to confuse the user.
- Keep all content within the context of the app. Apps must not interfere with other apps and the usability of the device. Apps must not display ads or additional content to the user outside of the context or function of the app itself without getting informed consent from the user and including clear attribution of the ads’ source wherever those ads appear.
- The app must deliver on promises made to the user. All advertised functionality must be available to the user in the app. Apps may update app content but must not download additional apps without getting informed consent from the user.
- Keep behavior transparent. Apps must not uninstall or replace other apps or their shortcuts, unless that is the app’s stated purpose. Uninstall must be clear and complete. Apps must not mimic prompts from the device OS or other apps.
Apps distributed via Google Play must comply with the Developer Program Policies and Developer Distribution Agreement, which have additional requirements.
If you’re a Search Console user and are having trouble with persistent or unfixable security issues on your site, you can let us know.
Preventing malware infection
The price of freedom from malware is eternal vigilance. This article contains tips and pointers for preventing malware infection. However, it is by no means exhaustive, and Google encourages website owners to conduct more thorough research as well.
Monitoring your site health
Many of the features of Search Console can help you identify potential problems. For example:
- Try a search on Google with the `site:` search operator to see what pages Google has found on your site. It’s always a good idea to do this periodically to see whether anyone has snuck unexpected pages or content on your site. If you see unknown pages on your site, or topics that you didn’t write, you may have been hacked. If you’re not already familiar with the `site:` search operator, it’s a way for you to restrict your search to a specific site. For example, the search `site:developers.google.com` will return results only from the Google Developers site.
- The Security Issues report shows any hacked pages that Google has identified on your site, and instructions on how to fix the problem.
- If Google detects malware on your site, you’ll see a notification in the message panel in Search Console. To ensure that you’re notified quickly, you can have your messages forwarded to your email account.
Security checklist
In addition to monitoring your site regularly, we also recommend the following:
All website owners
- Choose good passwords. The Google account guidelines are helpful.
- Pick third-party content providers very carefully. Make sure that third-party apps and ads on your site are from trusted and legitimate sources. A trusted and legitimate source provides support and contact information on their website.
- Contact your hosting company or publishing platform for support. Most companies have helpful and responsive support groups and/or security pages. If a security page or site has an RSS feed, subscribe to it to make sure you stay up to date.
- Keep all of your computers safe. Especially when working on a website, make sure that your local workstation has up-to-date software, is clean from viruses, trojans, or similar malware and has recently updated anti-virus software installed.
Website owners with server access
- Check your server configuration. Apache has some security configuration tips on their site and Microsoft has some tech center resources for IIS on theirs. Some of these tips include information on directory permissions, server-side includes, authentication, and encryption.
- Make a backup copy of your `.htaccess` file (or other access control mechanisms depending on your website platform). Use your backup file to recover if the following fails. Be sure to delete the backup file once you are finished.
- Stay up-to-date with the latest software updates and patches. There are lots of tools that make building a website easy, but each one adds some risk of being exploited. A common pitfall for many website owners is to install a forum or blog on their website and then forget about it. Much like taking your car in for a tune-up, it’s important to make sure you have all the latest updates for any software program you have installed. Make a list of all the software and plug-ins used for your website, and keep track of the version numbers and updates. Even if you’re diligent and keep all your website components updated, you may still be vulnerable if your web hoster has not installed the most recent operating system patches. This problem affects not only small sites; there have been warnings on the websites of banks, sports teams, and corporate and government websites.
- Keep an eye on your log files. Making this a habit has many great benefits, one of which is added security. For example, unfamiliar URL parameters (like `=http:` or `=//`) or spikes in traffic to redirect URLs on your site may indicate that a hacker is exploiting open redirects. Also, bear in mind that hackers often try to alter log files. Take measures to protect these files from attack. For example, you can move these files from their default location, making it harder for hackers to find them.
- Check your site for common vulnerabilities. Avoid having directories with open permissions. This is like leaving the front door to your home wide open. Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities.
- Use secure protocols. Google recommends using SSH and SFTP for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer.
- Keep up to date on the latest security news. The Google Security Blog provides useful information about online security and safety, as well as pointers to other resources. The government site US-CERT (United States Computer Emergency Readiness Team) provides technical security alerts and tips.
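The log-file check from the list above, as an added example that is not Google's code: it parses Apache/nginx "combined" access-log lines, flags any request whose query parameter value is an absolute URL (`=http:`, `=https:`) or protocol-relative URL (`=//`), including percent-encoded forms, and reports paths that receive a spike of such requests. The log lines, IP addresses (RFC 5737 documentation ranges) and `.test` hostnames are constructed for the demonstration; `spike_threshold` is an assumed tuning value.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format; fields we do not need are skipped with \S+.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def suspicious_params(target):
    """Return (name, value) pairs whose value looks like an absolute or
    protocol-relative URL. parse_qsl decodes percent-encoding, so
    'url=https%3A%2F%2F...' is caught as well as the literal form."""
    query = urlsplit(target).query
    flagged = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.strip().lower().startswith(("http:", "https:", "//")):
            flagged.append((name, value))
    return flagged


def analyze_log(lines, spike_threshold=5):
    """Return (hits, spikes): one dict per suspicious request, and a map of
    path -> count for paths at or above spike_threshold."""
    hits = []
    per_path = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real monitor would count these too
        params = suspicious_params(m["target"])
        if not params:
            continue
        path = urlsplit(m["target"]).path
        per_path[path] += 1
        hits.append({"ip": m["ip"], "time": m["time"], "path": path,
                     "params": params, "status": m["status"]})
    spikes = {p: n for p, n in per_path.items() if n >= spike_threshold}
    return hits, spikes


# Constructed sample log: ordinary traffic, a burst of open-redirect abuse
# against /redirect, and one protocol-relative redirect attempt on /login.
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Oct/2023:13:55:40 +0000] "GET /redirect?url=http://spam-pages-placeholder.test/x HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /redirect?url=http://spam-pages-placeholder.test/x HTTP/1.1" 302 0 "https://www.google.com/" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:42 +0000] "GET /redirect?url=https%3A%2F%2Fspam-pages-placeholder.test%2Fy HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Oct/2023:13:55:43 +0000] "GET /redirect?url=http://spam-pages-placeholder.test/x HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:44 +0000] "GET /redirect?url=http://spam-pages-placeholder.test/z HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:55:45 +0000] "GET /redirect?url=http://spam-pages-placeholder.test/x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /login?next=//spam-pages-placeholder.test/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:56:05 +0000] "GET /search?q=http+basics HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    hits, spikes = analyze_log(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["path"], h["params"], h["status"])
    print("spike paths:", spikes)
```

Point the script at a rotated copy of the log rather than the live file, and keep that copy somewhere the web server user cannot write to, for the reason the list gives: an attacker who has already modified the site will often try to edit the logs as well. The `/search?q=http+basics` line is included to show that only values that begin like a URL are flagged, not every parameter containing "http".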
If you’re a Search Console user and are having trouble with persistent or unfixable security issues on your site, you can let us know.
Social engineering (phishing and deceptive sites)
Social engineering is content that tricks visitors into doing something dangerous, such as revealing confidential information or downloading software. If Google detects that your website contains social engineering content, the Chrome browser may display a “Deceptive site ahead” warning when visitors view your site. You can check if any pages on your site are suspected of containing social engineering attacks by visiting the Security Issues report.
Open the Security Issues Report
What is social engineering?
A social engineering attack is when a web user is tricked into doing something dangerous online.
There are different types of social engineering attacks:
- Phishing: The site tricks users into revealing their personal information (for example, passwords, phone numbers, or social security numbers). In this case, the content pretends to act, or looks and feels, like a trusted entity — for example, a browser, operating system, bank, or government.
- Deceptive content: The content tries to trick you into doing something you’d only do for a trusted entity — for example, sharing a password, calling tech support, downloading software, or the content contains an ad that falsely claims that device software is out-of-date, prompting users into installing unwanted software.
- Insufficiently labeled third-party services: A third-party service is someone that operates a site or service on behalf of another entity. If you (third party) operate a site on behalf of another (first) party without making the relationship clear, that might be flagged as social engineering. For example, if you (first party) run a charity website that uses a donation management website (third party) to handle collections for your site, the donation site must clearly identify that it is a third-party platform acting on behalf of that charity site, or else it could be considered social engineering.
Google Safe Browsing protects web users by warning users before they visit pages that consistently engage in social engineering.
Web pages are considered social engineering when they either:
- Pretend to act, or look and feel, like a trusted entity, like your own device or browser, or the website itself, or
- Try to trick you into doing something you’d only do for a trusted entity, like sharing a password, or calling a tech support number, or downloading software.
Social engineering in embedded content
Social engineering can also show up in content that is embedded in otherwise benign websites, usually in ads. Embedded social engineering content is a policy violation for the host page.
Sometimes embedded social engineering content will be visible to users on the host page, as shown in the examples. In other cases, the host site does not contain any visible ads, but leads users to social engineering pages via pop-ups, pop-unders, or other types of redirection. In both cases, this type of embedded social engineering content will result in a policy violation for the host page.
But I don’t engage in social engineering!
Deceptive social engineering content may be included via resources embedded in the page, such as images, other third-party components, or ads. Such deceptive content may trick site visitors into downloading unwanted software.
Additionally, hackers can take control of innocent sites and use them to host or distribute social engineering content. The hacker could change the content of the site or add additional pages to the site, often with the intent of tricking visitors into parting with personal information such as credit card numbers. You can find out if your site has been identified as a site that hosts or distributes social engineering content by checking the Security Issues report in Search Console.
See our Help for Hacked Sites if you believe that your site has been hacked.
Examples of social engineering violations
Deceptive content examples
Here are some examples of pages that engage in social engineering practices:
Note the deceptive URL. Other phishing sites like this could trick you into giving up other personal information such as credit card information. Phishing sites may look exactly like the real site—so be sure to look at the address bar to check that the URL is correct, and also check to see that the website address begins with `https://`.
Deceptive ad examples
Here are some examples of deceptive content inside embedded ads. These ads appear to be part of the page interface rather than ads.
Fixing the problem
If your site is flagged for containing social engineering (deceptive content), ensure that your page doesn’t engage in any of the practices, and then follow these steps:
- Check in with Search Console.
- Verify that you own your site in Search Console and that no new, suspicious owners have been added.
- Check the Security Issues report to see if your site is listed as containing deceptive content (the reporting term for social engineering). Visit some sample flagged URLs listed in the report, but use a computer that’s not inside the network that is serving your website (clever hackers can disable their attacks if they think the visitor is a website owner).
- Remove deceptive content. Ensure that none of your site’s pages contain deceptive content. If you believe Safe Browsing has classified a web page in error, report it.
- Check the third-party resources included in your site. Ensure that any ads, images, or other embedded third-party resources on your site’s pages are not deceptive.
- Note that ad networks may rotate the ads shown on your site’s pages. Therefore, you might need to refresh a page a few times before you’re able to see any social engineering ads appear.
- Some ads may appear differently on mobile devices and desktop computers. You can use the URL Inspection tool to view your site in both mobile and desktop views.
- Follow the third-party service guidelines for any third-party services, such as payment services, that you use in your site.
- Request a review. After you remove all social engineering content from your site, you can request a security review in the Security Issues report. A review can take several days to complete.
Third-party service guidelines
If you include a third-party service in your site, we recommend that you meet the following conditions in order to avoid being labeled as social engineering:
- On every page, the third-party site clearly includes the third-party brand in a way that ensures users understand who is operating the site. For example, by including the third-party brand at the top of the page.
- On every page that contains first-party branding, explicitly state the relationship between the first and third party, and provide a link for more information. For example, a statement like this: “This service is hosted by Example.com on behalf of Example.charities.com. More information.”
A good usability guideline is whether a user viewing the page in isolation understands which site they are on, and the relationship between the first and third party at all times.
Best practice: If you need a third party to perform a basic support service for your site, a best practice is to use an industry standard third party for that service. For example, to manage user authentication on your site, use OAuth rather than managing authentication yourself.
If you’re a Search Console user and are having trouble with persistent or unfixable security issues on your site, you can let us know.
Google Safe Browsing Repeat Offenders Policy
Google Safe Browsing helps protect users by showing warnings on dangerous sites or dangerous download files. Safe Browsing also notifies website owners when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.
Sites that repeatedly switch between compliant and noncompliant behavior within a short window of time will be classified as Repeat Offenders.
When a site is established as a Repeat Offender, the website owner will be notified via email to their registered Search Console email address. Once Safe Browsing has designated a site as a Repeat Offender, the website owner will be unable to request additional reviews via Search Console. Repeat Offender status persists for 30 days, after which the website owner will be able to request a review.