I remained appalled at how poorly this program is administered. After I fixed all the problems and requested a review, Google insisted that my site still had ‘badware’, claiming to have done a scan of my website that very day. This continued for a week (with daily checks on my part — nope, still no badware — daily requests for review, and daily ‘Badware found’ designations from Google) until suddenly the ‘badware’ designation vanished yesterday (May 1st). I credit that largely to having posted a message in the Google Webmaster Groups forum the day before (Apr 30th), though no reply was made directly to that posting or to me via e-mail.

Given the disproportionate impact that Google can have on a website’s traffic — thus for sites with ads, the site’s income — and the difficulties that most people appear to encounter in getting Google to lift that badware designation even after fixing the problem (browse through these search results), I’m surprised that Google’s legal department hasn’t urged more caution and diligence on how this ‘Badware’ initiative is administered.  ..bruce w..

Last Monday (4/21), I brought up the SiteMeter statistics page for this blog and noted in passing that the traffic seemed a bit light that morning. I chalked it up to the usual variations in site flow and didn’t think much of it.

But then I happened to click on one of the incoming Google searches (as I often do) just to see what other sites that search brings up and where my blog ranks in the results. I was startled — and dismayed — to see something that looked like this:

I was rather dumbfounded, to say the least. I clicked on the ‘This site may harm your computer’ link and found myself at Google Webmaster, having their “StopBadware” initiative explained to me. Since this blog (along with all my others) is hosted on a dedicated remote server, I fired off an e-mail to the support staff, as well as to my co-blogger Bruce Henderson. In the meantime, I brought up CuteFTP and started searching through the blog’s files.

I quickly encountered some files that weren’t part of the WordPress installation — they had been recently created, and most of them started with the prefix “fx_” (as in “fx_wp-cron.php”). Henderson found them as well; he also found reports that this problem was related to a known WordPress exploit. I had not yet upgraded the blog to WP 2.5, since I’m always a bit leery of new major releases, so I got caught in the exploit as well.

I then proceeded to spend a full day cleaning up the mess. I backed up the blog’s contents as an XML file (to avoid copying out any PHP files), relocated the image files, then deleted the entire WordPress installation, including the database, leaving little more than an bare-bones index.html (‘PLEASE STAND BY…”) file. I then did a clean installation of WordPress 2.5 and upgraded it with the security-related portions of WordPress 2.5.1. I then restored the blog’s content by importing the XML file (broken up into three smaller chunks, since WordPress will only import XML files < 2MB). I restored the image files and requested a new review of the website by Google.

Google told me that the site still had “badware” — but the section that was supposed to inform me where the badware was, was completely blank. Aargh. I requested a new review and noted in the comments that Google was telling me there was a problem with my website without giving me any information about what it was. This process continued for several days.

Today, I checked Google again and saw that this blog was still listed as ‘harmful’ — but now it pointed me specifically to the (current) third page of the blog. A cursory review of that page didn’t uncover anything. I then did some more online research and found a post talking about iFrame injections. I did a ‘view source’ on the 3rd page of this blog, searched for ‘iFrame’ — and bingo! There it was, embedded in my post on HP Lovecraft. I deleted it from that post, but to be sure, I exported the entire blog out to XML again, opened that file in UltraEdit, and did a search on ‘iFrame’. I found two legit uses of iFrame (some of Henderson’s Google maps during last fall’s San Diego fires), but found another iFrame exploit in an old post on ‘Time Traveller Day’. I deleted that one, then did a resubmit to Google.

Through all this, my site traffic had declined sharply, down to less than a third of what it had been averaging each day:

There was a brief spike on the 25th-26th, but that mostly Digg traffic on the ‘rainbow’ photo that Henderson posted.

I have profoundly mixed feelings about the Google ‘Stop Badware’ initiative. On the one hand, it sure brought the problem to my attention in a hurry — but only because I happened to backtrack on a Google search that landed at my site. (Google claims to notify via a variety of e-mail addresses, but I enabled several of those for this blog, with forwarding, back on the 21st and have yet to receive a single e-mail since then, despite several ‘Request review’ requests.) What’s more, Google has never provided any information about what the alleged ‘badware’ is that it found on my blog, and it is has been for the most part vague and unhelpful in letting me know where the alleged badware is.

In the meantime, for a full week now anyone using Google who hits my site sees that “This site may harm your computer” phrase. I can only cross my fingers and hope that Google in Its Inscrutable Wisdom decides that my site is OK now. Henderson and I have spent nearly two years building the blog’s traffic to its current level, only to see that drop by 60% in a single day and mostly stay there for the past week. We’re not alone in this mess; a Google search on “Google site may harm computer” yields 649,000 hits.

Have you checked what Google is saying about your blog? ..bruce w..