How to avoid your website getting blacklisted (and what to do if it happens)

If you’ve never heard of a website getting blacklisted then you’ve been pretty lucky. Sadly, it’s the kind of thing you don’t normally hear about until it happens to you and then you’re left wondering what exactly is going on.

In the meantime, your traffic takes a hit and your online profits tumble. And then you have the pleasure of diagnosing the issue that got you blacklisted in the first place and trying to fix it. That’s assuming there is an issue, of course, and you haven’t been wrongfully blacklisted to start with. Sounds like a major headache, right?

What Is Blacklisting and Why Should I Care?

Because the web is rife with security threats, your friendly neighborhood tech giants take it upon themselves to protect people from online villains. Don’t be too grateful, though, because they make a tidy profit and collateral damage is all too common.

There are software and service providers that protect users from visiting ‘dangerous’ websites. Some blacklist programs will simply warn people they’re about to visit a suspicious site while others will completely block access to websites that are deemed a threat.

Sounds good, right? Well, in principle yes – but not if you’re the owner of that website and you wake up one day to a huge drop in traffic, online revenue, and a tarnished reputation. Needless to say, getting blacklisted is an expensive problem to have on your hands and something you don’t want to get involved in as a website owner.

Why Would I Get Blacklisted?

In theory, the services that run the blacklists are there to protect people from malicious websites, spam, and online fraud. Which is great, because all of those things make the internet a worse place. So if you find your site has been blacklisted then it means you’re considered to pose one of those threats to people online.

The worrying thing is your website has the potential to become a haven for spammers, hackers and other ne’er-do-wells unless you firmly secure it. And it is your responsibility to keep your website in check and protect the people who choose to pay a visit.

Vulnerabilities (and reasons for being blacklisted) can include the following:

  • You don’t handle user data securely
  • Your site is vulnerable to malicious code
  • Excessive popups and overuse of cookies or other scripts
  • Links pointing to questionable sites
  • Your website has been hacked
  • Your email strategy is spammy or compromised
  • Your server has a bad reputation (think shared hosting)

There are numerous other threats you’re susceptible to as a website owner. The key point, though, is you alone are responsible for protecting yourself and your users from these threats. If you get blacklisted because your site has been compromised (or you’re up to no good) then you can’t really complain – that’s just blacklisters doing their job.

The problem is many blacklisting services have a reputation for flagging perfectly sound websites with warning signs. Some of them will even block access to your site entirely – and that really stings when it’s a mistake on their part. Getting falsely flagged is an absolute business killer and the harsh reality is it happens all too often.

Introducing McAfee SiteAdvisor

One of the most common blacklist providers is McAfee, whose SiteAdvisor software is used by millions of people all over the world. The free browser extension promises to keep people safe by warning them about websites that pose a potential threat.

The great thing about SiteAdvisor – both for users and website owners – is it doesn’t block access to websites. Instead, it places a status badge next to search results and at the top of the browser.

So, essentially, McAfee sticks a badge on your website to give users an idea of how safe it is. Fair enough. But this is where the controversies begin.

SiteAdvisor Criticism

SiteAdvisor has picked up a number of criticisms since its initial release in April 2005. Not all of these are specific to the McAfee software, though; some are concerns with blacklisting tools in general.

False Positives
False positives are when a blacklisting service inaccurately flags a website with security warnings. SiteAdvisor has been heavily criticised for such inaccuracies, although it’s not the only provider to suffer bad press on this front.

False Negatives
At the other end of the spectrum, we have false negatives – where sites are given a green rating they don’t deserve. SiteAdvisor and other platforms often leave long periods between tests, increasing the chances of their listings being out of date and of little use.

The problem here is that blacklisting software sells itself as offering a kind of protection it can rarely deliver – and people buy into it.

Communication and Fixes
For website owners, McAfee has become somewhat notorious for offering no resolution system for blacklisted websites. You don’t get notified if your site is hit and you certainly won’t get any indication of why you may have been compromised, let alone how to fix it.

You have to contact them and hope to get a response. Fixes can take anywhere between 10 days and a year, with many fixes only coming after the threat of legal action.

Weak Testing Systems
Like many blacklisting tools, SiteAdvisor only grades websites based on spam and malware. It doesn’t take business practices into consideration, user reviews, or reputations. This not only means reputable businesses can get flagged with a security warning, but unscrupulous firms can also pass 100% – purely because they don’t contain malware.

McAfee Secure

The really worrying thing about SiteAdvisor is the McAfee Secure option that allows website owners to buy a certified green rating. This will set you back $360 a year and protect you from blacklisting in the future.

The troubling part is any website owner can buy this certificate – no test needed – which completely contradicts the whole purpose of the software. This works on two levels: dodgy sites can pay up for the green light while wrongly flagged website owners are held to ransom.

The case went pretty public after a Reddit user posted a condemning account of his ordeal:

“McAfee is running a scam. SiteAdvisor.com is just a ploy by McAfee to sell expensive $360/year hacker safe badges to webmasters (details inside). I need your advice reddit. What are my options when dealing with such a big company?” – posted by supersan.

It was only after a fairly sizeable campaign from Reddit users and tech magazines that supersan got his site back in the green, without paying for the $360/year badge.

Note: McAfee doesn’t currently list a price for the paid version of Secure Certification Pro on its website.

Your Fault or Not, it’s Definitely Your Problem

Whether you deserve to get blacklisted or not, it’s definitely your problem when it happens – and nobody’s going to sort it out for you out of the goodness of their heart. No matter how you weigh it up, your traffic is going to take a hit and this means losing potential leads or sales.

You won’t even want to think about how many first-time visitors are put off your website for life because of a red flag – especially when you didn’t deserve it in the first place. So, instead of dwelling on it, let’s take a look at how you can avoid getting blacklisted before it happens.

How to Avoid Getting Blacklisted in the First Place

Unfortunately, there’s no quick fix or easy answer to this question, but at the very least you need to start taking security seriously. This isn’t just for the sake of avoiding the dreaded blacklists either – you owe this to yourself as a website owner and to every person that visits your site.

Here are some quick security tips:

  • Update everything – CMS platforms, plugins, software, scripts, etc. And do it regularly.
  • Understand passwords – Yours aren’t as secure as you think.
  • Stick to one site per host plan – Don’t leave multiple sites vulnerable to a single attack.
  • Protect people’s data – Data entry is a security minefield. It’s okay to ask for it, but you must be sure you can protect it (and your site from malicious entries).
  • Understand the security concerns of CMSs – CMS platforms are fine, as long as you understand their vulnerabilities.
  • Choose plugins and extensions carefully – Stick to trusted sources, keep them to a minimum and stay updated.
  • Back up, back up, back up – Regularly. And don’t store the backups on your server. Check out these tips from Sucuri.
  • Know your server configuration files – Or get a webmaster on board who does.
  • Use SSL/HTTPS – This is essential for any website that accepts personal data from users (e.g. login forms). This doesn’t protect your site in any way; it protects individual users from ‘man in the middle’ attacks.

Those tips will get you off to a good start, but the whole picture on website security gets pretty deep. So, if you’re not too hot on the tech side of things, you’ll have a lot to gain from the peace of mind that comes with hiring a webmaster to keep things in check.

If you’re using WordPress then you can find a number of dedicated webmaster services to look after your site – WP Muze being one of them. You’ll also find similar options for Joomla, Shopify and Magento, so consider your options based on the platform you go for.

If you’re hosting a custom website then you’ll find similar webmaster services – even if you take the freelancer route on sites like Elance (just think about quality, rather than price alone).

How to Get Your Site off the Dreaded Blacklist

If the worst happens and your site gets blacklisted then you have the task of getting yourself the green light again. This isn’t always the easiest of tasks, but the first thing to do is check your site is still clean.

You’ll need to take the initiative to do this yourself because you can’t expect much help from those who run the blacklists. You’ll also need to check whether your site is blocked by other blacklisters or if it’s isolated to one service provider.
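One way to start that check on your own pages, as an added example that is not part of the original article: it lists every outside host a page links to or loads content from and flags anything missing from an allowlist you maintain. The domains, the sample markup and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that carries the URL for each tag we care about.
URL_ATTRS = {"a": "href", "link": "href", "img": "src",
             "script": "src", "iframe": "src", "form": "action"}
# Tags that run code or receive user data: an unknown host here is urgent.
ACTIVE_TAGS = {"script", "iframe", "form"}

class ExternalRefs(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []  # (tag, host) for every absolute http(s) reference

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if not value:
            return
        # urljoin resolves relative and protocol-relative (//host/...) URLs.
        parts = urlsplit(urljoin(self.page_url, value.strip()))
        if parts.scheme in ("http", "https") and parts.hostname:
            self.refs.append((tag, parts.hostname))  # hostname is lowercased

def host_allowed(host, allowed):
    # Exact match or true subdomain; "example.com.lookalike.test" must not pass.
    return any(host == d or host.endswith("." + d) for d in allowed)

def audit(html, page_url, allowed):
    """Return sorted (severity, tag, host) for hosts outside the allowlist."""
    parser = ExternalRefs(page_url)
    parser.feed(html)
    return sorted(("high" if tag in ACTIVE_TAGS else "review", tag, host)
                  for tag, host in parser.refs
                  if not host_allowed(host, allowed))

# Constructed sample page: own site is example.com, with one trusted CDN.
SAMPLE = """
<a href="/about">About</a>
<script src="//CDN.example.net/lib.js"></script>
<a href="https://partner.example.org/offers">Partner</a>
<iframe src="http://widgets.unknown.test/f" style="display:none"></iframe>
<script src="https://example.com.lookalike.test/x.js"></script>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "https://example.com/",
                         {"example.com", "cdn.example.net"}):
        print(*finding)
```

Run it against the rendered HTML of each page template after every update. A "high" finding you did not add yourself is the kind of injected script or hidden frame that gets a site flagged.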

Take a look at these guidelines from Google for a push in the right direction or this guide (PDF) from APWG for more detail (recommended by Google).

If you haven’t been hacked and there’s some sort of other problem, you’re faced with the often fruitless task of asking whoever blacklisted your site for a review. You’ll get mixed results from this (Google is way quicker than McAfee, for example) so summon your patience before you submit for a review.

What if I Have Been Hacked Though?

If you have been hacked then the first thing to do is get in touch with your web host. This is where it pays to have a provider who takes security seriously. First of all, because your chances of getting hacked are greatly reduced – but also because they can help rectify the issue.

Aside from fixing the initial problem, it’s important you pinpoint why (or how) your site got hacked. You need to know this so you can prevent repeat problems. Generally speaking, the root cause will be a vulnerability on your website or on the devices and connections you use to access and maintain your site.

Whichever proves to be the case, it’s a good idea to reassess your security on both fronts. So, even once you’ve diagnosed the issue, run through the web security measures we covered earlier and make sure your devices and website are both free of viruses and malware.

Once you know your website and devices are free of security issues, you’ll have to go back to the tactic of submitting for review. It’s not the ideal solution, sadly, but there’s no happy ending to this particular story I’m afraid.

So What’s the Answer to Getting Blacklisted?

It’s one of those doctor moments where prevention is the best cure. It starts with understanding your obligations as a website owner – and they’re very real in terms of security. It’s not a visitor’s fault if you can’t protect your site or hardware from external attacks, but the damage caused to them can be huge.

If your host provider happens to fall victim to vulnerabilities then you’re one of the unlucky few – but at least you have a point of contact and responsibility who can resolve the issue.

The really frustrating thing is when you get blacklisted for no reason at all. Through no fault of your own, you suddenly become the victim of a heavy-handed online security precaution – one with very little on offer in the way of resolutions. Which only reinforces the need to have someone technical on board, who can minimise your risk, and knows how to react if the worst happens.

So don’t let your website become vulnerable to security threats – that should be standard. But also keep a keen eye on the big blacklisting firms and regularly check your site. Because you don’t want to get hit by one of these when you haven’t done anything to deserve it. And if you do, the sooner you notice, the sooner you can fix the problem.

Have you ever had any experiences of being blacklisted? Was your site posing a threat to your visitors or was it a false flag? How do you plan to monitor this issue going forward? Please share your thoughts in the comments below.