Google has announced that it will begin blocking web pages with mixed content in its Chrome web browser starting December of this year. Considering that Chrome is used by more than half of all internet users, this could be a major issue that you may not even know is lurking on your site.

What is Mixed Content?

Mixed content occurs when a secure webpage served over HTTPS includes scripts, styles, images, or other content that is delivered over the less secure HTTP protocol.

Even linking to sites still using HTTP can be seen as delivering mixed content on your site.

As Google explains:

“Mixed content degrades the security and user experience of your HTTPS site … Using these resources, an attacker can often take complete control over the page, not just the compromised resource.”

How Google Chrome Will Handle Mixed Content

When the next update for Chrome is released in December, Google will begin doing one of two things when it encounters sites with mixed content:

  1. If an HTTPS version of that resource exists, Google will automatically upgrade that content to the newer secure version.
  2. When no such resource exists, Google will soft block the page. This will include a warning about the security risks of mixed content and an option to access the page despite the risk.

The warning screen may not deter all of your potential customers, but it can disrupt a significant chunk of your traffic, leads, and sales.

Beginning in January of 2020, Google will start taking an even stronger stance by removing the unblock option and completely blocking webpages with insecure content.

How To Check Your Site for Mixed Content

Depending on the size of your site and what platform it is built on, there are a number of free and paid options for scanning your site for mixed content.

JitBit SSL Checker

JitBit SSL Checker is a free online tool that can review up to 400 pages of your site for mixed content.

WordPress Tools

If your site is built on WordPress, you can use the Really Simple SSL Plugin to migrate your content to SSL while also checking for and fixing mixed content.

For those who have already migrated their site to SSL, there is also the SSL Insecure Content Fixer WordPress Plugin. This can scan your site for insecure resources while providing suggestions for fixing these problems.

Tools for Large Sites

Websites with a large number of pages will likely have to use paid tools to check their site. One option is Screaming Frog, which can crawl massive sites and provide insights into a wide variety of issues. One drawback, however, is that while it can pinpoint potential problems on your site, it cannot directly assist you in fixing them.
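For a single page or template you can also run the check yourself. The following is an added example, not code from Google or any of the tools named above: it parses a page's HTML with Python's standard library and lists every explicit http:// reference, separating active content (scripts, iframes, stylesheets, which can change the whole page) from passive content (images, audio, video), and reporting form targets and plain links as their own categories. The sample page and its host names are constructed.

```python
from html.parser import HTMLParser

# Active content can rewrite the whole page; passive content only affects itself.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data")}
PASSIVE = {("img", "src"), ("img", "srcset"), ("audio", "src"), ("video", "src"),
           ("source", "src"), ("source", "srcset")}
OTHER = {("form", "action"): "form", ("a", "href"): "link"}  # reported separately
# Constructed sample page (assumed to be served over HTTPS); hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/widget.js"></script>
</head><body>
<img src="https://img.example.com/a.png" srcset="http://img.example.com/a2.png 2x">
<form action="http://www.example.com/search"><input name="q"></form>
<a href="http://partner.example.org/">Partner</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        # <link> only loads a subresource for some rel values; check stylesheets.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return
        for name, value in attrs.items():
            key = (tag, name)
            kind = ("active" if key in ACTIVE else
                    "passive" if key in PASSIVE else OTHER.get(key))
            if kind is None:
                continue
            # srcset is a comma-separated list of "URL descriptor" candidates.
            parts = value.split(",") if name == "srcset" else [value]
            for url in (p.split()[0] for p in parts if p.strip()):
                # Protocol-relative (//host/...) URLs inherit https: not flagged.
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], kind, tag, url))


def scan(html):
    """Return every explicit http:// reference found in an HTTPS page's HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Content that JavaScript or CSS loads at runtime does not appear in the static HTML, so a clean result here does not replace a check in the browser's developer console.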

Google is kicking off October – which just so happens to be Cybersecurity Awareness Month – by announcing three new ways for users to hide or delete their personal activity data when using Google products like Maps, YouTube, and Google Assistant. 

Incognito Mode For Maps

Incognito mode has been allowing people to browse the web while preventing data from being saved to their Google account or computer since 2008. Earlier this year, the company expanded the feature to YouTube, and soon it will be coming to Maps.

Once it is live, you’ll be able to quickly toggle incognito mode on and off by selecting it in the menu that appears when choosing accounts.

 

 

While the feature is coming to Android within the month, the company could only say it would be coming to iOS “soon”. 

Auto-Delete YouTube History

Google is also introducing a way for users to automatically delete their YouTube activity after a set amount of time. Specifically, you can select to keep data for 3 months, 18 months, or until you manually clear your history. 

A similar feature was introduced earlier this year for users’ location history and web activity and is expected to launch for YouTube this month. 

Managing Google Assistant Data

The search engine has introduced a way for people to control their Google Assistant activity using simple voice commands. 

For example, users could ask the Assistant to clear their history for the last week by saying “Hey Google, delete everything I said to you last week.”

 

This will be available to all Google Assistant users next week.

GoDaddy is one of the most popular hosting providers for small businesses, but it appears the hosting service may also be making changes to sites on its platform which could significantly slow or break sites entirely.

The service is injecting a piece of JavaScript code as part of its Real User Metrics (RUM) technology, which allows the service to track and measure the performance of websites. However, none of this information is provided to the sites on GoDaddy’s service in the form of analytics but is instead used solely by the company to improve systems and server configurations.

With this in mind, it is hard to see any benefit to continue allowing GoDaddy to install code for RUM on your site.

All US GoDaddy customers agree to opt-in to using RUM as part of the terms of service and the company does little to inform you of how it uses the technology. In a help document, the company also concedes it may have a negative impact on websites:

“Most customers won’t experience issues when opted-in to RUM, but the javascript used may cause issues including slower site performance, or a broken/inoperable website.

If you’re using Google’s AMP, you have pages ending with multiple ending tags, or your site performance is slower, you may want to opt-out of RUM.”

Considering how important site speed is to both search engines and actual consumers, it is highly likely RUM could be costing you traffic AND conversions.

Thankfully it is easy to opt-out of the RUM service if GoDaddy is your hosting provider. Just follow these steps:

  • Access your cPanel hosting account by logging in to your cPanel and clicking on your hosting account.
  • Click the three-dot menu button, and then click “Help us.”
  • Click “Opt out.”

Once this is done, the code will be immediately removed from your site.

Google has given webmasters their final warning to convert their sites to HTTPS or be branded as “Not Secure” with a prominent message in the browser bar of Chrome and all Chrome-based browsers after October of this year.

Why is Google doing this?

Google has been urging webmasters to switch their sites to the more secure HTTPS security protocol for years, using increasingly drastic measures. Currently, Google is denoting sites that are secure using a green icon in the browser bar. Since so many sites have now adopted the protocol, Google is taking this a step further with a prominent red warning for sites that are not secure.

What does this mean for you?

Internet users don’t give up their information easily. They have to trust that you won’t let their data be breached or misuse their information. If they see that your site is specifically “Not Secure”, they simply aren’t going to trust you with anything.

That could mean increasing bounce-rates for your website, fewer e-commerce sales, fewer newsletter sign-ups, or fewer internet-driven leads for your business.

Two-Stage Roll Out

Rather than “switching on” the security warnings all at once, Google will be rolling out the change in two steps.

First, Chrome will remove the green icon signifying safe websites from browser bars. In its place, they will temporarily leave the small lock icon.

Then, beginning in October, Google will introduce the official red icon identifying sites that are “Not Secure.”

This latest warning from Google gives webmasters plenty of time to make the switch, but I advise taking action sooner rather than later. You can get started right now with Google’s HTTPS set-up guides here.

Days before Facebook CEO Mark Zuckerberg is set to testify to Congress about the social network’s role in allowing Cambridge Analytica to exploit user data, Facebook is working to make it easy to see if your information was shared with the scandal-plagued analytics firm.

Facebook has published a new section within its help center called “How can I tell if my info was shared with Cambridge Analytica.” You can also quickly find the page by simply searching “Cambridge” or “Cambridge Analytica” in the Facebook search bar.

If you’re logged into your Facebook account, this page will automatically inform you whether your data was potentially breached by the “This is your digital life” app.

Since information has come to light about how Cambridge Analytica has been potentially misusing user data, the company’s relationship with Facebook has come under scrutiny. In response, the social network has taken several steps to attempt to win back the public’s trust – such as launching this latest page. It has also introduced a data abuse bounty program that allows users to report app developers that may be misusing data.

Questions will likely remain long after Mark Zuckerberg’s testimony tomorrow, but at least you can now personally check to see whether your personal account details are safe or have been exploited.

Do you have a search box or form on your website? Are you still using HTTP for your site? If so, you may want to begin the process of switching to HTTPS sooner rather than later.

Google says it is preparing to launch new efforts within its Chrome browser to encourage webmasters to migrate to HTTPS, the newer, more secure protocol for websites. Beginning in October, the browser will begin showing warning messages to visitors on pages with search boxes or forms.

As Google says, “[in] October 2017, Chrome will show the ‘Not secure’ warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.”

You can preview what the warning will look like in the gif below:

 

The warnings are just the latest effort by Google to encourage the adoption of HTTPS. Just recently, Chrome warned webmasters that pages with logins are now required to use HTTPS.

The end goal for Google is to mark any web page using HTTP as insecure, but it could be a lengthy process.

Between the countless public hacks, identity thieves, and an increasing awareness of how vulnerable personal information is, protecting customers’ personal data has become a hot-button topic over the past year.

This may be why an increasing number of sites are switching to the more secure HTTPS web security protocol. In fact, a new report from Moz suggests that more than half of first page listings on Google are using HTTPS.

While Google has suggested site security could potentially influence a website’s ranking, Moz says the steady growth of HTTPS suggests the rise is more likely attributed to sites making the switch – not an algorithm update. Google has also stated that it has no plans to increase the weight of HTTPS on rankings in the future.

To verify the findings, Moz worked with Rank Ranger who produced almost the exact same results using its system.

Dr. Pete Meyers, who reported the findings for Moz, believes up to 65% of front page results on Google could be using HTTPS by the end of the year. This is entirely possible, given that Chrome is set to begin marking non-HTTPS pages as non-secure if they ask for personal information such as a password or credit card information.

Interestingly, the growth of HTTPS appears to be fairly equal across markets. The results suggest approximately half of the biggest names in Google search results have adopted the security protocol, while newer pages are using HTTPS because it is inexpensive and easy to use.

As part of its #NoHacked campaign to raise awareness and prevent site hacking, Google released its latest annual review of hacked sites this week. As the data shows, site hacks will continue to be a major issue for webmasters for the foreseeable future.

From 2015 to 2016, the number of hacked sites grew by 32%. According to Google, hackers are becoming more aggressive but many webmasters are also letting their guard down. Instead of proactively keeping their site and security up to date, a significant number of webmasters are letting their sites become vulnerable and outdated. These sites are easy targets for hackers.

While the number of sites getting hacked is on the rise, Google is willing to show forgiveness to those affected. The company says it approved 84% of reconsideration requests from webmasters who have cleaned up their site from any hacking. However, Google also says it was unable to inform over half (61%) of affected site owners because their sites were not verified in Search Console.

What To Do If Your Site Has Been Hacked

In addition to the report, Google has also released several new documents aimed at educating webmasters about what to do if your site gets hacked and how to protect yourself.

These new help documents recently released by Google include:

The company has also released help documents focused on specific types of common site hacks, such as Gibberish Hacks, Japanese Keyword Hacks, and Cloaked Keywords Hacks.

How To Prevent Site Hacks

As always, an ounce of prevention is worth a pound of cure. Google’s top recommendation for facing the epidemic of site hacking is to avoid letting it happen in the first place. Specifically, they suggest keeping all software and plug-ins on your site up-to-date and keeping an eye on any announcements from your Content Management System (CMS) provider.

Also, be sure your site is verified in Search Console so Google can notify you in the event your website does get hacked.

Giving your visitors a place to comment on content or in a forum on your site is a great way to encourage interaction and build a bond with potential customers. But, it can be a headache trying to keep any sort of open comment area clean from spammers, trolls, and other sorts of nogoodniks.

This creates two different problems. If visitors see your pages and blog posts are followed by nothing but spam and other types of website vandalism, they’re likely to think less of your brand and potentially move on to someone else. Additionally, you can even get penalized by search engines like Google if it detects an abundance of spam or malicious links or code on your site.

So what can you do to keep your forums and blog comments clean of those seeking to use the opportunity for their own ends without shutting it all down? Google recently offered a few tips to make sure the only comments and posts your visitors see are from real humans interested in building a valuable discussion around your brand and products:

  • Keep your forum software updated and patched. Take the time to keep your software up-to-date and pay special attention to important security updates. Spammers take advantage of security issues in older versions of blogs, bulletin boards, and other content management systems.
  • Add a CAPTCHA. CAPTCHAs require users to confirm that they are not robots in order to prove they’re a human being and not an automated script. One way to do this is to use a service like reCAPTCHA, Securimage and Jcaptcha.
  • Block suspicious behavior. Many forums allow you to set time limits between posts, and you can often find plugins to look for excessive traffic from individual IP addresses or proxies and other activity more common to bots than human beings. For example, phpBB, Simple Machines, myBB, and many other forum platforms enable such configurations.
  • Check your forum’s top posters on a daily basis. If a user joined recently and has an excessive amount of posts, then you probably should review their profile and make sure that their posts and threads are not spammy.
  • Consider disabling some types of comments. For example, it’s a good practice to close some very old forum threads that are unlikely to get legitimate replies.
  • If you plan on not monitoring your forum going forward and users are no longer interacting with it, turning off posting completely may prevent spammers from abusing it.
  • Make good use of moderation capabilities. Consider enabling features in moderation that require users to have a certain reputation before links can be posted or where comments with links require moderation.
  • If possible, change your settings so that you disallow anonymous posting and make posts from new users require approval before they’re publicly visible.
  • Moderators, together with your friends/colleagues and some other trusted users, can help you review and approve posts while spreading the workload. Keep an eye on your forum’s new users by looking at their posts and activities on your forum.
  • Consider blacklisting obviously spammy terms. Block obviously inappropriate comments with a blacklist of spammy terms (e.g. illegal streaming or pharma-related terms). Add inappropriate and off-topic terms that are only used by spammers, and learn from the spam posts that you often see on your forum or other forums. Built-in features or plugins can delete or mark comments as spam for you.
  • Use the “nofollow” attribute for links in the comment field. This will deter spammers from targeting your site. By default, many blogging sites (such as Blogger) automatically add this attribute to any posted comments.
  • Use automated systems to defend your site. Comprehensive systems like Akismet, which has plugins for many blogs and forum systems, are easy to install and do most of the work for you.
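One way several of the tips above fit together in a single moderation gate: no anonymous posting, a blocked-term list, a time limit between posts, approval for new users, moderation of links from low-reputation users, and the daily check on new accounts with excessive posts. This is an added example, not code from Google or from any forum package; the thresholds, field names, term list, and sample users are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed policy values for illustration; tune them for your own forum.
MIN_POST_INTERVAL = timedelta(seconds=30)  # time limit between posts
NEW_ACCOUNT_AGE = timedelta(days=7)        # what counts as "joined recently"
MAX_NEW_ACCOUNT_POSTS = 20                 # "excessive" posts for a new account
MIN_LINK_REPUTATION = 10                   # reputation needed to post links freely
SPAM_TERMS = ("free movie stream", "cheap pills")  # constructed term list


def triage(post, user, last_post_at=None):
    """Decide what happens to one submitted post: (decision, reason)."""
    body = post["body"].lower()
    if user is None:
        return ("reject", "anonymous posting is disabled")
    if any(term in body for term in SPAM_TERMS):
        return ("reject", "listed spam term")
    if last_post_at is not None and post["at"] - last_post_at < MIN_POST_INTERVAL:
        return ("reject", "posting too fast")
    if post["at"] - user["joined"] < NEW_ACCOUNT_AGE:
        return ("hold", "new account needs approval")
    has_link = "http://" in body or "https://" in body or "<a " in body
    if has_link and user["reputation"] < MIN_LINK_REPUTATION:
        return ("hold", "link from low-reputation user")
    return ("publish", "ok")


def review_queue(users, now):
    """Daily check: recently joined accounts with an excessive post count."""
    return sorted(u["name"] for u in users
                  if now - u["joined"] < NEW_ACCOUNT_AGE
                  and u["posts"] > MAX_NEW_ACCOUNT_POSTS)


# Constructed sample data.
NOW = datetime(2017, 3, 1, 12, 0, 0)
USERS = [
    {"name": "alice", "joined": NOW - timedelta(days=400), "posts": 350, "reputation": 80},
    {"name": "bob", "joined": NOW - timedelta(days=30), "posts": 4, "reputation": 2},
    {"name": "zz_deals", "joined": NOW - timedelta(days=1), "posts": 95, "reputation": 0},
]


def run_sample():
    """Run six constructed submissions through the gate, in order."""
    alice, bob, deals = USERS
    return [
        triage({"body": "Thanks, that fixed it.", "at": NOW}, alice),
        triage({"body": "See https://example.com/guide", "at": NOW}, bob),
        triage({"body": "Hello all", "at": NOW}, deals),
        triage({"body": "Again!", "at": NOW}, alice, NOW - timedelta(seconds=5)),
        triage({"body": "Cheap pills here", "at": NOW}, bob),
        triage({"body": "First!", "at": NOW}, None),
    ]
```

Held posts go to the moderators described in the list, and `review_queue` gives them the short list of accounts to look at each day.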

Google HTTPS Warning

Google is making some changes to protect users’ sensitive information online, and it could lead to your site being marked as non-secure by Google’s web browser at the end of this month.

Google released a warning that as of the end of January 2017, Chrome will mark sites without HTTPS as non-secure if they collect private information like passwords or credit cards.

Google #NoHacked HTTPS

“Enabling HTTPS on your whole site is important, but if your site collects passwords, payment info, or any other personal information, it’s critical to use HTTPS.”

The company has encouraged implementing HTTPS in the past by making it a (very minor) search ranking signal. Now, from the sound of the alert, the company says an entire site will need to be HTTPS if any pages collect payment or sensitive information.

Switching over to HTTPS is an easy process, but you should begin preparing to make the switch now if your site fits the criteria. Otherwise, you are likely to be flagged as non-secure in February and lose a large amount of your web traffic.