Today I Learned about browser hijackers. Boo! Hiss!
After writing my lengthy 2016 New Year's intention post, I posted a link to it on Facebook, in keeping with Intention bullet point 4. :) A few minutes later, my friend Robin (Getting Grounded) commented that when she clicked on my link, she was redirected to a completely different website, and wondered if my garden blog had been hacked. Aaugh!, I replied, and went to work trying to figure out the problem.
First, I went to my MacBook Pro (Apple laptop), and tried accessing my blog from the Facebook link I posted, using three different browsers: Safari, Chrome, and Firefox. I found no problems - the link took me straight to my blog post on each browser. Meanwhile, my friend Rachel commented on my Facebook post that she wasn't having any problems at all, like me. The plot thickens. Is the problem with my post, the Facebook link, or something on Robin's end?
Then Robin said she was on her iPad. Aha! I asked Jack if I could borrow his iPad to troubleshoot the issue. Sure enough, when I clicked on my Facebook link from Jack's iPad, I was redirected to a video game for sale in Apple's App Store. Robin said she'd been redirected there too; on another attempt, she was redirected to a known browser hijacker's website. Oh, for the love of Pete. I had just listed a number of factors in my Intention post that made blogging a real drag: glitchy blogging platforms, comment spam, blog scrapers... so now we can add browser hijackers to the list, too. Big Noisy Sigh.
Where was the hijack happening and how could I stop it? I continued to search the Internet for answers and came across a couple of informative webpages. I found the first on a link posted on the Blogger Help Forum: Don't Make Your Blog Vulnerable to Strategic Malware. Malware? Yes, malware. According to this article, adding third-party gadgets, even those listed on Blogger, makes your blog more vulnerable to redirect or hijack attacks. The page recommended deleting any and all third-party gadgets to reduce the risk.
The second helpful webpage I found, titled Removing a Malware Warning Blogspot (Blogger) site, gave detailed information for troubleshooting both my Blogger template and all the gadgets on my Blogger home page to look for problems. Happily, these issues are almost never caused by someone hacking into the template itself and rewriting it to add malicious code (whew!). In the author's experience, the hijack/redirect access point is always a third-party gadget or icon on the blog's home page. Good to know!
So I deleted the moon-phase gadget and the weather sticker from my blog home page, and voila, the redirect problem was fixed. I don't know which one was the problem - Robin was redirected to two different sites, so maybe they both were - but since the gadgets can be hacked at any time, I decided to delete them both, asap. Sadly, I really liked those two gadgets, and Blogger has no Google-designed moon-phase or weather gadgets to replace them, and with the marked decline in blogging in recent years, I don't expect Blogger to add new gadgets - but I can't have my visitors being redirected to spammy sites. Not acceptable!
While I was battening down the hatches, so to speak, I decided to turn on HTTPS Availability on my blog. This allows visitors to view my blog over an encrypted connection by adding https:// before my URL. I then had to go into my blog template to make sure all the content was HTTPS compatible. A Blogger Help article titled Fix mixed content on your blog helped me work through three fairly simple steps.
The first step is to back up the existing template (yes, I had to reinstall my template once during this process! Don't skip this step! It's important! Do it!).
The second step is to edit the template to change every http:// to https://. Preview the new template to make sure everything works/looks right, then save the changes. (I had five http:// in my template to which I added five s's: not hard!) If you change something by accident and something doesn't look right, upload your old template (the one you backed up), and try again, carefully. (I accidentally deleted the Search box at the top of my blog. Uploading my old template restored it. Yay for backups!)
In fact, probably the easiest way to deal with the mixed content error issue is to upgrade my blog template to something more modern. My clean and classic template is seven years old, which means its code is seven years old, too. This article on forced SSL, canonical URLs and protocol relative URLs is a little over my head, but suffice to say, encryption is a choice, forcing HTTPS on folks causes broken links, pages and websites, and using a modern template should ensure that anyone can read my blog whether the reader is accessing it through an HTTP or an HTTPS connection. But that's a tidy-up task for another day, and one that will require me to download my entire blog - shudder!
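Here is one way to run both checks from this post (plain http:// references that trigger mixed content warnings, and third-party gadgets that load scripts or frames from someone else's server) over a saved copy of a template or of the blog's page source. This is an added example, not part of the original post or of any Blogger tool; the sample page, every host name in it, and the `trusted_hosts` default are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample standing in for a saved template or page source; every
# URL and host name in it is a made-up placeholder, not a real gadget provider.
SAMPLE_TEMPLATE = """\
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<link href='http://fonts.example.net/css?family=Lora' rel='stylesheet'/>
<script src='https://www.blogger.com/static/v1/widgets/123-widgets.js'></script>
</head>
<body>
<a href='http://friends-blog.example.org/'>A friend's blog</a>
<img src='//photos.example.com/header.jpg'/>
<script src='http://moon-widget.example.com/phase.js'></script>
<iframe src='https://weather-sticker.example.com/badge?zip=00000'></iframe>
</body>
</html>
"""

# Tags whose URL is fetched automatically when the page loads. <a href> is
# left out: a plain link loads nothing until the reader clicks it.
LOADING_TAG = re.compile(
    r"<(script|iframe|img|embed|link)\b[^>]*?\b(?:src|href)\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE)
ACTIVE_TAGS = {"script", "iframe", "embed"}   # these can run code or redirect


def audit_template(text, trusted_hosts=("www.blogger.com",)):
    """Return (mixed_content, third_party) findings for template text."""
    mixed, third_party = [], []
    for match in LOADING_TAG.finditer(text):
        tag, url = match.group(1).lower(), match.group(2)
        line_no = text.count("\n", 0, match.start()) + 1
        parsed = urlparse(url)
        if parsed.scheme == "http":            # needs the added "s"
            mixed.append((line_no, tag, url))
        if tag in ACTIVE_TAGS and parsed.netloc and parsed.netloc not in trusted_hosts:
            third_party.append((line_no, tag, parsed.netloc))
    return mixed, third_party


if __name__ == "__main__":
    mixed, third_party = audit_template(SAMPLE_TEMPLATE)
    for line_no, tag, url in mixed:
        print(f"line {line_no}: <{tag}> loads over plain HTTP: {url}")
    for line_no, tag, host in third_party:
        print(f"line {line_no}: <{tag}> runs content from {host}")
```

The protocol-relative image (`//photos.example.com/...`) and the ordinary link to a friend's blog are not reported, since neither one causes a mixed content error or runs third-party code on the page.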
HTTPS activated and hijackable gadgets deleted: that's two blog tidy-up tasks completed! Like weeding a garden, we bloggers have to be diligent at keeping malicious content out of our blogs, or they'll run roughshod over our blogging communities like Bermuda grass over a raised bed. Dormant blogs, blogs with old outdated templates, the Internet Explorer browser and Android devices seem to be hot hacker targets at the moment, but all of us are vulnerable. As Elvis used to say, we gotta TCB - Take Care of Business! If you aren't at all tech-savvy, increasing the security on your blog may seem like a burden, but if I can do it, you can, too - or find a tech-savvy person to help you with it. Don't forget to install software updates on your devices, too - they often contain patches to solve specific known security problems.
I really appreciate Robin for letting me know she was getting redirected to a spammy website. If you ever have problems accessing my blog, please let me know and I will try to work with you to sort it out!
Words and photos © 2009-2016 Caroline Homer for "The Shovel-Ready Garden". Unauthorized reproduction is prohibited.