Sunday, January 3, 2016

Updated! Public Service Announcement: keep a close eye on your blog gadgets & icons! (Hijack attacks, security)

Today I Learned about browser hijackers. Boo! Hiss!

After writing my lengthy 2016 New Year's intention post, I posted a link to it on Facebook, in keeping with Intention bullet point 4. :) A few minutes later, my friend Robin (Getting Grounded) commented that when she clicked on my link, she was redirected to a completely different website, and wondered if my garden blog had been hacked. Aaugh!, I replied, and went to work trying to figure out the problem.

First, I went to my MacBook Pro (Apple laptop), and tried accessing my blog from the Facebook link I posted, using three different browsers: Safari, Chrome, and Firefox. I found no problems - the link took me straight to my blog post on each browser. Meanwhile, my friend Rachel commented on my Facebook post that she wasn't having any problems at all, like me. The plot thickens. Is the problem with my post, the Facebook link, or something on Robin's end?

Then Robin said she was on her iPad. A ha! I asked Jack if I could borrow his iPad to troubleshoot the issue. Sure enough, when I clicked on my Facebook link from Jack's iPad, I was redirected to a video game for sale in Apple's App Store. Robin said she'd been redirected there too; on another attempt, she was redirected to a known browser hijacker's website. Oh, for the love of Pete. I had just listed a number of factors in my Intention post that made blogging a real drag: glitchy blogging platforms, comment spam, blog scrapers... so now we can add browser hijackers to the list, too, Big Noisy Sigh.

Where was the hijack happening and how could I stop it? I continued to search the Internet for answers and came across a couple of informative webpages. I found the first on a link posted on the Blogger Help Forum: Don't Make Your Blog Vulnerable to Strategic Malware. Malware? Yes, malware. According to this article, adding third-party gadgets, even those listed on Blogger, make your blog more vulnerable to redirect or hijack attacks. The page recommended deleting any and all third-party gadgets to reduce the risk.

I only had two non-Blogger gadgets on my page. One was a Real-Time Earth and Moon Phase widget by a third-party developer (Albino Blacksheep) that uses experimental CSS3 code to work; this gadget is listed on Blogger's Add a Gadget feature under More Gadgets in the Layout or Design section of the Dashboard. The other gadget was a weather sticker from that lists temperature, wind speed and precipitation information for my specific neighborhood; I added this gadget myself using Blogger's HTML/JavaScript function. I've had both of these gadgets on my home page for years. No matter, says the author: these third-party gadgets are all vulnerable to redirect attacks at any time. Simply delete the gadgets from your blog to fix the problem. But... but... I really like those two gadgets... sniff...

The second helpful webpage I found, titled Removing a Malware Warning Blogspot (Blogger) site, gave detailed information for troubleshooting both my Blogger template and all the gadgets on my Blogger home page to look for problems. Happily, these issues are almost never caused by someone hacking into the template itself and rewriting it to add malicious code (whew!). In the author's experience, the hijack/redirect access point is always a third-party gadget or icon on the blog's home page. Good to know!

So I deleted the moon-phase gadget and the weather sticker from my blog home page, and voila, the redirect problem was fixed. I don't know which one was the problem - Robin was redirected to two different sites, so maybe they both were - but since the gadgets can be hacked at any time, I decided to delete them both, asap. Sadly, I really liked those two gadgets, and Blogger has no Google-designed moon-phase or weather gadgets to replace them, and with the marketed decline in blogging in recent years, I don't expect Blogger to add new gadgets - but I can't have my visitors being redirected to spammy sites. Not acceptable!

While I was battening down the hatches, so to speak, I decided to turn on HTTPS Availability on my blog. This allows visitors to view my blog over an encrypted connection by adding https:// before my URL. I then had to go into my blog template to make sure all the content was HTTPS compatible. A Blogger Help article titled Fix mixed content on your blog helped me work through three fairly simple steps.

The first step is to back up the existing template (yes, I had to reinstall my template once during this process! Don't skip this step! It's important! Do it!).

The second step is to edit the template to change every http:// to https://. Preview the new template to make sure everything works/looks right, then save the changes. (I had five http:// in my template to which I added five s's: not hard!) If you change something by accident and something doesn't look right, upload your old template (the one you backed up), and try again, carefully. (I accidentally deleted the Search box at the top of my blog. Uploading my old template restored it. Yay for backups!)

The next step is to view the blog home page itself through JavaScript Console and look for mixed content errors. (See the Mixed Content article above for detailed instructions) I found a boatload of errors related to the tiny little icons located next to each blog listed on the blog rolls on my right sidebar. Most of these icons merely indicate what platform each blogger uses, e.g., Blogger blogs have a little orange-and-white Blogger icon, WordPress blogs have a little blue-and-white WP icon, and so on; some bloggers design a custom icon (called a favicon) as part of their personal online branding. Since apparently these icons can be used by ne'er-do-wells to launch redirect or hijack attacks (seriously? yes, seriously) at worst, and make viewing a blog problematic over an encrypted connection at best, I edited all my blog rolls (Austin, Texas, National, and Other) to turn off all the icons - and voila, all my mixed content errors went away.

Uncheck the Icon box (shaded) next to Show
and click the orange Save button.

Because I activated HTTPS, when I add hyperlinks to future blog posts, I now have to make sure the hyperlink includes https://, not http://. Now a little message pops up whenever I start a blog post, to remind me.
Edit - um, no, that's not how it works. Today I Learned that https:// hyperlinks only work if the linked web page or blog has turned on HTTPS availability, otherwise the link goes nowhere, i.e., it becomes a broken link. And hardly anyone has turned on HTTPS availability, because HTTPS support is new for Blogger blogs, and isn't yet supported for blogs with custom domain names (like the author of the malware article above). So strike adding https hyperlinks as a general rule. But turning on HTTPS availability is helpful, as explained on this Google Product forum post.

In fact, probably the easiest way to deal with the mixed content error issue is to upgrade my blog template to something more modern. My clean and classic template is seven years old, which means its code is seven years old, too. This article on forced SSL, canonical URLs and protocol relative URLs is a little over my head, but suffice to say, encryption is a choice, forcing HTTPS on folks causes broken links, pages and websites, and using a modern template should ensure that anyone can read my blog whether the reader is accessing it through an HTTP or an HTTPS connection. But that's a tidy-up task for another day, and one that will require me to download my entire blog - shudder!

HTTPS activated and hijackable gadgets deleted: that's two blog tidy-up tasks completed! Like weeding a garden, we bloggers have to be diligent at keeping malicious content out of our blogs, or they'll run roughshod over our blogging communities like Bermuda grass over a raised bed. Dormant blogs, blogs with old outdated templates, the Internet Explorer browser and Android devices seem to be hot hacker targets at the moment, but all of us are vulnerable. As Elvis used to say, we gotta TCB - Take Care of Business! If you aren't at all tech-savvy, increasing the security on your blog may seem like a burden, but if I can do it, you can, too - or find a tech-savvy person to help you with it. Don't forget to install software updates on your devices, too - they often contain patches to solve specific known security problems.

I really appreciate Robin for letting me know she was getting redirected to a spammy website. If you ever have problems accessing my blog, please let me know and I will try to work with you to sort it out!

Words and photos © 2009-2016 Caroline Homer for "The Shovel-Ready Garden". Unauthorized reproduction is prohibited.


  1. Good grief! Those hackers stay busy and keep us busy too, don't they? I really appreciate your sharing all this, Caroline. You are right on with the weeding analogy. Blogs aren't maintenance free any more than a garden is. But if you stay on top of it, it's manageable, and having help like your post makes it even easier.

    1. Keeping us on our toes, those hackers! What will they come up with next? Thank goodness Robin said something or I would have never known! Happy to hear you found the post was helpful.

  2. Thanks for this info.
    Guess I need to check my blog out. I've been neglecting it a lot lately.

    1. Posting a link to a blog post on Facebook is a great way to see if you have a problem, ha ha ha! Just be sure to download your template before you change anything, so you can upload/restore it if anything goes wrong. And if you're going to change the whole template to something more modern, download your whole blog first!

  3. This makes my heart sink, and I appreciate you sharing it! I need to read it about 6 more times before I can grasp it. Wanna host a webinar for all of us? We can pay you in plants! ;-)

    1. Yeah, about halfway into this post, I realized I was way in over my head, yet I'm writing the post like I actually know what I'm talking about, ha ha ha sob. Hence, the edit. I don't know enough to host a webinar but I'd be happy to sit in a room with y'all and demonstrate what I did to fix the immediate issues Robin was experiencing.