WebProNews

Google's noteworthy antispam engineer Matt Cutts discussed the issue of cross-site scripting (XSS) flaws, as vulnerable sites have infected pages popping up in the dominant search engine's results pages. Failing to sanitize input properly with one's web application could lead to XSS exploits on the pages displayed by your website. These pages also find their way into search engines like Google, potentially exposing them to an even broader audience.

When that happens, visitors to those pages may be connected to malware downloads. Such malware may steal personal information from the corrupted machine, or make it a node on a botnet for the purpose of attacking or spamming others.

XSS is bad juju, folks, Cutts said so too, as he called for webmasters to look at their text boxes, especially search boxes, for possible problems:

If you’ve noticed that your rankings in Google seem to be affected, you might consider a few searches on your site to see if anyone has injected spammy or porn content on your site. If your domain was example.com, you might want to run a few queries such as [site:example.com porn] or [site:example.com biaxin] or [site:example.com viagra] to see whether you run across unexpected results.

Cutts also suggested the upgrade process for site applications, like the WordPress blog platform purely as an example, should be accompanied by an admin password change. "Sometimes hackers are smart enough to save your password and come back even after you’ve fully patched your system," he said.

A strong password means more than letters and numbers. But computational power available on the market means a strong password is not enough. We suggest the old standby of making a new admin account with a different name than a default like "root" or "admin" and giving it administrative rights with a strong password, and make the old admin name a user account with no significant rights in the system.