Making Sense of Google Analytics with Annotations


As I mentioned in the article on tracking traffic with Google Analytics, measuring and monitoring your blog's performance is important. The goal is to do more of what works and less of what doesn't. However, the amount of blog traffic isn't only about how your site ranks in search for certain keywords; people find your site and your business in different ways. There are also factors beyond your SEO efforts that influence the rankings themselves.

So how do you know what exactly is bringing traffic to your site? Obviously, you can dig into Analytics' extensive reporting and analyze what is going on; however, sometimes we want the answer more quickly than that, and very often the answer should be obvious. For example, in the case of filtering referral spam out of Google Analytics reporting, if your site has been under attack by GA spammers, the drop in reported traffic will be very obvious if the filter is set up correctly. However, as I mentioned in the other article, the filter only applies to traffic recorded after it is in place, not before. So you have to wait to see the true reports.

Let's say you go back several months later, you see this drop, and you start wondering, "What happened there?" You might wonder if you lost positions in search or if there was a functional problem with your web site. If you keep some sort of site journal tracking each change to your web site, you could go back through the history and see if you can tell what caused the fluctuation in traffic. However, there is an easier way to record this: annotations in Google Analytics.

What Are Annotations

So what are annotations? An annotation in general is described as “a metadata (a comment, explanation, presentational markup) attached to text, image, or other data.” Put most simply, an annotation is a note that explains data. Google Analytics offers the ability to add an annotation, a note or comment, to any specific date in a reporting period. So, for example, if you add a filter to Google Analytics to block the referral spam, also add an annotation to the date it is done so that someone can quickly see what that change was at any future point in time.

How to Create Annotations in Google Analytics

Adding an annotation in Google Analytics is a simple and straightforward process.

Step 1 Log into your Google Analytics account and go to the Dashboard for the site you will be editing.

Step 2 Under the main traffic dashboard, click the arrowhead underneath the traffic graph.

Step 3 Click “create new annotation.”

Step 4 Click in the date field to select the date to annotate, enter a description of the event, and click Save.

The traffic graph will now be marked to indicate the annotation for that date. If you have multiple annotations and want to draw attention to one or more particular dates, you can star the annotation and a star will display next to the comment indicator.

When to Use Annotations in Google Analytics

When should you use annotations in Google Analytics? Any time you make a significant change to your site, or there is a significant event related to your business that has the potential to impact traffic to your web site. This might not be something web related. Maybe you ran an ad with a link to your site. (This could also be tracked using custom urls and campaigns.) Maybe your business was mentioned on the news or another media channel with a wide reach. Maybe you had a piece of content that went viral. Anything that is outside of your regular business practice or normal site promotion efforts and growth. Here are a few suggestions for when to annotate in Google Analytics:

  • Any changes that filter traffic or reporting on your site.
  • Changes in url structure of your web site
  • Launching a new site or a web site redesign.
  • Any major change in site keywords and targeting.
  • When your business has an event or a promotion that is outside of your standard operations.
  • When a piece of content goes viral across any channel. Even if the content is being shared across a social media channel, there should be residual traffic to your site.
  • When your business receives promotion that is out of your standard process, such as by a major news source or by an industry leader. This would be a good time, if you aren't doing so already, to set up a report tracking the average traffic and noting how much of that new traffic is retained after the major spike.

What other ways do you use annotations?

Google Analytics Referral Spam & Your Site


If you have a blog or a web site that you’ve been working on for any amount of time, one of the first things you learn is how to measure the traffic on your site. Without measuring performance, all the money, time and effort can be a little discouraging if you don’t see results. There are few things more aggravating than seeing an increase in site traffic and then realizing that it is nothing more than spammers artificially increasing your site stats.

What is the Point of Referral Spam?

So what is the point of someone spamming your site statistics? I think a screenshot of some of the referrals makes it obvious. What is supposed to show in this field is a list of sites that have sent your site traffic. Unsuspecting webmasters, thinking that one of these sites is linking to them, will click on the site, generating traffic for the spammer. Sometimes it is traffic only and the spammer benefits from CPM ad revenue. Sometimes the link is to a malicious site. Sometimes it is a product or service provider hoping that someone will be interested in their service. And of course, sometimes it is the ultimate source of spam: a link to a porn site.

example of referral spam

By the way, this happens to be a site that has already been filtered for spam referrals. These are new spam domains that have been added in the past couple of months. Obviously, the person with the domain was hoping for click-throughs to take advantage of the Black Friday specials. Will the majority of people visit the spam site? No, but through the sheer volume of spam referrals, the slight percentage that do make it worthwhile to the spammers.

Why is Referral Spam a Problem?

So someone is messing with your site statistics. Why is this a problem? For sites with a large amount of traffic, it may not be much of an issue, as the percentage of spam versus actual traffic may be minuscule. However, referral spam has become such a nuisance that I believe over time it can distort the picture of site traffic and growth even for large sites.

It is a problem particularly for sites that are new and sites without a large amount of traffic. I have seen referral spam that records 200 to 300 visits per month from a single domain to a site. For some small business sites, this completely obscures the true measure of actual site growth. The sites with low traffic volume are also more likely to have inexperienced webmasters who won't realize that it is spam and will actually visit the potentially malicious site.

How Referral Spam Works

A few months ago, I spent quite a bit of time researching how to get rid of this nuisance. Referral spam has been an issue almost as long as the internet has been around; however, this particular type of spamming is fairly new. Before, spammers would hit your server with a forged referrer, spoofing an actual visit. This would not only generate a bogus referral link (bogus in that an actual person did not visit your site from that referrer), but it would also consume your site's bandwidth. You would notice it through the bandwidth spike as well as the referral log. Once identified, the spam referrer could be blocked through the site's .htaccess file.

This referral spam is different. There is no interaction between the spammer and your site at all. Instead, the spammer interacts directly with Google Analytics, triggering a referral for your site. They do this by crawling your site and reading your Google Analytics tracking ID out of the tracking code embedded in its pages. Once they have that ID, they use it to tell Google that there has been a visit to your site from theirs. Since there is no interaction with your site, this referral spam can't be blocked at the site level at all.

How do you know if you are dealing with Google Analytics referral spam versus the old style that jacked up your bandwidth? The problem is so pervasive at this point that I think if any site is using Google Analytics and has any sort of web presence at all, it is probably getting hit. However, you can confirm this by looking at the referrals in Google Analytics and comparing them to the referral log in your hosting account's stats: a referrer that shows up in Analytics but never appears in the server's own log never touched your site.
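As an added example that is not part of the original article (and not a tool from any of the services it mentions), the following Python script does that comparison. It parses constructed access-log lines in the Apache/nginx combined format, collects the Referer hostnames the server actually saw, and flags any referral source from a constructed Analytics report that never appears in the log: those hits went straight to Google Analytics and never touched the site. All hostnames, addresses and session counts are made up for the demonstration.

```python
# Added example, not code from the original article: tell Analytics "ghost"
# referral spam (hits sent straight to Google Analytics with your tracking ID)
# apart from classic referrer spam (forged requests that really reached the
# server) by checking each referral source Analytics reports against the
# Referer field of the web server's own access log.
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: the Referer is the first quoted field
# after the status code and response size.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample access log (hypothetical hosts and addresses), not real data.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Dec/2015:08:01:12 +0000] "GET / HTTP/1.1" 200 5120 "https://news-site.example/story" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2015:08:02:30 +0000] "GET /blog/ HTTP/1.1" 200 8120 "https://t.co/abc123" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2015:08:03:05 +0000] "GET / HTTP/1.1" 200 5120 "http://classic-referer-spam.example/" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2015:08:03:06 +0000] "GET / HTTP/1.1" 200 5120 "http://www.classic-referer-spam.example/" "Mozilla/5.0"
203.0.113.12 - - [10/Dec/2015:08:04:44 +0000] "GET /contact/ HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Constructed referral sources with session counts, as the Analytics
# "Referrals" report would list them (hypothetical).
SAMPLE_GA_REFERRALS = {
    "news-site.example": 11,
    "t.co": 15,
    "classic-referer-spam.example": 2,
    "ghost-spam.example": 240,
    "black-friday-deals.example": 180,
}


def normalize_host(host):
    """Lower-case a hostname and drop a leading 'www.' so log and Analytics values compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def referer_hosts(log_text):
    """Count the referring hostnames the web server actually saw."""
    hosts = Counter()
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m or m.group("referer") == "-":
            continue  # unparsable line, or a direct visit without a Referer
        host = urlsplit(m.group("referer")).hostname
        if host:
            hosts[normalize_host(host)] += 1
    return hosts


def classify_referrals(ga_referrals, log_text):
    """Split Analytics referral sources into those backed by server requests and ghosts.

    Returns (server_side, ghost): two dicts of source -> sessions. A ghost source
    never appears in the server log, so a site-level block (.htaccess) cannot
    touch it; it has to be filtered inside Analytics.
    """
    seen = referer_hosts(log_text)
    server_side, ghost = {}, {}
    for source, sessions in ga_referrals.items():
        bucket = server_side if normalize_host(source) in seen else ghost
        bucket[source] = sessions
    return server_side, ghost


if __name__ == "__main__":
    real, ghosts = classify_referrals(SAMPLE_GA_REFERRALS, SAMPLE_ACCESS_LOG)
    print("Referrals backed by server requests:", real)
    print("Ghost referrals, never hit the server (filter in Analytics):", ghosts)
```

A source that shows up in both places may still be spam (the classic kind), so the comparison only tells you which kind you are dealing with and where a block can work: ghosts can only be filtered inside Analytics, while referrers that reach the server can also be blocked in .htaccess. Compare over the same date range, or a low-volume legitimate referrer can be misreported as a ghost simply because its one visit fell outside the log you checked.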

How to Block Referral Spam in Google Analytics

As people came to grips with combating this issue, there was a lot of different advice for blocking it. Some of it was wrong. Some said to block it in the .htaccess file, which doesn't work, because the spam never reaches your server. Some methods simply kept the referring domain name from being viewed but still counted the spam referral as real traffic. Not only does that not help, it makes the problem worse: your traffic is still inflated, but you can no longer see the source of it, even if it is false.

What I have tried that actually works is creating a filter in Google Analytics that excludes hits whose campaign source matches the spam domains, so they are neither shown as a referral source nor counted in the site traffic.


  1. Go to the Admin tab for your property in Google Analytics.
  2. Click Filters.
  3. Click Add Filter.
  4. Enter a name for the filter.
  5. Select “Custom” for the filter type and “Exclude” as the action.
  6. Select “Campaign Source” for the filter field.
  7. In the filter pattern, enter the domain names, separated by pipes (|) and with each period escaped by a backslash (\.); an unescaped period matches any single character.
  8. Add the views the filter should apply to. This is an account level filter and you may have multiple domains tracked under that account. Select all the domains or individual views you would like the filter applied to.


These are the filter patterns I have right now:

Filter #1


Filter #2


Here's the bummer: there is a character limit (255 characters) on the filter pattern, so depending on how many domains need to be blocked, you may need to create multiple filters. The other thing is that this filter will need to be updated continually, because spammers never sleep. Well, they do, but they automate all this so it keeps running, creating work for you, while they go off and have coffee.
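As an added example that is not part of the original article, the following Python script builds the filter patterns from a list of domains, following the rules above: each period is escaped with a backslash, domains are joined with pipes, and the list is split into as many patterns as needed to stay within the 255-character limit on a filter pattern. The domain names are constructed for the demonstration and are not a real blocklist; the matching check assumes, as the filter does, an unanchored regular-expression match on the Campaign Source field.

```python
# Added example, not code from the original article: turn a list of spam
# referrer domains into "Campaign Source" exclude-filter patterns for Google
# Analytics. Periods are escaped with a backslash (a bare "." in a filter
# pattern matches any single character), domains are joined with "|", and the
# list is split across as many patterns as needed to stay within the
# per-filter character limit.
import re

FILTER_PATTERN_LIMIT = 255  # Analytics filter patterns are limited to 255 characters

# Constructed sample of spam referrer domains (hypothetical names, not a real blocklist).
SAMPLE_SPAM_DOMAINS = [
    "free-traffic-now.example", "black-friday-sale.example", "seo-boost.example",
    "share-buttons.example", "site-rank.example", "cheap-hosting.example",
    "video-ads.example", "social-widgets.example", "best-deals.example",
    "ad-network.example", "visitor-stats.example", "web-tools.example",
    "Site-Rank.example",  # duplicate differing only in case, dropped below
]


def escape_domain(domain):
    """Escape a hostname for a filter pattern so each '.' matches only a literal period."""
    return domain.strip().lower().replace(".", r"\.")


def build_filter_patterns(domains, limit=FILTER_PATTERN_LIMIT):
    """Pack escaped domains into '|'-joined patterns, none longer than `limit` characters."""
    patterns, current = [], []
    for escaped in sorted({escape_domain(d) for d in domains}):  # dedupe, stable order
        if len(escaped) > limit:
            raise ValueError(f"domain does not fit in one filter pattern: {escaped}")
        if current and len("|".join(current + [escaped])) > limit:
            patterns.append("|".join(current))  # this pattern is full, start the next one
            current = []
        current.append(escaped)
    if current:
        patterns.append("|".join(current))
    return patterns


def matches_any(patterns, campaign_source):
    """Apply the patterns the way the filter does: an unanchored regex match on the field."""
    return any(re.search(p, campaign_source) for p in patterns)


if __name__ == "__main__":
    for i, pattern in enumerate(build_filter_patterns(SAMPLE_SPAM_DOMAINS), start=1):
        print(f"Filter #{i} ({len(pattern)} chars): {pattern}")
```

Running it prints the patterns with their lengths; paste each one into its own filter. Because the match is unanchored, `site-rank\.example` also catches `www.site-rank.example`, but check that no pattern is a substring of a legitimate referrer before saving: sessions an exclude filter drops are gone from that view for good.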

Easy Way to Block Google Analytics Referral Spam

After all of this, here is the simplest way to block referral spam, which I discovered when revisiting all the information to write this article. As I mentioned, this is a headache that continually has to be addressed. Stijlbreuk created a service that automatically updates your Google Analytics filters for you. Here is the "why" from their site:

Referrer spam blocker started as a Friday-afternoon project here at Stijlbreuk. We were tired of manually updating the spam filters and created a tool that did this automatically to make our lives easier. We showed some people in our network and because they were enthusiastic we decided to spend a “little bit more time” on it to make it more user friendly.

We thought about possible business models before making the app public, but we decided that making money off the spam issue just didn’t feel right. We see the tool as our “digitale visitekaartje” or “digital business card” in English. We hope that some companies will notice the quality of the tool and get in touch for similar projects. If you like what you see, please contact us here.


So rather than going back to constantly update your filters:

  1. Log into your Google Analytics account
  2. Visit the Referral Spam Blocker site
  3. Click Authenticate now
  4. Click “Allow” to give the Referral Spam Blocker app access to your Analytics account
  5. Select the accounts you would like the filters applied to
  6. Click the “Let’s Do This” button at the bottom

But wait, that sounds too easy, and it's free? Yes, it's free, but there are two things to keep in mind. First, you are granting a third-party application edit access to your Analytics account through Google's authorization screen; you can review and revoke that access at any time from your Google account's security settings. Second, their service currently has a daily limit of 2,000 calls to Google's API. Blocking referrers for one site takes approximately 30 calls, so only about 66 sites can be added to the service per day. If you visit and their quota is exhausted, try again the next day or add the filters manually as described above.

Where to Go From Here

Now that you've blocked all the spam referrers from showing up in your web site stats, what do you do next? First, the filter doesn't remove referrals that were recorded before it was in place, so if you view your statistics by the month, as most people do, it will take a full month before you are looking at "clean" statistics. If you are in the process of growing your site, be prepared for a drop in traffic numbers. It might be a little discouraging, but remember, they were never actual visitors in the first place.

Need Help Analyzing Your Site?

Need help making sense of what is or is not going on with your web site? Contact us for a strategy session.

Further Resources on Blocking Google Analytics Referral Spam

  • Definitive Guide to Removing Google Analytics Spam from Analytics Edge: This has a good overview of the history of the different spam tactics
  • Guide to Removing Referrer Spam in Google Analytics from Analytics Toolkit: Screenshots of how to set up your filters in Google Analytics, but you have to scroll down to see the most recent solution.
  • How to Stop Referrer Spam from Raven Tools: This is another play by play in the search for a solution; however, again scroll down to the bottom of the article for the most current solution.
  • Filtering Domain Referrals from Google:  (Added June 2016) Since writing this article, Google has added a resource to their knowledge base for eliminating Analytics spam that uses the method above.
  • Guide to Removing Analytics Spam from O How Digital Marketing: (Added June 2016) In this guide, O How Digital Marketing provides steps for setting up multiple data views for your site. They also outline four steps for eliminating false traffic from your Google Analytics account: 1) eliminating ghost traffic with an include filter for valid hostnames, 2) filtering crawler spam using the method I describe above, 3) enabling bot filtering in the view settings (I forget this sometimes), and 4) excluding the IP addresses of web administrators and team members. The issue with #1 is that your site first has to have enough history to have a record of valid hostnames beyond your own domain name. The second issue is that, with the proliferation of social media and accounts on other properties, you must remember to add any new legitimate hostnames to the filter, as only the hostnames within the filter will display. As they recommend keeping an unfiltered master view, the filtered views can be compared against it; however, I think it would be very easy to forget. Third, you can only include one hostname filter for your account, which, like all filters, is limited to 255 characters. If you have one web property on one Analytics account, this may not be an issue. If not, the 255 character limitation can quickly become a problem.
How to Respond to Shady People


In SEO, there are different strategies for building search ranking.  One way to classify these strategies is by how ethical these activities are considered to be, such as “white hat” and, conversely, “black hat.” Within each of these classifications there is a range.

For example, some people feel that “white hat” means no effort at promotion. They believe that any form of promotion or effort at gaining ground in search is “beneath” them, that their articles/products are so awesome that people should just recognize that awesomeness and success will naturally come. Other people view “white hat” as those forms of link building and site promotion strategies that have been deemed acceptable.

As the largest delivery system of search traffic, it is usually Google that determines what those “acceptable” practices are . . . and that can change.  But that is a topic for another day.

Then there are “black hat” techniques, which can be destructive, such as hacking sites and phishing through them (I just had a call about this today); injecting links through insecure extensions; deceptive ads or posts that cloak the target page or hijack traffic; or simply bulk spamming forums, forms, and pages.

In between these two extremes, no promotion and straight up illegal practices, is a wide range of gray.

There may be strategies that aren’t technically “black hat,” but they are certainly a dark gray.  They usually take advantage of a hole or a weakness in a social media platform or search engine and exploit it.  It’s shady.

One that comes immediately to mind is Google Analytics referral spam, which has been the bane of my existence for the past couple of months.

Encountering Shady People

I’ve been talking so far about SEO strategies, but it’s not just about search.  Those tactics are simply a reflection of the mindset of the people behind them.  If someone will cut corners and use questionable practices in one area of their lives, I can guarantee you they will do something similar in other areas as well.

As Mark Ritchie so eloquently puts it in his upcoming book, “My Trading Bible” (pg. 39):

“A shortage of integrity always expands.”


This is true . . . always.

It is true in search.  It is true in life. It is true in business.

If you are in business, it is guaranteed that you will come up against people with “a shortage of integrity.”

Shady Takes Advantage of Confusion

In a meeting a few months ago, a client pointed out a couple of things that their closest competitor was doing that my client thought was unethical.  The competitor was trying to capitalize and rank on a phrase that was part of my client’s business name.  It was something that if the competitor was confronted about, they could probably find an excuse for, but it was lame.  It was shady.

After looking at the situation, I told my client that, while it was lame, it was possible that it was coming solely from whomever was managing the competitor’s web site and maybe they were just trying to rank for that phrase.  I thought there was a possibility that the business owner wasn’t even aware of it.  I would look at the competitor’s site occasionally and half the time it was down.  If the owner didn’t even realize their own site was down all the time, there was a strong possibility they didn’t realize how it was being promoted and presented.

Looking again today, the attempt to hijack and latch on to my client’s business name is even more obvious and blatant.

There is no way to confuse the two businesses, but if someone happened to be searching for my client’s business information and if they didn’t already have a strong relationship with them, the competitor might be able to grab a little bit of business that wouldn’t have come to them otherwise.

Is this illegal? I’m not an attorney so I don’t know if what they are doing is enough for trademark infringement.  Some people may even argue it’s fair game, they are just trying to get business.

It depends on what standards someone has and what they think is acceptable in an effort to get a buck in their till.

I don’t think anyone could argue that it is shady.  I have a hard time believing anyone who saw what the competitor is doing and understood what was going on could walk away without thinking it was unethical and even a little pathetic.

This is the thing to understand about the unethical and the shady, most of the time they won’t lie outright, but they take every advantage of confusion.  They may not present all the facts or not acknowledge or give credit to sources. There are a lot of ways that people lie by omission or even use the truth to tell the lie.

In the situation I just mentioned, the competitor has begun to create confusion for the search engine on who someone is looking for when they search for that particular phrase.

Try not to become a man of success, but rather try to become a man of value. Albert Einstein

Countering Shady People

The way to counter shady people, and businesses, is to remove the confusion.

Be very clear about who you are and what you do, and continue the conversation.

Ten years ago, I wrote an article about focusing on your business.  What I talked about in that article is still true today.  There will always be people whose idea of a “marketing strategy” is copying whatever their most successful competitor does.

While there may be short-term gains in doing this, it isn't a strategy that will result in long-term success. Just as the black hat SEO strategies ended up with the promoted site being banned, delisted, and eventually discarded, latching on to someone else's strategy will result in confusion and ineffectual results in your own business.

Creating Clarity

There are times when it may be necessary to directly confront someone depending on how egregious their actions are.  Part of the responsibility of holding a copyright or trademark is the willingness to defend it.

There may come a point in this particular situation where my client has to seek legal recourse.  That part of the equation is not my concern.  My job is to make sure it is very clear in the minds of my client’s current and potential customers that there is no substitute for what they sell combined with the service they offer.

For each one of us with a business, that is the goal.  Communicate clearly the benefit of buying from or working with you versus your competitor.  Sometimes that is about the product or service itself.  Other times it has more to do with who you, the person who directs the ship, are as a person and how your business operates.

As someone said to me once, “I wanted to know you were a real person.”

There are a lot of fakes out there.  Operating a business with integrity has value.


10 Must Have Joomla Extensions – 2015 Edition


One of the most time consuming tasks when developing a web site on Joomla is choosing which extensions to use. The Joomla Extension Directory is full of helpful extensions; which ones are the best to use?

Below are my top ten extensions to use with a Joomla site on the 3.4 version.


1. Template from Joostrap

Before Joomla switched to the Bootstrap framework for the stock front end and administration templates in version 3, Joostrap published Bootstrap-based templates for version 2.5 (you can read more on mobile site options here). They are my go-to for a starting template. I usually start with a simple theme with no styling and build the design for the site from there.

They also publish several extensions that are compatible with their Bootstrap templates. This is an important feature: as I mentioned previously, the most frequent issue I've run into while developing sites on Joomla in the past year has been conflicts between the jQuery and CSS in different extensions and Bootstrap.

If you are looking for responsive themes with specific styles, Bow Themes and ThemeForest are both good places to start. I haven't used a theme from Bow Themes; however, I have used several of their extensions, which they often incorporate with their themes. ThemeForest is part of the Envato marketplace that connects developers and users across the world. There is a wide selection of responsive themes for Joomla, both generic and those designed for specific industries.



2. JCE Editor for Joomla

This is an absolute must have for every Joomla web site.  JCE is an extension that adds a WYSIWYG editor that is highly configurable.  There are two main features that make this editor stand out above the rest.

The first is the ease of linking to other content within your Joomla site. If you've worked for any amount of time with a Joomla site without it, you know exactly how tedious this can be. The standard editor will insert hyperlinks, but doesn't have an easy way to link between content. Inserting a link as it displays on your site with the SEF url is doable, but an extra step. Also, if for any reason you change the format of your urls, you will have to go back and manually change every occurrence on your site that links to it.

JCE Editor stands out by allowing you to link to content on your site by searching for an article (helpful on a large site) or by listing content categories and the articles beneath them. It also lists menu items that you can link to from within your articles. There are a number of extensions that are compatible with JCE; however, if one is not, you can still make frequently used content within it easily accessible from JCE by creating menu items, which will display in the link selection dialogue box.

The other helpful feature in JCE is the ability to allow different options in the WYSIWYG editor based on the user group or role. Read more on how to configure user groups in JCE here.



3. sh404SEF

Back in the day, Joomla did not have a native option for configuring search engine friendly urls (something like:  and a third party extension was needed to add this functionality.  Joomla soon made SEF urls part of the core platform; however, at this point there were several third party extensions that had not only gained a following, but added options to the SEF components beyond url rewriting.

sh404SEF was one of these components and this, along with JCE, are absolute must-haves for any Joomla site I develop.  If an extension is not compatible with either one, it is not even up for consideration.

What sh404SEF does beyond url rewriting:

  • Allows highly customized configuration of the url structure, including making urls compatible with submission to Google News
  • Allows the customization of urls
  • Generates short urls
  • Generates 404 reports and allows you to specify existing content for those 404’s to be redirected to
  • Allows you to set the meta description and keywords for each page on the entire site from one screen.
  • Integrates with Google Analytics
  • Allows you to customize urls for components and items such as web links
  • Has an option to manage template switching for mobile (this isn’t necessary if the site is responsive)
  • Social SEO options with configuration for Google authorship, Twitter cards, Opengraph, and social sharing
  • Multiple security features

For years, the sales and support of the extension were handled by Anything Digital. However, the original developer recently moved the support and download page to his own site at Weeblr.



4. Akeeba Backup

Akeeba Backup is another absolute must-have extension.  This extension allows one click backups of your entire Joomla site or you can create profiles to only back up specific areas.  In addition to backing up the site, the Kickstart program allows you to easily reinstall, clone or move a web site to another server.


5. Sitemap Extension

This is one that is currently up in the air. For years, the de facto extension for generating XML sitemaps on Joomla was Xmap. It wasn't updated all that often, but that wasn't really necessary either. At the end of last year, Xmap was discontinued and the project taken down. You can read more about the saga here.

However, the extension still worked through Joomla 3.3.6. Taking the jump to 3.4.1 was a problem. So far, I've tried mapX, which picks up where Xmap left off, and OSmap, another Xmap derivative. The problem is that OSmap doesn't generate an HTML sitemap at all. Both extensions have to be excluded from sh404SEF to work. MapX will generate an HTML sitemap, although occasionally it runs into a PHP memory issue. It will also create an XML sitemap; however, some of the plugins that add the urls for particular components don't work with MapX. The sitemap for Google News doesn't work on either of them.


The five above are extensions I use regardless of the type of site. Since migrating to Joomla 3, I find that far fewer third party extensions are needed. The next five extensions are handy to have in the day to day use of your site.



6. Page Preview from NoNumber

The one basic feature that WordPress has that is not part of the Joomla core is a preview function for articles.  For business web sites that have set company information, this isn’t an issue.  For news portals or active blogs where content is published on a continual basis, this is a critical feature.  At least for me anyway, I want to see what it looks like before it goes live.

Page Preview is a plugin that adds a preview button to the article publishing screen that is accessible after the article is saved.  Either save the article as “unpublished” or schedule it for a future date as published and then view.



7. Mini Frontpage

What can you do with this module?  Pretty much whatever you want.  It allows you to specify which content you want to display and how and place it wherever you want.  This page is an example.



8. Snippets from NoNumber

This extension is a component and plugin. It allows you to create text, HTML, or scripts identified by a snippet label. That content can then be displayed in any article by placing {snippet label} where you would like it to display. Need to change it? Just update the content in the Snippets component and it will be changed sitewide.



9. Related Items Extended

Joomla has a core feature that will display related items to the current article; however, this module offers a little more control over the display.



10. Improved Ajax Login and Register

Every stock Joomla site has a login module. It has been part of the core since the days of Mambo. However, it's a little boring, and sometimes you don't want a huge block taking up space in your page layout. This extension has several display options as well as integration with social media logins.


Critical Site Update for WordPress 4.2 with Scripting Vulnerability


Combine a popular web site platform (WordPress) with a user base in which a good percentage lacks technical expertise, and add malicious intent. The result? A wide swath of sites that are vulnerable to attack.

This is the situation with WordPress.  The official site boasts corporate and celebrity users such as People, Motley Crue, and CNN.  This is true.  There are many multi-million dollar corporations, publications, and applications that run on the WordPress platform.

However, it is also true that a lot of users of the self hosted version of WordPress are casual users.  The ease of use of the platform, as well as the familiarity through the free sites on, drew a wide range of users.  Beyond the hobby bloggers, there are small businesses that had a site built on WordPress based on their developer/designer’s recommendation and then never looked at it again.

This chart by Built With shows almost half of the sites on the internet are using WordPress.


This chart by W3Techs shows the percentage of WordPress installations using each platform.  As you can see, a little over 30 percent of the installations are still running on version 3 or lower.

[Chart: WordPress versions usage]


What this tells me is that an awful lot of those 14 million sites are sitting out there unmanaged and wide open for attack.

I’ve mentioned before that outside of content and design, if you don’t have someone on staff who manages and maintains your web site, a web site maintenance service plan is often a good idea.  An excerpt from a previous article:

Open Source platforms like WordPress, Joomla, and Drupal are wonderful in that they allow the individual blogger and small business person to have world class sites. The downside to that is that since the code is open to all, it is also open to those who explore it to find vulnerabilities to maliciously hack your site.

When people contact me to recover their site after it’s been hacked, most of the time it is because they didn’t keep the platform up-to-date. There can be occasions when someone purposely tries to take a site down and overcomes security measures.

But the reality is for most of our web sites, hackers just don’t care that much about coming after you specifically. They are just looking for opportunity to do damage and most of the times are choosing the path of least resistance to do so.

Not keeping your site up-to-date or monitoring add-ons for security issues is like driving your car to the center of town, leaving the keys in the ignition and the doors open, and blaring the words “Come take me.”

This past week has been a good illustration of this.

Last week, security notifications went out on a vulnerability in WordPress 4.1.1 and earlier that allowed cross-site scripting.

The issue was not only with the WordPress core platform, but the vulnerability was also found in plugins and themes.  Envato Marketplace sent out an email on Saturday warning their users of the possible exploit.  They encouraged all their vendors to check for vulnerability in extensions and to modify and patch them.  I received emails from theme and plugin developers warning of the problem.

Version 4.2 came out to patch that vulnerability.  Almost immediately, another vulnerability was discovered in the update that fixed the previous one.

The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. Attack code has been released that targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet.

Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appear by default at the bottom of a WordPress blog or article post. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform. The most serious of the two vulnerabilities is in WordPress version 4.2 because as of press time there is no patch.

“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” Jouko Pynnönen, a researcher with Finland-based security firm Klikki Oy, wrote in a blog post published Sunday evening. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

A nightmare waiting to happen, ranking right up there with the experience of my friend Stephanie after someone went after her attempting to hijack her accounts and succeeded with her Facebook page.

An update to WordPress 4.2.1 that fixed this vulnerability was released hours ago.  If automatic updates are enabled on your site, it will have already updated.


WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.

The danger is for those who don’t have a system in place for back-ups and updates and who maybe haven’t checked their site in a while.

Next Steps

If you’re reading this and asking yourself, “What do I do now?”

  1. Back up your web site.  It is a good idea to keep a series of back-ups on hand in case it is necessary to take your site back to a previous version.
  2. Update WordPress.
  3. Update the installed plugins and themes.
  4. Research any plugin for which no update was prompted after updating to the latest version of WordPress, and check it for vulnerability issues.  Plugins that are outdated or whose development has been abandoned can be a huge issue.
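The four steps above as a small script, added here as an example and not code from the original post: it reads the installed version from wp-includes/version.php, decides whether the site is still older than the 4.2.1 release, takes a backup, and then updates core, plugins and themes with WP-CLI. The `wp` command, the site path and the WP_SITE_PATH/WP_BACKUP_DIR variables are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's code): POSIX shell helpers for the "Next
# Steps" above. WP-CLI (`wp`), the site path and WP_SITE_PATH/WP_BACKUP_DIR are assumed.
FIXED_VERSION="4.2.1"   # release that fixed the comment XSS described above

# Print the version string declared in wp-includes/version.php.
wp_installed_version() {
    sed -n 's/^\$wp_version *= *.\([0-9][0-9.]*\).*/\1/p' "$1/wp-includes/version.php"
}

# Succeed (exit 0) when dotted version $1 is strictly older than $2.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1   # equal
}

# Succeed when the install at $1 is still older than FIXED_VERSION.
needs_update() {
    version_lt "$(wp_installed_version "$1")" "$FIXED_VERSION"
}

# Step 1: timestamped DB dump plus file tarball in $2, so a series of backups accumulates.
backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$2"
    wp --path="$1" db export "$2/db-$stamp.sql"
    tar -czf "$2/files-$stamp.tar.gz" -C "$1" .
}

# Steps 2-4: update core, plugins, themes; then list plugins still reporting an update.
update_site() {
    backup_site "$1" "$2"
    wp --path="$1" core update
    wp --path="$1" plugin update --all
    wp --path="$1" theme update --all
    wp --path="$1" plugin list --update=available --fields=name,version,update_version
}

# Entry point when run directly: WP_SITE_PATH=/var/www/site sh wp-update.sh
if [ -n "${WP_SITE_PATH:-}" ] && needs_update "$WP_SITE_PATH"; then
    update_site "$WP_SITE_PATH" "${WP_BACKUP_DIR:-./backups}"
fi
```

Plugins that still show an available update after `plugin update --all`, or that show none at all while the core update went through, are the ones the research step is about.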

If you need help with your site, whether an update, a recovery, or an ongoing WordPress maintenance service plan, contact us.

