Saturday, May 30, 2015

Safeguard your AdSense Account Against Hackers

Every AdSense publisher is responsible for keeping their own AdSense account safe, and for protecting themselves (and their own websites) against hackers. AdSense will not protect your account for you (beyond the safeguards given in your account). So the question is, how do you keep your accounts (and yourself) safe from hackers?

Regardless of what anyone else tells you or what you might read on blogs or websites, there is no 100% foolproof method to protect yourself. You can do everything "right" and still may (at some point in your life) find yourself the unhappy host for something you don't want.

That doesn't mean you can't or shouldn't take the steps required to protect yourself. The more protections you set up, the harder you make it for someone to get into your accounts. Don't offer them an open door, which so many people seem to do because they haven't thought much about protection until they really need it.

Where to Begin - the Google Account

The first place to begin is with your Google Account, because your Google Account is your access to every other Google product you use. It opens the door to all of your products: your Blogger, your Gmail, your YouTube channel, your AdSense account ... anything that uses your Google login can be accessed by signing in to your Google Account.

  1. Choose your username carefully.
  2. Make your password hard to guess. If there's room, use as many as 20-25 characters for your password. Use a random mix of lower case letters, upper case letters, numbers, and special characters (like a # sign, $ sign, ! sign, etc.). Not only are these harder to guess, they also take much longer for password-cracking programs to find the correct set of characters. Since you choose these randomly, they're also very hard for YOU to remember, so write it down on paper. Don't lose it.
  3. Don't store it on your computer, or in your phone or mobile device. 
  4. Don't let your browser save it. 
  5. Don't use the same password anywhere else. 
  6. Change your password weekly. 
  7. Don't use the same password twice when changing it (don't alternate between 2 or 3 different passwords).
  8. Enable 2-step login verification. If you have a security key, use it.
  9. Don't log in to your Google Account from anywhere except your own devices.
  10. Remember to log out when finished.
  11. Don't share your password or login information with ANYONE, even if you trust them.
  12. Don't share screenshots from your accounts in public forums unless you blank out your personal information.
  13. Don't invite other users to your accounts.
  14. If you must invite others, and they are not YOUR own other accounts, do NOT make them Administrators. Making anyone else an admin means they can lock you out of your own account.

Since your Google account is your login for your AdSense account, taking these steps will also protect your AdSense account - at least as much as it is possible to protect an account.

All of the above are simply common sense. It really doesn't take a rocket scientist to understand the importance of keeping intruders out of your account.

But, there are other ways a hacker can get your information, and you need to be aware of these as well.

Learning What Not to Click, and What Not to Trust

Every day, most of us will receive some sort of spam or email with the enticement to "click here" for something ... whether it's to change your password, or to log in to another account, or to claim a prize or ... well, any one of a hundred different things.

DO_NOT_CLICK any link in any email from ANYONE without checking it out.

In Gmail, the first step is for you to check the email headers. Use the curved arrow at the right side of the page, and choose the option to "show original". This will open in a new page. Check for the domain authentication. If it was really sent from that sender, and not just spoofed, the authentication will usually show as a "permitted sender". If it's spoofed (i.e., it looks like it comes from a real person or a business you recognize but really doesn't), it will usually show that as a non-permitted or not allowed sender.

That's just the first clue though, and may not always be reliable.
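The header check above can also be scripted. This added example (not part of the original post) reads the `Authentication-Results` header that "show original" displays and shows why a "permitted sender" (SPF) result alone is not reliable: it only counts when it is for the same domain as the visible From address. The two messages, their domains and the `check_sender` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers, shaped like what Gmail's "Show original" displays.
GENUINE = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@example.com;
 spf=pass (google.com: domain of news@example.com designates 203.0.113.10
 as permitted sender) smtp.mailfrom=news@example.com;
 dmarc=pass header.from=example.com
From: Example Billing <news@example.com>
"""
# Constructed spoof: SPF passes, but only for an unrelated envelope domain.
SPOOFED = """\
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of bounce@mailer.invalid designates 198.51.100.7
 as permitted sender) smtp.mailfrom=bounce@mailer.invalid;
 dmarc=fail header.from=example.com
From: Example Billing <news@example.com>
"""

def domain_of(addr):
    """Lower-cased domain part of an address (or the whole value if no '@')."""
    return addr.rpartition("@")[2].lower()

def check_sender(raw):
    """Summarise the verdicts the receiving server recorded for one message."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    # Unfold the topmost Authentication-Results header (added by your provider).
    results = " ".join((msg.get("Authentication-Results") or "").split())
    out = {"from": from_domain}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", results)
        out[method] = m.group(1).lower() if m else "none"
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", results)
    out["envelope"] = domain_of(m.group(1)) if m else ""
    # SPF vouches only for the envelope sender, so it must match the From domain.
    out["spf_aligned"] = out["spf"] == "pass" and bool(from_domain) and (
        out["envelope"] == from_domain
        or out["envelope"].endswith("." + from_domain))
    out["verified"] = out["dmarc"] == "pass" or out["spf_aligned"]
    return out

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, check_sender(raw))
```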

If there's a link in the email, check it first. DO NOT click on the link.  Just hover over it. Look at the status bar at the bottom of your screen.

It shows you (usually) where that link will lead. If it's fake, it won't lead where you think it should.

The next safety check is to search for that URL on the link. Highlight the link from your email, and select "copy link" or "copy URL". Paste that URL into a blank notepad. Most of the time, there will be a domain name in that link. Go to "" to search for the domain - don't go there directly, not yet.

Check the search results for the domain on the link you copied. See what the web has to say about it. If it looks legit, visit one of the pages using a cached page view. Make sure your browser is using security before visiting: use a popup blocker; use a tracker blocker like Ghostery; use an adblocker; use an anti-phishing plugin/extension, and make sure your browser is protected by an antivirus.

Never just click a link in your email without first checking it. Doing so can take you to a site or page that can gather your personal information, including login data from your browser.

Protecting your Website Against Intruders 

Fairly often we see frantic publishers in the AdSense forum whose websites have been hacked and taken over by others. While it isn't always possible to protect against every type of attack on a website, there are simple common sense things you can do if you are using paid hosting. What's available on paid hosting can depend on what type of hosting you have, and what type of website you've developed. Self-hosted sites are usually the most prolific and widely used, and there are many ways to protect against unwanted takeovers, but none are perfect. Most will work, unless someone really wants in. If you aren't using any protection, you need to.

  1. Set your "login attempts" plugin to really low allowances. Allow no more than 2 login attempts, with lockouts after that. Set the lockout to last for an hour. After two lockouts, they can't try again for 24 hours. Also note that this will make it difficult for you to log in if you enter a wrong password, so make sure you know your password.
  2. Make your login username different than the name you show on your blog as the person posting. For example, if you write a post and it says "posted by admin", do not use "admin" as your login name (also don't use administrator).
  3. Don't use your own name as your login.
  4. Don't use your site name as a login.
  5. Don't use a name that can be associated with you in any way as your own user login.
  6. Make your password long, with 20 or more characters. 
  7. Don't use common phrases in your password (for example, don't use things like "4U" together).
  8. Don't use the name of your site, don't use your own name, birthdate, address, phone number or any other sort of personal information as part of your password.
  9. Don't use the same password as your Google account uses, in fact, don't use the same password anywhere else.
  10. If you host multiple sites under your hosting plan, make sure you use different logins and passwords for each of your websites.
  11. Install security for your website. Sites built on WordPress have multiple plugins you can use (Wordfence and Simple Firewall are just two). Before installing any plugins, check them out. Make sure the developer is trustworthy and the reviews are reasonably good.
  12. Follow the suggestions used above: don't log in to your admin account unless using your own devices. Log out when you're done.
  13. Don't share your login with anyone. 
  14. Don't let your browser store your logins. 
  15. Change your password once a month - more frequently if you see people trying to access your admin account. 
  16. Don't store your login/password anywhere online.
  17. If you can avoid it, don't post to your site using a mobile device. Turn off that option.
  18. Be careful how you set up your FTP accounts.
  19. If your hosting allows it, use an .htaccess file to block suspect IP addresses and web spiders you don't trust.
Note that blocking an individual IP address is not the most effective way to prevent problems, particularly if that's all you've been doing for protection. Many (if not all) hackers don't use their own IP addresses, and use one of the hundreds of proxy sites which assign random IP addresses. That means you could block thousands of IPs that don't necessarily belong to an actual hacker. Using other methods will provide more protection than just blocking a bunch of IP addresses, or even a range of IPs. So yes, you can block the IPs, but you shouldn't count on just that to do the trick.
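To see how the lockout settings in item 1 of the list behave together, here is an added sketch (not code from any plugin or from the original post) that replays a series of login attempts against those numbers. It assumes the second lockout is the one that lasts 24 hours; the `LoginGuard` class, the `editor` key and the timeline are constructed for illustration.

```python
MAX_ATTEMPTS = 2              # failed logins allowed before a lockout
LOCKOUT = 60 * 60             # a lockout lasts one hour ...
LONG_LOCKOUT = 24 * 60 * 60   # ... until the second lockout, which lasts 24 hours
LOCKOUTS_BEFORE_LONG = 2      # assumption: the 2nd lockout is the 24-hour one

class LoginGuard:
    """Tracks failed logins per key (for example username plus client address)."""
    def __init__(self):
        self.failures = {}      # key -> failures since the last lockout
        self.lockouts = {}      # key -> lockouts so far
        self.locked_until = {}  # key -> time in seconds when the lockout ends

    def attempt(self, key, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at time `now`."""
        if now < self.locked_until.get(key, 0):
            return "locked"     # even the right password is refused meanwhile
        if password_ok:
            self.failures.pop(key, None)
            self.lockouts.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] < MAX_ATTEMPTS:
            return "denied"
        self.failures[key] = 0
        self.lockouts[key] = self.lockouts.get(key, 0) + 1
        long = self.lockouts[key] >= LOCKOUTS_BEFORE_LONG
        self.locked_until[key] = now + (LONG_LOCKOUT if long else LOCKOUT)
        return "locked"

# Constructed timeline: (seconds since start, was the password correct?)
TIMELINE = [(0, False), (1, False), (100, True), (3601, False),
            (3602, False), (7202, True), (90002, True)]

def replay(events):
    """Run (time, password_ok) events for one key and return the outcomes."""
    guard = LoginGuard()
    return [guard.attempt("editor", ok, t) for t, ok in events]

if __name__ == "__main__":
    for (t, ok), result in zip(TIMELINE, replay(TIMELINE)):
        print(f"t={t:>6}s password_ok={ok!s:<5} -> {result}")
```

The third and sixth events show the cost the list item warns about: during a lockout the correct password is refused too.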


  1. Hello Gracey,
    You've talked about taking security measures while running a hosted site on WordPress. What if we have a Blogger blog? Do we still need to take all these security measures, and if not which of these should we count on?

    1. Hosting a site on Blogger means there isn't much you can do for additional security.

      All of the information that relates to a Google Account also relates to a Blogger account, because a Google Account is usually what one would use to log in to their account on Blogger.

      If you take the steps outlined for protecting your Google account, then you've done most of what you can do to protect your Blogger account.

      Other options would be to use a separate and distinct Google Account and Gmail account for your Blogger. If that's a separate Google Account with different password and email, it can add a layer of security, albeit a small one.

      If someone were to hack your Blogger account, they wouldn't automatically have access to your AdSense account if the logins are different.

      This would also mean that you would need to avoid using the Blogger AdSense gadgets and automatic ad places, and not link to your AdSense account through the earnings tab, and instead, copy and paste ad code directly from your AdSense account into an HTML gadget.

      Your ads would still show, you'd still get credit for the earnings, but your AdSense account and your Blogger account would be separate.

