Today I was sick and tired of getting beaten on some rankings I was working hard for, so I decided to dive a bit deeper and see why GoDaddy was ranking as well as they were. When I looked into the link profile for those high ranking pages, I found a lot of homepages linking to these landing pages with highly optimized anchor text. These were anchor texts like "ssl", "bulk email", "web hosting", "web hosting companies" etc. Stuff like that just doesn't happen by accident, so there had to be a reason for those. I was baffled when I found what they were doing.

Want a Website Tonight, anyone?

You see, GoDaddy offers a service called "Website Tonight"; this service allows you to quite easily create a website by offering you an editor and all sorts of widgets. Not exactly the power of WordPress, but nothing wrong with it from the users perspective. What is wrong is what I found when I created such a website: when you create such a website it has an image in the footer by default saying "Powered by Website Tonight". It's possible to turn this image off, but most people don't bother as in the editor it looks rather harmless, like this:

Now, if it were just that, I don't think I'd be all that bothered (not the border is because the image is selected). The issue is, that on the live test site I created, it looks like this:

That link wasn't there in the preview... That's called deceiving your customer. Note that by default, the image is black, you can switch it to white or you can switch it off, but in the editor it'll always show. This is probably the reason why some people choose to use the white version, as they think they can't disable it and want a version that's less ugly on their design.

Example time

Ok it's time I show you some real live examples of these I guess, these websites all have ugly links like that in their footer:

• http://www.motorinsurancee.com/
• http://www.universalhealthinfo.com/
• http://www.autoinsurancecoinc.com/
• http://handson3rd.com/
• http://www.onemilerunner.com/
• http://www.trophyshowroom.com/

But those links don't work, right? Wrong.

Google has been telling us for quite a while now that footer links etc. are not that important. Well guess what, that's not true if you have enough of them. Using SearchMetrics I ran a report for the top keywords they rank in the top 3 for. Each and every keyword in there that is not their brand name, from website hosting to webhosting to website builder, to domain name registration and more: all of those landing pages have exact match anchor text links pointing to them. All coming from these types of domains, thousands if not tens of thousands of clients who are paying for a service, are unknowingly also helping GoDaddy's business by helping it rank.

These links are on by default. They are not editorial. It's not the first time this happened, Hostgator has been caught adding links to their clients websites in the same way, I mention that in my WordPress hosting article. The issue is that Google rewards these kinds of practices with top rankings, which they shouldn't.

How well this works, well by my estimate they started doing this more aggressively in September / October of this year, see how their visibility according to SearchMetrics almost doubled:

This would correlate well with the Majestic SEO's historic back link data:

For hosting related terms like the ones GoDaddy targets, doubling your search engine visibility like that is worth a fortune. To show you even more how blatant these links are, this is a screenshot of the top pages report in Majestic, after doing an advanced historic report, look at the anchor texts and notice that the two with a flag on the right are reported wrongly, the anchor text for the link in fact is email marketing there as well. You can click for a larger version:

Some of these sites however already show these links a the beginning of 2011. See this archive.org example and this one to see that, they even changed the link in the meanwhile... What I think happened in September / October that made me catch them was that they started doing this for more keywords.

The long and short of it

GoDaddy is playing this game a bit too aggressively in my opinion, and Google should really start discounting those links. The right way would be for GoDaddy to ask their customers whether they're allowed to insert a link and make them choose where it points. No single customer would, by own volition, link to an email marketing page...

I am, though, disappointed in Google's filtering of these links; there are far too many spammy links pointing at those pages that:

• have a very unnatural anchor text distribution
• they're all in the footer of these sites
• are distributed over only a select number of IP's.

Those 3 things combined, I can't believe they didn't catch that.

Disclaimer: I'm not saying anything that GoDaddy does here is illegal from a legal point of view. In my opinion it's against search engines guidelines and they're not transparent towards their customers, so I'd call it bad karma.

Thanks goes out to Dixon Jones of Majestic SEO and Marcus Tober of SearchMetrics for helping me figure all this out.

GoDaddy’s spammy link building techniques is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

There's all sorts of factors that decide on whether your email is delivered or not, but one of the most important ones is a DNS record called SPF. SPF stands for Sender Policy Framework and let's the receiving mail server reliably determine whether the server that is sending you email is actually allowed to send you email. Adding one will increase your email reliability incredibly.

As with most DNS type records, the syntax is quite hard to explain so I won't even try. Let me link you to the Wikipedia page if you really want to know. What I found way more helpful though when I was searching and trying to figure out how to do this is Microsoft's wizard for this stuff. It asks you a bunch of questions and will still require some time from your side but it got me to the desired end-result a lot faster.

SPF records, Google Apps for Domain and email reliability

I use Google Apps for domain to handle my email, which means that I do most of my sending through a Google SMTP server. Because of that I had set the SPF record in the manner Google suggests here. The thing missing from that is very, very subtle, but makes all the difference. It's a few letters, let's see if you can spot it. This is the SPF record Google gave me:

v=spf1 include:_spf.google.com ~all

This is what it actually needed to be:

v=spf1 a include:_spf.google.com ~all

You will have spotted the addition of "a " after "spf1". This simple addition means that all web servers that are identified in my domains A records, hence, all the web servers from which I run my domain and subdomains, are allowed to send email as well.

The include directive means that Google can setup SPF records for the domain _spf.google.com and thus add or remove mail servers without you having to change anything.

How to test email reliability

If you're now thinking "I don't know whether this has been set up correctly for my domain", don't fret. You can test it quite easily. Go to this SPF testing tool and use the 3rd form on the page. Using only the first and third input of that form, enter your web server's IP address and your from address, which is usually wordpress@yourdomain.com if you're running WordPress. With my initial test, it gave this result:

This means that this test won't fail your email per se (as there was no SPF record), but for stricter email servers, it might, in other words, you've got quite low email reliability. Now I ran it with the SPF record I has just fashioned using Microsoft's wizard and it gave me this:

That is the result you want to see, as that means my server's email reliability just went up quite a bit.

WordPress specific email reliability: using another SMTP server

Quite often email from your own server won't work as expected, especially when you're on a shared host it can give issues. There are quite a few plugins out there to help you set up an external SMTP server, I've relied on Coffee2Code's Configure SMTP plugin myself a few times. There's some issues with that though, especially once you're starting to get more visitors, as most SMTP servers for free email services have a limit to how many emails you can send per day.

If you can, just use your own server or outsource the email delivery to a third party that specializes in sending service emails. I've been testing SendGrid myself, but wasn't completely happy with it. Their reliability was a lot higher but the costs are quite high too when you get several hundreds of comments. You might think "that's only a couple of hundred emails", well, it's not.

If you have subscribe to comments enabled, which I highly suggest you do, it'll be a lot more. I get anywhere from 20 to 200 comments on a post, average about 80 at the moment. If 50% subscribes to comment notifications, that adds up to an enormous amount of email being sent.

As for newsletters, there are plugins for sending those from your WordPress install too. I highly encourage you not to do that. Use Mailchimp, or any other newsletter service for that. Their reliability is way higher and you get awesome statistics and subscription services to boot. I use them for my WordPress Newsletter and never regret it.

Are you using other services that send email for you?

If you're using other services that send email for you, for instance if you're using Freshbooks (aff) for invoicing like I do, be sure to include them in your SPF too, just add another include like we did above for Google:

include:_spf.freshbooks.com

There are more services that support this, be sure to check if you're using any services that send email on your behalf. Email reliability is important, but even more important when it's sending your invoices!

Update from Antonio Romero in the comments, the same goes for MailChimp:

include:servers.mcsv.net

Just updated my own SPF with that as I use my own email address as a from address there.

Conclusion: make sure your email reliability is high!

Whether you run your own server or not, it can't hurt to do the check above to see whether your email has a high chance of being delivered. If you're sending email from your web server, be sure to do the above check and make the necessary changes to your SPF record if needed!

Bonus tip: DKIM

If you're using Google Apps for domain, be sure to read this guide and implement everything in it. It'll help you set up domain keys, which adds another layer of spam protection.

Email Reliability: use an SPF record is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

I value comments a lot, in fact, I look at the number and quality of comments on a post almost as much as I look at the number of shares, tweets and pageviews to determine how well a post was received. Recently I've done some posts that got a lot of annoying responses. Most of those were anonymous comments, which lead me to change my comment policies a bit to prevent those from happening in the future.

This tactic might work for more people, so I thought I'd share it:

Confirming the comment e-mail address

Using a plugin called comment e-mail verification I now force people to use a real e-mail address when commenting. The process is simple: if you comment for the first time, your comment will be kept in moderation automatically. You'll get a confirmation e-mail with a link in it. Clicking that link will take your comment out of moderation and place it immediately.

The plugin allows you to change the email message sent to the end user as well as some other things, but mostly just works. I use this plugin in conjunction with my own comment redirect plugin, which takes people who comment here for the first time to a special thank you page. This page looks like this:

So the process goes like this, when someone comments here for the first time:

• Visitor leaves a comment.
• Visitor is redirected to the comment thank you page, which states, among other things, that they have to confirm their email address.
• Visitor clicks the confirmation link in his / her email, which takes the comment out of moderation.
• The visitor is redirected immediately to the comment.

Funnily enough, I now see visitors leave the same comment twice. Once with a fake e-mail address, and then later on with a real e-mail address.

Next to the measures above, I've also added some statements to my Comment Rules, above the comment submit button. I now strictly adhere to these rules:

• Keywords instead of a real name? Comment gets deleted.
• A fake name instead of your real name? Comment gets deleted.
• A comment "signature" (with or without links)? Signature gets deleted first time, second time, comment gets deleted.

I'm curious though, most of you reading this are bloggers, what do you do to prevent not just comment spam but annoying comments and commenters?

Top image from Shutterstock.

Preventing anonymous comments in WordPress is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

My buddy Dave (who's colleague posted a very nice review of my WordPress SEO Plugin yesterday btw) tweeted today about 9rules, a once well respected blog network I've tried to get into 2 times:

http://twitter.com/DaveNaylor/status/15720794046857216

I didn't know what he was on about but then Wiep, one of Holland's best link builders, chimed in:

http://twitter.com/wiep/status/15721791548821504

Ok, as you might guess, I was now overly curious as to what was going on. Wiep was kind enough to point it out to me in chat before I had to start search myself. It appears 9rules is openly selling links. It was doing so using a plugin that I've seen more blogs use to sell advertising, called OIO Publisher. The point? The links 9rules sells are not nofollowed.

Now, here's the part where it got really interesting. You see that link where they're selling links? It's an interface of the OIO Publisher plugin. That's what we tend to call a footprint. Let's take some parts of the URL and use them in a nice Google query:

inurl:/oiopub-direct/purchase.php inurl:link

I ran the query and... Ouch... That's a lot of results. Some of them turned out to be sites that were also selling text link ads, but they were nofollowed. Which led me to think it's an option in the plugin. So I asked for a copy of the plugin on Twitter, went through the source and indeed: it is an option. Not just for links, but for the banner ads as well.

Here's where it got really bad too: it has an option to charge a premium to remove the nofollow. Now if you've ever tried to tell Google that you didn't know what you were doing while selling links, checking that box is the best way to make them never ever believe that. And it creates an even nicer footprint:

inurl:/oiopub-direct/purchase.php inurl:link "use nofollow"

All these sites charge you a premium to remove the nofollow tag from your link and deserve to be banned instantly for selling links knowingly.

So, to repeat it: don't sell links without nofollow. If you do, don't be stupid enough to get caught. The example above is a feast for Google. They'll find plenty of link buyers & sellers while researching this footprint.

One more time: Selling links? Don’t be Stupid. is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

You have a set of plugins installed, WordPress gathers the name, slug (directory name), version number and some other things, and sends that to WordPress.org. On WordPress.org, the server tries to find that plugin within its system, and when it's found it, it checks the version number against the current version number for that plugin. If it finds a newer version, it returns it. Simple, superb, just works, every day, for all of us.

How I "used" the WordPress plugin update system

The thing is, the update check relies on the fact that the plugin is on WordPress.org. If it's not, it should return nothing. What I did was create a BlogPress SEO plugin on WordPress.org which was empty. Note that that's easier for me than for most: I have a lot of registered plugins already, and most people who have the rights to approve a new plugin for me will do so without too much of a check. The empty plugin has the same name etc. and a higher version number than the current version BlogPress SEO sends out, and therefor it updates.

Call it genius, call it evil, some people thought it was pretty bad that it's possible. In this case I used it for "good", where it could also be used for "bad". Mind you, I only did it when I found the backdoor, I wasn't willing to do it before when it was "just" SEO spam, even though I had thought up this method about 11 months ago already.

This will not work for plugins that are already on WordPress.org, it might work for others. But remember: plugin requests do normally get a high level of scrutiny on WordPress.org. After that, if something bad got through, it would be pulled immediately. I doubt they're going to pull this hijack of mine for obvious reasons: it does a good thing. Still, if you're concerned about this happening, the fix is to apply this method by Mark Jaquith, or even better, replace it with your own update server.

Is this legitimate (ab)use?

Some people will argue I shouldn't have done this. In this case, I think the end justifies the means, you're welcome to disagree and give me your opinion, I sincerely want to hear that, ethical behavior is very important to me.

Killswitch?

This whole story also opened the discussion about whether WordPress needs a kill switch for stuff like this (this isn't one, people have to upgrade, I can't just kill the plugin). I think we do need one, but we should also set very strict rules on how to use that when we add it. But then again when someone purposefully adds a backdoor to WordPress blogs around the globe, I think the platform would benefit if we (or rather, the lead developers) would be able to "kill" that plugin on all WordPress.org blogs instantly. The issue is of course that a sophisticated developer would just disable that check, so in the end, there's probably no chance of that. Of course this is also a one off fix, as all other bad people out there will now also apply Mark's fix...

WordPress plugin updates and how I (ab)used it is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

You see, WordPress, by default, checks for updates to every plugin on WordPress.org. It matches the plugin by name and slug (folder name), there's a method to prevent this for a plugin, but BlogPress SEO doesn't do that. With the help of Andrew Nacin, I registered blogpressseo as a plugin on WordPress.org, created an empty plugin file with the same name and a higher version number, added a readme.txt with an upgrade notice, and uploaded it to WordPress.org.

I had already installed the plugin on my blog (well, an empty version of it, just the headers), so I could test it, and low and behold, it worked:

It's a primitive form of a kill switch (which I wish WordPress had, but it's better than nothing). The funny thing is: we'll now also be able to see how many people are running this plugin and how many of them upgrade. So far, 26 people have been saved!

Update: Just posted more info on how I did this using the WordPress plugin update system.

BlogPress SEO: solved is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

BlogPress SEO falls in the latter category. My spam senses started tingling when I read the second sentence of the email they sent me:

We have developed a superb wordpress plugin which can actually get 100's of backlinks like crazy, all on autopilot.

Right. Backlinks, on autopilot. Such a thing does not exist. Let's see how this one works, taken from their own explanation:

As soon as you install the plugin, the plugin will find all relevant blogs in the network which are similar to your niche. So if you write about dogs then the plugin will find all blogs which talk about dogs. Once the plugin find the relevant blogs, it will mutually exchange links between the blogs. So if you have 300 posts in your blog then it will find 300 similar posts in the network, and in turn mutually links with those posts. So you will get around 300 backlinks right away. The more you write the more backlinks will be found by the plugin for your posts. This is a ongoing process and I can assure you that you will see gradual increase in traffic over time.

So... It'll automatically add links from your posts to other people's blogs, and links form other people's posts on the same topic to your posts. There's a word for that, it's called a link scheme. And let me tell you: Google doesn't like those. I took the liberty of emailing Matt Cutts, the  head of Google's Webspam Team. He said that he "considers it a link scheme of the sort that Google doesn't want to count".

You know what the funny thing is? The bad stuff doesn't end here. In the email they sent me, they also alluded to a paid version of their plugin, to be released soon:

The paid version of the plugin will not exchange links, but just allow other blogs to place links and will not place any outgoing links on users blog.

You know what we call that? We call that buying links. Now whether or not you're morally opposed to that doesn't matter, Google is. Some of you might remember that, back in the day, Text Link Ads launched a service called InLinks, which did something similar to this. Matt responded to that then, on TechCrunch. He's very clear on the topic. And that was before there were FTC guidelines saying that you should disclose stuff like that. These guidelines are there now.

So let's say you don't care about rules and burning a website or two and you do stuff like this, you than have two rules to go by: you don't talk about it and you make sure you don't get caught. Which means you also don't go around asking for people like me to review it, like the author of BlogPress SEO did with me.

Luckily, it's quite easy to detect whether a blog runs this plugin, so Google will probably eliminate those quite easily. The risk you run? Well, I've seen sites get banned for participating in programs like these in the past. Like, banned from Google entirely, getting no traffic from Google anymore, nothing, zero, nada, zilch. Is it worth that? Thought not.

And wait, there's more. If you download the plugin and dig around in the code a bit, you'll notice this code:

function email_send_fun()
{
    $headers="From:".get_option('admin_email')."n";
    $headers.="Reply-to:".get_option('admin_email')."n";
    $sub="BlogPressSeo new installation.";
    $mes=get_option('siteurl');
    $to="info@blogpressseo.com";
    mail($to,$sub,$mes,$headers);
    if($hwe_blogidd)
    {
        wplink_activate();
    }
}
register_activation_hook(__FILE__,"email_send_fun");

What that does? Oh it only sends your blog's URL and your email address to the author of BlogPress SEO. Wait, without your consent? Yes, without your consent. That's illegal in many countries, but hey, why would they care. Next to that, the plugin is kind of enough to add a link back to itself on your blog's homepage, in a hidden div of course, because that's how smart people roll, right? Luckily, that makes it even easier for Google to find all the sites running the plugin and ban them all in one big sweep.

So, besides the fact that they get you involved in a link scheme, for which penalties can be quite severe; even getting your site banned in some cases, they also add hidden links to your site and send off your personal info without your authorization. Nice, isn't it? So my advice to you is simple, and you'll have understood it by now:

Do NOT use BlogPress SEO. Ever.

Update: It get's worse. As pointed out by this post, BlogPress SEO is pure malware, as it contains a function that allows someone who knows your admin email address (you know, the one they just sent to themselves when you installed the plugin) to log in without a password... That's purely criminal.

Update 2: I've tried to fix this situation by making use of the WordPress plugin update system in a rather ingenious (though slightly devilish) way.

BlogPress SEO Plugin: Spam! is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

But this isn't really new is it? And it's not only about the display URL policy either... It's about hijacking a good page / domain to get a good quality score, and using that quality score to make sure you get cheap clicks on your bad landing pages (with high CTR's, I bet)...

Trust me, this has been going on for quite a while, and it's done for all sorts of reasons outside of this one: cloaking to be able to use flash landing pages, to serve high quality pages to Google and high converting pages to customer's, etc. etc. You'd think Google was aware of this by now...

Cloaking for AdWords is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

Nice noframes spam… is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

Ok Matt, please tell me, how would you make a top 10 for these keywords:

• crucifixion
• assumption of mary
• papal infallibility

You know Matt, that I am with you on quite a lot of spam issues, even link buying, but this time, you've crossed an invisible line, I'm afraid... I hope very much, that we're misquoting you, or not understanding what you're saying...

So Matt, how would you classify these stories? is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

Google subdomain & 302 spam is a post by Joost de Valk on Yoast - Tweaking Websites.A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!