Have you been seeing pop-up ads on my blog?
You see, a couple of days ago I was fiddling with some darned thing here in WordPress — I can’t remember what it was anymore — and I wanted to take a look at how the page lays out to ordinary people. As a logged-in WordPress user, I get extra features like a command bar at the top and special links I can click to edit content, and I wanted to get a look at the site without any of that. I could just log out, but then I’d have to log in again to tweak it some more, and that’s a pain.
So instead, I launched the Chrome browser in “incognito” mode, which runs the browser with no cookies of any kind, as if it had never been launched before, which means my blog will treat it like just another random first-time visitor.
And the darnedest thing happened. Some kind of full-page ad popped up and completely covered the contents of my blog? At the top it had the words “A Message From Our Sponsors” with a link in the upper right corner labeled “Click to continue to site” or something like that. It was just like one of those full page ads you sometimes get when you follow a link to a big media property like Forbes.
What the fuck?
Just to be clear, I don’t put ads like that on my blog. I have an Amazon banner on the right side, and another one at the bottom of every article, and that’s it. Whatever this was, I didn’t do it.
I flipped on the browser’s developer tools and took a look at another page. I wanted to see where it was getting content from. This page didn’t show the ad, but when I looked at the Network tab, I was in for another shock. The first file was the main HTML page, and the next dozen or so were the usual bits and pieces from the wordpress folder: bits and pieces of CSS, JavaScript, and a handful of images. An awful lot of the rest of the files were stuff I didn’t recognize.
There’s always some of that on a page. If you use widgets or JavaScript code to link to Twitter or Facebook or Amazon or Gravatar, the tiny stub of code you use to do that pulls down more code and other assets that it needs to function. But this went beyond any of that. It was hitting a horrifying array of unfamiliar sites:
- specificclick.net
- vindicosuite.com
- yashi.com
- demdex.net
- nexac.com
- bluekai.com
- mookie1.com
- spotxchange.com
- turn.com
- adadvisor.net
- ib-ibi.com
- doubleclick.net
- scorecardresearch.com
- adnxs.com
- specificmedia.com
- rubiconproject.com
- invitemedia.com
- btrll.com
- collective-media.net
- tidaltv.com
- tubemogul.com
- exelator.com
- mathtag.com
- dotomi.com
- casalemedia.com
- pubmatic.com
- cpmaxads.com
- advertising.com
- criteo.com
- adsrvr.org
- veruta.com
- wtp101.com
- connexity.net
- openadserve.com
- insightexpressai.com
- doubleverify.com
- serving-sys.com
- betrad.com
- vizu.com
- 2mdn.com
As near as I can tell, every single one of those is in some way associated with web advertising. Someone was using my blog to get credit for distributing ad content. At the very least, they were probably littering my visitors’ browsers with tracking cookies.
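The Network-tab check described above, as an added example that is not code from this post: given the URLs a page fetched, it groups every request whose domain is not the site’s own and counts requests per domain, so unexpected trackers stand out. The sample URLs are constructed, and example.org stands in for the blog.

```javascript
// Added example: list the third-party domains a page pulled resources from,
// the same check the post did by hand in the Network tab.
// Constructed sample of resource URLs, like those a tracker-laden page fetches.
const SAMPLE_RESOURCES = [
  "https://example.org/wp-content/themes/x/style.css",
  "https://example.org/wp-includes/js/jquery.js",
  "https://static.example.org/img/header.png",
  "https://ads.specificclick.net/pixel.gif",
  "https://ad.doubleclick.net/ddm/adi/123",
  "https://cm.g.doubleclick.net/pixel",
  "https://tags.bluekai.com/site/1?id=abc",
  "data:image/png;base64,AAAA", // inline asset, no host; must be skipped
];

// Group a hostname by its last two labels. This is a heuristic: example.org
// and static.example.org both map to example.org, but multi-part public
// suffixes such as co.uk are not handled.
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Return [{domain, hosts, count}] for every resource whose base domain is not
// the site's, sorted by request count so the noisiest domains come first.
function thirdPartyDomains(resourceUrls, siteOrigin) {
  const own = baseDomain(new URL(siteOrigin).hostname);
  const seen = new Map();
  for (const url of resourceUrls) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // unparsable URL
    const domain = baseDomain(host);
    if (!host || domain === own) continue; // skip data:/blob: URIs and own site
    const entry = seen.get(domain) || { domain, hosts: new Set(), count: 0 };
    entry.hosts.add(host);
    entry.count += 1;
    seen.set(domain, entry);
  }
  return [...seen.values()]
    .map(e => ({ domain: e.domain, hosts: [...e.hosts].sort(), count: e.count }))
    .sort((a, b) => b.count - a.count || a.domain.localeCompare(b.domain));
}

// In a browser console, feed it the page's own resource timing entries:
//   thirdPartyDomains(performance.getEntriesByType("resource").map(e => e.name), location.origin)
console.table(thirdPartyDomains(SAMPLE_RESOURCES, "https://example.org"));
```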
I’m truly sorry about that. This is an embarrassing discovery, and I apologize.
On discovering this, I got a little panicked. My mind went to a bad place: it was possible I had been hacked via malware in a WordPress plugin. WordPress and all its plugins and themes are built on PHP, and PHP is wide open: every WordPress plugin and every theme runs with the same privileges as WordPress itself, with complete access to all the files in the web server account. If any one of the plugins is malicious, it can infiltrate itself into a WordPress installation in ways that are hard to remove. It’s like a virus.
You should never install WordPress plugins or themes from an untrustworthy source. The plugins and themes that you can find from within WordPress via the Add New button have been somewhat vetted by the community and are probably safe, but with the exception of a few reputable vendors, you should never download and install a theme or plugin from another web site. One study on a small sample of random free WordPress themes found that 100% of them had some kind of hidden code to insert tracking cookies or place hidden links on the site. Every single one.
I had been careful about adding plugins, but maybe I had made a mistake, or maybe one of them had slipped past the guards on the WordPress repositories. I began disabling plugins, starting with the most recent ones, and refreshing the page to see if the invading websites were still there. Eventually I got down to just a handful of trusted plugins — Google, Amazon, stuff everyone installs — and the ads were still there.
The culprit turned out to be one of the oldest things I had ever put on my site: The Site Meter badge. I’ve had that thing on my website since before WordPress. I think I even had it before MovableType, back when I was hosted on Blogger. At the time, every blogger in the world used Site Meter to track their stats, and I was no exception.
Site Meter didn’t press their advantage, however, and they didn’t keep up with the times. Their simple counter and statistics are no match for a modern powerhouse like Google Analytics or Woopra. Apparently, at some point they just gave up trying to monetize stats and started just pushing out all kinds of advertising crap. Given how many advertising companies they’ve sold my site to, I assume they’re trying to squeeze out as many tiny fractions of a penny as they can.
(This was actually good news, since Site Meter was just a <script> tag I had embedded in the footer. It didn’t run any PHP code on my site, so it couldn’t have corrupted anything else. It all ran in the relatively safe sandbox of my visitors’ browsers.)
I Googled around about this, and apparently everyone else noticed the problem a few years ago. I wasn’t paying attention, and I missed it. I guess that’s because I don’t really use Site Meter any more, and I would have abandoned it, but…it was the oldest counter I had on the site, and I was enjoying watching the numbers climb. It used to go up pretty fast, and I would have reached my first million several years ago, but my site statistics took a dive about 6 years back when I was busy taking care of my parents.
According to Site Meter, I still haven’t quite reached my first million visits. The counter currently sits at 999315.
And there it will stay.
Lyman Duggan says
I have used Sitemeter for years also and it still tracks and counts, but I don’t think anyone is minding the store anymore. Their blog stopped in 2009 and their Twitter account is not really active now. People get old and die?