• About
    • History of Dallas SEO
  • Contact
  • Topics
    • Bing
    • Blogging
    • Branding
    • Domain Names
    • Google
    • Internet Marketing
    • Link Building
    • Local Search
    • Marketing
    • Public Relations
    • Reputation Management
    • Search Engine Marketing
    • Search Engine Optimization
    • Search Engines
    • Social Media
  • Tech
  • Advertise
  • Services
    • Search Engine Optimization
    • Ongoing SEO Services
    • SEO Expert Witness
    • Google Penalty Recovery
    • Mini SEO Audit
    • Link Audit
    • Keyword Research
    • Combine Websites SEO Services
    • PPC Management
    • Online Reputation Management
    • Domain Name Consultant
    • Domain Names & Expired Domains
    • Domain Name Appraisal

Bill Hartzer

GoDaddy Airo: Register your .com domain name today!
Home » Google » Google Site Kit Gives Attackers Access to Google Search Console

Google Site Kit Gives Attackers Access to Google Search Console

Posted on May 13, 2020 Written by Bill Hartzer

Site Kit by Google vulnerability

Not long ago, I installed the Google Site Kit WordPress plugin, as it is an official Google WordPress plugin. When you install the plugin, it gives you an easier way to view data from Google Analytics, Google Search Console, Google AdSense, and Google PageSpeed Insights. You can view this data for the entire site or you can view it per page or per post. It doesn’t really do anything special except make it easier for you to view the data. You can see it directly in the WordPress dashboard rather than having to go to each of those sites separately: Google Analytics, Google Search Console, Google AdSense, and Google PageSpeed Insights. Well, there’s a problem with the plugin: an attacker can gain access to your Google Search Console for the site, and presumably with access they could do some harm.

In this case, they have to be an authenticated user of the WordPress site. If they’re a WordPress user of the site, they could potentially get access to the Google Search Console if they didn’t already have that access.

Wordfence has discovered a vulnerability in the Google Site Kit WordPress Plugin. They recommend updating the plugin as soon as possible. Logging into a WordPress site (such as this one) where I had Google Site Kit installed, there is an update for the plugin. However, rather than updating it I chose to simply deactivate the plugin and then delete it.

Here’s what they found:
“In order to establish the first connection with Site Kit and Google Search Console, the plugin generates a proxySetupURL that is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.” They went on to explain that “Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed as part of the HTML source code of admin pages to any authenticated user accessing the /wp-admin dashboard.” They have to be an authenticated user of the WordPress site in order to see the code. That is my understanding.

Jump To

Toggle
  • Do You Need Google Site Kit?
    • Related Posts

Do You Need Google Site Kit?

I really haven’t seen any additional benefits from having the Google Site Kit WordPress plugin installed, as it does not give me any more functionality in my blog. It’s not helpful for users at all, just an add-on to the WordPress dashboard. If I need the data, then I can just go log into Google Analytics, Google Search Console, Google AdSense, or Google PageSpeed Insights. Also, adding more plugins that aren’t really necessary can help speed up the overall performance of the site, as it doesn’t have to load if the plugin isn’t installed. I’m personally a big fan of removing all plugins that are not needed, as it will help the site load faster, and the site is less vulnerable to security issues (as we can see with this Google Site Kit plugin).

My recommendation? Only install Google Site Kit if you absolutely can’t live without it. And here’s a hint: you don’t really need it.

Related Posts

  • Hackers Hijack Google Results: Bybit Exposes AI-Powered macOS Malware Targeting Claude Code Searches
  • Brandpoint: 60% of Google Searches End Without Clicks
  • Google’s New Discover Update Is Live
  • Google Is Shutting Down Its Dark Web Report
  • After Years of Resistance, Google Agrees to South Korea’s Strict Mapping Rules

Filed Under: Google

About Bill Hartzer

Bill Hartzer is the CEO of Hartzer Consulting and founder of DNAccess, a domain name protection and recovery service. A recognized authority in digital marketing and domain name strategy, Bill is frequently called upon as an Expert Witness in internet-related legal cases. He's been sharing his insights, expertise, and research here on BillHartzer.com for over two decades.

Bill Hartzer on Search, Marketing, Tech, and Domains.

Hartzer Domains

Bare-Metal Servers by HostDime

DFWSEM logo

 

 

Brand Ambassador for:

Majestic logo

Oncrawl logo

Industry Friends

  • David Daniels
  • WTFSEO
  • SEO By the Sea
  • Jeff Lenney
  • Jeff Gabriel
  • Scott Hendison
  • Dixon Jones
  • Brian Hartzer
  • Navah Hopkins
  • DNAccess
  • SEO Dallas
  • Confirmed Stolen
  • Hartzer on IT.com
  • Jason Olson

Connect With Bill Hartzer

  • Bill Hartzer on X
  • Bill Hartzer on BlueSky
  • Bill Hartzer on Instagram
  • Hartzer Consulting on Facebook
  • Bill Hartzer on Facebook
  • Bill Hartzer on YouTube

Recent Posts

  • New Data: AI Visitors Sign Up 11x More Than Google Traffic
  • Businesses Fired the Human Overseer From Their AI. New Data Shows How Fast It Happened
  • When a Web Developer Holds Your Domain Name Hostage: “You Didn’t Pay Me” Is Not a Defense
  • Forget the Design Team: One URL Now Builds a Full Set of Ads
  • What People Actually Ask Before Turning a Video into an MP3
  • ChatGPT Just Beat Google at Sending Businesses Their Hottest Leads, 70 Million Calls Prove It
  • Which AI Model Should You Use? A Practical Guide by Task
  • Legal Tech Media Group Bets Big on AEO
  • The Domain Name Gap: What GoDaddy’s 2026 Most Entrepreneurial Cities List Reveals About Digital Presence in America’s Growth Markets
  • Remembering Bruce Clay: The Father of SEO and a Friend Who Changed an Industry
Note: All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only, and are mentioned only to help my readers. All other trademarks cited herein are the property of their respective owners. Use of these names, logos, and brands does not imply endorsement.

  Hartzer Consulting

Website, Content, and Marketing by Hartzer Consulting, LLC.
Disclaimer - Privacy Policy - Terms of Use - AI Instructions

Copyright © 2026 ·