• About
    • History of Dallas SEO
    • SEO Expert Witness Service
  • Contact
  • Topics
    • Bing
    • Blogging
    • Branding
    • Domain Names
    • Google
    • Internet Marketing
    • Link Building
    • Local Search
    • Marketing
    • Public Relations
    • Reputation Management
    • Search Engine Marketing
    • Search Engine Optimization
    • Search Engines
    • Social Media
    • Tech
  • Advertise
  • Email Newsletter

Bill Hartzer

Bill Hartzer on Search, Marketing, Tech, and Domains.

traffic analysis tools

Home » Google » Google Site Kit Gives Attackers Access to Google Search Console

Google Site Kit Gives Attackers Access to Google Search Console

Posted By Bill Hartzer on May 13, 2020at 4:41 pm

Site Kit by Google vulnerability

Not long ago, I installed the Google Site Kit WordPress plugin, as it is an official Google WordPress plugin. When you install the plugin, it gives you an easier way to view data from Google Analytics, Google Search Console, Google AdSense, and Google PageSpeed Insights. You can view this data for the entire site or you can view it per page or per post. It doesn’t really do anything special except make it easier for you to view the data. You can see it directly in the WordPress dashboard rather than having to go to each of those sites separately: Google Analytics, Google Search Console, Google AdSense, and Google PageSpeed Insights. Well, there’s a problem with the plugin: an attacker can gain access to your Google Search Console for the site, and presumably with access they could do some harm.

In this case, they have to be an authenticated user of the WordPress site. If they’re a WordPress user of the site, they could potentially get access to the Google Search Console if they didn’t already have that access.

Wordfence has discovered a vulnerability in the Google Site Kit WordPress Plugin. They recommend updating the plugin as soon as possible. Logging into a WordPress site (such as this one) where I had Google Site Kit installed, there is an update for the plugin. However, rather than updating it I chose to simply deactivate the plugin and then delete it.

Here’s what they found:
“In order to establish the first connection with Site Kit and Google Search Console, the plugin generates a proxySetupURL that is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.” They went on to explain that “Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed as part of the HTML source code of admin pages to any authenticated user accessing the /wp-admin dashboard.” They have to be an authenticated user of the WordPress site in order to see the code. That is my understanding.

Do You Need Google Site Kit?

I really haven’t seen any additional benefits from having the Google Site Kit WordPress plugin installed, as it does not give me any more functionality in my blog. It’s not helpful for users at all, just an add-on to the WordPress dashboard. If I need the data, then I can just go log into Google Analytics, Google Search Console, Google AdSense, or Google PageSpeed Insights. Also, adding more plugins that aren’t really necessary can help speed up the overall performance of the site, as it doesn’t have to load if the plugin isn’t installed. I’m personally a big fan of removing all plugins that are not needed, as it will help the site load faster, and the site is less vulnerable to security issues (as we can see with this Google Site Kit plugin).

My recommendation? Only install Google Site Kit if you absolutely can’t live without it. And here’s a hint: you don’t really need it.

Filed Under: Google

traffic analysis tools

Listen to "Digital Marketing with Bill Hartzer" on Spreaker.

About Bill Hartzer

Bill Hartzer is CEO of Hartzer Consulting, LLC, an SEO Consulting firm that includes services such as search engine optimization, technical SEO audits, domain name consulting, and online reputation management.

Recent Posts

  • Andrew Muller on Testing Google Ads Using Facebook Ads January 15, 2021
  • Mike Rhodes from Web Savvy On Google Ads January 8, 2021
  • How to Opt Out of Google Analytics December 16, 2020
  • Majestic Just Changed SEO and Linking Forever December 15, 2020
  • Yext Consumer Search Trend Predictions for 2020 December 8, 2020
  • SearchBox Launches SearchAI SmartSuggest, SearchAI Answers and SearchAI Personalization December 7, 2020
  • Google Poly is Shutting Down December 2, 2020
  • Domain Name Brokers Put FFF.com and HHH.com Domains Up for Sale December 1, 2020
  • Google Webmaster Tools Moves Twitter Account November 11, 2020
  • Email Deliverability, Setting Up DMARC, DKIM, and SPF on Your Domain October 29, 2020
  • The Bing Search Engine is Now Microsoft Bing October 6, 2020
  • Beck Power on Building Authority on Social Media and Repurposing Content October 2, 2020
  • Naira Perez on Paid Media, and an Intro to Social Paid Media, and Audiences September 17, 2020
  • Fake Birth Date Used on Google and Apple Accounts Is on Credit Report August 17, 2020
  • What is Bill Hartzer Disease? July 20, 2020
  • Web Host Agents Sending Fake Invoices for Website Hosting July 17, 2020
  • Duane Forrester On Search Intent and Internal Site Search July 9, 2020
  • Google Loses Blogspot.In Domain Name July 8, 2020
  • Peter Leshaw on In-House Digital Marketing and Dashboards for Reporting July 2, 2020
  • Mark Traphagen on Schema, Schema Tools, and On Page SEO Tools June 29, 2020

DFWSEM logo

Bill Hartzer is a Brand Ambassador for:



Industry Friends

WTFSEO
SEO By the Sea
Jeff Lenney
Jeff Gabriel
Phil Drinkwater
Dixon Jones

Connect With Bill Hartzer

Bill Hartzer on Twitter
Bill Hartzer on Instagram
Hartzer Consulting on Facebook
Bill Hartzer on Facebook
Bill Hartzer on YouTube

Categories

  • Advertising (19)
  • Bing Search Engine (6)
  • Blogging (42)
  • Branding (12)
  • Domain Names (197)
  • Google (228)
  • Internet Marketing (24)
  • Internet Usage (84)
  • Link Building (52)
  • Local Search (38)
  • Marketing (176)
  • Marketing Foo (30)
  • Pay Per Click (1)
  • Podcast (8)
  • Public Relations (8)
  • Reputation Management (9)
  • Search Engine Marketing (44)
  • Search Engine Marketing Events (47)
  • Search Engine Marketing Firms (19)
  • Search Engine Marketing Jobs (33)
  • Search Engine Optimization (156)
  • Search Engines (202)
  • Social Media (187)
  • Tech (7)
  • Web Analytics (16)




Note: All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only, and are mentioned only to help my readers. All other trademarks cited herein are the property of their respective owners. Use of these names, logos, and brands does not imply endorsement.




Hartzer Consulting



Website, Content, and Marketing by Hartzer Consulting, LLC.

Copyright © 2021 by Bill Hartzer and Hartzer Consulting, LLC.

Disclaimer - Privacy Policy - Terms of Use
Go to mobile version