Switch to HTTPS

Here's something you might have seen recently if you use Google Chrome to browse the Internet:

Chrome Not Secure Warning

This scary red 'not secure' warning now appears in the Chrome address bar whenever you type something in on a non-HTTPS web page.

What does this mean for my website?

If your own web address still begins with HTTP rather than HTTPS, Chrome users will see the warning whenever they enter any information on your site. It doesn't matter whether they're entering their credit card number, searching for a product, or just commenting on your latest blog post - as soon as they start typing, Chrome will display that little red warning triangle and inform them that your website is not secure.

Obviously, this may put people off using your website, particularly if you're asking them to enter sensitive and/or personal information like their name, location, telephone number, email address, card details, etc.

(If your site is already under HTTPS, you don't need to worry - Google Chrome doesn't show the 'not secure' warning on HTTPS pages.)

Why is this happening?

Chrome already showed a 'not secure' warning on non-HTTPS pages that requested sensitive info such as passwords and payment details.

But Google made it clear some time ago that this warning would eventually be displayed on all non-HTTPS pages, and they recently made good on this promise. Now, if you use Google Chrome to visit any non-HTTPS page, you'll immediately see this notice in your address bar:

And if you start typing text into any text entry field on that non-HTTPS page, that warning will turn red, like this:

This is Chrome's way of letting you know that the information you're inputting will be sent over an unencrypted connection.

How can I make sure the 'not secure' warning doesn't appear on my site?

Simple: switch to HTTPS!

If your website address begins with http:// rather than https:// then Chrome will show your users the 'not secure' warning whenever they type something on your website. Under an HTTPS connection, all information is sent encrypted to prevent unauthorised access. The same does not apply to an HTTP connection, which is why Chrome now shows this warning.

Online security is a big concern for Internet users nowadays. By switching from HTTP to HTTPS, you will not only be safeguarding yourself from Chrome's 'not secure' warning but also providing a bit of extra reassurance to your users. This will make them more likely to buy from you, or make an enquiry, or do whatever it is you want them to do. There is also some evidence that HTTPS websites rank better in the Google search results.

If you're a Designer Websites client and you'd like to switch from HTTP to HTTPS, please email info@designer-websites.co.uk or give us a call on 01446 339050.

GDPR FAQ

IMPORTANT NOTE: Unlike some companies who have written about this topic recently, we are not running a GDPR course, and so we will not be exaggerating the issues to scare you into parting with your cash. This is merely an advisory post for Designer Websites clients, many of whom have been asking us about the new law that will soon be in effect.

If you're a business owner, odds are you've already heard about the General Data Protection Regulation (GDPR) that will soon be in effect throughout the European Union. This new regulation is fairly complex, and many different claims are being made about it - not all of them accurate.

With that in mind, we want to do what we can to help you understand the new laws and what they mean for your business, particularly your website. You've probably got a lot of questions about the GDPR, and today we're going to attempt to answer some of them.

Please note that this post is for informational purposes only and should not be mistaken for professional legal advice. Designer Websites Ltd will not be held responsible for any other organisation's failure to comply with the GDPR or any other piece of legislation.

Contents:

  1. What is the GDPR?
  2. When will the new law take effect?
  3. Where does the GDPR apply?
  4. Why does my organisation need to be GDPR compliant?
  5. Who is responsible for ensuring that my organisation is compliant?
  6. How can I make sure I'm ready for the new law?
  7. What steps do the ICO recommend?
  8. Are Designer Websites GDPR compliant?
  9. Do I need to do anything about my website?
  10. Can Designer Websites help with GDPR compliance?
  11. Useful links

1. What is the GDPR?

The GDPR (General Data Protection Regulation) is an EU regulation that aims to improve data protection for individuals within the European Union. The regulation will give individuals more control over their personal information and how it is used.

Under the GDPR, organisations that process people's personal data will be expected to keep that data secure, be transparent about its use, and report data breaches promptly when they occur.

Here in the UK, the new data protection law will be enforced by the ICO (Information Commissioner's Office). An in-depth guide to the GDPR can be found on their website.

2. When will the new law take effect?

The GDPR was adopted in April 2016, but it is not yet in effect. It will be enforced from 25 May 2018 onwards. Your organisation will need to be compliant with the new law by that date.

3. Where does the GDPR apply?

The GDPR is an EU regulation, and thus it will apply to all EU member states. This will include the United Kingdom, even after Brexit.

The GDPR also applies to any organisations who process the personal information of individuals within the EU. For example, Facebook and LinkedIn are both based in the USA, but since they hold personal data on EU citizens and residents, these companies will be expected to comply with the new regulation just as if they were based inside the EU.

4. Why does my organisation need to be GDPR compliant?

Once the new law is in force, your organisation will be required by law to comply with the General Data Protection Regulation. After 25 May, if you are found to be in violation of the GDPR, you will be breaking the law, and may thus be subject to a number of sanctions.

That said, the ICO have made it clear that they view fines as a last resort, and will only use them to punish companies who "systematically fail to comply with the law or completely disregard it". Information Commissioner Elizabeth Denham has stated the following:

"The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR...we intend to use [our increased] powers proportionately and judiciously. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand...the GDPR gives us a suite of sanctions to help organisations comply - warnings, reprimands, corrective orders." [source]

So don't panic when you see people using scaremongering tactics and telling you that you'll be fined millions of pounds if you aren't GDPR compliant by 25 May - this is simply not true. The important thing is that you're making a reasonable effort to comply by being transparent about your data collection practices and keeping people's personal information secure.

5. Who is responsible for ensuring that my organisation is compliant?

Short answer: you are. If it's discovered that your organisation is not complying with the GDPR, it's your organisation that will be held to account.

The long answer is a little more complicated. The new regulation makes the following distinction between what the EU call 'controllers' and 'processors':

  • Controllers determine the 'purposes and means' of processing personal data (e.g. if you collect information about your customers and use that information to either communicate with them or make decisions about them, then you are a controller).

  • Processors are the ones who actually handle the data on behalf of a controller (e.g. companies like Sage, Salesforce, Infusionsoft and MailChimp are processors because they provide a service that involves processing data on behalf of controllers).

It is quite possible that you are both a controller and a processor of some personal data.

Both controllers and processors have some responsibilities under the GDPR. Processors must keep accurate records of the data itself and of processing activities; they are responsible for keeping people's personal data secure, and will be held legally liable in the event of a breach. However, controllers may also be held liable if they use a processor without ensuring that the processor is GDPR compliant.

Since virtually all organisations process some personal data themselves - even if it's just their own employee records - nobody will be off the hook when the GDPR comes into force on 25 May. So now let's answer the most important question of all...

6. How can I make sure I'm ready for the new law?

The most important thing is to demonstrate that your organisation has made a reasonable effort to comply with the GDPR and protect the rights of the individuals whose personal data you store and/or process. As you've already seen, the Information Commissioner's Office will only be issuing fines to the very worst offenders - they're more interested in helping businesses to understand and comply with the new law in order to protect individuals' rights as best as possible. In fact, if this whole thing has you feeling completely lost, you may want to make use of the ICO helpline (open 0900-1700, Mon-Fri).

So what exactly will you need to do from 25 May onwards? Well, the right approach will differ from one organisation to the next, but here's a good rule of thumb: before you collect or process someone's personal data, make sure you...

  • Have a clear reason - and a lawful basis - for doing so. Know why you're collecting other people's information, and know whether that reason is defensible in the eyes of the law. Under the GDPR, there are 6 valid legal reasons for organisations to collect personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Details on all 6 lawful bases can be found here; for the majority of businesses, the most applicable basis will either be consent (the individual consented to you collecting and processing their information) or legitimate interests (you have a valid business reason for collecting the data, and you are not infringing on the personal rights of the individual).

  • Are only collecting what's necessary. You should only ever collect/process personal data if it is necessary to your stated goal. For instance, you might reasonably collect a customer's name and contact details so that you're able to reach them, but that's no reason to also collect information on their race, nationality, date of birth, etc.

  • Know how long you will be holding on to that data. The GDPR doesn't allow organisations to keep people's personal information indefinitely just because. Once you know why you're collecting personal information (see first point), you should also assess how long you'll need to keep the data in order to meet that goal. This doesn't necessarily need to be a specific number of days or months - it could just be 'for as long as that person remains a customer' or 'until that person unsubscribes from our newsletter'.

  • Will be able to keep this data secure. This may mean installing security software or making organisational changes to ensure that only authorised personnel are able to access the collected information.

  • Will be able to respect the individual's rights to access and erasure. Under the GDPR, individuals have the right to view all personally-identifiable information that an organisation holds on them. In addition, they usually have the right to request that this information be deleted. Ensure that your data subject(s) will be able to make these requests, and that you'll be able to honour them in a timely manner - requested information will need to be supplied within 1 month of receiving the request, and while there are certain circumstances under which you can refuse to delete personal data (see 'When can I refuse to comply with a request for erasure?'), you will generally need to comply with deletion requests as quickly as possible too.

7. What steps do the ICO recommend?

The ICO have put together a helpful list of 12 steps that organisations should take ASAP in order to prepare for the General Data Protection Regulation. By now, you hopefully have a reasonably clear idea of what your responsibilities will be under the new law, but if you're not sure what actions you now need to take, this list is a great place to start.

So let's go through the 12 recommended steps in a little more detail:

1) Make sure everyone's aware of the new law.

Speak to the key decision-makers within your organisation and ensure that they understand the new law and what it requires of them.

2) Document all personal data you currently hold.

You probably already have at least some personal data on record. Now is a good time to review:

  • What data you hold
  • Where it came from
  • Whether you still need it
  • How you're using it
  • Who has access to it
  • Whether you have a lawful basis for keeping it

An information audit may help with this step.

3) Review your privacy policy.

People who interact with your organisation should be able to access a copy of your privacy policy (most companies publish it on their website). Read over your privacy notice and revise it if necessary to ensure that it complies with the GDPR.

If you're not sure what your privacy policy needs to include, you may wish to refer to our own privacy policy as an example - however, please bear in mind that every business is different, and your privacy notice may need to cover certain things that ours does not.

4) Make it easy for individuals to make information requests...

As we've already covered, data subjects have the right to know what information you have on them. Try to make it as easy as possible for data subjects to submit information requests - for instance, you might put a contact form on your website for this purpose, or set up a dedicated email address for right of access requests.

Larger companies may choose to provide an automated system to allow their customers to view, update and delete their own personal information manually. However, developing a tool like this would probably be overkill for small/medium-sized businesses who do not expect to receive many requests.

5) ...and ensure that you're able to respond to these requests.

In addition to the above, you need to make sure that your systems allow you to quickly retrieve and, if necessary, delete people's personal information when they request it. Ensuring that this can be done in a timely manner will help you to comply with the GDPR, and it will save you valuable time if and when a request is submitted.

6) Identify a lawful basis for your data collection / processing.

Remember, there are 6 lawful bases for processing data - make sure you understand them, and identify which one applies to your activities. Bear in mind that you can't change your mind later (e.g. if you collected a customer's contact details on a 'consent' basis because they agreed to receive promotional information from your organisation, you cannot use those details for other purposes on the basis of 'legitimate interests').

Your choice of lawful basis should be documented in your privacy notice - see step 3.

7) Check how you establish consent.

If you collect people's personal data on a 'consent' basis (see above), you need to:

  • Give individuals a clear way to give - or withhold - consent
  • Make it clear what individuals are consenting to

For instance, if there is a form on your website that requires people to enter their contact details, you need to be EXPLICIT about what you plan to do with those contact details. If you're going to send promotional emails, say so. If you plan to share the individual's details with your partner companies, make this clear.

Consent should never be the default option. Here's something you've probably seen quite often on the Internet:

☐ Tick this box if you do not wish to receive promotional emails from us.

In this example, users are automatically consenting to receiving emails until they tick the box. Under the GDPR, this sort of thing will not be allowed - the message above would need to be changed to 'Tick this box if you wish to receive promotional emails from us' or something similar. Make sure you're ASKING for consent instead of giving the option to withdraw it.

8) Think of the children!

Children under the age of 13 cannot legally consent to the collection and processing of their own personal data. A parent or legal guardian must consent on their child's behalf.

If you think that children may interact with your organisation, it may be necessary to implement some kind of age verification system on your website and/or set up a simple way for parents and guardians to consent to data processing activities.

9) Know how to respond to a data breach.

If a security breach allows unauthorised personnel to access the personal data that you hold, you will be expected to respond to the breach properly. Make sure you have an established procedure in place for detecting, reporting and investigating data breaches. (Remember, if you're based in the UK, breaches must be reported to the ICO within 72 hours.)

10) Familiarise yourself with the guidelines.

You're already reading up on the General Data Protection Regulation, but now is also a good time to familiarise yourself with other relevant guidelines, especially the ICO's code of practice for conducting privacy impact assessments.

11) Designate a data protection officer.

While everyone in an organisation has a role to play in keeping data secure and complying with the law, you should appoint (formally or informally) a data protection officer to take overall responsibility for compliance and security.

12) Determine your lead data protection supervisory authority.

If you solely operate within the UK, your data protection supervisory authority is the ICO (Information Commissioner's Office). If you hold information on individuals in other EU member states, you should identify the authorities for each of those countries and determine which is the 'lead' authority for your organisation.

8. Are Designer Websites GDPR compliant?

Yes, we are. In fact, we have always been compliant; from the very beginning, we were always extremely careful to store / process customer and staff details securely.

We keep our servers (which hold the data we collect and record for our customers) in a purpose-built secure data centre with firewalls, secure access and activity logging. We have our own defined procedures in place for tracking and using the data that we record. We have always had a designated data protection officer, and we have an up-to-date privacy policy.

When an enquiry is submitted via our website, we do not store the submitted information in a database - we simply receive an email containing the content of the submitted form. These emails are deleted after 12 months.

9. Do I need to do anything about my website?

As stated earlier, all businesses - and all business websites - are different. We can offer some general guidance to help you ensure that your website is GDPR compliant, but please remember that it is your responsibility to familiarise yourself with the new law and ensure that every part of your organisation is following it.

With that said, we recommend the following:

  1. Update your privacy policy and cookies policy. Make sure these documents are accurate and exhaustive. Explain all the ways you collect people's data through your website, how that data is used, and how people can contact you to request access to / deletion of their information.

  2. Review the forms on your website. If your website contains any forms that ask users to enter personal data, you must declare why you are capturing that information and what you intend to do with it (e.g. 'we will use this information to inform you about future offers' or 'we reserve the right to share this information with our partner companies'). This should be stated on the form itself as well as in your privacy policy (see above).

  3. Stop making consent the default option. If you use pre-ticked checkboxes on your web forms (or require the user to tick a box to opt OUT of something), you will need to stop doing this before the GDPR comes into force. Ensure that users cannot consent to anything through a lack of action - for instance, users should have to tick a box when they DO wish to be added to your mailing list, not when they want to be kept off it.

  4. Make sure you have consent for any data you already hold. If you have collected people's personal details in the past, you should make sure they are still happy for you to keep hold of them. For example, you may need to make it easier for people to unsubscribe from your mailing list if they no longer wish to be on it.

  5. Ensure that people are able to view and delete their personal information. As we mentioned earlier, you may wish to set up an automated system that allows your customers to manage their own personal data, but a contact email address is sufficient if you're not expecting a lot of requests. Just make sure that anyone looking to access their personal data has a clear way to do it.

10. Can Designer Websites help with GDPR compliance?

It is ultimately your responsibility to comply with the GDPR law, but if you need any help from the Designer Websites team then we will of course assist you wherever possible.

For instance, if you need us to make your web forms compliant, or if you need help with your website's privacy policy, please email info@designer-websites.co.uk and ask for assistance. This work is chargeable (our usual rates apply), and each website is different, so we would have to add you to our list of requests and assess how much time would be needed to make your site compliant. Please bear in mind that we manage hundreds of websites, and it may be some time before your changes can be made.

11. Useful links

From October 2017, Chrome will show a 'NOT SECURE' warning on any HTTP page containing a text form

Switch your website to HTTPS

Google are currently on something of a crusade. They want their users to feel totally secure as they browse the web, and so they've been doing their best to force website owners to take user security more seriously. Google Chrome already shows a 'Not secure' warning on non-HTTPS pages that collect sensitive data; for instance, checkout pages and login screens must be served over an HTTPS connection in order to ensure that card details, passwords, and other sensitive details are encrypted. If you're asking users to enter that sort of information on an HTTP page, Chrome will flag up the risk with a notice like this:

Google Chrome 'Not Secure' Warning

As things stand, that 'Not secure' warning is only shown on pages where a user is explicitly asked to enter 'sensitive' data, such as:

  • Passwords
  • Credit / debit card details

However, Google have now announced a major change that could cause a lot of problems for website owners. As of October 2017, the 'Not secure' warning will appear on EVERY non-HTTPS page that contains a text input form, regardless of the form's purpose.

This means that, from October onwards, the following pages will need to be secured with an SSL certificate:

  • Any page with a search bar
  • Any page with a contact / enquiry form
  • Any page with a newsletter signup form

Basically, if your page contains ANY element that allows the user to enter and submit some sort of information - whether it's their credit card number, their email address, or the name of the product they're looking to buy from your website - then you'll need to get that page secured with an SSL certificate by October.

With this change looming on the horizon, a lot of website owners will need to think very seriously about implementing HTTPS across all pages if they have not already done so. For instance, it's quite common for ecommerce sites to use HTTPS on their login/register and checkout pages while serving all other pages over an unsecured HTTP connection, but once this Chrome update takes effect, the people who visit those websites will start seeing 'Not secure' messages everywhere they click.

And those two little words will often be enough to put off potential customers and send them running to a fully-secured competitor instead.

What do I need to do?

If you are currently serving text input forms over an HTTP connection, you will need to purchase an SSL certificate and install it on the server where your website is hosted. You will then need to update things like canonical tags and internal links so that they point to your website's new URL (beginning with https:// rather than http://). You will also need to ensure that the proper redirects are in place so that anyone trying to access the HTTP version of your website is automatically sent to the secure HTTPS version.

If that to-do list seems a little intimidating, don't worry - all you really have to do is ask your website developer to make the necessary changes for you. They will know how to install the SSL certificate and update everything 

Do I need to switch to HTTPS if my website doesn't contain any forms?

Perhaps you've been reading this and thinking 'this doesn't concern me - I don't have any search bars, contact forms or anything like that on my website, so I must be safe'.

If so, we have some bad news for you. Google have made it quite clear that the October update will merely be the latest step towards their ultimate goal, which is to mark ALL HTTP pages as 'Not secure'.

This week, Google sent out an email to webmasters warning them of the imminent expansion of the 'Not secure' message. That email included the following ominous statement:

"The new warning is part of a long term plan to mark all pages served over HTTP as 'not secure'."

So while your unsecured website may survive the update in October, you won't be able to escape that 'Not secure' shame notice forever. And given that users are increasingly expecting to see that little green padlock at the top of their screens no matter what they're doing online, it's probably a good idea to get that SSL certificate and upgrade to HTTPS sooner rather than later.

Further Reading: Why Convert Your Website to HTTPS?

UPDATE (12th Dec 2016): Google recently announced that HTTP websites that collect sensitive data (e.g. passwords, payment details) will soon be flagged as 'not secure' when someone attempts to view them on the Google Chrome web browser. This means that, if your website requires users to enter login details and/or personal information, it is now even more important that you follow the advice given below and secure your site by upgrading to HTTPS. Failure to do so ASAP may lead to a sharp decrease in site traffic as Chrome begins to warn people away from your site.

Why Convert Your Website to HTTPS?

There’s lots of chatter on the internet, and particularly within the SEO community, about implementing site-wide HTTPS for websites, and you may be wondering why. In the first instance, website owners are making the shift predominantly because Google have (relatively recently) stated that, because HTTPS is inherently more secure for internet users, they have added it as a ranking factor within their SERP algorithms. There are other reasons, of course (chiefly the added security), but most website owners whose websites were not previously secured by an SSL certificate are having to think about the switch simply to stay ahead of the competition.

We’ve been building secure websites for ecommerce for over a decade; this is normal practice when handling transaction and customer details, but not so much for basic brochure-style websites. However, we recently converted a brochure-only website for one customer to a more secure HTTPS website; take a look at composite decking suppliers TimberTech.

Timbertech are among the first of our customers to switch to a site-wide HTTPS website, and we’re very closely monitoring their rankings to see if this has any effect on the SERPs. We anticipate carrying out this task for a great many of our customers over the coming months, and we think that if you have not already done so, then you should seriously start thinking about doing this for your website. Here are two reasons why:

1. A more secure browsing experience for your users.

All data sent via HTTPS is encrypted, meaning that it cannot be read by anyone but the intended recipient. As mentioned, we always use the HTTPS protocol at the checkout stage of our ecommerce websites, thus ensuring that each customer's payment details and personal information are handled securely. However, many non-ecommerce site owners are now opting to switch to HTTPS too, and it's not hard to see why: even if no payment information is sent via your site, it can still give users extra peace of mind to know that any other sensitive information they enter (email addresses, telephone numbers, login details, etc.) will be safely encrypted by your website.

2. Potentially higher Google rankings.

The primary aim of any search engine is to deliver the best possible results to the end user, and since online security is a major concern for many web users right now, companies like Google and Bing are always looking for new ways to identify secure, high-quality websites.

Google announced some time ago that HTTPS had been incorporated into their algorithm as a "lightweight" ranking signal, potentially giving HTTPS websites a slight advantage over standard HTTP sites in the search engine's results. We've seen a lot of debate over how much difference HTTPS can actually make to a site's rankings, but while it would be foolish to suggest that HTTPS is some kind of miracle solution, it seems fairly safe to say that converting to HTTPS can at least make a small difference to a site's organic search positions. This blog post from ahrefs.com suggests that HTTPS, when implemented properly, does correlate with higher search rankings.

However, that brings us to an important point: if you're going to make the leap from HTTP to HTTPS, it's important to ensure that it's done properly. Among other things, you will need to implement the proper redirects throughout your site, and make sure that there is a single canonical version of each URL.
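Doing it properly means checking the things the previous post's to-do list mentions (canonical tags, internal links, redirects) and the single-canonical-URL point above. The following Python script is an added example, not code from the original posts or from Designer Websites: it audits a page for links that still point at the site's own http:// origin (it also covers stylesheet, script and form-action URLs, which the posts do not mention but which trigger mixed-content blocking), rewrites them, and checks a captured HTTP-to-HTTPS redirect. The hostnames, sample page and redirect response are constructed for the demonstration.

```python
"""Audit a page's links and its HTTP redirect for the switch to HTTPS.

Added example (not code from the original post or from Designer Websites);
the sample HTML, hostnames and captured redirect are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tag -> attributes that may carry a URL worth checking.
URL_ATTRS = {"a": ("href",), "link": ("href",), "img": ("src",),
             "script": ("src",), "iframe": ("src",), "form": ("action",)}


class InsecureLinkAuditor(HTMLParser):
    """Collect attribute values that point at http://<own host>. Relative
    links inherit the page scheme and third-party hosts are not ours to fix,
    so only absolute http:// references to the site's own hosts count."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (tag, attribute, url, is_canonical)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            url = attrs.get(name)
            if not url:
                continue
            parts = urlsplit(url)
            if parts.scheme.lower() == "http" and parts.hostname in self.own_hosts:
                rel = (attrs.get("rel") or "").lower().split()
                self.findings.append((tag, name, url, tag == "link" and "canonical" in rel))


def audit_html(html, own_hosts):
    """Return the list of (tag, attribute, url, is_canonical) findings in page order."""
    auditor = InsecureLinkAuditor(own_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def upgrade_url(url, own_hosts):
    """Rewrite http://<own host>/... to https://; other URLs are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "http" and parts.hostname in {h.lower() for h in own_hosts}:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def rewrite_html(html, own_hosts):
    """Upgrade the flagged URLs by exact textual substitution. A URL written
    with entity-encoded characters (e.g. &amp;) is reported by audit_html but
    not matched here, so it is left for manual editing."""
    for _tag, _attr, url, _is_canonical in audit_html(html, own_hosts):
        html = html.replace(url, upgrade_url(url, own_hosts))
    return html


def check_http_redirect(request_url, status, location):
    """Check a captured response for the http:// version of a URL. An empty
    result means a permanent (301) redirect to the same host, path and query
    on https://, which is what a clean migration needs."""
    problems = []
    req = urlsplit(request_url)
    if status != 301:
        problems.append(f"expected a 301 permanent redirect, got {status}")
    if not location:
        problems.append("no Location header")
        return problems
    loc = urlsplit(location)
    if loc.scheme.lower() != "https":
        problems.append("redirect target is not https://")
    if loc.hostname != req.hostname:
        problems.append(f"redirect changes the host to {loc.hostname}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("redirect drops the requested path or query string")
    return problems


# Constructed sample page for a site that has just been moved to HTTPS.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="canonical" href="http://www.example.co.uk/products/">
<link rel="stylesheet" href="http://www.example.co.uk/css/site.css">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://www.example.co.uk/contact/">Contact</a>
<a href="/about/">About</a>
<a href="http://www.othersite.example/">Partner</a>
<img src="//www.example.co.uk/img/logo.png">
<form action="http://www.example.co.uk/search" method="get"><input name="q"></form>
</body></html>
"""
OWN_HOSTS = ["www.example.co.uk", "example.co.uk"]

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, OWN_HOSTS):
        print("still http:", finding)
```

Run against a saved copy of each page before and after the changeover; the canonical tag is the one finding that costs rankings rather than just a browser warning, so it is flagged separately.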

If you'd like the Designer Websites team to help you upgrade your site from HTTP to HTTPS, please get in touch - we will ensure that the changeover is handled properly, giving you the best possible chance of achieving higher rankings and meeting the expectations of your users.

Block referrer spam

If you use Google Analytics to track the performance of your website (and you definitely should!), you may have noticed something strange going on in your traffic reports of late. Does this look familiar to you?

Referral spam

If you've seen URLs like buttons-for-your-website.com and 100dollars-seo.com in the 'Referrals' section of your Analytics account, then you - like countless others - are a victim of referral spam. This is when spammers send phony visits to your site so that their name will appear in your Analytics reports.

Hold on - why are people doing this?

For the spammers behind buttons-for-your-website.com and the like, fraudulently appearing in somebody else's Analytics report is like a very unorthodox kind of advertising.

Allow us to explain. When your website gets referrals from a site you don't recognise, your first course of action will probably be to check out that site and find out why you're receiving traffic from them - for all you know, somebody has written a blog post about you or reviewed one of your products. So you type buttons-for-your-website.com into your browser's address bar and press enter...

...and that's how they get you. As soon as you visit your new referrer's website, their shady marketing tactic has worked and they've won. Bear in mind that these spammers have most likely been targeting many thousands of websites; your one inquisitive visit may not seem like much, but multiply it by a hundred thousand and you may begin to see what these people stand to gain by inserting themselves into other people's Analytics data.

The end goal of all this varies depending on which spammer you've been hit by; some want you to sign up for their SEO service or install their button on your blog, whilst others simply get money for every hit their website receives.

Is this a problem?

At first, you may not see much reason to do anything about these referral spammers, but the more they do it, the more your Analytics data will become skewed and inaccurate. For example, Analytics might tell you that you received 3,000 visits last month - a new record for your site - but, upon closer inspection, you'll realise that roughly a third of those visits came from spammers instead of real people.

In short, referral spam makes Google Analytics much harder to use properly, and if you want to get a truthful impression of how well your site is performing, we strongly recommend that you take action.

So how do I block referrer spam?

We're glad you asked. Broadly speaking, there are two types of referral spam: bot referrals and ghost referrals. In this blog post, we'll tell you how to tackle 'em both.

Part 1 - Terminating Your Bots

Some spammers use bots to invade our Analytics accounts, setting up programmes that automatically visit people's websites over and over again. Since Google Analytics can't differentiate between a legitimate session and an automated one, these visits will be counted alongside all of your real customers, and after a while they'll really start to pile up.

Here's how to block bot referrals and put an end to your own personal robot uprising:
  • Log into your Google Analytics account and click on the Admin tab at the top of the page.

  • In the right-hand column, select your preferred View and click Filters. Then, on the next page, click + NEW FILTER.

  • Select Create new Filter and give your filter a sensible name, like this:
Death to spam
  • Under Filter Type, click Custom. Then, click Exclude and, from the drop-down menu, select Campaign Source.

  • In the box marked Filter Pattern, type the name of the website(s) whose referrals you wish to block. If you are blocking multiple referrers, separate each website name with a | rather than a space. You should end up with something like this:
buttons-for-your-website.com|100dollars-seo.com|www.event-tracking.com
  • Click Save to apply your filter and lock the specified websites out of your Analytics reports. Note that you may need to add more websites to the Filter Pattern field further down the line - if so, just add a | to the end of your original list and add the new sites as above.

Part 2 - Exorcising Your Ghosts

Ghost referrals are tricky. These spammers never actually land on your website (not even via an automated bot, like the spammers covered in Part 1); instead, they send information straight to Analytics saying that they've been on your pages.

Fortunately, there is a way to stop them. Here's our step-by-step guide to busting ghost referrals and restoring peace to your Google Analytics reports:

  • On your Google Analytics reporting screen, set the date range to show the past year's worth of data.

  • On the left-hand side of the screen, click Audience > Technology > Network. Then, just underneath the main line graph, you'll have the option to set a Primary Dimension - set this to Hostname instead of Service Provider.

  • You will now be shown a list of hostnames that have used your website's tracking ID in the past year. Your main site URL will (hopefully) be the most prominent, but you'll probably see a bunch of others that aren't so familiar:
Hostnames
  • Make a note of all valid hostnames on this list. This will include your domain name, but it may include other sources too - if you have pages on the domain/server in question, it's probably a legitimate source of Analytics data. In the list above, www.henstuff.co.uk (main website) and freedapromotions.us2.list-manage.com (mailing service) are valid hostnames; the others are spam referrers.
IMPORTANT! You may find that google.com and other seemingly reputable names like mozilla.org and firefox.com appear as hostnames in your Google Analytics report. However, since you probably don't have any pages on the Google servers themselves, this traffic is almost certainly spam. Some spammers fake a 'google.com' hostname to appear legitimate and escape the attention of site owners like you. Don't be fooled - ignore these hostnames!
  • Once you've made a list of all valid hostnames, click the Admin tab at the top of the screen. Then, go to the right-hand column, select your preferred View, and click Filters.

  • Click the + NEW FILTER button; then, on the next page, select Create new Filter and give your filter a sensible name, like this:
Ghostbusters reference
  • Under Filter Type, select Custom; then, set the filter to Include > Hostname.

  • In the Filter Pattern box, type each of the valid hostnames you noted down earlier. Again, use the | vertical bar to separate hostnames instead of spaces. Your filter pattern should look like this:
www.henstuff.co.uk|freedapromotions.us2.list-manage.com
  • Click Save to finalise the new filter and block all traffic that isn't using a legitimate hostname.

One final tip: after you've applied the filters described above, it's a good idea to create a new View in Google Analytics (without any filters). This will allow you to compare your filtered, spam-free traffic with Google's raw data and spot any genuine traffic sources you've accidentally blocked.
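Both filters from Part 1 and Part 2, modelled in code as an added example (neither Google's code nor the Designer Websites team's). The Filter Pattern field is a regular expression, which is why | works as "or": the helper below escapes the dots and, for the hostname Include filter, anchors the pattern so a lookalike hostname cannot slip through. The session rows, ghost-referrer.example and the .example hostname are constructed sample data.

```python
import re

# Constructed sample sessions in the shape GA reports them: (hostname, campaign source).
SESSIONS = [
    ("www.henstuff.co.uk", "google"),                         # genuine organic visit
    ("www.henstuff.co.uk", "buttons-for-your-website.com"),   # bot referral (Part 1)
    ("freedapromotions.us2.list-manage.com", "newsletter"),   # mailing-service pages, valid
    ("google.com", "ghost-referrer.example"),                 # ghost hit with a spoofed hostname
    ("www.event-tracking.com", "www.event-tracking.com"),     # ghost hit, never touched the server
    ("www.henstuff.co.uk.example", "google"),                 # constructed lookalike hostname
]

SPAM_SOURCES = ["buttons-for-your-website.com", "100dollars-seo.com", "www.event-tracking.com"]
VALID_HOSTS = ["www.henstuff.co.uk", "freedapromotions.us2.list-manage.com"]


def filter_pattern(names, anchored=False):
    """Build a GA Filter Pattern: names joined with '|' (regex alternation).
    Dots are escaped so 'henstuff.co.uk' cannot match 'henstuffXco.uk'; with
    anchored=True the whole hostname must match, so lookalikes are rejected."""
    body = "|".join(re.escape(n) for n in names)
    return f"^(?:{body})$" if anchored else body

def exclude_campaign_source(sessions, pattern):
    """Part 1: Filter Type Custom > Exclude > Campaign Source."""
    rx = re.compile(pattern, re.IGNORECASE)  # GA filters match case-insensitively by default
    return [s for s in sessions if not rx.search(s[1])]

def include_hostname(sessions, pattern):
    """Part 2: Filter Type Custom > Include > Hostname."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [s for s in sessions if rx.search(s[0])]

def filtered_view(sessions, spam_sources, valid_hosts):
    """Apply both filters in order and report what each dropped, so the result can be
    compared against the unfiltered View as the final tip above recommends."""
    after_bots = exclude_campaign_source(sessions, filter_pattern(spam_sources))
    after_ghosts = include_hostname(after_bots, filter_pattern(valid_hosts, anchored=True))
    return {
        "kept": after_ghosts,
        "bot_referrals": [s for s in sessions if s not in after_bots],
        "ghost_referrals": [s for s in after_bots if s not in after_ghosts],
    }


if __name__ == "__main__":
    for bucket, rows in filtered_view(SESSIONS, SPAM_SOURCES, VALID_HOSTS).items():
        print(bucket, rows)
```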

Need more help managing your Analytics account? Get in touch with Designer Websites now.