How To Find Spies In Your Website

Nearly every website has code included from other websites, whether from Google, your mailing list manager, or a social network. These bits of code are aware they’re on your site and what your visitors are doing. They’re not necessarily malicious, but you should be aware of who is watching. I’ll show you how.

Transcription:

I realized the other day that I start every single one of these tip videos the exact same way. “Hey, folks! Welcome to another HeroPress Tip of the Week.” So this week it’s a little different. That’s about as different as it’s gonna get. This week we’re going to talk about spies in the code of your website. 

Now, two things I want to say right away. Almost every website has them, and they’re not necessarily malicious, and so you don’t need to freak out. But I do believe that you should know what’s in there and what they’re looking at and just kind of what’s going on. 

So let’s take a look first. We’re here at wordpress.com, and we’re going to go to the source code of the web page. So we right-click and view page source. I’m using the Brave browser. Nearly every browser has this feature. Firefox phrases it a little differently, Chrome phrases it a little differently, but every one of them you can view page source.

And it looks like this. This is HTML, for those who are unfamiliar. There’s a little JavaScript right here. And what we’re looking for is code that includes code from other websites. And that can be a little confusing. You say, “I’m not a developer. I don’t know what I’m looking for.” Well, there are some easy things to search for, and I’m going to show you what they are. 

The first is search for “Google”. So I’m going to click here at the top just so that my search starts at the top, and I’m going to search this page, and I’m going to search for “Google”. And right here at the top, we have this thing called DNS-prefetch. These are not spy things. This is telling your browser, “I’m going to ask for some stuff from these websites later. Please get ready.” And so it does. 

So I search for the next one and the screen stuff starts with this exclamation point, dash dash. So this is a comment. That doesn’t do anything. But the very next line says script source googletagmanager.com and it includes some JavaScript. Now, I have no idea what that does. In general, I do. It’s Google Tag Manager. It’s keeping track of analytics on my site and all kinds of stuff. But I’ve never read that code. I don’t know JavaScript. It wouldn’t do me any good if I did read it. They could be doing anything in there. 

So it’s good to know that Google is doing something with Tag Manager right here. Let’s search again. So this is inside a comment. So that doesn’t matter. This is also a comment, that doesn’t matter. Now, these refer to Google, but this is on heropress.com. So it’s my own code. 

Let’s go a little deeper. This is a second file coming from Google Tag Manager. I don’t know why that is. That makes me curious. Now, while we’re here, I’m going to show you this other thing. See, we’re looking at MailerLite here. That’s a service I know and use. It handles this subscription form right here. So I know it’s there. But they also are including a JavaScript file. And it’s probably perfectly benign and doing exactly what it’s supposed to. But I don’t know. I’ve never read it. I’ve never paid a security analyst to go through it and tell me what they’re doing. Are they reading cookies? Are they tracking my people? I don’t know. 

So that was Google and MailerLite. And you may recall there were two DNS-prefetches, and one was for… let’s see, wp.com. And sure enough, right here, they’re including a JavaScript file. And this is for jetpack stats. I know I’m using Jetpack Stats. This is not a secret. They didn’t slip something by me, I put it here. But I’ve never read this code and I don’t know what it does, for sure. So I trust them. I have to. So that’s it from wp.com. 

Now, I’m going to switch over to my personal site here. This is an older theme. I made this theme eight years ago. So we’ll look at the page source, and right at the top you’ll see that I included fonts. Now this code is condensed. So that first line is actually really long. But it doesn’t condense the font tags. And you can see right here, it’s including gstatic.com, blah, blah, blah, that TTF.

Now, these TTF files are fonts. They’re not code. They’re not going to run code on my site. But you can bet that Google is tracking what sites are downloading these TTF files, and what browsers. So they’re not just looking at my site, they’re looking at my visitors and knowing that they’re using those fonts. Down here is a preload for all that font stuff. 

Let’s see what else we have for Google. There’s DNS-prefetch. Okay, not a whole lot from Google. Gstatic is also Google. So let’s search for Gstatic. There’s a prefetch. There is a preconnect. Okay, the Gstatic URL is used for the fonts. 

I’m going to search real quick for jQuery. It’s not so common anymore but for a while it was very common to include jQuery from a remote server. So I’m including it here from my own server. And that’s great. But for years, Google offered it as a service and people would download jQuery, which is a huge blob of JavaScript and probably was perfectly benign. But again, what do I know? 

So there’s that. What else do I have on my site here? So these tracks come from… Let’s see. Is there a link here? Last.fm. So let’s see if Last.fm has got anything on my site. Probably not. I think that’s an RSS feed. Last.fm. There we go. So that’s just a link up to their site, and that’s it. So Last.fm is not sneaking anything in here. That’s just RSS. I used to have a Twitter thing but Twitter broke. So that’s what it does.

So I’m not going to show you too many more. You get the idea. Services that you use include code on your site. I’m using Google Fonts, Google Analytics, Jetpack Stats, MailerLite. Any service you have is probably going to slip a little code in your site. And you should be aware of that. It’s probably safe. If you didn’t think the company was safe, you shouldn’t use the company. But you should look around and know what’s on your site. I hope you find this useful.
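The manual search in the video (view source, look for script tags, DNS-prefetch hints and font files pulled from other hosts) can be automated so you get the same inventory for every page. The script below is an added example, not code from HeroPress or from the video; it uses only the Python standard library, assumes the site's own host is `example.com`, and runs over a constructed sample page that stands in for the real page source. It goes a little beyond the walkthrough by also counting preconnect hints and iframes, and it separates the hosts that merely get a hint or serve a font or stylesheet from the hosts that actually run code on the page (script and iframe). Because the HTML parser skips comments, a commented-out include is ignored, just as the video says it should be.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, loosely modelled on the includes the video points at.
# Hostnames are illustrative, paths are made up, and the ids are placeholders.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<link rel="dns-prefetch" href="//www.googletagmanager.com">
<link rel="dns-prefetch" href="//stats.wp.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Example">
<link rel="preload" as="font" href="https://fonts.gstatic.com/s/example/font.ttf" crossorigin>
<!-- <script src="https://www.googletagmanager.com/gtag/js?id=OLD-ID"></script> -->
<script src="https://www.googletagmanager.com/gtag/js?id=PLACEHOLDER-ID"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://example.com/wp-content/themes/my-theme/theme.js"></script>
<script src="https://static.mailerlite.com/js/example.js"></script>
<script src="https://stats.wp.com/example.js"></script>
<script>console.log("inline script, no src");</script>
</head><body>
<iframe src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
<a href="https://www.last.fm/user/example">Last.fm</a>
</body></html>
"""


def host_of(url):
    """Return the lowercase hostname of a URL, or None for relative/data URLs."""
    if url.startswith("//"):          # protocol-relative, common for prefetch hints
        url = "https:" + url
    hostname = urlparse(url).hostname
    return hostname.lower() if hostname else None


class ThirdPartyAuditor(HTMLParser):
    """Collect every external host a page references and how it is used.

    Categories: 'script' and 'iframe' run code on the page; 'asset' is a
    stylesheet or preloaded file (fonts, etc.); 'hint' is dns-prefetch or
    preconnect, which only tells the browser to get ready.
    """

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (category, host, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag in ("script", "iframe") and a.get("src"):
            self._record(tag, a["src"])
        elif tag == "link" and a.get("href"):
            rel = (a.get("rel") or "").lower().split()
            if "dns-prefetch" in rel or "preconnect" in rel:
                self._record("hint", a["href"])
            elif "stylesheet" in rel or "preload" in rel or "modulepreload" in rel:
                self._record("asset", a["href"])

    def _record(self, category, url):
        host = host_of(url)
        if host is None:
            return  # relative URL: served from our own site
        if host == self.site_host or host.endswith("." + self.site_host):
            return  # our own host (or a subdomain of it) is not a third party
        self.findings.append((category, host, url))


def audit(html_text, site_host):
    """Return {external_host: set(categories)} for the given page source."""
    parser = ThirdPartyAuditor(site_host)
    parser.feed(html_text)
    parser.close()
    by_host = defaultdict(set)
    for category, host, _url in parser.findings:
        by_host[host].add(category)
    return dict(by_host)


def code_loaders(report):
    """Hosts whose includes actually execute on the page, sorted by name."""
    return sorted(h for h, cats in report.items() if cats & {"script", "iframe"})


if __name__ == "__main__":
    report = audit(SAMPLE_HTML, "example.com")
    for host in sorted(report):
        print(f"{host:32} {', '.join(sorted(report[host]))}")
    print("\nRuns code on the page:", ", ".join(code_loaders(report)))
```

Run it against a saved copy of your own page source instead of `SAMPLE_HTML` (for example `audit(open("page.html").read(), "yourdomain.com")`) and compare the "runs code" list with the services you knowingly signed up for; anything unexpected there is what to investigate first, while font and hint hosts are the lower-priority tracking exposure the video describes.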