-
-
Notifications
You must be signed in to change notification settings - Fork 0
Reputation Hygiene
✅ Guidance, not software. Nothing to install. This is the cheap version of Site Hijacked — Recover, In Order.
The whole page in one line: "never get on" beats "get off".
Getting blocklisted takes a day. Getting un-blocklisted takes weeks of review queues, appeals, and waiting — while your visitors see a full-page red interstitial and your mail silently vanishes. The asymmetry is brutal and it is the entire reason this page exists.
Not all of these matter equally. People routinely over-invest in the small ones because they're visible, and under-invest in the two that reach almost everyone.
| Service | Reach | Why it matters |
|---|---|---|
| Google Safe Browsing | Chrome, Firefox, Safari, Android | The big one. A listing here is a full-page red warning in front of most of the web's users. |
| Microsoft SmartScreen | Edge and Windows itself | Easy to forget because it isn't just a browser — it's baked into the OS, so it catches downloads too. |
These two are the ones to care about. Both are free, both are checkable, and both are where a listing genuinely hurts.
- Norton Safe Web / Gen Digital (Norton, Avast, AVG — one company now). The installed base is genuinely large, but it only affects users who've installed their software. Worth submitting to; not worth losing sleep over.
- VirusTotal — aggregates ~70 engines. Best used as a diagnostic: it tells you which vendor flagged you, so you know whose form to fill in. It isn't itself a blocker.
Watch out for the sales funnel. Several "check your reputation" services exist mainly to sell you monitoring. Check with the free first-party tools above; treat everything else as a lead-gen page.
Takes two minutes, costs nothing, and most people have never done it:
- Google Safe Browsing status — paste your domain
- VirusTotal — paste your URL, see all engines
- Google Search Console → Security & Manual Actions
- Bing Webmaster Tools → Security
Enrol in Search Console and Bing Webmaster Tools now, before anything is wrong. That's the actual advice. They're free, they take ten minutes, and they're how you find out you've been hacked from them rather than from an angry customer three weeks later. You cannot receive the warning if you never signed up for it.
| Cause | Prevention |
|---|---|
| Hacked CMS (the #1 cause by a mile) | Updates on, unused plugins deleted, 2FA everywhere. Or go static — see below. |
| Nulled/pirated themes & plugins | Never. They are routinely backdoored; that's the entire business model. |
| User-generated content | Spam links in comments get you listed for linking to bad neighbourhoods. Moderate or disable. |
| Ad networks / third-party scripts | You inherit their reputation. Low-quality ad networks serve malware and it lands on your domain. |
| Shared hosting neighbours | If reputation is IP-based, someone else's mess can splash on you. |
| Abandoned subdomains |
old-blog.example.com still pointing at a dead service someone else can claim → subdomain takeover. Audit your DNS.
|
The structural answer: a static site can't be hijacked-and-redirected. No CMS, no plugins, no admin login, no database, nothing to inject. The most common route onto a blocklist simply isn't available to an attacker. → Make Your Page
Mail reputation is separate from web reputation, and it's less forgiving. A "spam" verdict usually isn't an error message — your mail just silently doesn't arrive.
The one rule that matters most: never send mail from a residential IP. Ever.
- Residential ranges are on permanent blocklists (Spamhaus PBL and friends) by design. It's not a mistake to appeal — it's policy.
- You don't own your PTR/rDNS record — your ISP does. You cannot set it.
- Virgin Media blocks outbound port 25 anyway, so the question is usually moot.
Send through a real provider (Fastmail, Migadu, a VPS relay). Then authenticate the domain properly:
| Record | Does |
|---|---|
| SPF | Says which servers may send as you |
| DKIM | Cryptographically signs your mail |
| DMARC | Ties them together, tells receivers what to do on failure, and reports back |
Start at p=none and read the DMARC reports before you tighten. Going straight to
p=reject is how people discover — by breaking it — that their newsletter tool was sending
as them all along. Ramp none → quarantine → reject once the reports are clean.
→ Full walkthrough: Your Domain + Mail DNS
- Fix it properly first — see Site Hijacked. Filing a review while still compromised resets the queue and damages your standing with the reviewer.
- Then request review in Search Console / Bing Webmaster Tools. Be specific: what happened, what you fixed, how you're preventing recurrence. Vague requests get rejected and cost you another cycle.
- Wait. Days to weeks. There is no fast lane. This is the part you cannot buy your way out of, and it's why everything above is worth doing in advance.
Honestly scoped:
- ✅ AdGuard Home blocks malware/phishing domains network-wide — protects your household from other people's compromised sites.
- ❌ It does nothing for your public website's reputation. That's on someone else's server.
- ✅ It makes the good path easy: static site, published off-box, on infrastructure with a reputation team of its own.
Put Cloudflare's free tier in front of anything you publish. WAF, DDoS protection, rate limiting, DNSSEC, TLS — protection with zero cost and zero attack surface on your box. Don't reimplement a layer you get for free.
Source of truth: wiki/ in the main repo — edits here are overwritten, please PR instead.
Docs licensed CC-BY-SA-4.0; code/config MPL-2.0.
👤 Users
- Getting Started
- Right-Size Your Box
- Tested Devices
- Troubleshooting
- Site Hijacked?
- Reputation Hygiene
🕸️ IndieWeb
🛠️ Maintainers
Status key ✅ Built · 🧪 Draft config 📐 Designed · 💭 Sketch