How One Innocent Line Of Javascript Code Can Put Your Entire Website At Risk


Over the past several years of running my online store course, I’ve noticed some very disturbing trends with a fair number of students in my class.


First off, I want to preface this post by saying that most of the students in my course do not have a programming background nor do they join my class with a solid grasp of how web technologies work.

As a result, whenever they need or want a certain feature for their shopping cart that hasn’t been covered in the class, they do what any normal person would do…

They do a search on Google, look for a plugin, widget or piece of code that will do what they want and then they blindly install it on their website.

And 90% of the time, the plugin seems to do what they want so they keep it installed without realizing the potential ramifications of their decision.

So today I want to talk about the dangers of installing 3rd party code, especially 3rd party javascript code on your site. Hopefully by the end of this post, you will be a lot more deliberate in choosing what you allow on your site.

What Is Javascript Code?


Javascript is a programming language that runs on the client computer (in the visitor's browser) once it is downloaded from a website. Depending on how it is written, javascript can also send private information about your website/computer back to a 3rd party server owned by the code author.

For example, Google Analytics is a piece of javascript code written by Google that transmits all sorts of data about your website directly to Google’s servers where they log and collate your data.

Have you ever looked at your Google Analytics report before? Every possible piece of information about your website and your visitors is sent to Google’s servers where they “promise” not to look at it. And they obtain all of this data about your website from one tiny piece of javascript code that you cut and paste onto your site.

So what does this mean? Any time that you blindly cut and paste a piece of 3rd party javascript code on your site, you could be sending all of your private website information to that company. Just think about that for a moment before I move on to the next section.

With such power obtained over a website from a small piece of code, you really have to trust the code you are using. Below are some of the problems my students have faced as a result of blindly using 3rd party code.

3rd Party Javascript Can Cause Your Site To Slow Down

One of my students was getting a decent amount of traffic to her website from Google but her traffic wasn’t resulting in many sales for her online store.

As a result, she decided to show some CPM ads on her site (generally not a good idea btw). After all, if her visitors weren’t buying products on her site, she wanted to make “some” money by showing ads in the meantime.

One day, she sent me an email asking me why no one was buying products from her store. And when I went to look at her site, I was horrified.

First off, her site took almost 20 seconds to load and when it finally did load, there were flashing animated ads all over the place. When I did a web page speed test, this is what I found.


One teeny tiny piece of javascript code from her ad network was slowing down her entire site. And she implemented the code in such a way that the ad code was blocking her content from showing up until after the ad code loaded.

It’s no wonder that no one was shopping in her shop! Besides the flashing ads, customers were likely getting frustrated with the extremely slow loading times caused by an innocent line of javascript.

3rd Party Javascript Can Take Down Your Site


Another student in my class was looking for a plugin to boost the number of likes on her Facebook fan page. As a result, she found this piece of code that made a customer “like” her Facebook fan page before exposing a coupon code that would incentivize a customer to buy.

It seemed innocent enough and the plugin worked like a champ for quite a while. But then one day, this student emailed me frantically telling me that her website was broken even though she had not made any changes to her site.

When I went to her online store to investigate, I found that her website header and logo were loading just fine but the rest of her shop was completely blank.

With a quick glance at her page source, I found that the magical piece of Facebook javascript code she copied was making calls to some random server that happened to be down.

And because this code was in the header of her store, it prevented the rest of her site from loading because it couldn’t get past the call to the bad server.

Be careful when putting any javascript code in the header of your site! If you absolutely have to use 3rd party javascript code in your header, make sure that the code loads asynchronously in the background so that it will not block the loading of your site.

3rd Party Javascript Can Change Your Website Without Your Permission

Did you know that installing someone else’s javascript code is essentially like giving the keys to your website to someone else? When you use someone else’s code, that person can essentially alter your website however they see fit.

Now the javascript developer would have to be a very bad person in order to maliciously alter your website, but it has happened in the past, even with well-known large companies.

For example, did you know that the popular website Houzz.com used their javascript widgets to install black hat SEO links back to their site?


Here’s how it went down. Houzz.com is actually a very popular website that showcases home decor. As a result, bloggers were using their javascript widgets to display beautiful and colorful decorating images on their blogs.

But one day Glen Allsopp of ViperChill found that Houzz.com was using their javascript widget code to secretly embed backlinks back to the Houzz.com website.

As a result, Houzz used their javascript widget to maliciously manipulate their search rankings in Google.

For more information about this, you can read Glen’s post in its entirety here.

But bottom line, any piece of javascript code can potentially allow a 3rd party to make changes to the way your site is displayed without you knowing about it.

What To Look Out For

Hopefully, I’ve convinced you that you need to be extremely careful when using 3rd party javascript code on your site. Now that’s not to say that you should NEVER use other people’s code because that would be silly.

But make sure that you fully trust the author of the code you are using.

In the event that you absolutely need to use someone else’s javascript code, here are some guidelines to follow:

  • Always install the javascript code in the footer of your site – This way if the code calls a 3rd party server and the server is down, it will not bring your entire site down with it
  • Only use asynchronous javascript code if possible – Asynchronous javascript code loads in the background and will not affect the overall loading of your site
  • Try not to use code that makes calls to a 3rd party server – Sometimes this cannot be helped but try to limit this if possible
  • Host the javascript on your own server – In a lot of cases, 3rd party javascript code resides on another person’s server. But instead of making calls to someone else’s server, download the javascript and host it on your own server.
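
To check a page against these guidelines, the script below scans its HTML for external script tags and reports which ones sit in the header without async or defer and which ones are served from someone else's server. It is an added example, not code from the original post; the function name `auditScripts`, the sample page and the hostnames are assumptions made up for illustration.

```javascript
// Constructed sample page (not from the post). Hostnames are placeholders.
const SAMPLE_HTML = `<html><head>
<script src="https://widgets.example.net/like-gate.js"></script>
<script async src="https://stats.example.org/tracker.js"></script>
</head><body><h1>My Store</h1>
<script src="/js/cart.js"></script>
</body></html>`;

// Check every external <script> tag against the guidelines above.
// A regex scan is enough for a quick audit; it is not a full HTML parser.
function auditScripts(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const headEnd = html.search(/<\/head\s*>/i); // -1 when the page has no </head>
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = srcRe.exec(attrs);
    if (!srcMatch) continue; // inline script: nothing is fetched
    const src = srcMatch[1] ?? srcMatch[2] ?? srcMatch[3];
    const url = new URL(src, site); // resolves relative paths against your site
    // Drop attribute values so "async" inside a URL is not read as the attribute.
    const names = attrs.replace(/=\s*("[^"]*"|'[^']*'|[^\s>]+)/g, " ");
    const nonBlocking = /\b(async|defer)\b/i.test(names) ||
      /\btype\s*=\s*["']?module\b/i.test(attrs); // module scripts are deferred
    const inHead = headEnd !== -1 && m.index < headEnd;
    const thirdParty = url.host !== site.host;
    const blocking = inHead && !nonBlocking;
    const issues = [];
    if (blocking) {
      issues.push(thirdParty
        ? `page stalls if ${url.host} is slow or down`
        : "blocks rendering until it has loaded");
    }
    if (thirdParty) issues.push(`${url.host} can change what runs on your page`);
    findings.push({ src, inHead, thirdParty, blocking, issues });
  }
  return findings;
}

for (const f of auditScripts(SAMPLE_HTML, "https://shop.example.com")) {
  console.log(f.src, "=>", f.issues.length ? f.issues.join("; ") : "ok");
}
```

On the sample page, only the first tag is flagged as blocking; the async tag still shows up as 3rd party, because loading in the background fixes the slowdown but not the question of whether you trust the author.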

Anyone who has worked with me in the past knows that I’m super anal about introducing any additional points of failure with my site. As a result, I keep all 3rd party code to an absolute minimum.

Now you don’t have to be as anal as I am but you should at least understand the ramifications of your actions. Just make sure that you know what you are getting into when using someone else’s code and make sure you trust them.


6 thoughts on “How One Innocent Line Of Javascript Code Can Put Your Entire Website At Risk”

  1. Yikes…that’s scary stuff! I really appreciate the heads up and the tips. Besides all of this, there’s an underlying theme I hope readers recognize: You take amazing care of your students!

    I have been on the fence about signing up for your course, Steve. Not because I doubt the value of the content/experience, but rather because I am reluctant to spend money. After all, I run a personal finance blog!

    But with that said, I am running tests on how to generate location-independent income and I’m now ready to open an online store. I am committed to becoming someone’s student and it will be with you!

    Can’t wait to see what happens :)
    Ree

    1. Hi Ree,

      Thank you so much for the kind words. I can tell by your personality that I would love to have you in the class someday:)

  2. Hey Steve,

    I’ve seen the suggestion to run javascript asynchronously before, but I don’t know how to actually make that happen. Can you give some guidance, or direct me to a tutorial that’s written in layman’s terms?

    Also, most code that I add instructs to place it in the header. If I changed them to the footer would there be repercussions?

    Thanks,
    Carole

    1. Hey Carole,

      The javascript plugin needs to be written in a certain way in order for asynchronous loading to work. If the plugin is not asynchronous, it can block the loading of your site if placed in the header and something goes wrong.

      A long time ago before the Twitter widget was async, whenever Twitter went down, so did all of my blog posts. That is how I learned my lesson.

  3. stephanie says:

    Very good and practical points!

  4. I love this one Steve, this is very helpful! Usually, before I install a plug-in, I read the description to see if it’s compatible with my theme. I had learned from my old client; there was an instance where I installed one plug-in and then the website got an error. I was scared, I thought her website couldn’t be fixed anymore!
