Sometimes I scratch my head where exactly Google is going with its search console. While I do believe it's an amazing service to detect malware on sites and prevent those sites from being listed in search results, I'm not so sure I want Google actually scanning sites looking for issues.
Case in point was a premature alert that went out to me and, I'm guessing, tens of thousands of sites that stated they were running a version of WordPress that was not secure. The problem? It was a false positive and the vast majority of the sites were actually running the latest version of WordPress. While I'm not privy to the methodology Google was using to validate the sites, it does appear that caching may have been an issue. Since cached pages are common throughout the Internet and with WordPress sites, it caused quite a stir.
The problem, of course, was that many of the recipients of those emails were clients who pay for advanced hosting and security, and also have an agency, like ours, working to ensure our clients are safe. When they receive an email like that, it tends to cause quite a disruption. Thankfully, Google immediately responded in their webmaster forums that they, indeed, had caused the issue.
Hello all — on behalf of the teams driving this effort, please accept our apologies for the confusion we've generated. We do know of cases where we've sent messages to owners of WordPress instances that have been upgraded to a more recent version since our last crawl — we did suspect that there would be a number of these cases before we kicked off the messaging effort. Juan Felipe Rincón, Google
The mea culpa was appreciated, but still, it seems a bit bizarre that Google would just launch something like this on their own. A few threads later in the conversation, the WordPress security product manager connected with the Google team and said they'd love to work together on this. I'm not sure why that didn't happen first of all, but thank goodness it's heading in that direction.
While I have no doubt Google has the resources to accomplish such work, I'm really not sure I appreciate where the company continues to tread. I love the fact that Google provides tools like Search Console, Analytics, Tag Manager, and others to help us improve how users are interacting with our sites. But when they actually step over the line – as in this case and with AMP, SSL, Mobile, and other initiatives, it seems like they're stepping on our toes more and more.
Making recommendations is fine, and providing the tools to provide those recommendations is even better. But when Google begins warning or even penalizing sites that don't behave the way Google wishes them to seems a bit overreaching for me.