Lock Down Google Blogger With These Hidden Security Settings

Enabling HTTPS on Custom Domains (Yes, It’s Actually There)

This is so dumb it circles back to brilliant: if you’re using a custom domain on Google Blogger (like mycoolblog.com instead of mycoolblog.blogspot.com), HTTPS support used to be buried like a cursed artifact. For years, the toggle for enabling it just wasn’t there for custom domains, then suddenly — poof — one day it started appearing. But it still doesn’t work instantly. It takes hours. And there’s no queue notification or anything, so you sit there wondering if it failed eternally or is just being temperamental.

When I set up a new blog last month using a Google Domains name (RIP, now Squarespace), the HTTPS setting in Blogger was grayed out for a solid four hours. No error, no tooltip, just sadness. Eventually it lit up, and the cert was auto-provisioned. If you’re using Cloudflare DNS, that wait time gets longer, by the way. Double-chained proxies are not Blogger’s friend.

Here’s what to do if it stalls:

  • Make sure your A/AAAA records point to the correct IPs (check Blogger’s docs).
  • Use CNAME(s) exactly as prescribed, no mixups with www vs root domain.
  • Temporarily disable Cloudflare proxy (the orange cloud) if it’s interfering.
  • Force refresh settings by toggling HTTPS Off → Save → On again.
  • Wait. Like actually go get lunch wait.
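An added example (not from the post) that runs the checks in the list above against a zone's records before you start waiting: a CNAME at the root, www pointed the wrong way, and apex A records that belong to a proxy rather than to Blogger. The expected IPs and CNAME target are placeholders; fill them from Blogger's docs. The sample zone is constructed.

```python
# Added example: lint the DNS records for a Blogger custom domain.
# EXPECTED_A / EXPECTED_WWW_CNAME are placeholders; take the real values from Blogger's docs.
from typing import Dict, List, Tuple

Record = Tuple[str, str]  # (record type, value), e.g. ("A", "192.0.2.1")

EXPECTED_A = {"203.0.113.10", "203.0.113.11"}   # placeholder for Blogger's A-record IPs
EXPECTED_WWW_CNAME = "blogger-target.example."  # placeholder for Blogger's CNAME target


def lint_blogger_dns(zone: Dict[str, List[Record]], apex: str) -> List[str]:
    """Return findings for the apex and www names; an empty list means the zone looks right.

    `zone` maps a fully qualified name (trailing dot) to its records."""
    findings = []
    www = "www." + apex
    apex_recs = zone.get(apex, [])
    www_recs = zone.get(www, [])

    # A CNAME at the apex is invalid DNS and the classic www-vs-root mixup.
    if any(t == "CNAME" for t, _ in apex_recs):
        findings.append(f"{apex}: CNAME at the apex (invalid; use A records here)")

    # The apex must resolve to Blogger's IPs; anything else is usually a proxy (orange cloud).
    a_values = {v for t, v in apex_recs if t == "A"}
    if not a_values:
        findings.append(f"{apex}: no A records")
    for ip in sorted(a_values - EXPECTED_A):
        findings.append(f"{apex}: A {ip} is not a Blogger IP (proxy still on?)")

    # www should be exactly one CNAME to the prescribed target and nothing else.
    cnames = [v for t, v in www_recs if t == "CNAME"]
    if cnames != [EXPECTED_WWW_CNAME]:
        findings.append(f"{www}: expected CNAME {EXPECTED_WWW_CNAME}, got {cnames}")
    if any(t in ("A", "AAAA") for t, _ in www_recs):
        findings.append(f"{www}: A/AAAA records coexist with a CNAME (remove them)")
    return findings


# Constructed zone: apex still proxied, www pointed at the root instead of Blogger.
SAMPLE_ZONE = {
    "mycoolblog.com.": [("A", "203.0.113.10"), ("A", "198.51.100.7")],
    "www.mycoolblog.com.": [("A", "198.51.100.7"), ("CNAME", "mycoolblog.com.")],
}

if __name__ == "__main__":
    for finding in lint_blogger_dns(SAMPLE_ZONE, "mycoolblog.com."):
        print(finding)
```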

Removing the “Edit” Pencil Icons from Public View

The little pencil that betrays your logged-in status isn’t a major security risk, but it’s dumb-looking, and when testing themes I find myself repeatedly inspecting the DOM trying to remember which div to kill. Blogger insists on injecting that menu edit icon unless you’re in incognito or not signed in. If you’re logged into Blogger and viewing your own site, you’ll always see it — and worse, you can’t truly preview your blog as a real visitor without extra steps.

Quick fix: add this to your theme CSS:

.item-control.blog-admin { display: none !important; }

This snuffs the icon on all views, regardless of login. Obviously, your own dashboard is still safe and editable — but at least you won’t send screenshots to clients with a tiny pencil wondering what the hell it’s for.

Fun glitch:

Sometimes when editing widgets inline, Blogger re-adds the HTML for the pencil icon back into the layout, so even if the CSS kills the default state, the hard-coded fragment sneaks back in. I found that hiding both .item-control and .quickedit at the same time keeps it from resurfacing.

Blocking Bot Access with robots.txt and the Terrible UI

Google lets you edit your robots.txt file in Blogger. They even gave it a GUI under the search preferences tab. Problem is, it’s not clear what to whitelist if your theme uses weird directories (like scripts hosted on your own domain’s subfolders). I accidentally blocked access to my custom /assets/ path once and my nav menu stopped appearing on Firefox, because that user agent obeyed the block — and apparently no other one did.

There’s a seemingly undocumented quirk where adding Disallow: /search can scramble breadcrumb-rich post listings on some templates. So instead of just hiding tag-bloated pages from Google, it can also semi-break the category filtering render logic. Yeah. Deliciously inconsistent.

Here’s the safe boilerplate I now use:

User-agent: *
Disallow: /search
Allow: /
Sitemap: https://yourdomain.com/sitemap.xml

Heads up — Blogger doesn’t automatically generate sitemaps for custom domain blogs unless you manually force ping it during backend sitemap re-generation. I’ve seen inconsistent index rates between sitemap submission and live fetch status.
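An added example (not from the post) that evaluates the boilerplate above the way Google's crawler does: the longest matching path wins and Allow beats Disallow on a tie, so Disallow: /search blocks /search/label/... no matter which order the lines are in, while Allow: / keeps everything else open. It also reports which theme asset paths a rule set would block, which is the /assets/ mishap described above. The asset paths are constructed.

```python
# Added example: evaluate a robots.txt rule set with Google's longest-match semantics.
import re
from typing import List, Optional, Tuple

ROBOTS_TXT = """\
User-agent: *
Disallow: /search
Allow: /
Sitemap: https://yourdomain.com/sitemap.xml
"""

Rule = Tuple[bool, str]  # (allow?, path pattern)


def parse_rules(text: str, agent: str = "*") -> List[Rule]:
    """Collect Allow/Disallow rules from the group(s) addressed to `agent`."""
    rules, in_group = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            in_group = value == agent
        elif in_group and key in ("allow", "disallow") and value:
            rules.append((key == "allow", value))
    return rules


def _matches(pattern: str, path: str) -> bool:
    # '*' is a wildcard and a trailing '$' anchors the end; everything else is literal.
    anchored = pattern.endswith("$")
    regex = ".*".join(re.escape(p) for p in pattern.rstrip("$").split("*"))
    return re.match(regex + ("$" if anchored else ""), path) is not None


def is_allowed(rules: List[Rule], path: str) -> bool:
    """Most specific (longest) matching rule wins; Allow wins a tie; no match means allowed."""
    best: Optional[Rule] = max((r for r in rules if _matches(r[1], path)),
                               key=lambda r: (len(r[1]), r[0]), default=None)
    return True if best is None else best[0]


def blocked_paths(text: str, paths: List[str]) -> List[str]:
    rules = parse_rules(text)
    return [p for p in paths if not is_allowed(rules, p)]


if __name__ == "__main__":
    sample_paths = ["/search/label/js", "/2024/01/post.html", "/assets/nav.js"]  # constructed
    print(blocked_paths(ROBOTS_TXT, sample_paths))                       # ['/search/label/js']
    print(blocked_paths(ROBOTS_TXT + "Disallow: /assets/\n", sample_paths))  # nav script blocked too
```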

Removing Google Account Recovery From Blog Contributor Invites

This one got me once. Invited a friend to help tweak a Blogger theme. Instead of contributing, she immediately got locked out of her 2FA-less Google Account trying to accept the blog invite. Lovely. Blogger sometimes treats pending contributor invitations as account ownership hooks, which triggers suspicious activity flags if the target email has long-standing inactivity. So yes, inviting someone to your blog can cause their Gmail account to get flagged.

There’s no warning. It’s not even a Blogspot thing — it’s a side effect of Google’s increasingly aggressive activity tracking APIs talking to each other. No fix inside Blogger itself. You’ll need to revoke her invite, have the person log into Gmail again from a recognized device/IP, and then re-send after 24 hours. Or just export your template and get them to tinker offline.

Banning Comment Spam Without Breaking RSS

Blogger’s comment moderation is kind of ancient. You can enable comment moderation and captcha, but sometimes that combo breaks RSS feeds by accidentally serving spam-filtered comments in post footers. I once had my entire feed show empty posts with just a garbage spam link around midnight. Turns out, comments await moderation, but still appear in RSS previews if the user is using a third-party reader that doesn’t respect the feed cache-update interval.

“Something is in the feed before it’s in the blog.”—me, to myself, at 2:41 a.m.

To avoid this:

  • Turn off anonymous commenting.
  • Set Comment Location to “Embedded”.
  • Enable “Always” moderation.
  • Avoid 3rd-party embedded comment platforms (Disqus re-injects all sorts of JS).
  • Clear the Blogger cache by republishing the blog (changing and saving anything in Settings triggers it).

Bonus bug: editing a post too quickly after deleting a spam comment causes Blogger to lose your draft revision. I lost actual paragraphs this way. The only workaround I’ve found is to wait 30-60 seconds between comment moderation actions and post editing. Ridiculous but effective.

Deleting Unused Blogspot Addresses to Avoid Spoof Risk

Let’s say you used to blog at catsandjavascript.blogspot.com and moved to a custom domain. You delete the Blogspot address from Settings, forgetting that this releases it. Bad idea. Nothing prevents someone from reclaiming the old address, slapping a clone of your old theme there, and redirecting posts to scam sites or worse.

Blogger doesn’t retain ownership protectively once you delete the address from a blog — even if your account created it. This is barely mentioned anywhere official. If you don’t plan to use the Blogspot address ever again, create a disposable blog and re-assign it there just to park it.

Steps to park the old Blogspot name:

  • Create a dummy blog.
  • In Settings → Publishing → Blog Address, enter your old blogspot name.
  • Save.

Boom. Now you control the alias again, even if unused.

The Theme Editor Deletes Whitespace On Save

This one isn’t security-related, but it will screw up your life when you least expect it. Blogger’s theme editor rewrites your XML layout with its own formatting engine after any Save. You can’t opt out. It often deletes line breaks and white space, collapsing multi-line JS snippets into unreadable blobs. Worse, it sometimes reorders elements in non-obvious ways if your theme has nested include tags.

My hacked-together GDPR banner (yeah, hand-rolled, don’t ask) broke entirely because the layout engine removed a spacing-dependent block from inside a CDATA section. No warning. The preview looked fine, but the live site didn’t show the banner. Dug into HTML View, and the inner code had been stripped down to a single unreadable line with broken attribute quoting.

If you’re doing any sensitive layout scripting — especially cookie banners, auth popups, or form injections — do it with external script sources. Do not rely on inline code persisting consistently between saves.
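Moving scripts out of the theme makes the host that serves them part of your blog's trust boundary, so the tag should carry a Subresource Integrity hash: the browser then refuses the file if it ever differs from what you hashed. An added example (not from the post) that builds such a tag; it assumes the script host sends CORS headers (required for crossorigin), and the banner script is a constructed stand-in.

```python
# Added example: emit a <script> tag with a Subresource Integrity hash for a self-hosted script.
# Regenerate the hash every time the script changes, or the browser will refuse to run it.
import base64
import hashlib


def sri_hash(data: bytes) -> str:
    """Return the integrity attribute value (sha384, base64) for the given script bytes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode("ascii")


def script_tag(src: str, data: bytes) -> str:
    """Build a well-formed (XML-safe) script tag for the Blogger theme editor."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Constructed stand-in for a hand-rolled cookie banner script hosted elsewhere.
    banner_js = b'document.addEventListener("DOMContentLoaded", showBanner);\n'
    print(script_tag("https://static.example.com/banner.js", banner_js))
```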

Rolling Back a Hacked Blog When You Can’t Log In

This deserves a section for how frustratingly opaque it is. If someone gets into your Google account and boots your access — not just Blogger but the Gmail attached — recovery flows slam into a wall. Blogger doesn’t have a separate user database; it piggybacks entirely off Google Accounts. So restoring blog access = restoring Gmail. And if your recovery info is out of date? You’re toast.

I once helped someone who had their blog hijacked via a SIM-swap attack. Gmail was locked; Blogger was still publishing crypto nonsense posts. Google Support required both the original recovery email (which wasn’t updated) and at least three old blog post URLs that hadn’t been archived anywhere. Archive.org came in clutch. But barely.

Safety net tips:

  • Export your blog layout and posts regularly (Settings → Backup → Download XML).
  • Disable SMS-only 2FA; use an authenticator app.
  • Add a second Google Account as an admin on each blog.
  • Enable login alerts—even if it floods your inbox.
  • Set blog post drafts to private with a schedule delay (buys you time if hacked).
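The recovery story above hinged on producing old post URLs, and the XML backup from the first tip already contains them. An added example (not from the post) that pulls a title/URL/date inventory of published posts out of a Blogger export so it can be kept offline next to the backup. It relies on the export being an Atom feed whose entries are tagged with Blogger's kind categories, which matches exports I have seen but should be verified against your own; the sample export is constructed.

```python
# Added example: inventory the published posts in a Blogger XML export.
import json
import xml.etree.ElementTree as ET
from typing import Dict, List

ATOM = "{http://www.w3.org/2005/Atom}"
POST_KIND = "http://schemas.google.com/blogger/2008/kind#post"  # assumed kind term for posts

# Constructed export: two posts, one comment and a settings entry.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'>
  <entry><id>tag:blogger.com,1999:blog-1.settings.BLOG_NAME</id>
    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/blogger/2008/kind#settings'/>
    <title type='text'>BLOG_NAME</title></entry>
  <entry><id>tag:blogger.com,1999:blog-1.post-11</id><published>2024-01-05T10:00:00.000-08:00</published>
    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/blogger/2008/kind#post'/>
    <category scheme='http://www.blogger.com/atom/ns#' term='javascript'/>
    <title type='text'>Hello world</title>
    <link rel='alternate' type='text/html' href='https://mycoolblog.com/2024/01/hello-world.html'/></entry>
  <entry><id>tag:blogger.com,1999:blog-1.post-11.comment-3</id><published>2024-01-06T08:00:00.000-08:00</published>
    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/blogger/2008/kind#comment'/>
    <title type='text'>nice post, visit my site</title></entry>
  <entry><id>tag:blogger.com,1999:blog-1.post-12</id><published>2024-02-10T09:30:00.000-08:00</published>
    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/blogger/2008/kind#post'/>
    <title type='text'>Second post</title>
    <link rel='alternate' type='text/html' href='https://mycoolblog.com/2024/02/second-post.html'/></entry>
</feed>
"""


def inventory_posts(export_xml: str) -> List[Dict[str, str]]:
    """Return title, public URL and publish date for every published post in the export."""
    posts = []
    for entry in ET.fromstring(export_xml).iter(ATOM + "entry"):
        kinds = {c.get("term") for c in entry.findall(ATOM + "category")}
        if POST_KIND not in kinds:
            continue  # comments, settings and template entries are not posts
        url = next((l.get("href") for l in entry.findall(ATOM + "link")
                    if l.get("rel") == "alternate"), None)
        if url is None:
            continue  # drafts carry no public URL
        posts.append({"title": entry.findtext(ATOM + "title", default=""),
                      "url": url,
                      "published": entry.findtext(ATOM + "published", default="")})
    return posts


if __name__ == "__main__":
    print(json.dumps(inventory_posts(SAMPLE_EXPORT), indent=2))
```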
