What is Website Malware?
Website malware protection helps keep your site safe from malicious software, which comes in a variety of forms: viruses, trojans, worms, ransomware, spyware, adware and, most recently, cryptocurrency miners. Delivered through infection or injection, malware usually spreads by taking advantage of a vulnerability in your website or server software.
It’s estimated that over 130,000 sites are hacked every day – that’s right, daily! You can see the live counter at Internet Live Stats. And all the millions of visitors to these 130K+ sites are being exposed to unsafe content.
As a site administrator or owner, it is important you take the steps necessary to keep your site safe — your brand and your site visitors are counting on it!
How To Protect Your Website
Website Malware Protection Top 10
- Limit and Audit Access to Website and Hosting
Do you know who has access to your site and your hosting provider? When’s the last time you checked? Developers, content editors, site admins and employees come and go. Their access should be removed accordingly. Review and audit who has access. Your site and host access is akin to the keys to your office or store. The more people who have it, the more likely it will fall into the wrong hands. You should monitor access no differently than you do with the keys to your business.
- Change Website and Hosting Credentials Regularly
Once you audit who has access, make sure everyone changes their credentials on a regular basis. Encourage people to use strong passwords, and not the same one they use elsewhere. The more unique, the better. If you have integrations that tie into your hosting using methods like FTP/SFTP, make sure these credentials are also changed regularly.
- Use Two-Factor Authentication (2FA) aka 2-Step Verification
Chances are you already use this for some personal access such as financial apps. It is where you’re required to enter a secondary code, usually a number, sent to you via text, email or through an app like Google or Microsoft Authenticator. This extra layer of protection can help prevent access even if a username and password are compromised.
- Update Website Software
By far the most common cause of malware is out-of-date software. You can avoid this by keeping your Content Management System (CMS), eCommerce engine or forum software up to date. All the popular platforms such as WordPress, Joomla, Drupal, Magento, WooCommerce, phpBB, vBulletin and XenForo are very good at fixing bugs and patching security issues. It’s your job to implement those updates. Make sure to get on their mailing lists to be alerted to updates as soon as they happen.
- Use Quality Software Add-Ons
Unfortunately, even if you’re diligent with keeping your site up to date, there are still ways you can be compromised. If the developer of a theme, plugin or extension doesn’t provide updates, then you are effectively exposed. Make sure the developer is reputable and has a way to provide support, and check the change log file to see how often the developer updates the add-on. That can be a good indication of whether they will help protect your site if you use their add-on.
- Update Website Add-ons
You must also be vigilant in updating all the add-ons like themes, extensions and plugins. Ignoring those can leave you vulnerable to cross-site scripting, SQL injection and other attacks.
- Update Hosting Software
Another often overlooked area is your hosting software – particularly PHP. Oh, thought your host takes care of that for you? Nope! Your host may provide the latest versions for you to use, but you need to do the work of updating. And it isn’t always as simple as flipping a switch. Your site may not be able to run on the latest versions of PHP depending on what you are using. Check for the latest information on PHP versions and update as appropriate. Note, you may need to change add-ons if the developers are using deprecated code.
- Run Malware Scans
You should proactively check for malware on a daily basis, just like you do on your personal computers. You want to be alerted to malware and clean it ASAP if and when it happens. There are some free external scanners, but be warned that scanning externally is very limited (learn more about malware scanners). You should look into getting something that resides on your server. One option is our Fortify system which scans multiple times a day and provides removal in the event of infection.
- Add A Web Application Firewall (WAF)
It is important that you have a web application firewall (WAF) in place. In essence, a WAF monitors the traffic coming to your server and then blocks anything that appears suspicious or malicious. It is a proactive way to keep your site from getting infected, instead of being reactive with a scan and clean. Even if you have a firewall on your server, a WAF provides a necessary additional layer of protection as it looks for traffic that is targeting vulnerabilities in your software. Our Fortify Plus provides WAF protection using real-time information collected from over 80 million endpoints.
- Back Up Every Day
No matter what you do, you can never be 100% certain you won’t get infected with malware. So plan for the worst-case scenario and back up daily. And this is important: back up to a location that is not on the same server as your site! If you back up to where your site is, chances are your backup will be infected when your site gets infected.
It can take a bit of time and energy to set up initially, but the 10 steps above are manageable and will go a long way toward providing website malware protection. Some of the above can even be automated. For those that can’t, just set up a calendar reminder. A little effort will go a long way to protect your site from website malware.
Suspect or know you’re infected?
The above is great website malware protection, but what if you think you’re already compromised? Read my next post, Website Malware Scan: Check If Your Site Is Hacked, where I cover what types of scanners are available to you and how you can use them to check if you’ve been hacked.
If you already know you’re infected and are looking for a way to get the malware removed, I’ll be releasing a new post in the next couple of days that covers just that. So stay tuned!