Preventing malware infection

The price of freedom from malware is eternal vigilance. This article contains tips and pointers for preventing malware infection. However, it is by no means exhaustive, and Google encourages website owners to conduct more thorough research as well.

Monitoring your site health

Many of the features of Search Console can help you identify potential problems. For example:

  • Try a search on Google with the site: search operator to see what pages Google has found on your site. It's always a good idea to do this periodically to see whether anyone has snuck unexpected pages or content on your site. If you see unknown pages on your site, or topics that you didn't write, you may have been hacked. If you're not already familiar with the site: search operator, it's a way for you to restrict your search to a specific site. For example, the search site:developers.google.com will return results only from the Google Developers site.
  • The Security Issues report shows any hacked pages that Google has identified on your site, and instructions on how to fix the problem.
  • If Google detects malware on your site, we'll notify you on the Search Console home page, and send a message to your Message Center. To ensure that you're notified quickly, you can have your Message Center messages forwarded to your email account.

Security checklist

In addition to monitoring your site regularly, we also recommend the following:

All website owners

  • Choose good passwords. The Google account guidelines are helpful.
  • Pick third-party content providers very carefully. Make sure that third-party apps and ads on your site are from trusted and legitimate sources. A trusted and legitimate source provides support and contact information on their website.
  • Contact your hosting company or publishing platform for support. Most companies have helpful and responsive support groups and/or security pages. If a security page or site has an RSS feed, subscribe to it to make sure you stay up to date.
  • Keep all of your computers safe. Especially when working on a website, make sure that your local workstation has up-to-date software, is clean from viruses, trojans, or similar malware and has recently updated anti-virus software installed.

Website owners with server access

  • Check your server configuration. Apache has some security configuration tips on their site and Microsoft has some tech center resources for IIS on theirs. Some of these tips include information on directory permissions, server-side includes, authentication and encryption.
  • Make a backup copy of your .htaccess file (or other access control mechanisms depending on your website platform). Use your backup file to recover if the following fails. Be sure to delete the backup file once you are finished.
  • Stay up-to-date with the latest software updates and patches. There are lots of tools that make building a website easy, but each one adds some risk of being exploited. A common pitfall for many website owners is to install a forum or blog on their website and then forget about it. Much like taking your car in for a tune-up, it's important to make sure you have all the latest updates for any software program you have installed. Make a list of all the software and plug-ins used for your website, and keep track of the version numbers and updates. Even if you're diligent and keep all your website components updated, you may still be vulnerable if your web hoster has not installed the most recent operating system patches. This problem affects not only small sites; there have been warnings on the websites of banks, sports teams, and corporate and government websites.
  • Keep an eye on your log files. Making this a habit has many great benefits, one of which is added security. For example, unfamiliar URL parameters (like =http: or =//) or spikes in traffic to redirect URLs on your site may indicate that a hacker is exploiting open redirects. Also, bear in mind that hackers often try to alter log files. Take measures to protect these files from attack. For example, you can move these files from their default location, making it harder for hackers to find them.
  • Check your site for common vulnerabilities. Avoid having directories with open permissions. This is like leaving the front door to your home wide open.

    Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities.

  • Use secure protocols. Google recommends using SSH and SFTP for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer.
  • Keep up to date on the latest security news. The Google Security Blog provides useful information about online security and safety, as well as pointers to other resources. The government site US-CERT (United States Computer Emergency Readiness Team) provides technical security alerts and tips.