10 Steps to Preventing Malware from Infecting Your Website
If you’re a small business owner, malware infections may be the furthest thing from your mind. You’ve got products to make, customers to court and paperwork to complete – not to mention the technological demands you’re under already having to get your company’s website up-and-running.
But while all of that may be true, you can’t let your busy schedule get in the way of taking the necessary steps to secure your website and your customers’ data. Panda Labs reports that in the third-quarter of 2016 alone, 18 million new malware samples were captured. If even one of these manages to break through your website’s security features and infiltrate your visitors’ computers, you could find yourself facing website outages, lost trust and falling sales.
Fortunately, there are plenty of steps you can take to protect your site from malware infections. You don’t need to be a tech wizard to complete most of them, but you do need to be proactive about your site’s security.
Step #1 – Keep your site up-to-date
One of the most important steps you can take to prevent malware infections from affecting your site isn’t installing expensive firewalls or monitoring tools (though these things can be useful). It isn’t hiring a developer to pour through your site’s code – line-by-line – looking for weaknesses that could be exploited.
It’s simply keeping your site up-to-date whenever new versions or patches are rolled out.
If you’ve built your site on WordPress, for example, you’ll see a notification in your site’s dashboard whenever new updates are available (some sites may update automatically, depending on the features you’ve enabled):
Take these notices (or the notices supplied by your website builder) seriously. Not only can they contain new feature releases that’ll make the management of your website easier, they often repair loopholes and other weaknesses hackers have detected that could leave your site open to exploitation if they aren’t updated.
Step #2 – Use complex passwords
This tip applies not just to the login of your website’s back-end but to every service you use online. Weak passwords make it easy to break into your accounts, giving hackers virtually unlimited access to your site and its data.
A good, strong password is at least 8-12 characters long and contains a mix of lower-case letters, uppercase letters, numbers and special symbols (if your program allows these). If you aren’t able to generate and remember passwords like these on your own, a tool like LastPass can help.
Step #3 – Hide your login pages
One of the most common types of malware hacks is the brute-force attack. Like it sounds, this involves a hacker (or, more likely, an automated bot program run by hackers) guessing your username and password over and over again in the hopes that they’ll hit on the right combination and force their way in by brute force.
If your site runs on WordPress, one simple way to guard against this type of hack is to change the location of your back-end login form. This can be done with a plugin like WPS Hide Login, be ware that workarounds do exist that could allow truly dedicated hackers to uncover your login page’s new location. More secure options, per the WordPress codex involve modifying your site’s .htaccess file to:
- Password-protect your wp-login.php file
- Limit access to wp-admin by IP address
Full instructions for this process can be found here.
Step #4 – Lock down your file folder permissions
If you’ve ever accessed your site via FTP, you may have seen a string of three digits located near every file folder comprising your website. These numbers represent the permissions that have been granted to each folder, dictating who can access each folder and what each kind of user can do with this access.
- Individual numbers in this scheme range from 0 to 7 and determine the type of access being granted, with 0 representing no access and 7 representing full access to read, write and execute commands.
- The three positions in the number represent the permissions being granted you (the site’s owner), the group of users who have been given access to your site, and the world at large.
Under this scheme, the number 000 would give nobody access to the files, while the number 777 would give everybody in the world the ability to read, write and execute.
Review your folder settings carefully and try to determine whether or not every group you’ve granted access to your files and folders truly needs the level they’ve received. If you’re running WordPress, you may consider moving from the program’s default permission settings to the secured settings presented in the WordPress Codex:
Step #5 – Change your default database prefix
Web apps and programs that run from SQL databases on your server or hosting account are typically installed using default database prefixes. WordPress, for example, commonly uses the prefix “wp_” which makes sites running the CMS platform easily detectable by bots that may know how to exploit these sites with SQL injection hacks.
Updating your database prefix to something more complex (using the instructions found here) won’t guarantee your site’s protection, as motivated hackers could still access an open SQL connection on your site by querying the second half of your table names (such as postmeta and usermeta).
It will, however, deter those who perform only an initial bot query, making it one piece in your larger website security puzzle.
Step #6 – Install security plugins
One of the easiest ways to secure your website is to simply install a plugin or security tool that handles these kinds of concerns, among others.
Start with iPage’s SiteLock plan, and if you need more specialized protection beyond this, do your research, read reviews, and look for a solution that offers as many of the fixes recommended here as possible.
Step #7 – Use a web application firewall
Your chosen security suite may offer this feature; if not, you’ll want to consider purchasing a separate web application firewall (WAF). Like the firewall that protects your home computer from internet threats, a WAF sits between your server and its data connections, reading the data that’s passed to it and automatically filtering out anything that’s perceived as threatening.
WAFs can be added, plug-and-play style, on top of your website hosting account, and are generally quite affordable compared to the potential costs of having your site infected with malware.
Step #8 – Use HTTPS
According to Entrust, HTTPS is “an application-specific implementation that is a combination of the Hypertext Transfer Protocol (HTTP) with the SSL/TLS. HTTPS is used to provide encrypted communication with and secure identification of a Web server.” It’s especially important if you sell items on your website or collect financial data, but even beyond these cases, Google calls it “the future of the web,” making updating now a wise choice.
To move to an HTTPS connection, you’ll generally need to purchase a dedicated IP address and SSL certificate for your website (if you don’t have these already). Once added to your hosting account, you’ll be able to use the HTTPS implementation, which will protect both your website’s integrity and your users’ data.
Step #9 – Perform regular backups
Having an up-to-date website backup on hand makes the process of recovering from any hacking attempt (or even any errors made on your end) much easier to stomach. Rather than having to comb through every line of your code, having a regular backup gives you a “safe” version that can be reinstalled in the event of a hack.
To keep your website safe, iPage recommends our Website Backup & Restore plan, which takes daily backups automatically and gives you the option of restoring your site in its entirety or reverting back to an earlier version of an individual file.
Step #10 – Install a monitoring solution
In the same way that your computer’s anti-virus tool scans your computer’s drives regularly for threats, a website monitoring solution can let you know automatically if any suspicious behavior occurs on your site.
This is especially important, because malware attacks may not always be obvious or immediately apparent. The sooner you find an attack, however, the sooner you’ll be able to make the necessary fixes and start rebuilding trust with your users.
This list certainly isn’t comprehensive, but it should give you a starting point for the immediate steps you’ll want to take to keep your site safe. Begin here, and continue to update your site’s security plan based on your specific needs and risks as you go.
What other steps have you taken to protect your site from malware? Share your experiences and recommendations by leaving us a note below: