Preventing badware: Basics

Badware takes advantage of technical vulnerabilities and human behavior to find its way onto computers, websites, and networks. Any website and any networked device is vulnerable to badware infection. Even large, extremely popular sites can be hacked, and have been.

So what can I do to protect my site? While nothing guarantees absolute security, a few basic practices and principles can help you prevent website badware and protect your visitors. Preventing badware on your website requires protecting three things: your site itself, the password(s) used to upload content to the site, and the computer(s) used to upload content to the site.

Protect your site

  • Back up regularly. A clean backup is the easiest way of restoring your site if something goes wrong. Backups can be performed manually or automatically.
  • Keep ALL your software updated. This means your website software, like WordPress, Drupal, or Joomla; it also means any plugins, themes, extensions, scripts, or other software. Many content management systems (CMS) have a user-friendly admin panel that notifies site administrators when software updates are available. Update right away! This is one of your best defenses against badware looking to find a way into your site.
  • Remove any scripts, plugins, or other software that you are no longer using. If you install a theme or plugin and decide not to use it, remove it right away instead of letting it languish unused on your site. You don’t have to be actively using software for bad actors to exploit it.
  • Use caution when deciding which third-party scripts and plugins to install. Popular website content management systems, like WordPress and others, allow site owners to customize their sites by installing third-party software, like plugins or themes. It’s important to remember that most plugins, themes, and other scripts are NOT created by the developers of the content management systems. They are written by outside developers and programmers, and they can contain security holes, too. You should always check the reputation of third-party software and its developer(s) before installing it.
  • Consider using SSH or SFTP instead of FTP. Sensitive data, such as your login credentials, transferred via FTP is not typically encrypted. This can enable attackers to steal your login credentials or other important information.
  • Sign up for Google Webmaster Tools. Google is a StopBadware Partner, but even if they weren’t, we’d still tell you that creating a Webmaster Tools account is a good idea. Webmaster Tools will give you access to a number of useful tools and related information to help you monitor your site’s performance and contents. And, if Google’s scanners detect anything suspicious on your site, you’ll be able to find that information easily via your dashboard.
  • Consider using a website monitoring service. There are a number of reputable companies for hire who can monitor your website for suspicious activity and notify you of security vulnerabilities. Using a paid service to proactively detect security holes or threats can save you the frustration and hassle of cleaning up a hacked site and trying to undo reputational damage. If you would like to learn more about this option, our community members would be happy to recommend a vendor. A search engine can also point you in the right direction.

Passwords and permissions

  • Use strong passwords. Make sure you change all default passwords right away, and be sure NOT to store passwords on your computer. You should delete the default username, too. Change your passwords regularly, even if you have no reason to believe they have been compromised. See Microsoft's tips on choosing a strong password.
  • Never use the same password for multiple accounts, especially if those accounts can all be used to access your site! If you have trouble remembering or creating secure passwords, there are some free or low-cost password management tools that can help you manage your logins.
  • Consider using two-factor authentication to log into your site’s dashboard or control panel. Many content management systems and control panels support two-factor authentication. There are a number of ways to do this (e.g., using a .htaccess password, using Google Authenticator), but securing your admin panel(s) will ensure that even legitimate users have to enter a specially generated code or other form of authentication before successfully logging in.
  • Use appropriate file permissions on your web server. If a bad actor gains access to your site, that attacker can sometimes change your folder or file permissions so that he or she has access to your site even if you change the passwords. There are different views of what the best permissions are for folders and files, and this can differ by system, as well. Our community moderators generally recommend setting files to 644 and folders to 755. The University of Arizona has a helpful tutorial on understanding permissions on an Apache UNIX server. Note: You should never change permissions if you don’t know exactly what the effects will be!
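
A report-only way to check a web root against the 644/755 baseline recommended above. This is an added example, not part of the original article; the function names audit_perms and count_findings are chosen here for illustration, and nothing on disk is changed.

```shell
#!/bin/sh
# Report-only audit of a web root against the 644 (files) / 755 (folders)
# baseline. It lists deviations so they can be reviewed; it never runs chmod.
# audit_perms and count_findings are names made up for this example.

audit_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # World-writable entries first: any local account or compromised script
    # can alter them. Symlinks are skipped because their own mode bits are
    # not what the server checks.
    find "$root" ! -type l -perm -0002 -exec printf 'WORLD-WRITABLE %s\n' {} \;

    # Files that are not exactly 644 (for example 666, 755 or 777).
    find "$root" -type f ! -perm 644 -exec printf 'FILE-NOT-644 %s\n' {} \;

    # Folders that are not exactly 755 (for example 775 or 777).
    find "$root" -type d ! -perm 755 -exec printf 'DIR-NOT-755 %s\n' {} \;
}

# Number of findings; a non-zero count means there is something to review.
count_findings() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# When run as a script with a path argument, print the report for that path.
if [ $# -gt 0 ]; then
    audit_perms "$1"
fi
```

Some entries legitimately differ from the baseline on some hosts, so treat each line as something to review rather than something to change automatically.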

Protect your computer and network connections

  • Your website can become infected if you use an infected computer (or computers) to update your site. This is a common cause of site hacks. As many Internet users know by now, badware infection on PCs is not always obvious. If you aren’t already using at least one reputable antivirus product, we highly recommend you find one and regularly scan every PC used to update your site. This is only a start: for more information, see Protect your PC.
  • Use secure network connections. Using unencrypted WiFi networks can leave your sensitive information, such as your website login credentials, open to attackers. With the proliferation of ultraportable laptops and mobile devices, it’s increasingly easy to maintain or update a website on the go; make sure that everyone who updates your site uses a secure network connection.

Now that you’ve got the basics covered, learn to prevent badware by tightening security on your content management system (CMS).