Preventing malware infection

The price of freedom from malware is eternal vigilance. This article contains tips and pointers for preventing malware infection. However, it is by no means exhaustive, and Google encourages webmasters to conduct more thorough research as well.

Monitoring your site health

Many of the features of Webmaster Tools can help you identify potential problems. For example:

  • Try a Google site: search to see what's indexed. It's always a good idea to do a sanity check and make sure things look normal. If you're not already familiar with the site: search operator, it's a way for you to restrict your search to a specific site. For example, the search site:googleblog.blogspot.com will return results only from the Official Google Blog.

  • The Search Queries page lists significant keywords Google found on your site. If unexpected keywords (such as "Viagra") appear in the list, it's a signal that your pages have probably been compromised.

  • The Malware page (under Health) lists sample URLs from your site that have been identified as containing malicious code. Where possible, the page will also include samples of the problem code.

  • The Fetch As Google tool lets you see a page the same way Google's crawlers do. If you suspect a page is infected, you can use the tool to detect what Googlebot will see.

  • If Google detects malware on your site, we'll notify you on the Webmaster Tools home page, and send a message to your Message Center. (To ensure that you're notified quickly, you can have your Message Center messages forwarded to your email account.)

Security checklist

In addition to monitoring your site regularly, we also recommend the following:

All webmasters

  • Choose good passwords. The Gmail guidelines are helpful.

  • Pick third-party content providers very carefully. If you're considering installing an application provided by a third party, such as a widget, counter, or ad network, be sure to exercise due diligence. Ad space is often syndicated to other parties who are not known to the website owner. While there is a lot of great third-party content on the web, it's also possible for providers to use these applications to push exploits, such as dangerous scripts, towards your visitors. Make sure the application is from a reputable source. Do they have a legitimate website with support and contact information? Have other webmasters used the service?

  • Contact your hosting company or publishing platform for support. Most companies have helpful and responsive support groups and/or security pages. If a security page or site has an RSS feed, subscribe to it to make sure you stay up to date.

  • Keep all of your computers safe. Especially when working on a website, make sure that your local workstation has up-to-date software, is free of viruses, trojans or similar malware, and has recently updated anti-virus software installed.




Webmasters with server access

  • Check your server configuration. Apache has some security configuration tips on their site and Microsoft has some tech center resources for IIS on theirs. Some of these tips include information on directory permissions, server-side includes, authentication and encryption.

  • Make a backup copy of your .htaccess file (or other access control mechanisms depending on your website platform). Use your backup file to recover if the following fails. Be sure to delete the backup file once you are finished.

  • Stay up-to-date with the latest software updates and patches. There are lots of tools that make building a website easy, but each one adds some risk of being exploited. A common pitfall for many webmasters is to install a forum or blog on their website and then forget about it. Much like taking your car in for a tune-up, it's important to make sure you have all the latest updates for any software program you have installed. Make a list of all the software and plug-ins used for your website, and keep track of the version numbers and updates. Even if you're diligent and keep all your website components updated, you may still be vulnerable if your hosting provider has not installed the most recent operating system patches. This is not a problem only for smaller sites; there have been warnings on the websites of banks, sports teams, and corporate and government websites.

  • Keep an eye on your log files. Making this a habit has many great benefits, one of which is added security. For example, unfamiliar URL parameters (like "=http:" or "=//") or spikes in traffic to redirect URLs on your site may indicate that a hacker is exploiting open redirects. Also, bear in mind that hackers often try to alter log files. Take measures to protect these files from attack. For example, you can move these files from their default location, making it harder for hackers to find them.

  • Check your site for common vulnerabilities. Avoid having directories with open permissions. This is like leaving the front door to your home wide open.

    Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities.


  • Use secure protocols. Google recommends using SSH and SFTP for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer. For this and many other useful tips, check out StopBadware.org's Tips for Cleaning and Securing Your Website.

  • Keep up to date on the latest security news. The Google Online Security Blog provides useful information about online security and safety, as well as pointers to other resources. The government site US-CERT (United States Computer Emergency Readiness Team) provides technical security alerts and tips.
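
The log check described under "Keep an eye on your log files" above, written out as an added example (not part of the original article): it scans access-log lines for query parameters whose decoded value starts with "http:" or "//" and points off-site, and counts the flagged requests per path. The combined log format, the OWN_HOSTS value, the function names and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumption: hostnames that belong to this site (placeholder value).
OWN_HOSTS = {"www.example.com"}

# Request target inside an Apache/nginx "combined" access-log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Parameter values that begin like "=http:" or "=//" once percent-decoded.
EXTERNAL_RE = re.compile(r"^(?:https?:|//)", re.IGNORECASE)

def suspicious_redirect_params(line, own_hosts=OWN_HOSTS):
    """Return (path, param, value) for each query parameter pointing off-site."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    hits = []
    # parse_qsl percent-decodes, so "%2F%2Fhost" is caught as well as "//host".
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = value.strip()
        if not EXTERNAL_RE.match(value):
            continue
        try:
            host = urlsplit(value).hostname
        except ValueError:  # malformed URL: report it rather than skip it
            host = None
        if host not in own_hosts:
            hits.append((path, name, value))
    return hits

def redirect_hits(lines, own_hosts=OWN_HOSTS):
    """Count flagged requests per path; a sudden rise on one path is the spike."""
    return Counter(p for l in lines
                   for p, _, _ in suspicious_redirect_params(l, own_hosts))

# Constructed sample log lines (documentation addresses and hosts only).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.4 - - [10/Oct/2012:13:56:01 +0000] "GET /redirect?url=http://malware.example/x HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Oct/2012:13:56:07 +0000] "GET /redirect?url=%2F%2Fmalware.example HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Oct/2012:13:57:12 +0000] "GET /redirect?url=http://www.example.com/about HTTP/1.1" 302 0',
    '203.0.113.8 - - [10/Oct/2012:13:58:40 +0000] "GET /search?q=http+status+codes HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(redirect_hits(SAMPLE_LOG))
```

Redirects back to the site's own hosts are not flagged, so OWN_HOSTS has to list every hostname the site legitimately redirects to.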