Badware takes advantage of technical vulnerabilities and human behavior to find its way onto computers, websites, and networks. Any website and any networked device is vulnerable to badware infection. Even large, extremely popular sites can be hacked, and have been.
So what can I do to protect my site? While nothing guarantees absolute security, a few basic practices and principles can help you prevent website badware and protect your visitors. Preventing badware on your website requires protecting three things: your site itself, the password(s) used to upload content to the site, and the computer(s) used to upload content to the site.
Protect your site
Back up regularly. A clean backup is the easiest way of restoring your site if something goes wrong. Backups can be performed manually or automatically.
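The automatic case, as an added example that is not from the StopBadware article: a small POSIX shell script that archives a site's document root with a timestamp, verifies the archive can be read back before trusting it, records a checksum, and keeps only the newest copies. The paths and retention count are assumptions; point `backup_site` at your own document root and a backup location that is not inside the web root.

```shell
#!/bin/sh
# Added example (not from the StopBadware article): a minimal automated backup
# of a site's document root. All paths below are assumptions for illustration.
set -eu

# Create a timestamped, compressed archive of $1 inside $2, verify that the
# archive is readable, record its checksum, and print the archive path.
backup_site() {
    site_root="$1"
    backup_dir="$2"
    mkdir -p "$backup_dir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$backup_dir/site-$stamp.tar.gz"
    # -C so the archive stores paths relative to the site root's parent
    tar -czf "$archive" -C "$(dirname "$site_root")" "$(basename "$site_root")"
    # A backup that cannot be listed is not a backup: verify before trusting it
    tar -tzf "$archive" >/dev/null
    cksum "$archive" > "$archive.cksum"
    echo "$archive"
}

# Retention for the automatic case: keep only the newest $2 archives in $1.
prune_backups() {
    backup_dir="$1"
    keep="$2"
    ls -1t "$backup_dir"/site-*.tar.gz 2>/dev/null \
        | tail -n +"$((keep + 1))" \
        | while read -r old; do
            rm -f "$old" "$old.cksum"
        done
}

# Number of archives currently kept in $1.
count_backups() {
    ls -1 "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Typical cron usage (paths are assumptions):
#   backup_site /var/www/example /var/backups/example && prune_backups /var/backups/example 14
```

Run it from cron or a systemd timer so it happens without anyone remembering; the `tar -tzf` verification step is the part most hand-written backup scripts omit, and it is the one that tells you before an incident whether the archive is usable.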
Keep ALL your software updated. This means your website software, like WordPress, Drupal, or Joomla; it also means any plugins, themes, extensions, scripts, or other software. Many content management systems (CMS) have a user-friendly admin panel that notifies site administrators when software updates are available. Update right away! This is one of your best defenses against badware looking to find a way into your site.
Remove any scripts, plugins, or other software that you are no longer using. If you install a theme or plugin and decide not to use it, remove it right away instead of letting it languish unused on your site. You don’t have to be actively using software for bad actors to exploit it.
Use caution when deciding which third-party scripts and plugins to install. Popular website content management systems, like WordPress and others, allow site owners to customize their sites by installing third-party software, like plugins or themes. It’s important to remember that most plugins, themes, and other scripts are NOT created by the developers of the content management systems. They are written by outside developers and programmers, and they can contain security holes, too. You should always check the reputation of third-party software and its developer(s) before installing it.
Consider using SSH or SFTP instead of FTP. Sensitive data, such as your login credentials, is not typically encrypted when transferred via FTP. This can enable attackers to steal your login credentials or other important information.
Sign up for Google Webmaster Tools. Google is a StopBadware Partner, but even if they weren’t, we’d still tell you that creating a Webmaster Tools account is a good idea. Webmaster Tools will give you access to a number of useful tools and related information to help you monitor your site’s performance and contents. And, if Google’s scanners detect anything suspicious on your site, you’ll be able to find that information easily via your dashboard.
Consider using a website monitoring service. There are a number of reputable companies for hire who can monitor your website for suspicious activity and notify you of security vulnerabilities. Using a paid service to proactively detect security holes or threats can save you the frustration and hassle of cleaning up a hacked site and trying to undo reputational damage. If you would like to learn more about this option, Google's webmaster forum on hacked sites would be happy to recommend a vendor. A search engine can also point you in the right direction.
Passwords and permissions
Use strong passwords. Make sure you change all default passwords right away, and be sure NOT to store passwords on your computer. You should delete the default username, too. Change your passwords regularly, even if you have no reason to believe they have been compromised.
Don’t use the same password for multiple accounts, ever, and especially not if those accounts can all be used to access your site! If you have trouble remembering or creating secure passwords, there are some free or low-cost password management tools that can help you manage your logins.
Consider using two-factor authentication to log into your site’s dashboard or control panel. Many content management systems and control panels support two-factor authentication. There are a number of ways to do this (e.g., using a .htaccess password, using Google Authenticator), but securing your admin panel(s) will ensure that even legitimate users have to enter a specially generated code or other form of authentication before successfully logging in.
Use appropriate file permissions on your web server. If a bad actor gains access to your site, that attacker can sometimes change your folder or file permissions so that he or she has access to your site even if you change the passwords. There are different views of what the best permissions are for folders and files, and this can differ by system, as well. Our community moderators generally recommend setting files to 644 and folders to 755.

Note: You should never change permissions if you don’t know exactly what the effects will be!
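Because the note above warns against changing permissions blindly, the useful first step is an audit that only reports. The following is an added example, not code from the StopBadware article: a POSIX shell script that lists every directory that is not 755 and every file that is not 644 under a web root, plus a stricter check for anything writable by "other", which is the case worth fixing first regardless of which baseline you settle on. The demo tree it builds is constructed for illustration; run `audit_perms` against your own document root.

```shell
#!/bin/sh
# Added example (not from the StopBadware article): audit a web root against
# the 644 (files) / 755 (directories) baseline the article's moderators
# recommend. It only reports; it changes nothing.

# List directories that are not 755 and files that are not 644, one per line,
# prefixed so the two kinds are easy to tell apart.
audit_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 | sed 's/^/DIR  /'
    find "$root" -type f ! -perm 644 | sed 's/^/FILE /'
}

# Stricter check: anything writable by "other" (mode bit 002) lets any local
# account, including the web server's, modify it. Flag these first.
world_writable() {
    find "$1" -perm -002
}

# Count lines on stdin, trimmed so the result is safe to compare numerically.
count_lines() {
    wc -l | tr -d ' '
}

# Constructed demo tree (not a real site) so the audit can be exercised
# offline. Two entries are deliberately wrong so the audit has something to
# report.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php\n' > "$d/index.php"
    printf '<?php\n' > "$d/wp-config.php"
    chmod 755 "$d" "$d/wp-content"
    chmod 644 "$d/index.php"
    chmod 666 "$d/wp-config.php"        # world-writable config file: flagged
    chmod 777 "$d/wp-content/uploads"   # world-writable directory: flagged
    echo "$d"
}

# Example run:
#   d=$(make_demo_site); audit_perms "$d"; world_writable "$d"; rm -rf "$d"
```

Read the report before acting on it: upload directories on some hosts legitimately need group write, and the right fix for a world-writable file is usually to correct the ownership as well as the mode, which is why the script leaves the `chmod` to you.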
Protect your computer and network connections
Your website can become infected if you use an infected computer (or computers) to update your site. This is a common cause of site hacks. As many Internet users know by now, badware infection on PCs is not always obvious. If you aren’t already using at least one reputable antivirus product, we highly recommend you find one and regularly scan every PC used to update your site. This is only a start: for more information, see Protect your PC.
Use secure network connections. Using unencrypted WiFi networks can leave your sensitive information, such as your website login credentials, open to attackers. With the proliferation of ultraportable laptops and mobile devices, it’s increasingly easy to maintain or update a website on the go; make sure that everyone who updates your site uses a secure network connection.
Now that you’ve got the basics covered, learn to prevent badware by tightening security on your content management system (CMS).