Protect your site from Malware
First of all, some may wonder why anyone would want to infect their website with Malware. Here are some of the reasons I have personally found while working to remove Malware from infected sites:
- Spam emails: The most common malware scripts I have found are designed to send unbelievable amounts of spam to everyday people like yourself. Could you imagine 10,000+ spam emails sent from your business email a day? It could completely ruin your reputation online!
- Fake sites: Some malware sets up a fake site within your site. Think of those annoying fake emails requesting you log in to your bank account to update your details! The sad thing is that a lot of people fall for it! The last thing you want is a scam like this being linked to your business.
- Zombie server: Part of the malware is designed to be malicious; the other part is there to heal and grow the malware. To do this, it may use your web server to spread the malware to other unsuspecting websites. Google can penalise your website if there are still scripts running to spread malware to other web servers. This can be tricky, as it can be hard to spot if nothing visibly malicious (like the two above) is being done.
- Changing your website: This is normally done by a hacker rather than malware; however, new malicious scripts are starting to arise to automate this process, infecting multiple sites with zombie servers. I had one client a while back whose website was changed to an Al-Qaeda recruitment page! Imagine her disgust that her potential customers were seeing this on her domain name!
So what can you do to prevent Malware?
Preventive maintenance is the key.
- Backing up your site regularly can help in the event of your site getting hacked, or even if you introduce a problem to your site while installing a new plugin. I use a script to automate my backups so I get a separate backup from Monday to Sunday. That way you have a full week to sort out the problem if one arises. You can use a plugin for this purpose (e.g. Backup Buddy for WordPress); however, as Malware is designed for self-preservation, I fear new wave malware would find a way to exploit this.
- Check your Apache logs. A look through your logs once a month may help you discover persistent IP addresses that constantly attempt to access pages that do not exist. You can then either block these IP addresses or install something like Fail2Ban to ban particular IPs that try to access your CMS login page or pages that don’t exist.
- Update your plugins regularly. The old saying, “If it ain’t broke, don’t fix it”, doesn’t apply to open source CMSes, as hackers are constantly looking for a way to gain access. Backups are always handy here, as updated plugins can introduce some new issues if you are not careful.
- Update your theme. Old WordPress themes can have a backdoor to your site. You should always use a child theme to make changes to your theme. That way you can update the theme without rolling back any changes you have made.
- Malware scans. I currently use a great WordPress plugin called Anti-Malware, which can scan your site and prevent brute force logins.
While doing all of the above will not 100% protect a site from Malware, it should dramatically increase your chances of not being hacked.
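To make the monthly Apache log check above concrete, here is an added example (not the author's own script) that counts, per IP address, requests for pages that do not exist and POSTs to the CMS login page. It assumes the Apache "combined" log format; the thresholds, the WordPress login paths and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # assumed WordPress login endpoints


def suspicious_ips(lines, max_404=3, max_login=3):
    """Return {ip: [reasons]} for IPs that reach either (assumed) threshold."""
    not_found, logins = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of crashing
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["status"] == "404":
            not_found[m["ip"]] += 1
        if m["method"] == "POST" and path in LOGIN_PATHS:
            logins[m["ip"]] += 1
    report = {}
    for ip in sorted(set(not_found) | set(logins)):
        reasons = []
        if not_found[ip] >= max_404:
            reasons.append(f"{not_found[ip]} requests for missing pages")
        if logins[ip] >= max_login:
            reasons.append(f"{logins[ip]} login POSTs")
        if reasons:
            report[ip] = reasons
    return report


def _line(ip, method, path, status):  # builds one constructed sample log line
    return (f'{ip} - - [10/Mar/2024:06:25:01 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample data using documentation-only IP ranges.
SAMPLE_LOG = (
    [_line("203.0.113.7", "GET", p, 404)
     for p in ("/old-page", "/test.php", "/backup.zip", "/phpinfo.php")]
    + [_line("198.51.100.23", "POST", "/wp-login.php?x=1", 200)] * 5
    + [_line("192.0.2.10", "GET", "/favicon.ico", 404), "garbage line"]
)

if __name__ == "__main__":
    for ip, reasons in suspicious_ips(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

To run it against a real log, pass an open file object instead of `SAMPLE_LOG`; the flagged addresses are candidates for the manual block or Fail2Ban rule mentioned above.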