How To Check Your Website For Malware
If your website is an essential part of your business, then you must regularly check your site for malware. What’s more, you need to do everything you can to make sure that the check comes back all clear. In addition to this, you need to protect your website against other threats such as DDoS and domain hijacking. Fortunately, it is possible to do all this with the resources available to the average SMB. Here is some guidance to help.
Check site for malware effectively
In practical terms, the relevant question is not “how to check a site for malware”, but “how to check a site for malware effectively”. The short answer to this, at least for the average SMB, is to sign up for a robust website vulnerability scanning service. It may, however, be helpful to understand at least the basics of what these services are and what they can do for you.
The term “website vulnerability scanner” covers a range of services offered by multiple vendors, so they will all be at least slightly different. Any decent website vulnerability service will, however, include an anti-malware scanner (and also a web application firewall). These will not necessarily be of the same standard.
First of all, you need to check that you’re comfortable with the brand behind the service. Assuming you’re happy with that, you then need to look at what it scans and how it undertakes its scanning.
Basically, you want to be sure that, as a minimum, it scans any software or web technology you’re likely to want to use now or in the foreseeable future. You also want to make sure that it can handle mobile-optimized sites.
On a similar note, you want to be sure that any anti-malware scanner you use protects you against the whole gamut of cyberthreats, of which viruses are just one part, albeit a large one. The likes of cryptojackers, spyware and, possibly above all, ransomware, are all threats your anti-malware scanner has to be able to handle. In addition to being able to deal with a wide range of threats, an effective scanner has to be able to go into enough depth to identify variations between different versions of the same threat.
You want your anti-malware scanner to operate holistically. In other words, you want it to use the results of scans to inform other scans. This will go a long way towards not only increasing the level of security it delivers but also reducing the number of false-positive results, which can be extremely frustrating. Ideally, you want the anti-malware scanner to be easy to use and to display information in a way that is easy to understand.
You still need to choose and manage your software with care
An anti-malware scanner is intended to boost existing security precautions, not replace them. It is not particularly unusual for anti-malware products to be used as a form of stop-gap protection against so-called “zero-day attacks” (which can actually take several months to resolve). The general idea, however, is that all users will promptly apply software updates that fix any known vulnerabilities and the anti-malware scanner will sit on top of that as extra protection.
For completeness, this goes for all software, not just the software you use on your website. If you know that applying updates promptly is a weak point in your organization, then you need to address it. If you can’t find the internal resource, then you need to get a third-party vendor to manage it for you.
You need to extend your protection to local computers and mobile devices
Even if you don’t store credentials on your local computers and mobile devices, you will still enter them there. This means that if they are compromised, your website can be compromised too. It’s therefore vital to invest in robust protection for them, meaning, as a minimum, an anti-malware solution with an integrated firewall. If you have remote and/or mobile users, then you also need a VPN.
You need to manage your users, internal and external
The safest form of website is one that only allows for the passive consumption of data. Unfortunately, that is not an option for many businesses. Even if it is, it doesn’t solve the issue of internal users needing access to the site, especially those who need admin access to the site.
You must, therefore, do everything possible to limit what all non-admin users can do to the bare minimum needed to perform their essential tasks. Admin users must be chosen with care, monitored, and given clear instructions on the use of strong passwords and two-factor authentication.