Stay organized with collections
Save and categorize content based on your preferences.
Preventing malware infection
The price of freedom from malware is eternal vigilance. This article contains tips and
pointers for preventing malware infection. However, it is by no means exhaustive, and Google
encourages website owners to conduct more thorough research as well.
Monitoring your site health
Many of the features of Search Console can help you identify potential problems. For example:
Try a search on Google with the
site: search operator
to see what pages Google has found on your site. It's always a good idea to do this
periodically to see whether anyone has snuck unexpected pages or content on your site. If
you see unknown pages on your site, or topics that you didn't write, you may have been
hacked. If you're not already familiar with the site: search operator, it's a
way for you to restrict your search to a specific site. For example, the search
site:developers.google.com
will return results only from the Google Developers site.
The
Security Issues report
shows any hacked pages that Google has identified on your site, and instructions on how to
fix the problem.
Pick third-party content providers very carefully.
Make sure that third-party apps and ads on your site are from trusted and legitimate
sources. A trusted and legitimate source provides support and contact information on their
website.
Contact your hosting company or publishing platform for support.
Most companies have helpful and responsive support groups and/or security pages. If a
security page or site has an RSS feed, subscribe to it to make sure you stay up to date.
Keep all of your computers safe. Especially when working on a website, make sure that your
local workstation has up-to-date software, is clean from viruses, trojans, or similar malware
and has recently updated anti-virus software installed.
Website owners with server access
Check your server configuration.
Apache has some
security configuration tips
on their site and Microsoft has some
tech center resources for IIS
on theirs. Some of these tips include information on directory permissions, server-side
includes, authentication, and encryption.
Make a backup copy of your .htaccess file
(or other access control mechanisms depending on your website platform). Use your backup
file to recover if the following fails. Be sure to delete the backup file once you are
finished.
Stay up-to-date with the latest software updates and patches.
There are lots of tools that make building a website easy, but each one adds some risk of
being exploited. A common pitfall for many website owners is to install a forum or blog on
their website and then forget about it. Much like taking your car in for a tune-up, it's
important to make sure you have all the latest updates for any software program you have
installed. Make a list of all the software and plug-ins used for your website, and keep
track of the version numbers and updates. Even if you're diligent and keep all your website
components updated, you may still be vulnerable if your web hoster has not installed the
most recent operating system patches. This problem affects not only small sites; there have
been warnings on the websites of banks, sports teams, and corporate and government websites.
Keep an eye on your log files.
Making this a habit has many great benefits, one of which is added security. For example,
unfamiliar URL parameters (like =http: or =//) or spikes in
traffic to redirect URLs on your site may indicate that a hacker is exploiting
open redirects. Also, bear
in mind that hackers often try to alter log files. Take measures to protect these files from
attack. For example, you can move these files from their default location, making it harder
for hackers to find them.
Check your site for common vulnerabilities.
Avoid having directories with open permissions. This is like leaving the front door to your
home wide open.
Also check for any
XSS
(cross-site scripting) and
SQL injection vulnerabilities.
Use secure protocols.
Google recommends using SSH and SFTP for data transfer, rather than plain text protocols
such as telnet or FTP. SSH and SFTP use encryption and are much safer.
Keep up to date on the latest security news.
The
Google Security Blog
provides useful information about online security and safety, as well as pointers to other
resources. The government site
US-CERT
(United States Computer Emergency Readiness Team) provides technical security alerts and
tips.
If you're a Search Console user and are having trouble with persistent or unfixable security issues on your site, you can let us know.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-02-04 UTC."],[[["\u003cp\u003eThis guide offers essential tips and best practices for preventing malware infection on your website.\u003c/p\u003e\n"],["\u003cp\u003eGoogle Search Console provides valuable tools, such as the Security Issues report, for monitoring your site's health and identifying potential problems.\u003c/p\u003e\n"],["\u003cp\u003eImplementing strong security measures like choosing robust passwords, carefully selecting third-party content, and regularly updating software is crucial for website owners.\u003c/p\u003e\n"],["\u003cp\u003eFor website owners with server access, securing server configurations, monitoring log files, and staying informed about the latest security updates are vital steps in safeguarding your site.\u003c/p\u003e\n"],["\u003cp\u003eIf you encounter persistent security issues despite implementing these recommendations, Google provides a channel to report them.\u003c/p\u003e\n"]]],["To prevent malware, website owners should monitor site health using Search Console features like the `site:` operator and Security Issues report. Key actions include choosing strong passwords, carefully vetting third-party content, and contacting hosting support. For those with server access, regular software updates, server configuration checks, log file monitoring, and vulnerability checks are crucial. Utilizing secure protocols like SSH/SFTP and staying informed on the latest security news are also recommended.\n"],null,["# How To Prevent Malware Infection | Google Search Central\n\nPreventing malware infection\n============================\n\n\nThe price of freedom from malware is eternal vigilance. This article contains tips and\npointers for preventing malware infection. However, it is by no means exhaustive, and Google\nencourages website owners to conduct more thorough research as well.\n\nMonitoring your site health\n---------------------------\n\n\nMany of the features of Search Console can help you identify potential problems. For example:\n\n- Try a search on Google with the [`site:` search operator](https://support.google.com/websearch/answer/2466433) to see what pages Google has found on your site. It's always a good idea to do this periodically to see whether anyone has snuck unexpected pages or content on your site. If you see unknown pages on your site, or topics that you didn't write, you may have been hacked. If you're not already familiar with the `site:` search operator, it's a way for you to restrict your search to a specific site. For example, the search [`site:developers.google.com`](https://www.google.com/search?q=site%3Asite:developers.google.com) will return results only from the Google Developers site.\n- The [Security Issues report](https://support.google.com/webmasters/answer/9044101) shows any hacked pages that Google has identified on your site, and instructions on how to fix the problem.\n- If Google detects malware on your site, you'll see a notification in the [message panel in\n Search Console](https://support.google.com/webmasters/answer/9388335). To ensure that you're notified quickly, you can have your messages [forwarded to your email account](https://support.google.com/webmasters/answer/140528).\n\nSecurity checklist\n------------------\n\nIn addition to monitoring your site regularly, we also recommend the following:\n\n### All website owners\n\n- **Choose good passwords.** The [Google account guidelines](https://support.google.com/accounts/answer/32040) are helpful.\n- **Pick third-party content providers very carefully.** Make sure that third-party apps and ads on your site are from trusted and legitimate sources. A trusted and legitimate source provides support and contact information on their website.\n- **Contact your hosting company or publishing platform for support.** Most companies have helpful and responsive support groups and/or security pages. If a security page or site has an RSS feed, subscribe to it to make sure you stay up to date.\n- Keep all of your computers safe. Especially when working on a website, make sure that your local workstation has up-to-date software, is clean from viruses, trojans, or similar malware and has recently updated anti-virus software installed.\n\n### Website owners with server access\n\n- **Check your server configuration.** Apache has some [security configuration tips](https://httpd.apache.org/docs/2.4/misc/security_tips.html) on their site and Microsoft has some [tech center resources for IIS](https://www.google.com/search?q=microsoft+iis+security+best+practices) on theirs. Some of these tips include information on directory permissions, server-side includes, authentication, and encryption.\n- **Make a backup copy of your `.htaccess` file** (or other access control mechanisms depending on your website platform). Use your backup file to recover if the following fails. Be sure to delete the backup file once you are finished.\n- **Stay up-to-date with the latest software updates and patches.** There are lots of tools that make building a website easy, but each one adds some risk of being exploited. A common pitfall for many website owners is to install a forum or blog on their website and then forget about it. Much like taking your car in for a tune-up, it's important to make sure you have all the latest updates for any software program you have installed. Make a list of all the software and plug-ins used for your website, and keep track of the version numbers and updates. Even if you're diligent and keep all your website components updated, you may still be vulnerable if your web hoster has not installed the most recent operating system patches. This problem affects not only small sites; there have been warnings on the websites of banks, sports teams, and corporate and government websites.\n- **Keep an eye on your log files.** Making this a habit has many great benefits, one of which is added security. For example, unfamiliar URL parameters (like `=http:` or `=//`) or spikes in traffic to redirect URLs on your site may indicate that a hacker is exploiting [open redirects](/search/docs/advanced/guidelines/sneaky-redirects). Also, bear in mind that hackers often try to alter log files. Take measures to protect these files from attack. For example, you can move these files from their default location, making it harder for hackers to find them.\n- **Check your site for common vulnerabilities.** Avoid having directories with open permissions. This is like leaving the front door to your home wide open.\n\n\n Also check for any\n [XSS](https://www.owasp.org/index.php/Cross_Site_Scripting)\n (cross-site scripting) and\n [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) vulnerabilities.\n- **Use secure protocols.** Google recommends using SSH and SFTP for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer.\n- **Keep up to date on the latest security news.** The [Google Security Blog](https://security.googleblog.com/) provides useful information about online security and safety, as well as pointers to other resources. The government site [US-CERT](https://us-cert.cisa.gov/) (United States Computer Emergency Readiness Team) provides technical security alerts and tips.\n\n\nIf you're a Search Console user and are having trouble with persistent or unfixable security issues on your site, you can let us know.\n\n[Report a security issue](https://support.google.com/webmasters/contact/report_security_issues)"]]
