How to protect your site from infection

How to stop hackers from inserting malware on your site

  1. Make sure your software is reliable and secure.

    • Only download web app setup files and extensions/plugins for your CMS from verified sources.

    • Make sure your CMS and server software is up-to-date, keep track of any potential vulnerabilities in your CMS.

    • Regularly check whether your servers have been compromised.

    • Delete the installation and debug scripts once your CMS has been installed.

  2. Protect the web server with a secure password (FTP, SSH, hosting admin panels and CMS).

    • A secure password should comprise at least 11 characters and include both uppercase and lowercase letters, numbers and symbols.

    • Don't use to the same password to access different services.

    • It's recommended that you change even the securest of passwords every three months to protect yourself from potential leaks.

    • Don't save important passwords in web browsers, file managers, or FTP, SSH and other clients.

  3. Keep all your computers secure.

    All the computers that interact with your server (machines belonging to the webmaster, administrator, content manager, sales manager etc.) should have an up-to-date antivirus installed. The operating system and any applications must also be updated regularly.

  4. Manage the information entered by users.

    • Filter the HTML markup of data entered by users that may embed itself in the pages of your site.

    • Then check on the server that the data received complies with the permissible size, values and intervals .

    • Never place information received from users directly in eval() calls, SQL-requests or type conversions. Always verify and clear the information received of potentially dangerous elements.

    • Don't leave parameters used for debugging, experiments with new or disabled functions in the final version.

    • Use WAF (Web Application Firewall).

  5. Control user access rights, and in particular protect yourself form Cross-site request forgeries (CSRF).

    Restrict access to CMS and Database panels (for example, phpMyAdmin), as well as:

    • code backups;

    • config files;

    • version-control metadata (for example, to the .svn or .git catalogs).

  6. Hide the server software version if possible (CMS, web server, interpreter, DBMS).

  7. Configure your firewalls and network infrastructure only to let through the connections you need.

  8. Try to avoid clickjacking. The simplest ways of doing this are:


    • Javascript constructions such as
      if (top.location != window.location) top.location = window.location
      top.location = ''
  9. We recommend web hosts check supported sites regularly, for example, using the Yandex Safe Browsing API or Yandex.Webmaster API.

How to prevent users from inserting malware on your site

Malware may be present in uploaded content (unintentionally or intentionally) if your site gives users the option to upload text or files.

  1. Protect your site from bots.

    You can use special CMS plugins or search blacklisted users to protect yourself from bots.

  2. Verify the information uploaded by users.

    • Don't give users the chance to embed JavaScript code inside <script>, tags or links.

    • Don't include code from the <iframe>, <object>, <embed> tags directly on your webpage and don't upload .jar, .swf or .pdf files (because your site may use such files to generate these tags automatically).

    • Keep a "Whitelist" of all the permitted HTML tags to make filtering out all the rest easier.

    • Check the links pasted in by users, for example, using the Yandex Safe Browsing API .

How to avoid infecting your site accidentally

  1. Verify your software.

    • Download CMS, widget and library setup files from official sites or verified sources only.

    • Always scan setup files for viruses if you have to download them from an unknown site.

    • Always examine the code of any additional components thoroughly before adding them to your CMS.

  2. Watch out for ad blocks and code.

    • Only include ad blocks provided by trusted ad systems on your site.

    • Looks for reviews and content examples before cooperating with new ad networks.

    • Avoid offers that are too good to be true (suspiciously high rewards for counters and blocks, monetization of mobile traffic etc.).

    • Embed static content on your site where possible (links and images). Avoid downloadable <script> and <iframe> elements. Only accept Flash, Java and ActiveX components as source code that you can check and compile manually.

    • Avoid partner ad programs that use hidden blocks.

  3. Carefully control access to your service interfaces. Only those who really need access to your site should have it.

    • Revoke access from specialists carrying out one-off work, former owners and people who are not responsible for running the site (such as marketing specialists or supervisors).

    • Try and get recommendations about anyone you hire before letting them work on your site. Once the work is complete, disable their accounts or change your passwords.

    • Some ad partner programs may request access by FTP if your site is static so they can change the banners displayed. Granting this type of access can be dangerous: if the partner system database is broken into, hackers could gain direct access to the files on your site.

  4. Find a secure and reliable hosting service. Not all services can ensure the security of their servers, while others may even intentionally insert malware on your site.