The idea
Malware is short for malicious software. It is a catch-all word rather than one specific thing.
Some of it locks your files and demands payment. Some of it sits quietly and reads your passwords as you type them. Some of it turns your machine into part of someone else's network. What they share is that nobody chose to install them.
The old picture of a virus arriving in an attachment is only part of the story now. A great deal of it arrives through the web.
How websites get involved
This is the part most people miss. A site does not have to be shady to serve malware.
Legitimate sites get compromised routinely. An out of date plugin, a reused admin password, a vulnerable theme, and someone else now has write access. They inject code, and the site starts serving malware to its own visitors.
The owner often has no idea. The site looks completely normal from the outside, and the injected code is usually written to hide from the person logged in as admin. That is why a shop you have used before can still catch you out, and why browser blocklists exist.
Signs a site may be serving it
You will not usually see the malware itself. You see the symptoms around it.
- →A full page browser warning. Red screen, big text, telling you to go back. Take it seriously. It is not a formality.
- →A warning next to the site in search results. Search engines flag sites they have found problems on.
- →Unexpected redirects. You click one link and land somewhere else entirely, usually somewhere trying to sell you something.
- →Popups demanding a download or an "update". No real website needs you to install a player, a codec, or a browser update to read a page.
- →Fake virus alerts. A page that claims your device is already infected and offers to clean it. The alert is the attack.
Check a site without visiting it
If you are suspicious of a site, the worst way to find out is to open it and see what happens.
Check it from the outside instead. A reputation check queries the blocklists and looks at the site's records for you, so you get a verdict without loading anything risky on your own device. That is what our free check is for. Paste the address, get an answer, never open the page.
Our guide on how to check a website for malware covers the other places worth looking. And if the concern is a shop rather than a file, how to spot a scam website is the better starting point.
If you run the site
Assume it can happen to you, because it happens to sites that are looked after.
- →Keep the platform, plugins and themes updated. Old versions are how most of it gets in.
- →Use unique passwords for admin accounts and turn on two-factor authentication.
- →Cut down what your pages are allowed to load and run with a Content Security Policy. Injected code has to load from somewhere.
- →Have backups you have actually tested restoring.
- →Publish a security.txt so someone who spots a problem can tell you before your customers find out.
Why getting flagged hurts twice
Being infected is the first problem. Being blocklisted is the second, and it lasts longer.
Once browsers start showing a warning on your address, your traffic stops. Not drops. Stops. Cleaning the site does not lift the warning on its own either, because you have to request a review and wait. The gap between "we fixed it" and "the warning is gone" is where the real damage happens.
We have step by step instructions for every major platform, including the ones that will not let you.
See how to harden your site