Thumbnail for video explaining how to check website for malware

Is Your Website Infected with Malware? Free Tools to Help You Check.

And You Don’t Even Need to Be “Techy” to Use Them!

Scroll down to watch the video (audio transcript is below that)

Do you know that “bad actors” on the internet will try to infect your site with malware and spam in ways so subtle that you don’t even know they’ve done it? And often they aren’t after your secrets, they just need your website to help them blast spam emails, practice negative SEO, or host hundreds of advertising pages you don’t even know about.

In they process they can hog your website resources and earn you or other websites a bad reputation with Google. For that reasons you need to be able to quickly check your website for unwelcome intruders. Of course there are lots of more technical tools for doing this (if your site is running WordPress our favorite tool for checking and protecting is Wordfence).

In this video we take a look at a number of other tools that require no technical expertise to use, and we find that they are not all created equal.

By the way, if you discover that malware is infecting your website, you will need technical help, so be prepared. But whatever you do, don’t ignore this issue. It’s one of the first things we do when we’re doing an SEO Audit.

Audio Transcript

Hi, everyone. I’m Ross with Horizon Web Marketing, and I’m here with another SEO Audit How-To. So, we’ve been working our way through the SEO audit checklist that we use internally when we do an SEO audit on a site and giving you little tips on how you can clear items from your audit checklist. Let’s take a look at the checklist. As we scroll down under the technical factor section of the checklist, you’ll see that one of the sections is security issues, and I’ve done another video that talks about how we can clear these two items. Is the site using https, and is that being served consistently?

detail image of seo audit checklist with the security issues highlighted

Today, we’re going to talk about this question, is the domain clean of hidden malicious code? Now, you may think that your domain is as clean as a whistle, but on the other hand, the people that are out there planting malicious code on websites often do a pretty good job of not letting you know that they’re around. And don’t be going according to the assumption that every time someone hacks into your website, they want to steal something from you. Often they’re hacking into your website so they can do things like blast out spammy emails or put up advertising pages that you don’t know about using your domain, and now also they might use your domain for something called negative SEO, where they plant a whole bunch of really lousy links to other websites to try to take them down, and you’re just the unwitting host of this.

So, here’s how we go about checking a site, and before I do that I’m going to show you this article here and I’ll put a link to this article. It’s a pretty good one, “11 Awesome Tools for Website Malware Scanning.” So I went through there, and I actually saw some tools that I didn’t know about before. They’ve got a list of some. Now, many of these tools are ones you have to install on the backend of your site. What we’re going to focus on today, with the exception of Google Search Console, we’re going to show you tools where you don’t have to have login privileges in order to check out a site.

So, if you do have, when it comes to your own site that you own, probably the first place you’re going to go is to Google Search Console. Now, if you’re not familiar with Google Search Console, you need to change that, and we’ve got some videos that show you how to get set up with it.

When you’re within Google Search Console, on the left you’ll see that there’s a choice called Security Issues, and when we click on that, if Google has picked up on any malware, any malicious code on your site, they’re going to give you a notification here. So typically, they’ll push a notification to you if you have your email entered into Google Search Console, but as a matter of course for sites that we maintain, we make it a practice to check this at least once a month, make sure that Google hasn’t picked up on something that we’ve missed. However, this is a cursory check. It doesn’t catch a lot of stuff. I have had it catch security breaches before, but I don’t think it always does that.

The security issues screen in Google Search Console

Now, some of the checkers that are listed on that page that I showed you are not that great at catching code, so what I did is I decided to go to a website that I know has malware infection because I’ve been following this website for years because they’re a host for what we call negative SEO and have actually been used to launch attacks on at least one of my clients. So, I’m going to go to this website, and here it is. It’s called coopercomputers.com. It’s still up and online. You can see that it’s like an abandoned site. If you dig down into this domain, you’ll see pages like this where basically the pages have been hacked, and then all sorts of images have been placed. And if you dig down into the code, you can find all sorts of shady stuff going on. So, I decided to take this and do a little test on some of the malware checkers that are listed in the article I showed you.

The first one that I went to is this one here called virustotal.com. I ran that site through it, came back pretty clean. This is basically a meta check, so it goes and it goes through a lot of different checks. Notice it shows Quttera’s listing this as suspicious. Quttera is another one of the sites that we’re going to take a look at.

Web Inspector, another one here we go to, and boy, it looks like it’s pretty clean so far. And then I’ve gone to Rescan.Pro, which is another resource. We’ve scanned the site and once again, looking good. Alright. Now we’re going to go to the site that we always use when we do a check like this on a client’s website or on a prospect that we’re looking, for example, for a link partnership arrangement. We’re going to go to Sucuri, and a lot of developers know Sucuri. They really know their stuff pretty well. Plugged in the website. Notice, not so clean. “Warning: malware detected. Critical Security Risk. Known Spam detected. Your site is hacked and needs immediate attention. Malicious code was detected on your site.” Notice down here, “Malware detected by the scan and injected spam detected.” So, obviously this site is not as clean as some of these tools would have made it out to be.

picture of results page of check on coopercomputers

Our Go-To Web-Hosted Site Check Is Sucuri

Now, I have plugged this same homepage of this site into Sucuri, and it’s come back clean, even with this tool. As a matter of fact, just last week I was doing a demo where I plugged this computer in. Sucuri came back and said that the homepage was clean, so I had to go and put an internal page into the checker in order to discover the code. The moral of that is when you’re doing a check on your site, don’t stop at the homepage. Pick a couple of internal pages and run them through a couple of different checkers.

Now here, Google has their own what they call a Safe Browsing Report. Notice Cooper Computers came back clean with Google’s own report. But, Sucuri is not the only one. There is Quttera. Remember they were mentioned. It says, “Potentially suspicious content detected on this website.” And you scroll down here and it’ll tell you that it has potentially malicious files that it found on this site.

Also, Siteguarding here, another tool, actually gave me an extremely good readout on this site although it’s a little bit on the technical side. It says, “The website is infected.” Now, this is the one that was probably the most surprising to me because they actually identified the infection as “Spam SEO Linking Anomaly,” which goes along with the negative SEO. That’s a subject for another time, but basically the bottom line is they were able to pick up on the infection at Siteguarding. I think I have one more example here. Nope. No more examples.

So, there we’ve just walked through a few tools. I would say if you’re in doubt, I would typically recommend Sucuri as my first bet go-to site. But as I’ve shown you, these tools are not entirely perfect, and they don’t claim to be. There’s only so much that a tool can do running a scan, but this will give you a good start in checking whether your website is infected.

So, I hope this has been useful to you. Let me know if you have any comments, suggestions for this video or for any others, and definitely subscribe with the big red button. Next to it there’s a little bell icon. Make sure you click on that too because that’s the only way you’ll actually get notifications pushed to you from Google.

I also drop a few more resources and links down in the description, so be sure that you click on the ‘Show More’ button underneath the description to see everything that’s available with this video. And definitely come back and check out our other videos when you have a minute. I’ll see you next time.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *