Following the best practices below will lower the risk of malware on your website without incurring much extra time, cost or resources. Discuss them with your server administrators to determine whether your organization needs to implement these suggestions.
If the worst-case scenario occurs and you're unable to simply delete the malware from your infected website, you need to be prepared. One of the most important things you can do is keep a backup from which you can recover everything you need for your website. When you switch over to a clean backup server, customers won't experience any downtime.
Keeping a redundant backup server may take too many resources, in which case you should back up all up-to-date OS and application software. This includes regularly backing up all data so that if any is compromised, it can easily be restored without going offline.
All administrators and developers must use strong passwords and change them frequently, or alternatively have their credentials provided to them by a trusted employee. It is always best practice to provide server access only to those who need it, giving each employee only the privileges required to get their job done.
Encrypt any file transfers with secure protocols and eliminate any vulnerabilities in back-end code. On the front end of websites, ensure that minimal information is shared with your users. If you're displaying error messages, make them generic and refrain from sharing information that attackers could use.
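One way to apply the generic-error-message advice above is shown below. This is an added example, not code from the original article. The handler name, the message text and the failing `load_profile` function are constructed for illustration. Full details go to a server-side log under a reference ID, and the user sees only the generic message and that ID.

```python
import io
import logging
import traceback
import uuid

# Server-side log only. This constructed example writes to an in-memory
# buffer; a real deployment would write to a protected log file or collector.
LOG_BUFFER = io.StringIO()
logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(logging.StreamHandler(LOG_BUFFER))
logger.propagate = False

GENERIC_MESSAGE = "Something went wrong. Please try again later."


def safe_error_response(exc):
    """Return (status, body) for the client; details go to the server log."""
    incident_id = uuid.uuid4().hex[:12]
    detail = "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__)
    )
    logger.error("incident=%s\n%s", incident_id, detail)
    # The client gets no exception type, message, file path or version string,
    # only a reference that support staff can look up in the server log.
    return 500, {"error": GENERIC_MESSAGE, "reference": incident_id}


def handle_request(handler, *args):
    """Run a request handler and convert any unhandled exception."""
    try:
        return 200, handler(*args)
    except Exception as exc:
        return safe_error_response(exc)


def load_profile(user_id):
    """Constructed handler whose error text reveals software and paths."""
    raise RuntimeError(
        f"MySQL 5.7.31: query failed at /var/www/app/models/user.py "
        f"for id={user_id}"
    )


if __name__ == "__main__":
    print(handle_request(load_profile, 42))
```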
Train your employees to recognize social engineering: the act of convincing someone to reveal sensitive information generally through the impersonation of an authority figure. This gives attackers the chance to install malware on your server without even reaching it; instead, they only have to convince a person in your organization to unknowingly install it.
You should trust all those with access to your server, but at the same time it is good practice to log all actions and user log-ins. Attacks made by employees, whether disgruntled or convinced by an outsider, can be prevented with trust and accountability. Make sure your organization has known alternate plans in case it is unable to reach server administrators when an issue occurs.
Never use your server to browse the internet, as it will only increase the threat of attacks. Make sure that only active programs are running on your server, and be aware that popular ones may have known vulnerabilities that attackers can exploit. As an extra precaution, you can remove any application documentation from your server, as it includes sensitive information like version info and bug fixes.
You should always keep up to date with version updates and patches, and ensure you know which software version is running. New versions can include fixes for vulnerabilities that attackers know how to exploit.