Cybercrime is an increasing problem. What many Internet users don’t know is that the vast majority of users are being protected all the time by Website Reputation Services. These services are also called Blocklists and unfortunately it’s a poor choice word, Blacklists. We will call them Website Reputation Services.
Often these services are built into web browsers such as Chrome, Firefox, Edge and Safari and Anti Virus products such as Bit Defender, Norton, Avast and Mcafee. These services help protect end users against harmful materials by visiting dangerous sites.
How does a Website Reputation Service work?
Every time a user visits a website, the web browser or anti virus software will check the site you are visiting against a Website Reputation Service. The Website Reputation Service will decide if the URL is safe or not. If safe you won’t even notice as it all happens in a fraction of a second behind the scenes. If it is not safe the user will usually see an error message displayed informing them that the website is harmful. In some cases the user can still visit the site if they choose to, however most will usually block any further attempt to visit the site.
Website Reputation Services are good right?
Protecting end users Malware or Viruses is critical. Malware attacks can steal passwords, access all files on your computer, access all emails, connect to other devices spread through networks, and disrupt the daily operations of an organization or business. Malicious software is at the root of most cyberattacks, including the large-scale data breaches that lead to widespread identity theft and fraud. Malware is also behind the ransomware attacks that result in millions of dollars in damages. Hackers aim malware attacks against individuals, companies, and even governments.
For the end user this is great, assuming that the Website Reputation Services did their job as promised.
What could cause my website to be listed on a Website Reputation Service?
When this happens, users cannot access your site and traffic to your site will come to a grinding halt affecting your reputation. It will impact your conversion rates and you won’t be able to use services such as Google Ads service. On the internet, credibility is everything. If visitors can’t trust your site, they won’t risk using it. So if you rely on your website for your business you should avoid getting listed at all costs.
Here are the top 6 reasons why a site may find itself listed.
1. Poor website maintenance
Keeping software up-to-date is one of the most important things people can do to protect themselves from becoming victims of cybercrime. Your website is no different and it is exposed to anyone on the internet. Software is written by humans and is not perfect. Hackers exploit this by looking for sites that run outdated software. If your website is not maintained and updated regularly, you are exposing your site to increased risks of being hacked.
2. Poorly developed website
Sites that are poorly developed are often exploited by software. This includes the use of poor quality plugins. If you are using WordPress for instance, there are millions of plugins out there that perform various functions. These plugins are developed by people from all walks of life, from experienced software developers to those who have written their first plugin where security is the last thing on their mind. You should always use good quality trusted software, plugins and themes.
Another common issue is simply using too many plugins. Using too many plugins simply increases the risks of something going wrong because all those plugins have to work with one another. If you use plugins from various developers it can end up being a complicated mess getting them all to cooperate with one another.
Another issue is abandoned plugins. Sometimes developers simply no longer maintain a plugin. It may have too many issues and bugs, that it is simply abandoned. You need to keep track of the plugins you use on your site and replace or remove abandoned plugins as these will expose further risk of being hacked.
The biggest take away from this is to use a minimum number of plugins to perform the job and only use trusted developers who have a good reputation and actively support their plugins.
3. Poor content
If you are publishing regular content, you need to keep it under control. Make sure your publishers and editors adhere to strong security policies. We have seen on many occasions pages embedded with phishing links only to find that the editor is completely unaware. Make sure that your editors are using anti-virus software and check the content they are posting.
Another issue is the quality of outgoing links in your content. If you have many outgoing links to other websites, and the website for one of those links is listed on a Website Reputation Service, your page will be deemed as unsafe and you may find your site also getting listed quickly.
4. Poor security practices
You must always deploy strict security practices to keep your website secure. Use strong passwords. You should never remember your password and always use a password manager. Don’t share your account and password with other users. If you have multiple managers of your site make sure you only give the required level of access. Don’t make someone an Administrator if they only need to to be an Editor.
Use security plugins that keep an eye on any suspicious activity and control the amount of login attempts.
Consider using multi-factor authentication and check your web server logs on a daily basis for any signs of potential issues. The server that hosts your website will use log files to record any suspicious activity and unexpected outcomes, software bugs etc.
5. Your site is perfectly fine
Your site may contain no malware and is listed incorrectly. This is also called a false positive and not uncommon and I have seen this on many occasions. In some cases you can get listed because someone has simply submitted your site without any verification or checking. In other cases they simply don’t like the content, the authors of content or the country you operate from.
Website Reputation Service providers operate in an unregulated and uncontrolled market. Some play fair and some don’t, there is no way to control that.
How do I know if my website has been listed?
I recommend that you perform a check on your website at least once a week, worst case once a month. Below is a list of the top 6 common providers in order of the number of subscribers to their services.
- Google Safe Browsing
- Norton Safe Web
- SiteAdvisor McAfee Trusted Source
- Sucuri Malware Labs
- Bitdefender
- ESET
It’s best to use the services provided by VirusTotal which will provide a consolidated community score of over 40 providers.
It is estimated that there are over 200 Website Reputation service providers. Remember, no one provider uses the same process or policies, so how a site gets listed and checked will depend on the Website Reputation service provider. Some will require you to sign up and some will require you to pay to use their service.
To make life easier, consider a website maintenance service that performs these checks for you on a daily basis. The thing not to do is to ignore the fact that you have been listed. If you don’t act quickly you will find yourself listed on multiple sites and will have to deal with bigger consequences and contact each provider to get your site removed.
How do I remove my website from a Website Reputation Service?
Once you’ve confirmed that your website has been blacklisted, the first thing to do is to debug and verify your website’s content. Go through your plugins, software, code and database looking for any malicious code. You may be tempted to simply restore your site from a backup, however the hackers will be back in no time to hack your site again.
You simply have to get to the root cause to get any chance of getting your site delisted. Depending on your skills you may need to reach out to your website developer or IT Manager for advice. This can sometimes take several days to complete as the normal process is to take your site offline, place a copy of your site on a staging environment and then work on the staging site diagnosing and fixing the issues.
When your staging site is fully clean of any malware you can then migrate it to your live site. You should only restore your site and bring it back online when the site is fully clean. If you attempt to get your site de-listed without fixing the malware issues, you may find that the website reputation service provider will ignore future requests to get delisted. You have been warned!.
In most cases the process of delisting is straightforward if you are listed with the top 6 providers above.
If your site is listed with other Website Reputation Service providers getting your website reviewed or removed from their list will be more challenging. Some of these providers are run by cowboys and you will be subjected to their terms and conditions. Some have no terms and conditions and provide no response time guarantee. Some won’t guarantee that they will respond at all. Some of them simply provide no means of getting your site removed and provide no email address or phone number and no forms to submit.
Again, It’s best to use the services provided by VirusTotal as a starting point.
In our experience we have had a negative experience dealing with the following providers which is worth mentioning.
- Phish tank – Once you get listed on Phish Tank, there is no way to contact anyone to your site reviewed. The site says you have to register but when you try to register you get a “New user registration temporarily disabled” . It’s been temporary since 2022.
- Telstra Broadband Connect – we tried to call 13 22 00 to get answers about getting a site removed but they didn’t know what we were talking about.
What if I don’t get my site removed from a Website Reputation Service?
Ignore the problem and you will more than likely see your site listed on multiple Website Reputation services. This will impact many users visiting your site and severely affect your website reputation.
In a more recent development in Australia, we have seen AUDA exercise its new powers to threaten to suspend an entire domain for being listed and not taking steps to get themselves removed. This impacts more than the website and will result in complete email loss for that domain.
How do I prevent my website from being listed on a Website Reputation Service?
Unfortunately, there is no guarantee that your website is 100% secure and free of this threat. Malware is ever changing and adapting to security plugins and software. However, using best practices will give you maximum protection.
- Ensure all software, plugins and themes are updated regularly
- Use strong security practices and policies and always use SSL links
- Only use strusted plugins and themes for your website, choose carefully and aim to use minimum number of plugins
- Backup and Backup This needs to be done regularly and stored on a different server to your site.
- If your site is built on WordPress, a WordPress Maintenance plan is your best option