If your computer has ever become infected with malware there’s a good chance it came from a dodgy website. Web pages are a major vector for viruses, trojans, spyware and other nasties as they provide an easy way to spread infections on a huge scale by exploiting buggy browsers, compromised servers and weak security.
But you can minimise the risk of falling victim to a malware ridden web page by taking some relatively easy (and free) steps to improve browser security.
While we are focusing on Windows, Chrome and Firefox here some of the applications (or an equivalent) are also available on Apple Mac OS, and browser settings and extensions should be broadly similar across multiple platforms and browsers.
General tips for better web security
Keep software up to date
Updates are very important for safe web browsing as they provide security patches against newly discovered exploits. Whenever possible use automatic updates for all software, or at the very least check for an option to be notified when an update is available.
If you have a home or mobile broadband service with limited data allowance you may not want to automatically download patches to avoid unexpectedly exceeding your data usage limit. In that situation you could instead set updates to notify before downloading. It's not ideal however, and we would always recommend unlimited broadband over those with usage caps.
Don’t click suspicious links in emails
Scammers love to share their infected web links over emails. Sometimes it’s obvious; a nonsensical subject line and incoherent message followed by a link is probably not to be trusted. But they’re getting smarter about it and using personal data to target victims.
Email addresses can be easily spoofed so messages appear to come from people we know, or they might copy the style and look of legitimate services to trick us into clicking. Be wary of any link or attachment sent in an email, even if the sender is a friend.
Avoid Java and Flash
The Java and Flash plugins are notoriously bug-ridden and often exploited by malware authors to infect systems. Ideally you should not have either installed, but if you do need them make sure you keep them bang up to date, use an anti-exploit program (see below) and only allow trusted sites and services to use them.
Don’t auto-run plugins
Further to the above, browser plugins such as Java and Flash should be set to run only on demand rather than starting automatically. That way if you do visit a sketchy site they won’t be able to automatically exploit any security holes the moment you land.
For Firefox, go to Add-ons > Plugins and select Ask to Activate on the drop down menu next to each plugin.
On Chrome go to Settings > Advanced Settings > Privacy > Content Settings > Plugins and select Let me choose when to run plugin content.
You might notice some odd behaviour from sites which rely on plugins after this. If a page doesn’t appear to be loading or is missing content and you cannot see a ‘click to play’ button on the page itself, check your browser toolbar for an icon to activate plugins for that site.
Block suspicious sites automatically
Potentially harmful sites can now be blocked by browsers and search engines without any additional software. Google, Bing and others will flag sites which have been suspected or reported for dangerous activity, so don’t just ignore their warnings. Most browsers have an option to block them too. In Chrome it’s found in Settings > Advanced Settings > Privacy (“Protect you and your device from dangerous sites”) and in Firefox it is in Options > Security.
Look out for the padlock
The padlock symbol in your browser address bar indicates you are on a secure connection. This is particularly important when sending private or personal information, such as signing up for a service or shopping online.
Avoid sites which do not offer a secure connection for important communications, and watch out for security warnings on incorrectly configured connections.
Essential Software to secure your browser for free
As well as cleaning up an infection and protecting against viruses in files, some anti-virus packages will include web protection, blocking malicious sites before malware has a chance to attack.
Everyone should be using anti-virus already. There are some excellent free tools so there’s no need to pay for the likes of McAfee or Norton. Avira Free Antivirus, Avast! and Panda Free are all very good options.
Also, all versions of Windows from 8 ownward include the free Microsoft Defender anti-virus and this is activated by default. It does not offer the additional web protection of other AV tools but it is a perfectly good AV for general use, though you'll want to combine it with other tools and browser add-ons to shore up your web defences.
While viruses are a type of malware, and anti-virus programs do defend against a broad range of malware, anti-malware applications are distinct from anti-virus in that they aim to provide security against newer threats which anti-virus may have trouble detecting. They are also good at tackling ‘PUPs’ - Potentially Unwanted Programs - and that covers the likes of browser toolbars and search hijackers which can be anything from an irritation to a major privacy risk.
Note that while you should not run multiple anti-virus programs it is safe to use an anti-malware tool alongside anti-virus.
Malwarebytes does offer a premium version with real time protection where the application automatically scans for threats on both your own system and web sites, but this is certainly not essential. An ‘on access’ anti-virus combined with an ‘on demand’ anti-malware application offers sufficient protection, though you will need to remember to manually scan for threats.
Anti-exploit software is designed to plug holes in the operating system and applications to block brand new exploits (known as ‘0 day’ attacks) without waiting for an official patch.
Malwarebytes Anti-Exploit is a free tool that quietly sits in the background monitoring web browsers and - crucially - plugins such as Java and Flash for suspicious activity. It’s a useful extra layer of protection to bolster your web browsing security against threats that might sneak past other defenses. For more detail about how it works check out this in-depth HowToGeek article.
Browser security extensions and add-ons
Browser add-ons are not only useful for adding features and improving your web experience, they can also help with browser security.
NoScript / ScriptSafe
Flashblock / Flashcontrol
Flashblock (or Flashcontrol on Chrome) works similarly to the built-in plugin controls on a browser, with the valuable addition of being able to whitelist trusted sites. If you use one of these extensions disable the browser plugin settings for Flash or you’ll have to allow everything twice.
This powerful ad blocker not only prevents you from seeing unwanted advertisements, it can also be configured to block known malware domains.
This will force the browser to use a HTTPS connection for web sites whenever it is available, even if you did not click a HTTPS link.
Some malware sites will try to fool you into downloading an infected payload, often by attempting to install a ‘download manager’ or other seemingly helpful app. This simple little extension places an icon next to your mouse cursor to indicate what lies behind a link before you click it so you don’t run into any surprises.