How to secure your web browser and stay safe online

If your computer has ever become infected with malware there’s a good chance it came from a dodgy website. Web pages are a major vector for viruses, trojans, spyware and other nasties as they provide bad guys with an easy way to spread infections on a huge scale by exploiting buggy browsers, compromised servers and lax security.

But you can minimise the risk of becoming a victim of a malware-ridden web page by taking some relatively easy (and free) steps to improve browser security.

While we are focusing on Windows, Chrome and Firefox here, some of the applications (or an equivalent) are also available on Apple Mac OS, and browser settings and extensions should be broadly similar across multiple platforms and browsers.

General tips for better web browser security

Keep software up to date

Updates are very important for safe web browsing as they provide security patches against newly discovered exploits. Whenever possible use automatic updates for all software, or at the very least check for an option to be notified when an update is available.

If you have a home or mobile broadband service with limited data allowance you may not want to automatically download patches to avoid unexpectedly exceeding your data usage limit. In that situation you could instead set updates to notify before downloading. It's not ideal however, and we would always recommend unlimited broadband over those with usage caps.

Don’t click suspicious links in emails

Scammers love to share their infected web links over emails. Sometimes it’s obvious; a nonsensical subject line and incoherent message followed by a link is probably not to be trusted. But they’re getting smarter about it and using personal data to better target victims.

Email addresses can be easily spoofed so messages appear to come from people we know, or they might copy the style and look of legitimate services to trick us into clicking. Be wary of any link you’re sent in an email.

Avoid Java and Flash

The Java and Flash plugins are notoriously bug-ridden and often exploited by malware authors to infect systems. Ideally you should not have either installed, but if you do need them make sure you keep them bang up to date, use an anti-exploit program (see below) and only allow trusted sites and services to use them.

Don’t auto-run plugins

Further to the above, browser plugins such as Java and Flash should be set to run only on demand rather than starting automatically. That way if you do visit a sketchy site they won’t be able to automatically exploit any security holes.

For Firefox, go to Add-ons > Plugins and select Ask to Activate on the drop down menu next to each plugin.

On Chrome go to Settings > Advanced Settings > Privacy > Content Settings > Plugins and select Let me choose when to run plugin content.

You might notice some odd behaviour from sites which rely on plugins after this. If a page doesn’t appear to be loading or is missing content and you cannot see a ‘click to play’ button on the page itself, check your browser toolbar for an icon to activate plugins for that site.

Block suspicious sites automatically

Potentially harmful sites can now be blocked by browsers and search engines without any additional software. Google, Bing and others will flag sites which have been suspected or reported for dangerous activity, so don’t just ignore their warnings. Most browsers have an option to block them too. In Chrome it’s found in Settings > Advanced Settings > Privacy (“Protect you and your device from dangerous sites”) and in Firefox it is in Options > Security.

Look out for the padlock

The padlock symbol in your browser address bar indicates you are on a secure connection. This is particularly important when sending private or personal information, such as signing up for a service or shopping online.

Avoid sites which do not offer a secure connection for important communications, and watch out for security warnings on incorrectly configured connections.

Essential Software - secure your browser for free

Anti-virus

As well as cleaning up an infection and protecting against viruses in files, some anti-virus packages will include web protection, blocking malicious sites before malware has a chance to attack.

Everyone should be using anti-virus already. There are some excellent free tools so there’s no need to pay for the likes of McAfee or Norton. Avira Free Antivirus, Avast! and Panda Free are all very strong options.

Also, all versions of Windows from 8 onward include the free Microsoft Defender anti-virus and this is activated by default. It does not offer the additional web protection of other AV tools but it is a perfectly good AV for general use, though you'll want to combine it with other tools and browser add-ons to shore up your web defences.

Anti-malware

While viruses are a type of malware and anti-virus programs do defend against a broad range of malware, an anti-malware application is distinct from anti-virus in that it aims to provide security against newer threats which anti-virus may have trouble detecting. They are also good at tackling ‘PUPs’ - Potentially Unwanted Programs - and that covers the likes of browser toolbars and search hijackers which can be anything from an irritation to a major privacy risk.

Note that while you should not run multiple anti-virus programs it is safe to use an anti-malware tool alongside anti-virus.

Our current recommendations for anti-malware are Malwarebytes Anti-Malware or AdwCleaner. Either will do a good job of detecting and cleaning a malware infection.

Malwarebytes does offer a premium version with real time protection where the application automatically scans for threats on both your own system and web sites, but this is certainly not essential. An ‘on access’ anti-virus combined with an ‘on demand’ anti-malware application offers sufficient protection, though you will need to remember to manually scan for threats.

Anti-exploit

Anti-exploit software is designed to plug holes in the operating system and applications to block brand new exploits (known as ‘0 day’ attacks) without waiting for an official patch.

Malwarebytes Anti-Exploit is a free tool that quietly sits in the background monitoring web browsers and - crucially - plugins such as Java and Flash for suspicious activity. It’s a useful extra layer of protection to bolster your web browsing security against threats that might sneak past other defences. For more detail about how it works check out this in-depth HowToGeek article.

Browser security extensions and add-ons

Browser add-ons are not only useful for adding features and improving your web experience, they can also help with browser security.

NoScript / ScriptSafe

Firefox | Chrome

The essential NoScript add-on prevents scripting content such as JavaScript and Java from running until you explicitly give permission, blocking many web based attacks completely. NoScript is Firefox only but Chrome users have the similar ScriptSafe.

Flashblock / Flashcontrol

Firefox | Chrome

Flashblock (or Flashcontrol on Chrome) works similarly to the built-in plugin controls on a browser, with the valuable addition of being able to whitelist trusted sites. If you use one of these extensions disable the browser plugin settings for Flash or you’ll have to allow everything twice.

uBlock Origin

Firefox | Chrome

This powerful ad blocker not only prevents you from seeing unwanted advertisements, it can also be configured to block known malware domains.

HTTPS Everywhere

Firefox | Chrome

This will force your browser to use an HTTPS connection for web sites whenever it is available, even if you did not click an HTTPS link.

Link Alert

Firefox | Chrome

Some malware sites will try to fool you into downloading an infected payload, often by attempting to install a ‘download manager’ or other seemingly helpful app. This simple little extension places an icon next to your mouse cursor to indicate what lies behind a link before you click it so you don’t run into any surprises.
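To show the kind of checks that can reveal what lies behind a link before you click it, here is an added example (not code from Link Alert or from this article). It also covers the emailed-link case above, where the visible text names one site and the link points to another. The flag names, extension lists and example.* addresses are assumptions made up for illustration.

```javascript
// Added example: not code from Link Alert or from the original article.
// Flag names and extension lists below are assumptions chosen for illustration.
const EXECUTABLE_EXT = new Set(['exe', 'msi', 'scr', 'bat', 'cmd', 'jar', 'vbs', 'ps1']);
const ARCHIVE_EXT = new Set(['zip', 'rar', '7z', 'iso']);

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // malformed %-escapes
}

// If the visible link text itself looks like a web address, return its host.
function hostShownInText(text) {
  const t = (text || '').trim();
  if (!/^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+(\/\S*)?$/i.test(t)) return null;
  try { return new URL(/^https?:\/\//i.test(t) ? t : 'https://' + t).hostname; }
  catch { return null; }
}

function classifyLink(href, pageUrl, visibleText) {
  let target;
  try { target = new URL(href, pageUrl); } // resolves relative links
  catch { return ['unparseable']; }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return ['non-web-scheme:' + target.protocol.slice(0, -1)];
  }
  const flags = [];
  if (target.protocol === 'http:') flags.push('insecure-http');
  if (target.hostname !== new URL(pageUrl).hostname) flags.push('external-site');
  if (target.username || target.password) flags.push('embedded-credentials');
  if (target.hostname.split('.').some(l => l.startsWith('xn--'))) flags.push('punycode-host');

  const shown = hostShownInText(visibleText);
  if (shown && shown !== target.hostname) flags.push('text-host-mismatch');

  // Extension of the final path segment, decoded so "%2Eexe" cannot hide it.
  const file = safeDecode(target.pathname.split('/').pop());
  const ext = file.includes('.') ? file.split('.').pop().toLowerCase() : '';
  if (EXECUTABLE_EXT.has(ext)) flags.push('executable-download');
  else if (ARCHIVE_EXT.has(ext)) flags.push('archive-download');
  return flags.length ? flags : ['ordinary-page'];
}

// Constructed sample links (example.* domains are placeholders).
const PAGE = 'https://shop.example/deals';
console.log(classifyLink('/basket', PAGE, 'View basket'));
console.log(classifyLink('http://cdn.example/DownloadManager%2Eexe', PAGE, 'Get it now'));
console.log(classifyLink('https://login.example.net/', PAGE, 'www.mybank.example'));
```

A link that comes back with several flags at once, such as an external site serving an executable over plain HTTP, is the kind a ‘download manager’ prompt tends to hide.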