What Is Malvertising and How to Avoid It in WordPress
There are a lot of ways to monetize a website, and introducing online ads is one of the more straightforward ones. Now, the drawbacks of ads are clear, insomuch as virtually nobody likes them. Still, they are often the sole reason why you can access some quality, professionally made content for free, rather than it being hidden behind a paywall. Another drawback that often gets ignored, though, is malvertising – the topic of this very article. In this article, as the title suggests, we will discuss what malvertising is. But not only that: as is the case with nearly everything that starts with mal-, malvertising is bad. We will also attempt to explain how it can adversely affect your website, and what you can do to avoid it and protect yourself, your visitors, and your bottom line from ill effects.
Put simply, malvertising is the use of internet advertisements to spread malware. The word itself is a portmanteau of malware, itself a portmanteau meaning malicious software, and advertising, making the term a sort of a double portmanteau – a portportmanteau, if you will.
Flippancy aside, the practice of malvertising is attractive to hackers because the content of the ad itself is most often beyond the control of the website owner or admin, while also being designed to be enticing to the website visitor. The hackers are also banking on it being very difficult for ad networks, and not just website operators, to check the contents of each ad for malware.
To examine how malvertising works, we must first examine how normal ads work.
Typically, if you are using ads on your website, you are not selling your online ad space directly to an advertiser: you are using an online ad network. You, as the owner of the website, dedicate some space to ads and apply to an ad network so that they can check whether your website fits their criteria. Once your website is accepted, the ads begin coming your way.
The advertiser, being the person selling something, also typically applies to an ad network with their own ads, rather than pitching ads directly to website owners. It is a numbers game, after all: there are, for practical purposes, infinitely many websites, and a finite amount of time. Once the ads are accepted by an ad network, the advertiser buys space on websites, and the ad network starts placing the ads.
So far, so good. But where does malware come in?
Online ads can be as simple as hyperlinks, but many of them carry very complex code for tracking, effectiveness assessment, responsive design, and other purposes. This means that any ad network, while having review mechanisms in place, often has a massive number of complexly coded ads to go through, and hackers use this to hide their malicious code.
The malicious code often forces downloads of malicious software, but it can also take different shapes. It could mean misrepresenting a link and redirecting the visitor to a malicious website, which may host illegal or fake products or content, or to phishing or other scam websites.
The first impact you should consider is the psychological impact on your visitors: you may have nothing whatsoever to do with infected ads, but are your visitors aware of that? And, even if they are, does it matter? Your website will be perceived as untrustworthy or unsafe, and you will lose traffic, and, consequently, money.
Another thing you may count on is third-party action. Your hosting provider will want to protect their servers from malware, and will take your website offline once they detect malware on it. While this is an expected safeguard meant to protect the hosting provider and their other clients, it still means that your website is offline, costing you, again, visits and money.
Apart from your hosting provider, Google also wants to protect its reputation for safety. This is why, if malware is detected, your website may get blacklisted by Google. While this is not the same as being completely inaccessible, your website will not appear in searches, and any visitors trying to access it will be greeted with a bright red screen warning them against it. Not a good look.
Finally, even if no malware is present, if ads from your website are redirecting your visitors to unwanted or illegal content, this will affect your bounce rate, and, consequently, your SERP rankings.
The first thing you need to do is have regular backups of your website. If malicious code infects your website, you may need to be able to restore it from a backup. It pays to play it safe.
Next, take a good look at your website. Do you really need all the plugins you have installed? If you don’t need a plugin, deactivate and uninstall it. The same goes for themes you may have installed but are not using. The fewer different software solutions you’re using, the fewer the entry points for bad actors.
Also, is everything up to date? Many updates for plugins, themes, and WordPress itself contain security fixes for known exploits and weaknesses. Never use obsolete software: a newer version often exists because the developers identified a weakness and subsequently corrected it. Similarly, avoid abandoned plugins and themes – they will certainly lag behind WordPress updates. If you are using an ad management plugin, make sure you are using the latest version.
Your hosting provider will almost certainly offer regular malware scans as part of their service. However, they are doing that to protect themselves, and their detecting malware on your website might lead to your website being taken offline. To be on the safe side, you want to scan your website for malware on a regular basis. There are several reliable plugins we recommend in the linked article.
Finally, do your own research. Even the best make mistakes, and you might still end up inadvertently hosting a bad ad. If you can check the ad on a test website and then scan it for malware, do it. Also, when signing up to an ad network, research it yourself. Ask about their ad review process and what kind of protections they have in place to protect you from bad actors.
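As an added example (not from the original article or from any ad network's tooling), here is a static check in Python that you could run over an ad snippet on a test site: it flags the patterns described above, namely redirects, forced downloads, and links whose text misrepresents their destination. `ALLOWED_HOSTS`, the `.example` hosts and the sample snippet are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
ALLOWED_HOSTS = {"cdn.adnetwork.example"}  # assumption: hosts your ad network serves from
RISKY_JS = re.compile(r"\b(?:eval|atob|unescape)\s*\(|document\.write\s*\(|\blocation\s*(?:\.href\s*)?=[^=]")
RISKY_EXT = (".exe", ".msi", ".scr", ".apk", ".dmg")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Constructed sample snippet (not real ad code); four of its five tags trip a check.
SAMPLE_AD = """
<a href="http://promo.unknown.example/offer">www.trusted-shop.example</a>
<script src="https://cdn.adnetwork.example/track.js"></script>
<script>window.location = "http://promo.unknown.example/offer";</script>
<meta http-equiv="refresh" content="0;url=http://promo.unknown.example/">
<a href="http://files.unknown.example/update.exe" download>Update now</a>
"""

class AdAudit(HTMLParser):  # static review only: nothing is fetched or executed
    def __init__(self):
        super().__init__()
        self.findings, self.link_host, self.in_script = [], None, False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        url = a.get("src") or a.get("href") or ""
        host = (urlparse(url).hostname or "").lower()
        if tag in ("script", "iframe") and host and host not in ALLOWED_HOSTS:
            self.findings.append(f"{tag} from unlisted host {host}")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")
        if tag in ("a", "iframe") and ("download" in a or urlparse(url).path.lower().endswith(RISKY_EXT)):
            self.findings.append(f"forced or executable download: {url}")
        self.in_script = tag == "script"
        self.link_host = host if tag == "a" else self.link_host

    def handle_endtag(self, tag):
        self.in_script = False
        self.link_host = None if tag == "a" else self.link_host

    def handle_data(self, data):
        if self.in_script and RISKY_JS.search(data):
            self.findings.append("script uses eval/atob/document.write or sets location")
        shown = DOMAIN.search(data)  # a domain name displayed as the link's text
        if self.link_host and shown and shown.group().lower() != self.link_host:
            self.findings.append(f"link text shows {shown.group()} but goes to {self.link_host}")

def audit_ad(html):
    parser = AdAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

An empty result from `audit_ad` only means none of these patterns matched, so treat it as a first pass before the full malware scan, not a replacement for it.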
As you can see, malvertising is a problem which can affect your content, your reputation, and your bottom line. Nobody likes losing money, but it can generally be earned back, and content can be restored from backups, if you have been circumspect enough to create them. Even so, fixing an avoidable issue is much more bothersome than avoiding it in the first place. As far as reputations go, we all know from everyday experience that they are far more easily lost than repaired. Be it your reputation with Google, your hosting provider, or your visitors, you’d be wise to protect it.