Can You Get a Virus From Visiting a Website? Truth and Fiction

Computer Virus Malfunction

If you’ve ever asked yourself “Can you get a virus from visiting a website?” then you should know that this is possible, depending on some factors. Undoubtedly, many internet users would want to know the answer to this question to keep themselves safe.

Can You Get a Virus From Visiting a Website

If you are worried about this, read our complete guide with expert answers and tips to keep yourself safe on the web.

Can You Get a Virus When You Visit a Website?

Yes, you can get a virus by visiting a website. Malicious people use the internet to spread viruses to other internet users. While many people know safe browsing practices, it is getting harder and harder to avoid these problems. 

For instance, it is not recommended to open unknown links or ads or install any programs or software from suspicious sources. Many internet users avoid these practices but still get viruses from visiting certain websites. 

A virus is just a malware type, and malware is a code that takes over the functional part of your system, causing it to crash or malfunction. Did you know that there are over 1 billion malware programs?

Each day, about 560,000 new pieces of malware are detected, and worse, some malware have fancy names; thus, you cannot suspect them. This gives them the leeway to attack your system.

Because hackers are becoming smarter by the day, a lot of people are falling prey to their predatory ways. This exposes them to threats, and they can pick viruses from different websites without knowing.

There are many pitfalls awaiting you on the web. These pitfalls are the typical sources of viruses. However, it is worth pointing out that someone might have injected the virus into a website or hosting account if a website has a virus. Here are some ways that you can get a virus from a website.

– Exploit Kits

An exploit kit exploits the vulnerability of your device while browsing the internet. The kit is a hacker’s toolset that injects scripts on a vulnerable website. These scripts follow instructions to infiltrate, deliver a payload and place a remote access tool on your device.

Hackers love these kits because they are automatic. That means after deploying the toolset, it will do the heavy lifting by itself. Hackers install the kit on a vulnerable website, and the web page will discreetly re-route traffic to a different page.

Exploit Kits

When you visit the page, it is an exact copy of the page you intended to visit. Meanwhile, the exploit kit scans their computer remotely for vulnerabilities to take advantage of, mostly through applications that web browsers run, e.g., Flash.

When the kit spots a vulnerability, it sends a malicious code via the opening and installs itself on your device. After that, they send a payload.

A payload can be:

  • Ransomware applications that lock down your machine until you pay them
  • Trojans that log your banking information and steal your money
  • Botnet malware that takes control of your machine for other hacking purposes
  • Spyware that gathers information on your data or computer use
  • Keyloggers that track your every move, including your passwords

In some instances, legitimate websites can host an exploit kit. In this case, it is deployed via malicious popups/adware or popup phishing scams. Clicking to close the ads can sometimes initiate the malware download.

– Drive-By Downloads

A drive-by download is an unintentional malware download to your smartphone or computer that leaves your device open to attacks.

You don’t need to click on anything, open a malicious email attachment, or press download for your device to be infected. A drive-by is secretive and will infect your machine without your intentional intervention.

Once the downloads are in your device, they will exploit susceptibilities in your operating systems, web browsers, and applications. Also, it can take advantage of your system if you do not update it or if the updates are unsuccessful.

Typically, it delivers malware that controls your computer, steals important data, or interrupts your device’s functions.

Here is how a drive-by works:

  • Spy on your activity — to steal your online financial info, credentials, or identity.
  • Hijack your device — to infect other devices, build a botnet or breach your device further.
  • Ruin data or disable your device — to cause trouble to you.

A malicious drive-by works in two ways:

  • Authorize without knowing full implications: You take action leading to infection, such as downloading a Trojan or clicking a link on a deceptive fake security alert.
  • Fully unauthorized without notification: You visit a website and get infected without any prompts or action. These downloads can be anywhere, even on legitimate sites.

– Vulnerable Scripts

Website vulnerabilities are scripts that allow hackers to access your website’s control panel. This will mostly occur when a website’s content management system is outdated.

Hackers know the vulnerabilities of popular content management systems quickly. They, therefore, take advantage of the situation to access dozens of vulnerable sites.

Hackers can use these vulnerabilities in the following ways:

  • Implanting the virus into the website database
  • Backdoors and web-shells upload
  • Adding or removing administrators or theft of access to the administrator’s panel

As a result, your website is infected by viruses. When a user visits this website, they are exposed to viruses. To avoid this issue, web owners need to update their CMS regularly. A vulnerable website plugin, app, browser, or operating system that has not been updated has vulnerabilities that will leave the user open to these attacks.

The hacker can set up the program to load and execute automatically on your device in the background. A hacker can load up a piece of code that a web browser can execute when it comes across a website. The hackers can use malicious code to attack programs such as Flash, especially if the user hasn’t updated it in a while.


Can You Get a Virus From Visiting a Website on iPhone or Android Device?

Yes, your smartphone can get viruses when you visit an infected webpage. Hackers or malicious people embed malicious codes, mostly spyware, into compromised web pages. The malicious code will then attack the vulnerability in the mobile browsers alongside the mobile phone’s operating system. 

So, how can you get a virus on your phone by visiting a website? Spyware is a dangerous and invasive type of malware. Once in your phone, you will experience issues such as battery draining quickly, using too much data, and phone overheating. 

Spyware can access your phones in two ways:

  • Remote Access: This happens through visiting shady apps, bundled apps, or a suspicious email that misled you to install the spyware. 
  • Direct Phone Access: This option works in the same way as setting up parental control apps, but spyware is not readily available in the Play Store or App store . Someone will need to change your device’s settings for the spyware to work. 

You can also infect your smartphone when you link or connect your phone to another infected phone. Unlike computer malware and viruses, most phone-based malware is not designed to interrupt usage but to steal information silently.

Can a Web Browser Infect Your Devices With Viruses?

Yes, web browsers can be an entry point for viruses into your computer, smartphone, or tablet. Remember, the malware uses software vulnerabilities to infect your devices. Vulnerabilities are entry points in your software that give access to malicious code and software to enter your devices.

So when you visit a website, it can use the vulnerability of your web browser to infect your devices with malware. This is particularly so if you use an outdated web browser. However, modern browsers such as Google Chrome have better security features.

Although browsers are highly complex programs, they are susceptible to viruses in some instances. Typically, a web browser has different components: a JavaScript interpreter, HTML, CSS, image parsers, etc. Hackers can exploit a vulnerability in any one of these components to deliver malware or malicious code to web users.

Here are some way that a web browser can infect your device with a virus.

– Remote Code Execution (REC)

RCE is a cyberattack where attackers remotely execute commands to place malware and other dangerous code on your computer or network. These code execution exploits do not need users’ input.

Remote Code Execution (REC)

RCE is a full compromise of the affected system or application and can result in severe consequences like data loss, ransomware or other malware deployments, and service disruption.

These attackers use:

  • Zero-day software vulnerabilities: The attack occurs when hackers exploit flaws before developers have a chance to address them.
  • Arbitrary code execution: A hacker targets a specific network with dangerous code. All RCE attacks are arbitrary code execution, but not all arbitrary code execution is remote.
  • How It Works

Code execution exploits have three phases:

  1. Hackers identify a vulnerability in a browse or browser plugin or any browser component
  2. Attackers exploit the vulnerability by remotely placing malware or malicious code in the plugin or browser component.
  3. The malware gives the attackers access to your computer, where they will compromise your data or device for nefarious purposes.

Hackers use code execution exploits to target browsers or browser plugins such as JavaScript or Flash. This is when they see flaws in the underlying code, where they insert bits of malicious code to deliver malware to unsuspecting users.

The malware is programmed to wreak havoc on your system. The most dangerous consequence of code execution exploits is that hackers can deploy ransomware to your computer via a web browser, denying you access to the files until you pay them.

Furthermore, attackers may use infected plugins to run crypto-mining or crypto-jacking malware, which uses the computing resources of an infected device to mine cryptocurrencies for the financial benefit of the attacker.

Ordinarily, the malware can send information to other locations, steal user information, or take over user devices. Additionally, code execution exploits can attach malware to advertising networks and distribute it to otherwise legitimate and safe sites.

– Man-In-The-Middle (MITM) Attacks

A man-in-the-middle attack occurs when an attacker sits in a conversation between an application and a user. The attacker can be there to eavesdrop or impersonate one of the parties, making it look like a normal exchange of information is underway.

So a hacker can intercept web traffic from a server and forward it to a web browser using invalid or forged certificates. Remember, a server authenticates itself to a browser as a legitimate entity via certificates.

Therefore, when a web browser receives a certificate, it tries to validate its authenticity. If the certificate is not validated, the web browser prompts the web user that the certificate is invalid. Nevertheless, many web browsers choose to ignore the warning without realizing the potential threat of an invalid certificate.

The goal of an attacker in the MITM is to steal information, such as account details, login credentials, and credit card numbers.

So this attack is common for people using financial applications, e-commerce sites, SaaS businesses, and other websites that require logging in. Serious hackers may take a more active approach, such as IP spoofing, DNS spoofing, and ARP spoofing.

– Browser Hijacker

A browser hijacker is a dangerous program that alters a browser’s settings, behavior, or appearance without user consent. Your web browser is valuable real estate for advertisers, tech companies, and hackers attempting to command your clicks and attention. Therefore, they will try to hijack your web browser for their gain.

A hijacked browser will create advertising revenue for the hijacker. Furthermore, it can facilitate more dangerous activities like data collection and keystroke logging.

When browser hijackers get into your devices, they can spy and install Adware and other malware types of malwares. The Adware will flood you with popups that pay per click, while spyware will gather your private details for trade on data markets.

Moreover, browser hijackers can redirect you to malicious websites or shady search engines. Take note that Adware and spyware can mine your browsing history. 

  • Removing the Browser Hijacker

You can remove the browser hijacker, but that will require you to assess the browser plugins, add-ons, and extensions. Remove the software if you start experiencing issues after installing certain software. 

If you are experiencing browser hijacker on Windows, use the steps below to remove it manually:

  • Click the Windows Logo on your desktop and type Control Panel.
  • Go to Programs and choose Uninstall a program.
  • Find a suspicious program and uninstall it from the list of installed programs. 

This should solve the issue. However, if a web browser is still buggy, check out the browser’s cookies section. Browser hijackers spy on the cache for tidbits about your browsing habits. Besides, they plant things within your cookies to help track you. 

But can you get a virus from a website without downloading anything? Yes, some malware do not require a user’s action — no link clicking or file downloading, and you do not have to permit them to run. This drive-by malware is the most insidious type because it will infect your device if you visit a site that is using it.

Can You Get Hacked by Visiting a Website?

In practice, yes, you can be hacked by just visiting a website, but in theory, that should not happen. Websites and web browsers try very hard to reduce the risk of their users being attacked when they visit, but security flaws within the website and web browser allow attackers to hack your system. 

Most commonly, malicious individuals and sites trick you into entering passwords or downloading some app. Since the sites disguise themselves as legitimate sites, you may assume you are safe. But in reality, you have been hacked. 

The worst part about this malware is that it can even be on a legitimate website. So for those wondering, can you get a virus from a secure website? The answer is yes. This mostly comes in the form of ads. 

The server for a website does not host advertising on the webpage you are visiting. Different web servers host these advertisements. Therefore, even if the website you visit does not have malware or is secure, the advertisements displayed when you load a page can contain malware.

What Are the Best Practices To Keep You Safe From Malware?

Regularly updating your system, installing more security, and creating stronger passwords are some methods you can practice to keep your devices safe from malware.

You should always know what to do if you visited a bad website because such a website causes serious harm to your information. Of course, what happens if you visit a malicious website depends on the type and sharpness of the malware.

Nonetheless, here are measures you can employ to protect your system from viruses, malware, spyware, and hackers:

– Update Your System 

Hackers take advantage of vulnerabilities in your devices. The most common source of such vulnerabilities is using dated software. Software developers such as Microsoft and Oracle routinely update their software to fix bugs that hackers could potentially exploit. 

MITRE Corporation catalogs and identifies (with a unique number) vulnerabilities in the Common Vulnerabilities and Exposures (CVE) list. The Cybersecurity and Infrastructure Security Agency (CISA), a known vulnerability repository, disclose cybersecurity vulnerabilities publicly.

Developers of the affected software get the information from this repository to patch the holes and issue an updated form of the software or patch for the vulnerable program. Therefore, ensure that you update and patch operating systems, applications, browsers, and programs when an update is available to protect your system from the identified shortcomings. 

You can schedule automatic updates, especially for Windows OS. You can also run patching automatically for Macintosh Operating System. For smartphones, make sure you install Android or iPhone updates distributed automatically.

– Install Layered Security

Layered security involves using multiple components to secure your system so that each aspect of your defense system is backed up by another should anything go wrong.

The tools you can use to create a layered security system include:

  1. Antivirus software: This software can protect your system from viruses and malware, so invest in robust antimalware to catch potential threats early. But remember to always keep your antimalware up to date to cope with the latest bugs on the internet. 
  2. Antispyware software: This program will remove spyware programs such as keyloggers from your system. While most antivirus has antispyware features, you should consider buying a robust standalone antispyware program for better results. 
  3. Adblockers: You must stop those ads embedded with malware (Malvertising) from reputable organizations. An ad blocker software blocks any ads from appearing on your devices. You can get them as browser plugins, or they can be embedded in cybersecurity solutions like VPNs, antivirus, and antimalware products.
  4. Firewalls: This is a hardware piece of software that prevents hackers from accessing and using your devices. The tool prevents your PC from communicating with sources you disapprove of. 

– Always Be on the Latest Operating System

Developers usually end support for previous OS versions when they reach end-of-life. This leaves you susceptible to viruses, malware, and spyware because any new vulnerabilities identified will not be addressed. For this reason, upgrading is an important step in patching vulnerabilities. 

However, some developers support the previous version for a set number of years before abandoning it. Check to be sure you are dealing with an OS that is still receiving updates. 

– Choose Stronger Authentication Methods and Passwords

Most social media, financial, and email accounts allow users to employ stronger authentication techniques. For instance, you can use one-time codes sent to your mobile number, face recognition, fingerprint, or any other feature that uniquely identifies you as an account owner. 

Along with that, choosing a stronger password can be lifesaving. Choose a password that can be hard for someone to guess. Most accounts will ask for at least eight characters and a combination of characters, numbers, and letters. 

Other safety measures to protect you from viruses include:

  • Remove unnecessary software from your device to reduce the risk of infection.
  • Pay attention to certificate browser warnings because these warnings show that there is an issue with the certificate.
  • Use only HTTPS sites as they are the most secure websites.
  • Do not click on any suspicious link, however urgent or important it sounds. 


Here are the highlights from the complete guide above:

  • Your devices can get viruses from an infected website or browser.
  • Viruses from infected web browsers and web pages access smartphones and computers.
  • Once a virus infects your device, it can expose it to many dangers, including loss of financial data.
  • Always update your systems and use a robust antimalware system to keep viruses at bay.

This is enough information to help you keep your devices safe from malicious malware and viruses. Read the guide carefully and start applying it today!


Please enter your comment!
Please enter your name here