Malicious Sites policy

Your first line of defense. Malicious Sites checks every outbound URL against multiple threat-intelligence feeds and flags any link pointing to known malware, phishing, scams, or compromised domains, in real time, as your visitors hit those pages.

Recommended

, enable this policy first, before anything else.

enable

What it does

The Malicious Sites policy continuously matches every link on your site against comprehensive databases of known malicious domains. When any match fires, you get a critical alert with the source page, the target URL, and the threat category.

Malware hosting
Distribute viruses, trojans, and harmful payloads
Phishing websites
Steal credentials and personal information
Spam & scam sites
Promote fraudulent schemes and traffic-pump networks
Botnet command centers
Coordinate cybercriminal activity from compromised hosts
Compromised legit sites
Previously safe domains hacked or backdoored

Why it matters

A malicious link in a footnote you published five years ago still carries your domain's reputation. If a reader clicks through from your site and gets phished, your brand is the one named in the post-mortem. This policy is the lowest-effort, highest-leverage way to prevent that.

Configuration

There's no config file to edit. Every policy is configured from its card in the dashboard, under Policies. Toggle it on, set the severity, choose which threat feeds to consult, and pick where alerts are routed. Severity defaults to CRITICAL; lower it to HIGH if you want the policy to fire without paging an on-call.

DASHBOARD · POLICIES · MALICIOUS SITESENABLED
SEVERITY
CRITICALHIGHMEDIUMINFO
THREAT FEEDS
Google Safe BrowsingPhishTankURLhausFeodo TrackerMalwareBazaarOpenPhish
NOTIFY
SlackEmail·Webhook

Changes save instantly and apply from the next scan. No deploy, no config file, no restart.

Severity levels

CRITICALPage on-call · Slack + email + webhook · default
HIGHSlack + email · no page
MEDIUMDaily digest
INFOLogged only, no notification

What you'll see

A fired incident includes the offending URL, the page it was found on, the threat feed that flagged it, the timestamp of the first sighting, and the suggested response. Incidents land in the dashboard at /dashboard/violations and (per your routing) in Slack, email, or webhook.

Best practices

  • Leave the default CRITICAL severity in place. False positives on a curated threat feed are vanishingly rare.
  • Route Malicious Sites to a paging channel. The half-life of a malicious link is hours, not days.
  • Use Custom Blocklist to add internal deny rules on top of the public feeds — your competitor's tracking subdomain, a recurring spammer, anything specific to your operation.