Whatever your goal for your website, whether you’re a blogger, an e-commerce business, a community portal or the next big thing (Google, Facebook), a security breach can have far-reaching consequences.
There are many ways someone can attack your website, but the ones I’m talking about in this article fit into three groups (well, at least in my mind): visible modifications, non-visible modifications and data theft.
Visible Modifications
By a visible attack I am of course talking about a site defacement, that is, someone manages to modify the look of your website. These attacks are generally either for notoriety or to send a message. Either way it is similar to graffiti on a building, though much cheaper, quicker and easier to fix, but still embarrassing and probably more damaging.
Non Visible Modifications
This type of attack is more clandestine: while it still modifies the code on your site, the changes are generally not externally visible. Initially these were generally malware being added to your site, either in downloads or within the site markup, so that it would infect your visitors’ devices.
A newer variation on this is negative SEO: adding to and modifying the metadata in your site markup. This type of attack can affect your Google rankings, and not in the direction you want. As if it isn’t hard enough to get high rankings in the first place. This attack can also be onsite or offsite; offsite, attackers add your site details to spamming directories that get you penalised by Google.
Data Theft
A data theft attack is potentially the most damaging, especially for e-commerce businesses and of course any business model that relies on the confidentiality of information.
This information can be used for other attacks like identity theft or to empty your bank accounts. Imagine if your clients came under attack and it led back to your business as the source of the data that made the attack successful. Not good.
While a site defacement is far more visible I would argue that data theft is far more damaging.
Why should I care, I’m not Google?
One of the biggest mistakes people make is thinking that because they are not the size of Google, or as important as a corporate or government organisation, hackers aren’t interested in them. The truth is most of these attacks are automated. That is, programs scan IP address ranges (the IP address is the number behind your domain name) for specific vulnerabilities in a specific platform, and if your site runs that platform and lies in the IP range they are scanning, then guess what?
What can you as a site owner do about it?
Well, thankfully there are some fairly straightforward ways to keep the vast majority of attacks out.
Use SSL
The internet is an open place and hopefully will remain so. The downside of this is that you have little control over which route your data travels when communicating with your website, especially if you are using an off-shore hosting provider. This means you may be sending data through hostile or compromised systems that are actively logging your traffic. If you have an admin console or have members logging in, you need to use SSL to encrypt the traffic.
While encrypting your traffic doesn’t guarantee that nobody can decrypt your information, attackers are far less likely to try if your traffic is encrypted and many others’ is not. The theory behind this type of security is to make you less inviting to attack than someone else.
Not doing so is asking for trouble.
P.S. It is not that hard to set up and fairly inexpensive if you are not securing credit card transactions. If you are, then use an EV (green bar) SSL certificate from a respectable source.
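To make the "encrypt the admin console and member logins" advice concrete, here is an added example (not from the original post, and not a feature of WordPress or any hosting provider) of what enforcing SSL/TLS looks like at the application layer. It is a small Python WSGI middleware: plain-HTTP requests are redirected to HTTPS before the login page is ever served, HTTPS responses get a Strict-Transport-Security header, and any session cookie set over HTTPS is marked Secure so the browser never sends it back in the clear. The `login_app` stand-in, the host names and the request environments are constructed for the example; `canonical_host` is a hypothetical parameter that pins the redirect target so an attacker-supplied Host header cannot steer the redirect elsewhere.

```python
from urllib.parse import quote

# One year of HSTS; browsers will then refuse plain HTTP for this host.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def https_only(app, canonical_host=None, trust_proxy_header=False):
    """WSGI middleware: redirect plain-HTTP requests to HTTPS, harden HTTPS responses.

    canonical_host: pin the redirect target; otherwise the request's Host header is used.
    trust_proxy_header: honour X-Forwarded-Proto. Only safe behind a TLS-terminating
    proxy you control (an assumption about your hosting setup, hence off by default).
    """
    def middleware(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if trust_proxy_header:
            scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme).lower()

        if scheme != "https":
            # Plain HTTP: send the visitor to the same URL over HTTPS and stop here,
            # so the login form is never served (and never submitted) unencrypted.
            host = canonical_host or environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            target = f"https://{host}{quote(environ.get('PATH_INFO', '/'))}"
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hardened_start_response(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                # A session cookie issued over HTTPS must never travel back over HTTP.
                if name.lower() == "set-cookie" and "secure" not in value.lower():
                    value += "; Secure"
                fixed.append((name, value))
            fixed.append(HSTS_HEADER)
            return start_response(status, fixed, exc_info)

        return app(environ, hardened_start_response)
    return middleware


def login_app(environ, start_response):
    """Stand-in for the site's login page (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; HttpOnly")])
    return [b"login page"]


def call(app, environ):
    """Invoke a WSGI app directly; return (status, headers as a dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def demo():
    """Run one plain-HTTP and one HTTPS request through the middleware."""
    app = https_only(login_app, canonical_host="example.com")
    # Constructed requests; the first carries a spoofed Host header on purpose.
    http_env = {"wsgi.url_scheme": "http", "HTTP_HOST": "spoofed.example",
                "PATH_INFO": "/wp-admin/", "QUERY_STRING": "redirect_to=%2F"}
    https_env = {"wsgi.url_scheme": "https", "HTTP_HOST": "example.com",
                 "PATH_INFO": "/wp-admin/", "QUERY_STRING": ""}
    return call(app, http_env), call(app, https_env)


if __name__ == "__main__":
    for status, headers, body in demo():
        print(status, headers, body)
```

The redirect goes to `https://example.com/...` regardless of what the spoofed Host header said, because the host is pinned. On a shared host you would normally get the same effect from the web server or hosting control panel rather than application code, but the three behaviours (redirect, HSTS, Secure cookies) are what to check for whichever way it is done.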
Create a strong login password
A strong password should be at least 8 characters long (I go for at least 10). It should be alphanumeric with symbols and a mix of upper and lower case. Do not use common words that are in the dictionary.
One way you can practise creating secure passwords is to go to a site like https://howsecureismypassword.net/. Note: do not type any of your actual passwords into another site.
Also, platforms like WordPress have an inbuilt strength indicator that you should take notice of.
Use something other than Admin as your login account
While not as common as it used to be, if your admin console username is “admin” please change it; this is the first username attackers try.
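The rules above (length, character classes, no dictionary words) are easy to check locally, which also sidesteps the author’s warning about typing real passwords into a third-party site. The following is an added example, not code from the original post or from WordPress’s strength indicator: `password_problems` reports which rules a candidate breaks, and `generate_password` builds one that passes them all from the operating system’s cryptographic random source. The tiny `COMMON_WORDS` set is a constructed stand-in for a real dictionary or breached-password list.

```python
import re
import secrets
import string

MIN_LENGTH = 8           # the article's floor
RECOMMENDED_LENGTH = 10  # the author's own target

# Constructed, deliberately tiny stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "wordpress"}


def password_problems(password):
    """Return the list of rules a password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        problems.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Drop digits and symbols before the dictionary check so that "Password1!"
    # is still recognised as the word "password" with decorations bolted on.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if any(word in letters_only for word in COMMON_WORDS):
        problems.append("based on a common word")
    return problems


def is_strong(password):
    return not password_problems(password)


def generate_password(length=16):
    """Build a random password that satisfies every rule above, using the OS CSPRNG."""
    rng = secrets.SystemRandom()
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    while True:
        chars = [rng.choice(cls) for cls in classes]  # guarantee one of each class
        chars += [rng.choice("".join(classes)) for _ in range(length - len(classes))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if is_strong(candidate):  # retry in the rare case a common word appears by chance
            return candidate


if __name__ == "__main__":
    for sample in ("password", "Password1!", "Abc123!", "c0rrect-H0rse-batt3ry!"):
        print(f"{sample!r}: {password_problems(sample) or 'OK'}")
    print("generated:", generate_password())
```

Run it and the decorated dictionary word `Password1!` is rejected even though it ticks every character-class box, which is exactly the trap the "no common words" rule exists to catch.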
Have separate usernames for different contributors
If you have multiple people accessing your site make sure they each have their own login, so if they leave or stop contributing you can easily disable the account.
Also, if these accounts have limited access, the severity of any potential breach is greatly reduced.
Disable accounts that are not used
If you are not currently using an account, disable or delete it.
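The three account rules above (no default "admin" username, limited access per contributor, disable what is not used) are the kind of thing worth checking on a schedule rather than once. Here is an added example of such an audit in Python; it is not from the original post and not a WordPress feature. `USERS` is a constructed stand-in for whatever your platform exports from its user table, `AUDIT_DATE` is the constructed "today", and the 90-day idle threshold is an assumption you would tune to how often your contributors actually log in.

```python
from datetime import date

DEFAULT_NAMES = {"admin", "administrator", "root"}
AUDIT_DATE = date(2024, 5, 10)  # constructed "today" for the example

# Constructed sample of what a CMS user export might look like; not real accounts.
USERS = [
    {"username": "admin",   "role": "administrator", "last_login": date(2024, 5, 1), "enabled": True},
    {"username": "jane",    "role": "administrator", "last_login": date(2024, 5, 2), "enabled": True},
    {"username": "guest",   "role": "editor",        "last_login": date(2023, 9, 1), "enabled": True},
    {"username": "olddev",  "role": "administrator", "last_login": None,             "enabled": True},
    {"username": "archive", "role": "subscriber",    "last_login": date(2023, 1, 1), "enabled": False},
]


def is_stale(user, today, max_idle_days):
    """An account that has never logged in, or not within the window, is stale."""
    if user["last_login"] is None:
        return True
    return (today - user["last_login"]).days > max_idle_days


def audit_accounts(users, today, max_idle_days=90):
    """Return (username, issue) pairs for enabled accounts that break the rules."""
    findings = []
    for u in users:
        if not u["enabled"]:
            continue  # already disabled; nothing left to flag
        if u["username"].lower() in DEFAULT_NAMES:
            findings.append((u["username"], "default username"))
        if u["last_login"] is None:
            findings.append((u["username"], "never logged in"))
        elif is_stale(u, today, max_idle_days):
            findings.append((u["username"], f"idle for more than {max_idle_days} days"))
        # Limited access matters most for the accounts nobody is watching.
        if u["role"] == "administrator" and is_stale(u, today, max_idle_days):
            findings.append((u["username"], "unused account still has administrator rights"))
    return findings


def disable_stale(users, today, max_idle_days=90):
    """Return a copy of the user list with stale accounts disabled, plus the names touched."""
    updated, touched = [], []
    for u in users:
        u = dict(u)
        if u["enabled"] and is_stale(u, today, max_idle_days):
            u["enabled"] = False
            touched.append(u["username"])
        updated.append(u)
    return updated, touched


if __name__ == "__main__":
    for name, issue in audit_accounts(USERS, AUDIT_DATE):
        print(f"{name}: {issue}")
    remaining, disabled = disable_stale(USERS, AUDIT_DATE)
    print("disabled:", disabled)
    print("still open:", audit_accounts(remaining, AUDIT_DATE))
```

After `disable_stale` runs, the only finding left is the default "admin" username, which is the one item a script should not fix for you: renaming the account is a deliberate change you make in the console, with a backup taken first.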
Have a backup way for getting into your site
In the event that someone does get into your system, make sure you have an alternative method of access. Just make sure you change the password from time to time.
Have site backups
I know this shouldn’t have to be said, but we have all been guilty of not maintaining backups to the level we should, and Murphy is going to ensure that any incident happens at one of the times you have let it slide.
Keep your platform up-to-date
This is a common entry point for hackers. If your website platform, e.g. WordPress, is not the latest version you are opening yourself up to known security vulnerabilities, especially since most updates list the vulnerabilities they attempt to resolve. Kind of like a menu of potential openings for your attacker.
If you’re using a modern platform like WordPress you really have no excuse for not keeping up to date, as it tells you whether you are up to date right in the console, and if your hosting provider has the security permissions correctly set you should be able to upgrade from the console as well. At least you can with Altair Hosting. Note: always back up first.
Use an active platform
If the platform you are using is no longer actively maintained it would be wise to move to another (and there is plenty of choice). It would be well worth investing the time and/or money to migrate to a well-maintained platform. All the platforms we promote are actively maintained and we can certainly advise on a migration path. You can also visit https://www.cms2cms.com/ and see if they support a migration path.
And in closing
Now there are many more things you can do to protect your site; however, these are relatively simple to implement, or at least to have implemented by your hosting provider (see SSL). If you are a business whose livelihood depends on the security of your web systems you would be wise to get your systems independently audited.