May 17, 2013
You can’t pick up a newspaper these days – psych, just kidding – who reads newspapers anymore? What I meant to say was, you can’t flip through Reddit anymore without seeing an article about the Chinese hacking into US websites, Anonymous shutting down a bank’s website or some Russian mobsters stealing a million passwords from a department store. Pretty scary stuff, actually. It really brings the notion to the forefront that the more we decide to store all of our information online, the more someone wants to steal it.
The scary part is that attackers are increasingly going after smaller sites too: most of this work is automated, and a scanner does not care whether you are a bank or a bakery. So, when new clients ask us what they can do to prevent this sort of naughty behavior, we give them a few simple guidelines. They are as follows:
Realize That Your Web Host Is Vulnerable
Quite frequently, many websites hosted by the same web hosting company are all hacked together. Go ahead, Google: Amazon cloud hosting hacked. Sit back and shudder; the cloud, my friends, is opening up another avenue of threat. It's not only Amazon, of course; they are just the most visible. What it boils down to is that in these cases the weak point is the host. Either the host's own server software has an unpatched vulnerability, or the isolation between customer accounts is weak enough that an attacker who gets into one site on the server (often through that site's outdated CMS) can read or write files belonging to every other site on the same machine.
Do some homework on your hosting service. What monitoring do they offer? If they offer support, what are the average response times? How do they keep one customer's account from reaching another's? Do they keep backups you can restore yourself? Ask them; that's a large part of why you are paying their monthly fees. Customer service is never more crucial than when something actually goes wrong.
Your Passwords Have Been Leaked or Are NOT Strong
When it comes to passwords, they can only protect your website if they are strong. This means that passwords must adhere to the following criteria:
- Unique. FTP, database, control panel, and email passwords should all differ from each other and must not be reused on any other website, because a password leaked from one site is immediately tried against every other.
- Complex. Passwords should not be guessable. Length matters most: aim for at least 16 characters, avoid dictionary words, names and dates, and mix numbers, symbols, and upper and lower case letters.
- Private. Be careful about who you share passwords with and how. Don't send a password in plain email if you can avoid it (and don't imagine that pasting it into an image helps; the image sits in the same mailbox the text would). If you have to, split it across two channels, email and text message for instance, so that one intercepted channel does not give up the whole password.
- Not Left at the Default. The trap to avoid is keeping the password a service assigned you when the account was created. Those are often emailed to you in plain text, sometimes follow a predictable pattern, and may sit in the provider's records, so change them the first time you log in. A password produced by a proper random generator (the kind built into a password manager) is not guessable by anyone and is better than anything you will make up yourself; the problem is default and emailed passwords, not generated ones.
- Changed When There Is Reason To. Change a password promptly when a site you used it on is breached, when someone who knew it leaves, or when a machine it was typed on gets infected. Periodic rotation on its own buys little if the password is strong and unique, but it does limit how long a leaked password that nobody noticed stays useful.
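The criteria above, turned into a small script as an added example (this is not code from the original post): a generator that draws passwords from the operating system's random source, a check for the "Complex" criterion, a check for the "Unique" criterion across one site's accounts, and the arithmetic that shows why a generated password is not guessable. The sample credential set at the bottom is constructed for the demo; the 16-character minimum is an assumption.

```python
from __future__ import annotations

import math
import secrets
import string

# Alphabet for generated passwords: the 94 printable ASCII characters (no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(password: str, min_length: int = 16) -> list[str]:
    """Return the 'Complex' criteria this password fails; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = {
        "no lowercase letter": any(c.islower() for c in password),
        "no uppercase letter": any(c.isupper() for c in password),
        "no digit": any(c.isdigit() for c in password),
        "no symbol": any(c in string.punctuation for c in password),
    }
    failures.extend(name for name, present in classes.items() if not present)
    return failures


def generate_password(length: int = 20) -> str:
    """Draw a password uniformly at random from ALPHABET using the OS CSPRNG (secrets),
    which is what a password manager does; resample until every character class is present."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: log2(alphabet_size ** length).
    20 characters over 94 symbols is about 131 bits, far beyond any guessing attack."""
    return length * math.log2(alphabet_size)


def reused_passwords(credentials: dict[str, str]) -> dict[str, list[str]]:
    """'Unique' criterion: return {password: [accounts]} for every password shared
    by more than one account (FTP, database, control panel, email)."""
    accounts_by_password: dict[str, list[str]] = {}
    for account, password in credentials.items():
        accounts_by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in accounts_by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample credential set for one site; not real accounts.
    creds = {
        "ftp": "Summer2013!",
        "database": "Summer2013!",
        "cpanel": generate_password(),
        "email": "Summer2013!",
    }
    print("reused across accounts:", reused_passwords(creds))
    print("policy failures for ftp:", meets_policy(creds["ftp"]))
    print(f"a 20-character generated password carries {entropy_bits(20):.0f} bits")
```

The resampling loop in generate_password throws away a small fraction of candidates, which costs a fraction of a bit of entropy and guarantees the output also satisfies meets_policy; the point of entropy_bits is that an attacker who knows exactly how the password was generated still faces 2^131 possibilities.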
Your Content Management Software Has Security Holes
Content management systems (CMS) are used by websites to make it easier to manage content or add functionality. But there is a big downside. Whichever CMS you use, security holes get found in it, in its plugins and in its themes, and new ones turn up every year. Check out this article about WordPress for a little scare: WordPress Hack.
One of the downsides of using a widely distributed CMS is that it is on the radar of attackers precisely because of its popularity: one working exploit can be pointed at millions of sites, so people write scanners for exactly that. To keep a CMS as secure as possible, there are certain basic recommendations that you or your developer should always follow:
- Verify that file permissions are correct and not too permissive: directories and files should be writable only by the owner, and the configuration file that holds your database password should not be readable by other accounts on the server.
- Don't expose your directory structure: turn off directory listing in the web server, and keep backups, version-control folders and copies of configuration files out of the web root.
- Do not let two or more applications share the same database, or the same database account. Give each application its own database and its own user with only the privileges it needs, so that a hole in one application does not hand over the other's data.
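The permissions check from the first recommendation, as an added example (not code from the original post or from any CMS): it walks a web root, reports anything world-writable and any credential file readable by other accounts, and can apply the usual 755/644/600 baseline. The set of credential file names and the sample site it builds in a temporary directory are constructed for the demo; it assumes a POSIX host.

```python
from __future__ import annotations

import stat
import tempfile
from pathlib import Path

# Files that hold database credentials or API keys: nobody but the owner should read them.
# (Assumed list for the example; add your own CMS's config file name.)
SECRET_FILES = {"wp-config.php", "configuration.php", "settings.php", ".env"}


def audit_permissions(webroot: Path) -> list[str]:
    """Walk webroot and report modes that are too permissive. Empty list = clean."""
    findings = []
    for path in [webroot, *webroot.rglob("*")]:
        mode = path.lstat().st_mode          # lstat: don't follow symlinks out of the tree
        if stat.S_ISLNK(mode):
            continue
        rel = path.relative_to(webroot).as_posix()
        if mode & stat.S_IWOTH:
            findings.append(f"world-writable: {rel}")
        if path.name in SECRET_FILES and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"readable by other accounts: {rel}")
    return sorted(findings)


def harden(webroot: Path) -> int:
    """Apply the usual baseline: directories 755, files 644, credential files 600.
    Returns how many paths had their mode changed."""
    changed = 0
    for path in [webroot, *webroot.rglob("*")]:
        if path.is_symlink():
            continue                         # never chmod through a link
        if path.is_dir():
            want = 0o755
        elif path.name in SECRET_FILES:
            want = 0o600
        else:
            want = 0o644
        if stat.S_IMODE(path.lstat().st_mode) != want:
            path.chmod(want)
            changed += 1
    return changed


def demo() -> tuple[list[str], int, list[str]]:
    """Build a constructed sample site in a temp dir (not a real install), audit it,
    harden it, audit again. Returns (findings_before, paths_changed, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'example'); ?>\n")
        # Fix the modes explicitly so the demo does not depend on the process umask.
        root.chmod(0o755)
        (root / "wp-content").chmod(0o755)
        (root / "index.php").chmod(0o644)
        uploads.chmod(0o777)                   # the "just make uploads work" mistake
        (root / "wp-config.php").chmod(0o644)  # credentials readable by every account on the host
        before = audit_permissions(root)
        changed = harden(root)
        after = audit_permissions(root)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("before:", before)
    print("changed:", changed)
    print("after:", after)
```

On a shared host where the web server runs as a different user from your account, uploads directories sometimes genuinely need group write; in that case the fix is group ownership plus 775, never 777.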
Additionally, the programmers behind your CMS release updated versions or patches when vulnerabilities are discovered. And while it may be expensive or time-consuming to keep your CMS updated, it is worth the effort. Once a security update is out, the details of the flaw it fixes are published, and the fix itself can be compared against the old version. What this means is that if you don't upgrade, attackers literally have a roadmap into your website, and automated exploitation of a freshly published hole usually starts within days.
Make sure that your website’s code is written properly
Poorly coded website forms, dynamic pages, and CMS plugins/modules can leave easily exploitable holes: input pasted into a database query, output echoed back into the page without encoding, uploads saved wherever the user asked. To prevent this, make sure that all custom code is tested and written with security in mind: validate input, use parameterised queries, encode output. Before installing a 3rd-party plugin or module for your CMS, look at how recently it was updated, whether reported security issues got fixed, and what other developers say about it on sites such as Stack Overflow; a plugin nobody maintains will not get patched when a hole is found.
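The first of those holes, as an added example (not from the original post): a product search handler written the careless way beside the same query with a bound parameter. The in-memory SQLite catalogue and the product names are constructed for the demo; the payload is the textbook quote-and-comment injection.

```python
from __future__ import annotations

import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory catalogue: two published products and one that isn't."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL, published INTEGER NOT NULL);
        INSERT INTO products (name, published) VALUES
            ('Widget', 1),
            ('Gadget', 1),
            ('Unreleased Thing', 0);
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """The form handler as too many plugins write it: the search box text is
    pasted straight into the SQL, so a quote in the input rewrites the query."""
    sql = "SELECT name FROM products WHERE name = '%s' AND published = 1 ORDER BY id" % term
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Same query with a bound parameter: the driver sends the input as data,
    so it can never become SQL, whatever characters it contains."""
    sql = "SELECT name FROM products WHERE name = ? AND published = 1 ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    conn = setup_db()
    # What a visitor might type: a product name, then a classic injection payload.
    for term in ("Widget", "x' OR 1=1 --"):
        print(repr(term))
        print("  vulnerable:", search_vulnerable(conn, term))
        print("  safe:      ", search_safe(conn, term))
```

With the payload, the vulnerable query becomes `... WHERE name = 'x' OR 1=1 --' AND published = 1 ...`: the `--` comments out the published filter and the unpublished product leaks. The safe version returns nothing, because it looked for a product literally named `x' OR 1=1 --`. The vulnerable handler also breaks on perfectly honest input such as `O'Reilly` (an unclosed string is a syntax error), which is often how these bugs are first noticed.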
Remember, no website is hacker-proof!
Even after employing the best preventive measures, it is still possible for your website to be hacked. So it is a good idea to regularly monitor your site and its log files: keep a record of what your files should look like so that you can tell when one has been changed or a new one has appeared, and watch the access logs for repeated failed logins and other probing. There are a variety of 3rd-party monitoring tools that can alert you if your website has been compromised.
The good news is that if you don't have the time, or the desire, the agency that built your website should offer this service as part of their maintenance agreement. In this case the monthly fee should be well worth the peace of mind of knowing that professionals are watching your website's backyard for burglars, day and night.
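What such monitoring does under the hood, as an added example (not code from the original post or from any monitoring product): a file-integrity baseline that hashes every file under the web root and diffs a later snapshot against it, and a scan of web server access logs that flags any client hammering the login page. The sample site, the simulated compromise and the log lines are constructed for the demo; the combined log format and the /wp-login.php path are assumptions.

```python
from __future__ import annotations

import hashlib
import json
import re
import tempfile
from collections import Counter
from pathlib import Path


def snapshot(webroot: Path) -> dict[str, str]:
    """Map every regular file under webroot (relative path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(webroot.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digests[path.relative_to(webroot).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare two snapshots; anything listed here was changed by someone."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


# Apache/nginx "combined" log line: client IP, then the request line and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def find_login_bruteforce(lines, login_path: str = "/wp-login.php", threshold: int = 5) -> dict[str, int]:
    """Count POSTs to the login page per client IP; return the IPs at or over threshold."""
    hits: Counter[str] = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == login_path:
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample log (not captured from a real server): one IP hammering the login form,
# one ordinary visitor who logs in once.
SAMPLE_LOG = [
    f'203.0.113.7 - - [17/May/2013:10:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"'
    for s in range(3, 9)
] + [
    '198.51.100.2 - - [17/May/2013:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [17/May/2013:10:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def demo() -> dict[str, list[str]]:
    """Baseline a constructed sample site, simulate a compromise, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php include 'wp-blog-header.php'; ?>\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg bytes")
        baseline_json = json.dumps(snapshot(root))   # store this off-host after every clean deploy

        # Simulated attacker: a PHP file dropped in uploads, a redirect prepended to index.php.
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php /* simulated backdoor */ ?>\n")
        (root / "index.php").write_text(
            "<?php header('Location: http://example.com/spam'); ?>\n" + (root / "index.php").read_text()
        )
        return diff_snapshots(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print("file changes:", demo())
    print("login brute force:", find_login_bruteforce(SAMPLE_LOG))
```

The baseline is only worth something if it is stored somewhere the attacker cannot reach (not on the same host), and re-taken after each legitimate deploy; otherwise the first thing a compromise does is blend into the record.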
Authored by: Attila Sary