If you have a business website that has been hacked or one that hackers have attempted to breach (our website sees attempts like these dozens of times per day), you might be wondering why they are targeting you. Make no mistake, if you’re a big corporation these attempts happen on a regular basis, which is why they hire teams of network security personnel to monitor traffic, filter email, train users, etc.
Unfortunately as small business owners, we typically don’t have the extra resources available to bring in a team like this for our smaller operations. Does this mean we are doomed and at the mercy of the hackers and bad actors out there looking to gain access to our information?
Of course not!
But first, I’m sure you’re wondering why hackers are even attempting to access your website to begin with. Unfortunately, it’s hard to answer that one, because what I’ve found over the years is that even a brand new website with zero traffic can become a victim of a hacker. Are they bored? Maybe. Do you have something they want? Who knows. All I know is that once they are in your website it can be EXTREMELY difficult to clean up the mess. Sometimes the clean up involves simply fixing content altered by the intruder. In more extreme cases websites have to be entirely rebuilt on new web servers. That amount of downtime could cripple an e-commerce business. And we haven’t even touched on reputation being ruined and getting blacklisted by the search engines. All very possible outcomes of ONE breach. It’s important to stay vigilant and not treat the security of your website as some sort of optional task.
Public Service Announcement: If you are NOT worried about the security of your website, you might as well shut down now and if you haven’t launched yet, don’t even do it. Save yourself the pain now. Seriously. Breaches happen on a daily basis and if you aren’t willing to spend some time on preventative measures, you shouldn’t have a website. Period.
Now, with that out the way, let’s get into how you can protect your website and databases.
One of the great things about running a small business is that it allows you to be more fluid and react much quicker than a big corporation would. A team of specialists is not needed when we have plugins that will remove spam before it’s posted (check out Akismet for WordPress), security scanners that monitor your web server, and 24/7 monitoring services that watch for any downtime that might occur based on alarms you can customize (we set this up for our clients, btw.). The tools are right there available to you for use, and the crazy thing is most of them are free or very affordable. But you’d be shocked how many websites I come across that won’t even turn Akismet on, just because you have to spend 30 seconds registering for an account.
But I’m not here to blame anyone. I know most of the time small business owners will spin up a website (or have one designed) and just keep it moving from there. The problem is that web designers don’t stick around to maintain your website after the design aspects are completed. Their job is done, and now it’s generally your job to find a web content manager or webmaster to take over from there. Unfortunately, that last step doesn’t happen often.
This is partially because the title of “webmaster” was WAY more prevalent in the 90’s and early 2000’s. But make no mistake, the role is still very relevant today. I’d go as far as to say the role is as important as that of a web designer. Be that as it may, the multitude of Do-It-Yourself website builders and their misleading marketing has made people think it’s easy to build a website. Sure, putting together a homepage and slapping a few images and a link on there IS easy to do, but I’d hardly call that a website. Especially if it’s supposed to represent your business!
It may sound like I got a bit sidetracked there, but I had to break down why a lot of smaller, newer websites fall victim to intruders: simply because no one is paying attention, or the website was never set up to be secure in the first place. Now, you very well may find yourself in one of those categories. If so, and your website hasn’t been breached, consider yourself very lucky! But you’ve got some work to do now to ensure your website is truly secure.
The first (and easiest) thing to do is keep track of who has access to your website. I’m not talking about who can visit, I’m talking about who can ACTUALLY log in/edit code and make changes. Breaches happen to networks all the time because of a single person opening a virus in an email or falling victim to a phishing attack. Believe it or not, the same can happen to a website by login information falling into the wrong hands. And once someone has that level of access, you’re pretty much left hoping they don’t destroy your entire website. Talk about a stressful situation!
Keep the number of people who have access to a minimum if possible. And if you are using a CMS platform like WordPress, you have the ability to create multiple user accounts with varying permissions. This means you can give certain people the right to edit content, the right to simply view content, or even admin rights if you’d like. This feature is great for teams and we actually recommend and use this for all of our clients that have WordPress websites. We let them know what level of access we require, and they set up a webmaster account for us or allow us to create one for ourselves. It’s a pretty straightforward process.
While we’re still on the subject of logins, make it a point to change your master password every 90 days if possible. I know it can be annoying to do, but trust me, it’s worth it. You’ll also want to make sure you disable user accounts that are no longer active (say after a consultant working on your site is no longer needed, etc.). Same goes for your databases and web server. You don’t want to leave potential backdoors open anywhere.
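Here is what that kind of access review looks like when you write it down as a check rather than a habit. This is an added example, not code from the original post and not part of WordPress; it assumes you have a user list with a last-login date and a password-changed date for each account (WordPress doesn’t record those out of the box, so a security plugin or a small custom hook would have to), and every account below is made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample of a site's user accounts. The "last_login" and
# "password_changed" fields are an assumption: stock WordPress does not
# store them, so a plugin or custom hook is assumed to have recorded them.
@dataclass
class Account:
    username: str
    role: str                    # e.g. "administrator", "editor", "subscriber"
    last_login: Optional[date]   # None means the account has never logged in
    password_changed: date

TODAY = date(2024, 6, 1)         # fixed "today" so the example is repeatable

SAMPLE_ACCOUNTS: List[Account] = [
    Account("owner",      "administrator", date(2024, 5, 30), date(2024, 4, 15)),
    Account("webmaster",  "administrator", date(2024, 5, 28), date(2024, 1, 2)),
    Account("consultant", "administrator", date(2023, 11, 3), date(2023, 10, 1)),
    Account("blogger",    "editor",        date(2024, 5, 20), date(2024, 3, 9)),
    Account("intern",     "editor",        None,              date(2023, 12, 1)),
]


def audit_accounts(accounts: List[Account], today: date = TODAY,
                   inactive_days: int = 90, rotate_days: int = 90,
                   max_admins: int = 2) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every account that needs attention.

    The thresholds match the post's advice: rotate the password every 90 days
    and disable accounts nobody has used. max_admins is an assumed ceiling on
    how many full-admin accounts a small site should carry.
    """
    findings = []
    for a in accounts:
        if a.last_login is None:
            findings.append((a.username, "never logged in: disable until needed"))
        else:
            idle = (today - a.last_login).days
            if idle > inactive_days:
                findings.append((a.username, f"inactive for {idle} days: disable"))
        if (today - a.password_changed).days > rotate_days:
            findings.append((a.username, f"password older than {rotate_days} days: rotate"))
    admins = [a for a in accounts if a.role == "administrator"]
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} administrator accounts: demote the ones that only edit content"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user:12} {finding}")
```

Run it against your own export and the consultant-style account (an administrator who last logged in months ago) is exactly the backdoor the paragraph above is talking about.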
If you happen to use WordPress, make sure you regularly update the plugins you use to their latest versions. I know there are times when a new update just isn’t compatible with your theme or causes some other conflict within your website. In those cases, keep an eye on the developers’ change logs, because the update you’re holding back may be the one that fixes a vulnerability. You also want to make sure regular scans are run on your complete website, just in case. Depending on the directories the scan targets, these scans can take a long time, but it’s worth it. Better safe than sorry.
While we’re still on the subject of WordPress (which is fine, because it is one of the most popular CMS platforms out there), let’s talk about security plugins. A quick search will bring up a bunch of these, but how do you know which is the best? Personally, I like to look for these things:
- Number of downloads it has
- Ratings & reviews from current & former users
- WordPress version compatibility
- Most recent update/push
It’s definitely important to keep an eye on how many downloads/active users a security plugin has, as well as what the reviewers are saying about it. Chances are, if it’s a great plugin, people will be talking about it in a positive manner. The number of downloads/active users is important too, because it shows the level of popularity a plugin has. Version compatibility is next in line because if the plugin is older and is untested with your version of WordPress, then you won’t be able to use it anyway (well you can try, but you shouldn’t). Actually, the version compatibility ties in with the most recent updates for the plugin. Now sometimes, you’ll have developers who make a plugin that is just REALLY good. In these cases, you might not see too many regular updates and that is fine. If the developers put in the time and effort, the plugin should be good to go. But generally, you’ll notice multiple updates being pushed on a regular basis. This isn’t a bad thing because it means the developers are active in the development of their plugin and they want it to work well for users. Checking the change logs when these updates come in will let you see the kinds of updates being made and can help you decide if you want to move forward with that particular plugin.
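To make those four criteria concrete, here is an added example that is not code from the original post, from WordPress or from any plugin author. It scores plugin listings the way the checklist above describes. The records are constructed to look like the fields the WordPress.org plugin directory publishes for a listing (tested-up-to version, rating, number of ratings, active installs, last-updated date); the plugin names and numbers are made up, and the thresholds are assumptions you would tune for your own site.

```python
from datetime import date
from typing import Dict, List, Tuple

SITE_WP_VERSION = "6.5"   # assumed version of the site's WordPress install

# Constructed listings shaped like the WordPress.org plugin directory fields.
# None of these plugins exist; the values are invented for the example.
SAMPLE_PLUGINS: List[Dict] = [
    {"slug": "well-kept-scanner",  "version": "4.2.1", "tested": "6.5", "rating": 96,
     "num_ratings": 3100, "active_installs": 2_000_000, "last_updated": "2024-05-20"},
    {"slug": "abandoned-firewall", "version": "1.0.3", "tested": "5.2", "rating": 88,
     "num_ratings": 40,   "active_installs": 800,       "last_updated": "2019-08-11"},
    {"slug": "new-unknown-guard",  "version": "0.1",   "tested": "6.5", "rating": 100,
     "num_ratings": 2,    "active_installs": 30,        "last_updated": "2024-05-30"},
]


def version_tuple(v: str) -> Tuple[int, ...]:
    """'6.5.2' -> (6, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def vet_plugin(p: Dict, site_version: str = SITE_WP_VERSION, today: date = date(2024, 6, 1),
               max_stale_days: int = 365, min_installs: int = 10_000,
               min_ratings: int = 50, min_rating: int = 80) -> List[str]:
    """Return the concerns for one listing; an empty list means it clears every check."""
    concerns = []
    # Compatibility: compare major.minor only, so "tested: 6.5" still covers a 6.5.2 site.
    if version_tuple(p["tested"])[:2] < version_tuple(site_version)[:2]:
        concerns.append(f"tested only up to WordPress {p['tested']}, site runs {site_version}")
    # Recency: a generous one-year window, because a good plugin may legitimately go quiet.
    age = (today - date.fromisoformat(p["last_updated"])).days
    if age > max_stale_days:
        concerns.append(f"last update was {age} days ago")
    # Popularity: with few installs, few people would have noticed a problem.
    if p["active_installs"] < min_installs:
        concerns.append(f"only {p['active_installs']} active installs")
    # Reviews: a rating only means something once enough people have given one.
    if p["num_ratings"] < min_ratings:
        concerns.append(f"only {p['num_ratings']} ratings")
    elif p["rating"] < min_rating:
        concerns.append(f"rating is {p['rating']}/100")
    return concerns


def rank_plugins(plugins: List[Dict], **kwargs) -> List[Tuple[str, List[str]]]:
    """Order candidates: fewest concerns first, then the most active installs."""
    scored = [(vet_plugin(p, **kwargs), p) for p in plugins]
    scored.sort(key=lambda pair: (len(pair[0]), -pair[1]["active_installs"]))
    return [(p["slug"], concerns) for concerns, p in scored]


if __name__ == "__main__":
    for slug, concerns in rank_plugins(SAMPLE_PLUGINS):
        print(slug, "-> OK" if not concerns else "-> " + "; ".join(concerns))
```

The one criterion a script cannot judge for you is the change log itself: the checks above tell you a plugin is alive and widely used, but reading what each update actually changed is still a human job.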
While there are definitely more items relating to the security of your website that we could discuss, I want to focus on one of the ways hackers gain access to your website: web forms. Now you might be wondering how someone could gain access to your website data by sending you a “message” via a form. There’s no attachment for you to click, no links for phishing, nothing. Well, the way they do it is through an old method called a SQL injection attack. SQL (pronounced “Ess-que-ell” by some and “Sequel” by others) is a language used by many popular databases, including the ones used by CMS platforms like WordPress and Magento. The trick is that whatever gets typed into a form field usually ends up inside a database query; if the code behind the form pastes that text straight into the query instead of treating it as plain data, an attacker can type SQL into the field and the database will run it.
The plugins you use on these kinds of platforms could very well introduce vulnerabilities into your website. An SQL injection attack will exploit these weak points on your website to gain access to important information like:
- Login Information
- Financial & Business Information
- Third-party information such as customer names, addresses, credit card & purchase data, etc.
- Private images & videos
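Here is what that weak point looks like in code, as an added example that is not part of the original post and not WordPress code. It is written in Python with an in-memory SQLite database standing in for a shop’s database, and the customer rows are made up. The first lookup pastes the form field straight into the query text (the hole a vulnerable plugin would have); the second validates the field and hands it to the database as a bound parameter (the fix), so the same input that dumps every row from the first version returns nothing from the second.

```python
import re
import sqlite3
from typing import List, Tuple

EMAIL_RE = re.compile(r"[^@\s']+@[^@\s']+\.[^@\s']+")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory customer table; all rows are invented sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "9876"), ("carol@example.com", "5555")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """The pattern that creates an SQL injection hole: the form value is spliced
    into the SQL text, so the database cannot tell data from command."""
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """The hardened version: validate the field, then bind it as a parameter."""
    # Defence 1: reject anything that does not look like an e-mail address
    # before it goes anywhere near the database.
    if not EMAIL_RE.fullmatch(email):
        return []
    # Defence 2: the '?' placeholder sends the value separately from the SQL,
    # so its contents can never change what the query does.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed sample of the kind of input an automated attack tool sends
    # through a contact or login form; to the vulnerable query it reads as
    # "email is empty OR true", which matches every row.
    crafted = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))   # all three customers
    print("safe:      ", lookup_safe(db, crafted))         # []
```

The bound-parameter half is the part that matters: even without the regular expression, the parameterised query returns no rows for the crafted input. In WordPress plugin code the equivalent is `$wpdb->prepare()`, and a query built by string-concatenating form input is the pattern a code reviewer or scanner looks for.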
In addition, with this level of access, hackers could monitor the traffic flow to your website and even utilize your machine to deliver malware to other computers! It’s a pretty scary scenario to think about. Remember the Akismet software I mentioned earlier? It will automatically silo off any spam comments for you to review so that they don’t get posted. It takes 30 seconds to turn this plugin on and if you have a blog where people comment, you’ll want to have this active on your website. Also look into a strong security plugin to monitor the traffic to your website, and any login attempts that may be happening behind the scenes. Wordfence is a GREAT plugin for this. We highly recommend it.
Making sure your website is as secure as it can be is something you should be aiming for at all times. If you are an e-commerce shop this is where all, or at least a majority of your business happens. If you have a physical location, your website is the way people outside of your local area find out about you. A lot of times people in town will search for you online first too. It doesn’t matter if your website is brand new or years old. Hackers pick the easiest targets first. Make sure if they come across your website, it’s fully prepared to handle them.
And if this is all too much for you to deal with and you’d rather let someone else handle it, reach out to us here at Webmaster On Site. Check out our plans here.
Owner and Lead Web Developer at Webmaster On Site.