Security and Your Website

Having a website lets you reach the world, which is wonderful – however, having a website also lets the world reach you, and not everyone in the world is friendly. A hacked website can cause you many headaches. We’ll take a look at website security and the risks you face by having a website, where those risks come from, and most importantly how to reduce those risks.

Risks

  1. Defacement – Someone who gains control of your website can put unwanted content (text and images) on it. It may be put there to soil your public image, promote a cause (such as terrorism), or simply for hacker bragging rights and to mark territory, like a sort of electronic graffiti. Whatever the reason, you don’t want it on your website, for your customers or clients, staff, and the public to see!
  2. Data theft – An attacker who gains control of your website can gain access to everything on it or that passes through it, including information that is supposed to be secured behind password protected areas, unpublished or pre-published information, personal data of website users with logins, sensitive information about financial transactions, or even passwords to linked services that are integrated with your website.
  3. Turning your site into a tool for criminal activity – The hacker who takes over your website can use it for any purpose that it is capable of. They can host files (such as pornography, copyright violations, and/or their own web pages), they can use your web server to launch new hacking attacks against others, and they can send unwanted email. Malware can also be hosted on your website, so that visitors who visit your website with vulnerable browsers can find their own computer hacked, from tools placed on your website by the hacker.
  4. Blacklisting – If your site is identified (or reported) as being hacked and/or hosting malware, numerous services, including antivirus software and even Google search results, may warn visitors away from your website or even prevent them from visiting.
  5. Ransomware – A hacker who gains control of your website can encrypt your (or your employees’, clients’, or partners’) data and demand payment to decrypt it. A variant is a demand for payment so that the attacker will not release your data to the public.

Who are hackers, and what do they want?

Hackers come in many forms, including curious pranksters, individual criminals, criminal organizations, and even foreign government agencies.

It’s important to understand that the vast majority of hacking attempts today are automated. Regardless of whether anyone personally targets your organization or not, computer programs scan the web looking for vulnerable software that powers websites. When these programs find vulnerable software, they attempt to use known exploits of the vulnerabilities to take control. The software can also attempt to “brute force” guess administrative passwords.

Many attacks come from botnets – networks of hacked computers (“bots”; computers enslaved to act as “robots”). This makes attacks harder to defend against – the attacks, instead of coming from one computer, or even from one country, come from hundreds of thousands or even millions of computers distributed around the world.
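The two patterns described above, a single computer guessing passwords over and over and a botnet spreading one guess each across many addresses, both leave traces in an ordinary web server access log. The following is an added example, not code from the original article or from Courtland: it reads a handful of constructed log lines, picks out POST requests to the login page, and flags both a per-address burst and a wide spread of distinct addresses in a short window. The login path (/wp-login.php), the 60 second window and the thresholds are assumptions chosen for the example, not values from the article.

```python
"""Added example (not part of the original article): spotting automated
login guessing, from one source or from a botnet, in web server access logs.

The log lines, login path, time window and thresholds are all constructed
or assumed for this example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LOGIN_PATH = "/wp-login.php"          # assumed login endpoint (WordPress default)


def _log_line(ip, time, method, path, status):
    """Build one constructed Apache/nginx 'combined' format line (sample data only)."""
    return (f'{ip} - - [10/Oct/2023:{time} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: a real visitor, one noisy guesser, and a botnet.
SAMPLE_LOG = [
    _log_line("192.0.2.5", "13:54:50", "GET", "/about/", 200),
    _log_line("192.0.2.5", "13:54:58", "POST", LOGIN_PATH, 302),   # genuine login, redirect
]
# one address hammering the login form: 8 guesses in 15 seconds
SAMPLE_LOG += [_log_line("198.51.100.7", f"13:55:{10 + 2 * i:02d}", "POST", LOGIN_PATH, 200)
               for i in range(8)]
# a botnet: 12 different addresses, one guess each, spread over half a minute
SAMPLE_LOG += [_log_line(f"203.0.113.{i + 1}", f"13:56:{3 * i:02d}", "POST", LOGIN_PATH, 200)
               for i in range(12)]

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def login_attempts(lines, login_path=LOGIN_PATH):
    """Keep only POSTs to the login page (form submissions), sorted by time."""
    attempts = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == login_path:
            attempts.append(rec)
    attempts.sort(key=lambda r: r["ts"])
    return attempts


def find_bursts(attempts, window=timedelta(seconds=60),
                per_ip_threshold=5, distinct_ip_threshold=10):
    """Slide a window over the attempts and report
    - addresses that submitted the form per_ip_threshold+ times inside one window
    - whether any window saw distinct_ip_threshold+ different addresses (botnet pattern)
    """
    single_source = set()
    distributed = False
    for i, start in enumerate(attempts):
        end = start["ts"] + window
        in_window = [a for a in attempts[i:] if a["ts"] <= end]
        per_ip = Counter(a["ip"] for a in in_window)
        single_source.update(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
        if len(per_ip) >= distinct_ip_threshold:
            distributed = True
    return sorted(single_source), distributed


def analyze(lines, **thresholds):
    """Summarise login-guessing activity found in the given log lines."""
    attempts = login_attempts(lines)
    single_source, distributed = find_bursts(attempts, **thresholds)
    return {"attempts": len(attempts),
            "single_source": single_source,
            "distributed": distributed}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The single-address burst is what a per-IP rate limit or a login-lockout plugin catches; the botnet pattern is the one that slips past it, because each address only tries once, which is why the count of distinct addresses over a window is the useful signal there. On a real site these thresholds need tuning against the normal rate of logins, and the same check belongs in the web host's or website firewall's rules rather than in a script you run by hand.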

So it’s (probably) not personal – but that doesn’t make it any less painful if you get hacked.

Reducing risks

The benefits of having a website are too great to give it up just to avoid hackers. So how can you reduce the risks?

  1. Security-minded web hosting – A good web hosting company focuses on security, and keeps up with evolving security threats. They scan their servers for vulnerabilities, have a good set of automated security rules on the server, keep their server software updated, and are proactive in helping their customers keep secure websites.
  2. Keep your software updated – If your website is powered by a content management system like WordPress or Joomla, keep it updated! Over the years these systems are periodically found to have vulnerabilities, which are fixed in updates. If you don’t install the update, then you still have the vulnerability – a known vulnerability that automated hacking scripts can attempt to exploit. But don’t stop there, keep ALL add-ons to your website updated. Even if you keep WordPress up to date, for example, a vulnerable outdated plugin can be used to hack the website. If you rely on automatic updates, make sure that they are configured properly, and that any paid plugins have current licenses (if needed to receive updates).
  3. Minimize the attack surface and vulnerable assets – Remove any unused website add-ons. Don’t store credit cards or other sensitive information on the website. Only collect necessary information from your visitors.
  4. Website backups – Make sure that you have an automated system of taking and storing website backups. If your website does get hacked, you’ll want to be able to restore it to a pre-hacked state. And having copies of your data means that it can’t be held for ransom.
  5. Use non-standard usernames – If the admin user for your website is “admin”, you just made it a lot easier for an attacker to guess their way in. Choose an unusual username, and use a strong password, preferably generated randomly by a computer program. Attackers use huge dictionaries of passwords, and whatever password you think is clever probably isn’t!
  6. Additional security tools – Additional security tools are available, such as website firewalls – these filter traffic to your website through external servers that specifically look for and try to stop attacks, before they ever reach your website. There may also be security add-ons available for your website software, which add additional security features to your website.
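Point 5 above, unusual usernames and randomly generated passwords, is something a website can enforce when an account is created rather than leave to good intentions. The following is an added example and not code from the original article or from Courtland: it rejects default administrator usernames, checks a candidate password against a (tiny, constructed) stand-in for a list of commonly used passwords, also after folding case and stripping trailing digits and symbols so “Password1!” is treated as “password”, and shows how to generate a password with the operating system’s secure random source. The minimum length, the word lists and the character set are assumptions for the example.

```python
"""Added example (not from the original article): a username and password
check of the kind point 5 describes, plus a random password generator.

COMMON_PASSWORDS is a constructed stand-in for a real list of leaked or
commonly used passwords; MIN_LENGTH and the word lists are assumptions.
"""
import math
import secrets
import string

# Constructed stand-ins; a real site would check against a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "summer", "admin"}
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test", "user"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
MIN_LENGTH = 12                                                        # assumed policy


def username_is_acceptable(username):
    """Reject the usernames that guessing scripts try first."""
    return username.strip().lower() not in DEFAULT_USERNAMES


def _normalize(password):
    """Fold case and drop a trailing run of digits/symbols: 'Summer2023!' -> 'summer'."""
    return password.lower().rstrip(string.digits + string.punctuation)


def check_password(password, username=""):
    """Return the list of reasons a password is rejected; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or _normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a password of `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def generate_password(length=20):
    """Draw each character from the OS secure random source (the `secrets` module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Password1!", "Summer2023!!", "adminadmin2023!"):
        print(candidate, "->", check_password(candidate, username="admin") or "ok")
    pw = generate_password()
    print(pw, "->", check_password(pw) or "ok",
          f"(about {entropy_bits(len(pw)):.0f} bits of entropy)")
```

The generated 20-character password carries roughly 131 bits of entropy, far beyond what any dictionary covers, which is the practical meaning of “preferably generated randomly by a computer program”. The normalisation step matters because the dictionaries attackers use already include the obvious capital-letter-and-digit variations of common words.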

Your experienced web developer can (and should) design and configure your website with security in mind. Courtland can help you navigate the complex world of website security. Want to read more about website security? Check out “Consumer’s Security Expectations for your Site”. Give us a call or email us today!

Written by Software Programmer Greg Holmes