Your Website Is Putting Your Business At Risk
As you read this your site is probably being attacked. Most attacks are automated, jumping from site to site looking for specific vulnerabilities. Thousands of sites are scanned by hackers each minute looking for targets. That’s the harsh reality of today’s online world.
In my experience in building and managing websites for the past 15 years, most business owners don’t take website security seriously. It’s a fact that sites are attacked by hackers on a daily basis. The good news is that you can protect yourself and greatly minimize your risk of being hacked and losing business.
It’s never been more important to secure your website. The best case scenario if your site is hacked is that your site is taken down temporarily. You may lose sales and customers while your site is offline. If your site is back online in a matter of hours your business can recover from the incident. Worst case: business and customer data is stolen, hackers go on shopping sprees with customer credit cards, you’re found liable and sued, and your business never recovers.
Take this information seriously and do something about it right now. If you are prone to procrastination, stop reading this article and contact me for questions or if you think you’ve been hacked. I usually put my contact info at the end of each article, but because this is an important topic, here’s how to reach me right now:
- Twitter: @tomlitchfield
- Private Instant Message: WordPress Site Hacked
The remainder of this article will serve as an introduction to the most common threats found online, and teach you how you can protect yourself.
In this guide you’ll learn about:
- What steps you need to take to ensure your website is safe from threats, and secure for visitors
- The most common ways hackers can exploit your website (using attacks like SQL injections and cross site scripting)
- How to keep your personal information safe on the web
- Why you should consider taking a restrictive approach to social media
- How to keep your computer running smoothly, and free from threats like viruses and other malware
- The software that helps you stay secure
- The best ways to store and dispose of personal or sensitive files
- The most common online scams, and what you can do to avoid them
- …and much more!
This article ranges from very basic information to intermediate “power user” tips. Not everything may make sense to you; if you have questions, please feel free to get in touch with me using the contact information above.
Protecting Your Website
Keeping a website safe from hacking isn’t easy. There are many things to keep in mind, and you need to stay on top of the latest developments in web security. No site is ever completely secure, but you can make yours a much harder target than the next one.
In many ways, the problem gets worse the more complex and popular your website is. A simple, purely informational website built in plain HTML with only a few visitors has far less to attack (no login, no database, no plugin code), though the hosting account, the server itself and the credentials you use to manage them remain targets, so never rule out the possibility. On the other hand, a very popular blog built on WordPress may see dozens of intrusion attempts on a daily basis, most of them from automated scanners that don’t care how big your site is.
However, there have been a number of developments in recent years that can greatly lower the risk of an attack, and if an attack does get through, easier ways to recover and restore your site.
In this section you’ll learn the methods I’m talking about: the things you can do to keep your website secure and safe from harm.
How to Properly Back Up Your Website
Before we even discuss how to secure your website we have to talk about backing it up.
While this may not seem like a “security” step, it is probably the single most important step you can take to ensure your website is safe. Your website will always be somewhat susceptible to a “worst case scenario.” Having a recent backup, stored somewhere an attacker who gets into your site can’t reach, is the only way to be sure you can restore your website.
Whatever you work on, it is standard to create a backup file in case something goes wrong. Even though creating a backup means additional work for you, you will be truly grateful if you ever need to use it.
Backing Up Your Website
Check with Your Host: The first thing you should do is figure out how your host handles website backups. Check and find out how often they do automatic backups, and how long they keep them. You can find this info on their website, you can call them or you can use the live chat support many web hosts have. You can still back up yourself to be doubly sure.
These days some web hosts include daily backups as part of their service. If your web host does not offer this, or wants you to pay extra for it, your site may not be with the best company. Please contact me for my personal recommendations:
Private Instant Message: Contact
Try to make sure you keep backups around for some time, and don’t overwrite them every time with new backups. A successful exploit (like injecting links onto your web pages) may take you several weeks to detect, and if you don’t have backups stretching that far back you’ll definitely have your work cut out for you. In fact you may never be able to get your site completely “clean” after something like that, aside from rolling back to an old backup. Keep at least one copy off the hosting account (on your own computer or in separate cloud storage): a backup that sits in the same account as the site can be deleted or tampered with by the same attacker.
My web host provides me with daily backups, a weekly backup and a monthly backup. I save a copy of the monthly backup to my computer going back at least 3 months.
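Here is a worked example of that kind of schedule, added to this article and not part of it: a small Python script that dumps the WordPress database with mysqldump, archives the dump together with wp-content and wp-config.php, writes a checksum next to the archive, and prunes old copies with a keep-7-daily, 4-weekly, 3-monthly rule. The paths, the directory layout and the assumption that the site is on MySQL with credentials in wp-config.php are illustrative; adjust them for your site, and copy BACKUP_DIR off the hosting account afterwards.

```python
"""Nightly WordPress backup with checksums and a daily/weekly/monthly retention rule."""
import datetime as dt
import hashlib
import os
import pathlib
import re
import subprocess
import tarfile

SITE_DIR = pathlib.Path("/var/www/example.com")        # assumption: WordPress install
BACKUP_DIR = pathlib.Path("/var/backups/example.com")  # assumption: outside the web root
NAME_RE = re.compile(r"backup-(\d{4}-\d{2}-\d{2})\.tar\.gz")


def read_db_credentials(wp_config_text):
    """Extract the define('DB_*', '...') values from the text of wp-config.php."""
    creds = {}
    for key in ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"):
        m = re.search(r"define\(\s*['\"]" + key + r"['\"]\s*,\s*['\"]([^'\"]*)['\"]",
                      wp_config_text)
        if m is None:
            raise ValueError(f"{key} missing from wp-config.php")
        creds[key] = m.group(1)
    return creds


def backups_to_keep(dates, today, daily=7, weekly=4, monthly=3):
    """Return the set of dates to keep: every backup from the last `daily` days,
    the newest backup of each ISO week for `weekly` weeks, and the newest backup
    of each calendar month for `monthly` months."""
    keep, seen_weeks, seen_months = set(), set(), set()
    for d in sorted(set(dates), reverse=True):          # newest first
        age_days = (today - d).days
        if age_days < 0:
            continue                                     # ignore dates in the future
        if age_days < daily:
            keep.add(d)
        week = d.isocalendar()[:2]                       # (ISO year, ISO week)
        if age_days < weekly * 7 and week not in seen_weeks:
            seen_weeks.add(week)
            keep.add(d)
        months_old = (today.year - d.year) * 12 + today.month - d.month
        if months_old < monthly and (d.year, d.month) not in seen_months:
            seen_months.add((d.year, d.month))
            keep.add(d)
    return keep


def dates_from_filenames(names):
    """Map backup archive names to their dates; other files in the directory are ignored."""
    found = {}
    for name in names:
        m = NAME_RE.fullmatch(name)
        if m:
            found[name] = dt.date.fromisoformat(m.group(1))
    return found


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(today=None):
    """Dump the database, archive it with wp-content and wp-config.php, and write
    a .sha256 sidecar so a restore can first check that the archive is intact."""
    today = today or dt.date.today()
    BACKUP_DIR.mkdir(parents=True, exist_ok=True)
    creds = read_db_credentials((SITE_DIR / "wp-config.php").read_text())
    dump = BACKUP_DIR / f"db-{today}.sql"
    with open(dump, "wb") as out:
        # The password goes through the environment, not argv, so `ps` can't show it.
        subprocess.run(["mysqldump", "--single-transaction", "-h", creds["DB_HOST"],
                        "-u", creds["DB_USER"], creds["DB_NAME"]],
                       stdout=out, check=True,
                       env={**os.environ, "MYSQL_PWD": creds["DB_PASSWORD"]})
    archive = BACKUP_DIR / f"backup-{today}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(dump, arcname=dump.name)
        tar.add(SITE_DIR / "wp-config.php", arcname="wp-config.php")
        tar.add(SITE_DIR / "wp-content", arcname="wp-content")
    dump.unlink()
    sidecar = archive.with_name(archive.name + ".sha256")
    sidecar.write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def prune(today=None):
    """Delete archives (and their sidecars) that the retention rule no longer needs."""
    today = today or dt.date.today()
    by_name = dates_from_filenames(p.name for p in BACKUP_DIR.iterdir())
    keep = backups_to_keep(by_name.values(), today)
    removed = []
    for name, d in by_name.items():
        if d not in keep:
            for p in (BACKUP_DIR / name, BACKUP_DIR / (name + ".sha256")):
                if p.exists():
                    p.unlink()
            removed.append(name)
    return removed


if __name__ == "__main__":
    print("wrote", make_backup())
    print("pruned", prune())
```

Run it from cron once a night. Before restoring, check the archive against its sidecar with `sha256sum -c`; wp-content holds uploads, themes and plugins, which is what a restore usually needs, while WordPress core itself can be downloaded fresh, which is also the cleaner choice after a hack.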
It’s not a bad idea to do your own site backups using a software tool. If you use WordPress, one of the best backup solutions is BackupBuddy.
BackupBuddy is a complete, easy to use backup solution. Great for easy backups but also useful for transferring sites to new web hosts.
If you use a CMS or blogging platform, such as WordPress, you can export all your content. Though not a true backup of your website, a content export can be useful in situations where you want to start with a clean slate on a new web host after being hacked. This is not a bad idea, since your hosting account is now “infected,” and after cleaning up an attack you can’t be 100% certain the hackers didn’t leave themselves a way back in.
When you are logged into the admin area of a CMS, you can usually find an export function. For WordPress this is under Tools. Use the export function to create a copy of all of your posts, pages, categories and comments. Save this file wherever you want. In most cases you will get an .xml file, which your new site will be able to read.
You should note that some attacks embed links and scripts directly into your content. So by exporting your content to a new site you might be carrying the infection to your new site. Make sure you only import clean files: open the export in a text editor and search it for script and iframe tags and for links you did not add yourself. If you are unsure, get in touch with me and I will inspect your export file.
Encryption and passwords
If you collect money or data from customers, the first step in securing your website should be getting a TLS certificate (still commonly called an SSL certificate) and serving your site over HTTPS. In a nutshell, this means that all communication between visitors and your website will be encrypted. Even if your website is simple and doesn’t require much user interaction (like registering, logging in, and so on), you should do this anyway, since browsers now flag plain http:// pages as “not secure”; and if visitors ever transmit sensitive data it is an absolute must.
When users visit your website, they’re “routed” through a series of networks that transports their request to your site. If any of these networks are compromised by a hacker with malicious intent, all unencrypted communication routed through the network can easily be spied on. That’s why encryption is practically mandatory for commercial websites these days.
SSL certificates can be bought from most domain registrars and hosting companies, and Let’s Encrypt issues them for free; many hosts will install and renew one for you automatically. Once it is in place, redirect all http:// requests to https:// so nobody ends up on the unencrypted version of your site by accident.
Always use encrypted methods to manage your site
The fact is that many web hosts still allow you to connect using the old FTP protocol, which sends all the data (including your username and password) in plain text with no encryption, so anyone on the network path can read it. Needless to say, you should avoid it: use SFTP (file transfer over SSH) or FTPS instead, log in to your admin area only over HTTPS, and use SSH rather than telnet for shell access.
Require strong passwords (and keep them encrypted)
Strong passwords matter for you as a user (see “Use strong passwords everywhere” further down), but they’re not just the responsibility of the user. As a website owner, you have some control over the passwords you allow your users to set, and it’s partly your responsibility to make sure no one is using weak, easily guessed passwords. Remember, not everyone is aware of the dangers of using weak passwords, so you may need to do some educating as well.
You need a policy that strikes a balance between good security and not being annoying to users. Usually it’s a good idea to require passwords to be:
- At least 8 characters long
- Include at least one uppercase letter
- Include at least one digit or special character
You can’t really prevent users from re-using the same password everywhere, but you can at least let them know why it’s a bad idea and try to discourage it. Two things help more than the rules above: length, so allow long passphrases and never cap passwords at 16 or 20 characters, and rejecting passwords that appear on lists of commonly used or previously leaked passwords. And limit failed login attempts per account and per IP address, so that a weak password at least can’t be guessed at thousands of tries per minute.
Storing passwords in plain text is also a really bad idea, as in the event of a compromised server the hacker would gain a complete, working list of usernames and passwords. Many of which could probably be used on other websites.
Instead, store password hashes. A hash is a one-way function, not encryption: there is no key, and no way to turn the hash back into the password. When a user logs in, the password they typed is hashed again with the same per-user random salt and the result is compared to the hash in your database. Use a slow hash designed for passwords (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count), not a plain MD5 or SHA-1 digest, which an attacker with a stolen database can try billions of times per second. If you’re using modern software like WordPress, you don’t need to think about this as it’s already built in.
Keep your software up-to-date
Just as it’s important to keep software on your PC up-to-date, the same also applies to the software that runs your website. Almost every major publishing or e-commerce platform in existence has had its fair share of security problems through the years, including the big ones like WordPress and Drupal. A fairly common occurrence today is hackers exploiting platforms like these to place hidden links to their own websites, in order to gain better rankings in Google.
Automatic updates can be useful in some cases, but since some updates may break installed plugins, themes and settings you’ve changed, a sensible split is to leave automatic updates on for minor security releases (WordPress does this by default) and to apply major upgrades manually, after trying them on a copy of the site. You may want to subscribe to the mailing lists/blogs for your software to make sure you’re among the first to learn about new updates. The longer you wait to apply them, the greater the chance of having your website compromised: automated scanners start looking for a newly published vulnerability within hours of its announcement.
Also, don’t forget to keep the underlying operating system up-to-date (if you’re using an unmanaged VPS or dedicated server). That’s just as important as the website software, or even more so in case you have several websites hosted on the same machine.
Remove everything you don’t use!
Every piece of software or script you have installed on your website is a potential security risk. To minimize the risk of being hacked, make sure you always remove software when you’re no longer using it.
Maybe you installed a WordPress plugin 2 years ago that is barely used today. Or, you installed a script to manage your SQL database with, but ended up using something else. Either way, you should remove it, as it is just one more potential security risk you need to worry about. Delete it rather than merely deactivating it: a deactivated plugin’s files are still on the server and can often still be requested directly by URL, so a hole in them remains exploitable.
Scripts and server-side settings
Avoid SQL injections and cross site scripting (XSS)
You may have seen these terms before when reading about website security. The first one, an SQL injection, is a scenario where user input isn’t checked before being inserted into an SQL query. A malicious user could include actual SQL in their input (for instance when submitting a form), which would then be executed by the database as part of your query. Needless to say, this can be very dangerous. Say you have a database of users, where admins have ‘admin = 1’ set on their row. Using an SQL injection, a hacker could set their own account to admin and thereby gain full control of the website.
The best way to avoid SQL injection is to never build queries by gluing user input into the SQL string. Use parameterised (prepared) queries instead: the database driver sends the values separately from the query text, so they can’t change the query’s meaning no matter what they contain. Trying to filter out anything “resembling SQL” is unreliable and breaks legitimate input (think of a customer called O’Brien). Cross site scripting is the same problem aimed at the browser: if something a user submitted (a comment, a name, a search term) is displayed on a page without being escaped, the attacker can put a script in it that runs in every other visitor’s browser, stealing their sessions or defacing the page. The fix is to escape output for the context it lands in (HTML, attribute, JavaScript, URL) rather than to strip tags on the way in. Again, if you’re using a third party platform, you may already be protected in most cases (keep in mind though that if you install plugins/add-ons, these may bring their own set of security issues).
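The admin-flag scenario above, as an added example (not code from the article): Python against an in-memory SQLite table, with the vulnerable query beside the parameterised one, plus output escaping for the XSS side. The table, the two users and the payload are constructed for the demonstration; the rules apply unchanged to MySQL under WordPress or any other database.

```python
"""SQL injection and XSS: the vulnerable form next to the fixed one (constructed demo data)."""
import html
import sqlite3


def make_db():
    """Constructed sample data: two users, one of them an admin."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, admin INTEGER)")
    db.executemany("INSERT INTO users (name, email, admin) VALUES (?, ?, ?)",
                   [("alice", "alice@example.com", 1), ("mallory", "mallory@example.com", 0)])
    db.commit()
    return db


# --- Vulnerable: user input is pasted straight into the SQL text -------------------------
def update_email_unsafe(db, user_id, new_email):
    db.execute(f"UPDATE users SET email = '{new_email}' WHERE id = {user_id}")
    db.commit()


def find_user_unsafe(db, name):
    return db.execute(f"SELECT name, admin FROM users WHERE name = '{name}'").fetchall()


# --- Fixed: parameterised queries; the driver sends values separately from the SQL ------
def update_email_safe(db, user_id, new_email):
    db.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, int(user_id)))
    db.commit()


def find_user_safe(db, name):
    return db.execute("SELECT name, admin FROM users WHERE name = ?", (name,)).fetchall()


def is_admin(db, name):
    row = db.execute("SELECT admin FROM users WHERE name = ?", (name,)).fetchone()
    return bool(row and row[0])


# --- XSS: escape on output, for the context the value lands in --------------------------
def render_profile(name):
    """HTML for a profile heading; html.escape neutralises < > & and both quote characters."""
    return f"<h1>Hello, {html.escape(name, quote=True)}</h1>"


def demo():
    # Mallory (id 2) edits her own email but smuggles in an extra SET clause and a
    # comment marker that discards the rest of the original query.
    payload = "m@evil.example', admin = 1 WHERE name = 'mallory' -- "

    db = make_db()
    update_email_unsafe(db, 2, payload)
    escalated = is_admin(db, "mallory")          # True: the injected clause ran

    db = make_db()
    update_email_safe(db, 2, payload)
    still_user = is_admin(db, "mallory")         # False: payload stored as a plain string

    # The classic ' OR '1'='1 makes an unparameterised lookup match every row.
    unsafe_rows = find_user_unsafe(make_db(), "x' OR '1'='1")
    safe_rows = find_user_safe(make_db(), "x' OR '1'='1")

    return {
        "escalated": escalated,
        "still_user": still_user,
        "unsafe_rows": len(unsafe_rows),
        "safe_rows": len(safe_rows),
        "html": render_profile("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the safe version also casts the id to an integer: parameters protect the query, but validating that a value has the type and range you expect is still worth doing on top.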
Use vague error messages
One of the most common mistakes made by inexperienced webmasters is using specific error messages, maybe even outputting debug information when something goes wrong. These details can be used by hackers to gain more knowledge about your system, and make it easier to hack.
A common example is a login form. When a user inputs the wrong username and/or password, it may seem logical to tell them exactly what’s wrong, so you print out something like “Your password is incorrect” (which implies that the username is correct). Knowing the username exists on the server, a hacker can start guessing the password from that.
Much better is printing out a vague, generic message like “Incorrect credentials”. The hacker can conclude nothing from this message, and doesn’t know whether the username exists or not. Apply the same thinking to registration and password-reset forms (“if an account with that address exists, we’ve sent it an email”), and make sure the two cases take about the same time to answer, otherwise the response time gives away what the message hides.
Validate data on the server side
Checking a form in the browser with JavaScript (is this an email address? is the quantity a number?) is convenient for users, but it is not security: anyone can bypass the page and send whatever they like straight to your server. Every check must therefore also be done on the server, before the data is used, and the server-side check is the one that counts.
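To tie the last few sections together, here is an added example (mine, not from the article, and not something you need with WordPress, which hashes passwords itself): the three policy rules from the list above plus a check against a constructed stand-in for a common-password list, salted PBKDF2 hashing with a constant-time comparison, and a login routine that answers “Incorrect credentials” in the same way, and after the same amount of work, whether the username exists or not. The iteration count follows OWASP’s current figure for PBKDF2-HMAC-SHA256; the user table is constructed inline.

```python
"""Password policy, salted slow hashing, and a login that leaks nothing (stdlib only)."""
import hashlib
import hmac
import os
import string

# Constructed stand-in for a real breached-password list (e.g. the Have I Been Pwned set).
COMMON_PASSWORDS = {"password", "Password1", "Welcome1!", "letmein", "qwerty123"}
ITERATIONS = 600_000   # OWASP's recommended minimum for PBKDF2-HMAC-SHA256


def check_policy(password, min_length=8):
    """Return a list of problems (empty means acceptable): the article's three rules
    plus a lookup against known-common passwords."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digit or special character")
    if password in COMMON_PASSWORDS:
        problems.append("appears in a list of commonly used passwords")
    return problems


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh 16-byte salt per user,
    so two users with the same password still get different hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hash of a random throwaway password: an unknown username is checked against this so the
# request costs the same time as a wrong password for a real user.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


def login(users, username, password):
    """users maps username -> stored hash. Returns (ok, message). The message is the
    same whether the username is unknown or the password is wrong, and both paths
    do a full hash computation so timing gives nothing away either."""
    stored = users.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored) and username in users
    return ok, ("Welcome" if ok else "Incorrect credentials")


if __name__ == "__main__":
    users = {"alice": hash_password("Tr0ub4dor&3")}   # constructed user table
    print(check_policy("Password1"))
    print(login(users, "alice", "Tr0ub4dor&3"))
    print(login(users, "alice", "wrong"))
    print(login(users, "nobody", "wrong"))
```

In a real application the rate limiting mentioned above sits in front of login(), and the dummy hash trick only matters if your attempts are not already throttled; it costs nothing, so keep it anyway.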
Add extra layers of security
An easy way to make your website a bit more secure is sealing off administration areas with an extra password and/or IP restrictions in front of the application’s own login. On the Apache web server this can be accomplished using “.htaccess” files (your host has to allow them, which most shared hosts do); nginx has equivalent auth_basic and allow/deny directives. That way, even if you’re running software like WordPress, and there’s an exploit in the admin area that could be used by hackers, they’d still have to get through your password/IP restrictions first. Only do this over HTTPS: HTTP Basic authentication sends the password unencrypted otherwise.
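An added example of such a file (not from the article), in Apache 2.4 syntax, for wp-admin/.htaccess: it puts HTTP Basic authentication and an IP allow-list in front of the whole admin directory. The user file path and the 203.0.113.0/24 range are placeholders to replace with your own.

```apache
# wp-admin/.htaccess  (added example, Apache 2.4 syntax)
# Placeholders to replace: the user file path and the allowed address range.
AuthType Basic
AuthName "Administration"
# Create the user file OUTSIDE the web root with: htpasswd -B -c /home/example/.htpasswd yourname
AuthUserFile /home/example/.htpasswd

# A request must satisfy BOTH rules: a valid Basic-auth user AND an allowed source address.
# Use <RequireAny> instead if you want "password OR trusted address".
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>

# Many plugins call admin-ajax.php from the public pages; leave that one file open,
# or the front end of the site breaks for ordinary visitors.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

The login page itself, wp-login.php, lives in the site root, so wrap the same AuthType/AuthName/AuthUserFile/RequireAll lines in a `<Files "wp-login.php">` section in the root .htaccess as well. If your host does not allow AuthConfig and Limit overrides, the file produces a 500 error rather than a login prompt; in that case ask the host or use their control panel’s “password protect directory” feature, which writes the same thing for you.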
From Your Customer’s Perspective
The following are risks to your customers when visiting your site, and addressing these will help you protect your customer’s information and give them peace of mind.
– Could this be a phishing attempt?
Even if you know and trust the website you’re using, you need to make sure you’re actually submitting your info to them and not to an imposter. The easiest way is checking the URL bar, and what matters there is the registered domain, the part right before the “.com” (or other ending) at the end of the host name. Anything ending in “.amazon.com” belongs to Amazon; “amazon.com.secure-login.example” or “amazon-payments.example” do not, even though the word amazon appears in them, and you should be highly suspicious.
If you’re not sure what the URL should look like in a particular case, do a Google search for the company and check the URL in the results. The domain name is the important part here. Keep in mind though that there are clever ways to get around this check – some phishing attempts have been known to open the real site in the browser, and then use a popup window to actually gather the information (so it looks like it’s coming from the real site).
– Is the connection encrypted and secure?
Most browsers display a small “lock” icon in the URL bar when an encrypted (HTTPS) connection has been established with a website. That means nobody between your computer and the website can read or alter your data on the way. It does not mean the website itself is honest: phishing sites get certificates too, so the lock and the domain name check above go together. If there is no lock icon, and you’re about to submit personal or financial information, the best advice is to just not do it. It’s not worth the risk.
As you’ve seen in the “Protecting Your Website” section, implementing SSL is not that costly or difficult, and there’s no excuse for websites anymore to not use encryption. Also keep a lookout for invalid certificates: the browser will warn you when one is detected, in which case you should not submit your info.
- Encryption is the first step in web security, both for user interaction and when performing administrative tasks
- Keep the software you use up-to-date at all times, and remove any software/scripts you don’t use to minimize risk
- Be suspicious of user data, and always validate and filter it on the server side before processing and using it
- Use vague error messages with little or no details to make information gathering harder for malicious users
- Backup your files and databases regularly, and keep the backups for a long time in case you need to roll back after an intrusion
Keeping Your Computer Safe
What does keeping your computer safe have to do with protecting your website? Well, a lot!
Hackers can steal information from your computer, including FTP logins, site and hosting passwords. If you download backups and customer data to your computer they can get at that too, and they don’t have to hack into your site to get it!
In this section I’ll cover the most common threats, and the ways to counter them.
Most Common Threats
Note: it is often difficult to accurately categorize different threats, and many actually belong in several categories. For example, a virus can also contain spyware. The generic term to describe software developed with a malicious intent is malware.
Computer viruses have been around since the 1970s and are probably the most well known type of security threat. It’s impossible to know for sure how many exist today, but new ones are created and released into the wild every day. Computer viruses are developed for a variety of reasons: some are designed to cause serious damage, others are mostly passive. All of them are designed to replicate themselves, however, often by copying themselves into other software installed on the computer. That’s why cleaning a computer of viruses can be difficult, as many legitimate files may be “infected” by the virus.
A worm is similar to a virus, but does not replicate itself into files/data on the computer it infects. The main goal is to just keep spreading to new computers, usually by exploiting security weaknesses over the network. Just like viruses, some worms are very harmful while others are mostly annoying.
A Trojan horse is a harmful program disguising itself as something else. They’re designed to look like legit, useful software, but when the user runs them they can steal data, harm system files or give the creator complete remote control over the infected computer. Unlike viruses, Trojan horses are not self-replicating.
Spyware is software that, as the name implies, is designed to spy on computer activity. It often spreads by exploiting weaknesses in web browsers (Internet Explorer in particular) and other software, or through Trojan horses. Unless the computer is also infected with other forms of malware that causes slow-downs or instability, it’s usually difficult to detect spyware infection as it generally is designed to stay hidden and go unnoticed for as long as possible. The actual “spying” can be anything from stealing sensitive data (like personal information, credit card numbers or passwords) to tracking browsing habits.
Adware is similar to spyware, but the goal here is not to spy on the user, but to make money from showing ads. For example, one form of adware can sit in the background and trigger popup ads based on which websites the user visits. Another type of Adware overwrites ads from legitimate sources with their own – this can be hard to detect as it is usually not that intrusive or obvious to the user.
Keep your system up-to-date
The first step to take in protecting yourself against threats is making sure your system software is up-to-date, and stays up-to-date. This is important whether you’re on Windows, Mac OS, Linux or anything else. Usually when a serious security hole is discovered, it doesn’t take longer than a day before people start exploiting it for malicious purposes. The best way to make sure you’re always fully updated is to enable automatic updates in your operating system. While it may sometimes feel like a hassle (some updates can interfere with your workflow by requiring attention and sometimes rebooting), it is definitely worth it to prevent problems.
Use a firewall and secure your network
Securing your home (or office) network is just as important as your computer. If you use a wi-fi connection, make sure your router is set to WPA2 or WPA3 (never WEP or the original WPA, both of which are broken), and that the wi-fi password and the router administration password are both long and secure. If you’re on a public wi-fi connection, do NOT share any important data unless you’re absolutely certain that the transfer is encrypted (such as browsing on SSL-enabled websites, https).
You should always use a firewall, either installed on your computer or on your router. A lot of software leaves open “ports” on your computer (think of them like doors in/out of your computer, through the network), accessible by savvy intruders. A firewall shuts these doors completely (while still allowing you to open some manually, if you choose to), giving you an extra layer of security.
Scan for viruses, spyware, etc regularly
To make sure your computer is safe from threats, you need to have at least one virus/malware scanner installed and use it regularly. Most can be set to scan your computer automatically when you’re not using it, and also immediately scan any new files you download or run. Of course, to ensure the scanner stays effective, you need to keep it up-to-date just like your system software. Almost all virus- and malware scanners these days include a feature to automatically update their “definitions” (files that describe the threats they should look for).
Use strong passwords everywhere
You’ve probably read about password security many times before. Most of us know that we should use secure, unique passwords everywhere, but as humans we’re naturally lazy. Not only do most people use weak, easily guessed passwords – they also use the same passwords everywhere. Let’s say Website A gets hacked and all their passwords are leaked. Now, if you use the same password on Website B and C, the hacker can also access your accounts on those sites. It’s a very real threat that many overlook. There are, however, tools that can help you secure your passwords with minimal hassle – see the next section for suggestions.
Think before you act
One of the best protections against computer threats is to be naturally suspicious of everything you encounter. Here are a few examples:
- When you’re browsing the web, always look at the destination URL in the browser status bar before clicking on a link. If it looks suspicious, don’t click.
- When you’re downloading software, make sure you’re doing it from a renowned or official website. Never download and run/install software from unknown websites. The same goes for websites that want you to install plugins or browser add-ons. Don’t do it unless you’re absolutely sure what it is!
- Don’t open email attachments unless you’re 100% sure of the contents. Even if it seems like the email originated from a friend, it can be a virus or a hacker posing as them. If in doubt, check with them through a different channel (a phone call or a text message) rather than replying to the email: if their account has been taken over, the attacker is the one who will answer your reply.
There are dozens of anti-virus programs on the market right now, each with their own pros and cons. Some are free to use, others cost money. Aside from downloading and testing them until you find your favorite, you can also look up reviews on sites like AV-Comparatives (a non-profit organization that continually tests these programs and reports its findings).
Unless you have very specific (advanced) requirements, you can do just fine using the firewall built into your router, or the one included with your operating system. You can even use both if you want to. Just double-check so the firewall is really enabled and working.
A password manager allows you to use a unique, secure password for each service, while still requiring you to remember just one: the master password. This is a lot better than trying to keep hundreds of passwords in your head (which may also not be secure enough – with a password manager you can use passwords of 20-30 characters or even more, including special characters and digits).
There are basically two approaches: storing the password database locally, or in the cloud. Mostly it’s a matter of taste, as both approaches have pros and cons. Cloud based usually costs money, and gives you less control than locally stored, but is also often easier to use and there’s no risk of losing your database due to file corruption or viruses (with a local database you must back it up yourself). The most popular cloud based password manager right now is LastPass, and the most popular using local storage is KeePass.
Storing information safely
Avoid storing sensitive documents on your computer
The truth is that there are no guaranteed secure ways to store information on your computer. Even if you store your documents on an encrypted drive, a hacker may be able to spy on your activity to capture your encryption password, or read your files while they’re open and unencrypted.
However, if you employ the advice given in the “Keeping your computer safe” section, and store your most sensitive documents on an encrypted USB stick, you’ll be well protected. Don’t forget to unplug the stick when you’re done with it, and store it somewhere safe (perhaps even in a safe). Now, if you’re working on top secret documents or you’re developing a cure for cancer, you may want to keep your computer completely offline to be 100% safe.
Dispose of your digital devices safely
Many of us store a lot of personal information on our computers, phones and other devices. Even if it’s not really sensitive data, you probably still don’t want strangers to be able to look at it. That’s why you need to take some special care when you’re about to throw away or recycle one of your old devices.
The fact is that even if you delete your files from your hard drive or phone, they can often still be recovered due to the way file systems work (the part of the operating system that is responsible for file operations): deleting normally just marks the space as free. To be completely sure your files are unrecoverable, you need to either destroy the drive or device physically, or use specialized software that overwrites your files with garbage data. Overwriting tools were written for spinning hard drives; on SSDs and phones, the way the hardware spreads writes around means some data can escape an overwrite, so the reliable approach there is to have had full-disk encryption turned on from the start and then do a factory reset (which discards the encryption key), or use the drive’s built-in secure-erase command.
Consider restricting access to your profiles
Unless you’ve really thought about it and know what you’re doing, you should consider locking down your social media profiles and making them accessible only to people you know. Even if you think you’re only sharing non-important bits and pieces that no one cares about, the truth is that when every little update is put together, it can paint a pretty detailed picture of your life, habits, friends and family. In the wrong hands, that information can be used for a number of malicious purposes, including guessing your security questions and crafting convincing phishing emails. People have been blackmailed or even lost their jobs over things they’ve posted on social media, and the worst part is that something you posted two years ago can come back and bite you at any time. In this case it’s better to be safe than sorry!
Beware of impostors
There have been many cases where someone has gotten a message from a close friend, asking for personal information or money, only to later find out that it wasn’t from the friend at all. Someone had hacked their social media account and used it to scam their friends, exploiting the fact that people trust their friends and aren’t suspicious when talking to them on social media.
If you ever receive a suspicious message like that, perhaps written in a tone different from how the friend usually writes, consider asking them a few questions only they would be able to answer. That way you can double-check and make sure they’re really who they say they are. If their response doesn’t convince you, don’t hesitate to report the incident to the website staff. Otherwise the hacker may just keep going through the friend list, and their next victim might not be wise to these tactics.
- The term for software with malicious intent is malware
- The purpose of malware can be anything from simply spreading to as many systems as possible as a proof of concept, to stealing sensitive user data like credit card details
- Keeping your system up-to-date, enabling a firewall and regularly scanning your system for threats is the best way to keep malware out
- Good password security is the best defense against hackers accessing your user accounts (and it is more easily accomplished with a password manager)
- Be on guard and always think twice before acting on something that seems suspicious or “too good to be true”
- Make sure you don’t leave your sensitive data readable on your computers, phones and other devices when sending them off to recycling
- Consider restricting access to your social media profiles, and think twice before posting personal information
- Be suspicious if you receive a strange message from a friend – their account might have been hacked and now the hacker is trying to scam you
As you’ve seen, there are many dangers on the Internet, and you need to be vigilant to stay out of harm’s way. The first line of defense is educating yourself, and after reading this guide you should know enough to be able to avoid most threats. Unfortunately, scams, viruses and data thieves will probably never go away, and the best we can do is learn to deal with it.
Second to education, the most effective way to stay safe is using your common sense and always thinking twice before clicking that link, submitting that form or installing that program you’ve downloaded. It’s been said numerous times already in this guide, but it’s worth repeating that “if it seems too good to be true, it probably is”.
Finally, it’s important to realize that not everyone or everything online is out to get you, and being too paranoid isn’t good either. As long as you use common sense, and follow the best practices (using a virus scanner, keeping your system up to date, and so on), you’ll most likely be quite safe.
There is certainly much more I could have covered. Again, if you have questions about any of the information in this guide or about online security please contact me. If you suspect your site has been hacked, or if you KNOW it has, please get in touch with me right away, I will help you:
- Twitter: @tomlitchfield
- Private Instant Message: WordPress Site Hacked