Is your website security up to scratch? Do you even know?
Why is website security always an afterthought? As a webmaster for almost thirty years, it never ceases to amaze me how ill-informed many people are when it comes to their website security. It’s okay to be blissfully unaware of what’s happening behind the scenes with your website… but only if you have protections in place working on your behalf. Do you?
Why are websites hacked?
Hackers crack websites for a variety of reasons. It could be to simply display propaganda. What better way to reach your audience than to spray your political message across the front page of a well-visited website?
Perhaps there is information the hackers want? Do you have user details? Credit card numbers? Corporate data? Information is big business–especially to the hacker that knows how to sell or exploit it.
A big reason for website hacking nowadays is to hijack the resources of your website, so as to generate SPAM. If you send a million e-mails with carefully crafted payloads of malicious links (such as a phishing scam), it only takes one unsuspecting user to click one and you score their credit card details. Even better if you can find some weakly protected website to send the million e-mails to begin with, right? Hacking a website to generate huge volumes of SPAM is especially insidious as you may not even know it has happened to you.
And then there are the script-kiddies–people that have nothing better to do. They score points with other script-kiddies or otherwise act randomly for the twisted joy of it all. There’s no way to defend against random acts like this.
How to hack a website.
Hackers don’t manually break into websites by hand any more. Long gone are the days of some shady character sitting in a damp basement in the dark and with nothing but a dusty old table lamp to illuminate their laptop. No, nowadays it’s all done programmatically using specially designed software. And the worse part about it all? You don’t even need to be clever to take advantage of these tools. It used to be that hacking was the realm of the super intelligent, somewhat geeky, socially awkward computer nerd with the twisted mind of an evil super villain. Nowadays, pretty much anyone can try their hand at hacking.
Sure, there might be some intelligent hackers out there with specific targets they want to break into, but even those are likely to use automation to get the job done.
If you know where to look, and trust me, the hackers do, there are special software programs you can find that do all the hard work for you. Automated software, sometimes referred to as bots, can scan websites all day long looking for vulnerabilities. They can get through thousands of websites systematically.
They don’t need breaks. They don’t have to stop to stretch their legs. They don’t honor national holidays. They do not understand national boundaries, and they certainly don’t care what you use your website for. Most importantly, they don’t stop. Ever!
Bots work tirelessly and relentlessly minute after minute, hour after hour, day after day, indefinitely until some external force shuts them down. Why bother with the effort of trying to get into a website manually when all you need to do is download a piece of software and hit ‘go’? Come back a few hours, or days, later and check to see which websites you’ve been able to crack. It really is that simple.
What makes a website insecure?
Bots systematically scan a website for a wide range of vulnerabilities. There are lots of ways to break in. It only takes one weakness, and it doesn’t matter where that is. If it exists, the bots will find it and exploit it.
Weak passwords are often cited as one weak spot. This is certainly true. Setting weak passwords is almost a guaranteed way to get your website hacked. Bots take advantage of databases of weak and known passwords. If your password becomes known to the hackers, you won’t necessary know about it. That password could be sold and stored in a database for other hackers to take advantage of. It may be in the hacker’s best interested for you to remain unaware your password has been compromised. They can attempt logins using this information. Given enough time and resources, bots will stumble into the right combination of credentials and the job is done.
Okay, so I just need to make my password secure, right? Wrong. First, do you even know which passwords exist? If you have a WordPress website, for example, there’s the admin login for the site itself. There might be default accounts you aren’t even aware exist. Then there are passwords created by users that might need a login to buy something from your website. Are you enforcing strong passwords for them? Do you use e-mail? What about the passwords for all your e-mail accounts? How about your hosting provider? Do you have cPanel? Plesk? WHM? Do any of these sound familiar? Therein lies the problem.
Even if you know where all the accounts are and secure them with strong passwords, you’re still not out of the woods–not by a long shot.
Weak passwords are but one of a whole battery of attack vectors bots can use to break into your website. Some others include:
- SLQ injection
- Cross site scripting
- Denial of Service (DoS) or Distributed Denial of Service (DDoS)
- Session hacking
- Man-in-the-middle attacks
- Phishing
- Vulnerabilities in out-of-date software
- Brute force attack
The above list is by no means exclusive.
How do I protect my website?
“What can I do to protect myself?” I get this question all the time–often when it’s too late. The right time to ask this question is BEFORE you get hacked. Once a website is compromised, it can sometimes be possible to clean the infection, but the only safe way is to delete everything and start from scratch. You had backups, right?
There are basic best-practices everyone should do to ensure they keep themselves secure:
- Use strong passwords
- Use multi-factor authentication
- Make sure your software is up-to-date. That includes things like your hosting platform, control panel (cPanel, Plesk, etc.), your CMS (WordPress core software, themes, plugins, add-ons, etc.)
- Install security software, like a firewall
- Add an SSL certificate to your website
- Implement robust and reliable backups
But I don’t have any sensitive data on my website. I’ve nothing to be concerned about, right?
Wrong. Bots don’t care what your website is doing. There’s no conscious mind behind the attack. It’s a mindless computer program looking to break in and steal resources anywhere it can gain a foothold.
This report shows how special security software we installed is working automatically in the background. It’s preventing malicious attacks from one of our client’s author websites. Each of these entries represents a failed attempt from a bot to penetrate the site. The security software is working:
Out-of-date software can often make it easy for bots to attack and penetrate your website. If you don’t know there’s a problem, you won’t know to fix it. The following scan result highlights where critical house-keeping attention is needed on this author’s website:
Bots are working hard to break in 24 hours a day. Installing special protective security software means you can sleep, but the software won’t. This next report is from one of our author client websites. It shows the number of recent attacks from bots that the security software has blocked. This isn’t a highly visible big-name author. It's just an average website owner. You don't need to be successful to attract the attention from the bots–your website just has to exist:
The numbers in the above report just go to show what’s going on in the background all the time–even if you don't know it. If you aren’t actively defending your website with something like a firewall, any of these attacks could get through. And it only takes one.
It all sounds like Greek. Where can I turn to for help?
There are a few places you can turn to for help. Your hosting provider is a good place to start. If you are handy with computers, implementing best-practices like changing passwords, updating plugins and so on, is easy to do.
There are things we can do to help. Dragon Realm Press can perform a onetime inspection of your website and provide you with a no-obligation summary of our findings. We’ll tell you what we found. You can then make an informed decision about where to go from there.
We can take preventative action on your behalf, like performing upgrades or installing special security software to protect your site from malicious attack.
If you want even more peace of mind, consider our periodic maintenance and health check service, which many of our clients have already signed up to. We’ll not only make sure your website is in tip-top shape, but we’ll check in on it regularly to make sure someone tends those all-important house-keeping tasks that might otherwise get forgotten.
What should I do?
Ask yourself this question: “How would it affect me if my website went offline right now and I couldn’t get it back?” Think about that for a moment.
Don’t delay. Now is the time to be asking this question, so act now.
Recent Comments