Improve the security of your website in 8 steps


Is your website secure?

How would you answer that question?

You might say, “I haven’t been hacked”, therefore drawing the conclusion that the site is secure.

Or you figure that there is nothing worth stealing on the website. “My site is too insignificant in the scope of the web universe for the bad guys to pay attention to.”

Maybe the real question is: Is your website secure or do you just not know that it’s been hacked yet?

Several years ago, I took over management of an organization’s website. It was due to be completely redesigned, as it was built on an aging framework. But it still worked and a casual inspection showed nothing wrong with the site backend.

Yet, visitors reported seeing content on some pages that definitely shouldn’t be on a family-friendly website. It was clear the site had been compromised.

The question became one of “How fast can you build a new website?” Because the only solution was to take down the old site, remove all files and build a totally new website on the server.

Because of course there was no clean backup that could be reinstalled. (I mentioned that I’d just taken over managing the website.)

Ouch, that was painful. You really don’t want that to happen to your website.

But, you say, there’s nothing worth stealing on my little website.

Sure, you may not have scads of personal data stored on the website. You know, like people’s logins, credit card info, addresses, health info or other things we usually think of.

But your website is on a server. And servers have processing power.

It may not be your stuff that hackers want. (If you happen to have personal information or better yet credit card information stored on the website, that’s just a bonus.)

They might want the server’s capacity and its clean reputation: a server they can configure to send out spam and phishing emails, or to host the pages those emails link to. And if you never notice that you’ve been hacked, all the better.

That’s why small sites may actually be quite interesting to a hacker. Because the site owners are less likely to be tech savvy and the site may be poorly protected, making it an easy target. So “my website is too insignificant for hackers to care about” is really just wishful thinking.

Fortunately, there are some fairly simple steps you can take to protect your website:

Strong passwords for all users

Require strong passwords for all users. Also explain to them why it’s a really bad idea to use the same password in multiple places: whoever gets your password for one site has an easy way into every other site where you’ve used it.

Strong passwords mean it will take a lot more effort for a hacker to get in by simply guessing. Yes, they’re harder to remember, but a password manager takes care of that.

No unneeded user accounts

Disable user accounts that haven’t been used for a while, or delete them outright. Every extra user account is one more way into the website’s backend, often with a password nobody is looking after any more.

No “admin” user names

Raise the bar for hackers. Don’t include the word “admin” in any user name. It is a small obstacle rather than a substitute for a strong password, but it defeats the laziest attacks outright.

I see brute force attacks on websites all the time, as in multiple times every day on one site. All of them are trying to get in with the user name “Admin” and then guessing at the password. So why give the attackers a half win?

Don’t display your actual user name on the website

Many blogs show the name of the post author. Whatever shows up there should not be the same as that person’s login name. A login name handed out for free is half of a credential: the attacker only has to guess the password. Some blogging platforms also expose the login name in author archive URLs or a user listing, so check those as well, not just the byline.

Besides, most blogs have only one person posting, so everyone knows who you are anyway. There is no need to display a name. And if you have multiple authors, it’s better to identify each one with a byline (a short bio) at the end of the post. That reveals nothing about any user accounts.
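The first four steps can be checked mechanically rather than by eye. The script below is an added example, not code from the original post or from any blogging platform. It audits a constructed list of user records and reports which accounts break the password policy, carry “admin” in the login name, show the login name as the display name, or have gone stale. The record fields, the 90-day staleness cutoff, the 12-character minimum and the tiny common-password list are all assumptions made for the example; a real audit would read the records from your site and compare against a full breached-password list.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


# Constructed sample record. The field names are an assumption for this example,
# not the schema of any particular CMS.
@dataclass
class User:
    login: str
    display_name: str
    password: str            # plaintext only because these are made-up sample users
    last_login: Optional[datetime]


# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin123"}
MIN_LENGTH = 12                       # policy assumption for the example
STALE_AFTER = timedelta(days=90)      # policy assumption for the example


def password_findings(password: str) -> list[str]:
    """Return the reasons a password fails the policy (empty list = acceptable)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("appears in common-password list")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        findings.append("fewer than 3 character classes")
    return findings


def audit_accounts(users: list[User], now: datetime) -> dict[str, list[str]]:
    """Map each login that needs attention to the list of problems found."""
    report: dict[str, list[str]] = {}
    for u in users:
        issues = [f"password: {f}" for f in password_findings(u.password)]
        if "admin" in u.login.lower():
            issues.append("login name contains 'admin'")
        if u.display_name.strip().lower() == u.login.lower():
            issues.append("display name reveals login name")
        if u.last_login is None or now - u.last_login > STALE_AFTER:
            issues.append("stale account: disable or delete")
        if issues:
            report[u.login] = issues
    return report


# Constructed sample users and a fixed "now" so the output is reproducible.
NOW = datetime(2024, 6, 1)
SAMPLE_USERS = [
    User("admin", "Site Admin", "admin123", NOW - timedelta(days=2)),
    User("jane", "Jane Doe", "correct-Horse-battery-9", NOW - timedelta(days=5)),
    User("bob", "bob", "Tr0ub4dor&3xtra-long!", NOW - timedelta(days=200)),
    User("guestwriter", "Guest Writer", "Welcome1", None),
]


def run_sample_audit() -> dict[str, list[str]]:
    """Audit the constructed sample; only 'jane' comes out clean."""
    return audit_accounts(SAMPLE_USERS, NOW)


if __name__ == "__main__":
    for login, issues in run_sample_audit().items():
        print(login)
        for issue in issues:
            print("  -", issue)
```

The same checks apply to any account store: run them on a schedule, not once, because the stale-account and weak-password findings reappear every time someone is onboarded and forgotten.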

Comments

I love comments on my blog posts, so I would not disable them. But I also don’t let just anybody in.

One option is to require moderation on all comments. That means any comments left will not display on the website until you review and approve them.

Another option (a bit less work for you) is to require moderation only on comments from posters who don’t already have an approved comment. Commenters who have passed your review once can post and have their comments show up immediately. Totally new commenters must be reviewed by you.

Yes, it’s more work, but seriously, when someone comments on your blog, you should respond to that comment at least by saying “Thanks” anyway. So manually approving it is no real burden.

Do be vigilant in deleting spam comments. Leaving them sitting unapproved in the backend is a bad idea: there’s always the chance that a comment gets approved by accident and goes up on the website for all to see.

Identify spam comments

Does the comment itself make sense? “What you write here I search for long time. Very relevant.” Yeah, that sounds like spam: general praise, typos or strange word order, and nothing specific about your post.

While it’s tempting to have more comments show up on your blog, will comments like this really build your credibility? (The answer is “NO”.)

Plus it probably came from an odd name and carries a link to a website. You really want to check what that website is (not by going there, but by looking at the link carefully). Do you want to link to a random, obscure website offering little pills that will supposedly make you do things you can only dream of? (Again, the answer is “NO”.)

Did you get a comment in a language you don’t understand a word of? Try translating a portion with Google Translate to see if it makes sense. Definitely look at the links in the message. Absolutely never publish anything on your website for the world to see if you don’t know what it is.

Remember that spammers may not even intend the comment to get published. The target may be you, the website owner, clicking the link while reviewing the queue, so that your machine or your login gets compromised.

Getting too much spam from comments or forms on the website? Get a good spam filtering service. A few $ per month will filter out most of the spam and you won’t ever have to see it.
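The moderation rule from the Comments section and the spam signals listed above can be combined into one decision per comment. The Python below is an added example, not code from the post or from any blogging platform or filtering service. It scores each comment on the signals the post describes (links, generic praise, no overlap with the post’s own vocabulary), trashes anything above a threshold, auto-approves commenters who already have an approved comment, and holds first-time commenters for manual review. The sample post, the comments, the phrase list and the threshold are all constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


# Constructed sample data; names, addresses and links are made up.
@dataclass
class Comment:
    author: str
    email: str
    body: str


SPAM_THRESHOLD = 4   # assumption for the example; tune against your own queue

# Stock phrases that say nothing about the post (extend as new ones show up).
GENERIC_PRAISE = ("very relevant", "what you write here", "great post", "nice article",
                  "thanks for sharing", "very informative", "i search for long time")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]{5,}")   # "content" words: 5+ letters, ignores the/and/for


def content_words(text: str) -> set[str]:
    return set(WORD_RE.findall(text.lower()))


def spam_score(comment: Comment, post_words: set[str]) -> tuple[int, list[str]]:
    """Score the comment on the signals from the post; higher means more spam-like."""
    score, reasons = 0, []
    body = comment.body.lower()
    links = URL_RE.findall(comment.body)
    if links:
        score += 2 * len(links)
        reasons.append(f"{len(links)} link(s): {', '.join(links)}")
    hits = [p for p in GENERIC_PRAISE if p in body]
    if hits:
        score += 2
        reasons.append("generic praise: " + "; ".join(hits))
    if not (content_words(comment.body) & post_words):
        score += 2
        reasons.append("nothing specific about the post")
    return score, reasons


def moderate(comment: Comment, post_words: set[str],
             approved_emails: set[str]) -> tuple[str, int, list[str]]:
    """Return (decision, score, reasons): 'spam', 'approve' or 'hold'."""
    score, reasons = spam_score(comment, post_words)
    if score >= SPAM_THRESHOLD:
        return "spam", score, reasons      # delete it; never leave it waiting in the queue
    # Identity is the self-reported e-mail address, which is trivially forged, so the
    # spam check runs first and "known commenter" only skips the manual review step.
    if comment.email.lower() in approved_emails:
        return "approve", score, reasons
    return "hold", score, reasons          # first-time commenter: review by hand


# Constructed post and comments.
SAMPLE_POST = "How to rotate API keys without downtime: schedule, overlap, revoke."
APPROVED_EMAILS = {"jane@example.com"}
SAMPLE_COMMENTS = [
    Comment("Best Pills", "sales@example.com",
            "What you write here I search for long time. Very relevant. "
            "http://example.com/cheap-pills"),
    Comment("Sam", "sam@example.com",
            "Does the overlap window need to cover the longest running job "
            "before you revoke the old key?"),
    Comment("Jane", "jane@example.com",
            "Does the overlap window need to cover the longest running job "
            "before you revoke the old key?"),
    Comment("Jane", "jane@example.com",
            "Great post! Check out https://example.net/ and https://example.org/ too."),
]


def run_sample_moderation() -> list[tuple[str, int, list[str]]]:
    """Expected decisions: spam, hold (new commenter), approve, spam (trusted but spammy)."""
    post_words = content_words(SAMPLE_POST)
    return [moderate(c, post_words, APPROVED_EMAILS) for c in SAMPLE_COMMENTS]


if __name__ == "__main__":
    for c, (decision, score, reasons) in zip(SAMPLE_COMMENTS, run_sample_moderation()):
        print(f"{decision:8} score={score} author={c.author!r} {reasons}")
```

The fourth sample matters most: a previously approved commenter who suddenly posts a link blast is treated as spam, not waved through, because the spam check is applied before trust is.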

Keep things updated

It should be self-evident, but do keep your website core and all plugins/apps on the server up to date, including security patches. If you don’t fix something that is outdated or broken, somebody will find it and use it to gain access, because once a flaw is published, attackers scan for sites that still have it.

Security software/plugin

Your website should have security software or a security plugin installed. It can protect against attacks in several ways, including by locking attackers out.

One day I watched a site I manage receive a rapid stream of spam comments, all from the same IP address in St Petersburg, Russia. I could delete the spam as fast as it came in, or block that IP address. I use a blacklist, so they’re on that list now. That’s of course no guarantee that they won’t try from another IP address. However, this process can be automated.

The same goes for login attempts. Every site login should be monitored for where attempts come from and how many fail. If you’re the only person who ever logs in to your website, the entire world doesn’t need to be able to try.

I manage Salesforce installations for clients and part of basic security there is the ability to whitelist a range of IP addresses so only those can log in to the particular Salesforce installation. Plus, exceed a certain number of login attempts and you’re locked out for a period of time. Those are simple things that will greatly reduce risk and they can be implemented on just about any website.
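Here is what the login allowlist, the lockout after repeated failures and the IP blocklist look like as one piece of logic. This is an added Python example, not code from the post, from Salesforce or from any particular security plugin; the addresses, thresholds and the fake clock are constructed for the demo. It locks both the source IP and the targeted account, because an attacker who rotates addresses (as the post notes they will) defeats a per-IP counter on its own.

```python
from __future__ import annotations
import ipaddress
from collections import defaultdict, deque


class LoginGuard:
    """Allowlist + blocklist + failed-attempt lockout, keyed per source IP and per
    target account. Time is plain seconds so the demo can drive a fake clock."""

    def __init__(self, allowed_ranges=(), max_failures=5, window=600, lockout=900):
        self.allowed = [ipaddress.ip_network(r) for r in allowed_ranges]
        self.max_failures = max_failures      # failures inside `window` that trigger a lock
        self.window = window                  # seconds
        self.lockout = lockout                # seconds
        self.failures: dict[tuple, deque] = defaultdict(deque)   # key -> failure timestamps
        self.locked_until: dict[tuple, float] = {}
        self.blocklist: set = set()

    @staticmethod
    def _keys(ip: str, username: str) -> tuple[tuple, tuple]:
        return ("ip", str(ipaddress.ip_address(ip))), ("user", username.lower())

    def block_ip(self, ip: str) -> None:
        """Manual or automated blocklisting, e.g. the address behind a burst of spam."""
        self.blocklist.add(ipaddress.ip_address(ip))

    def check(self, ip: str, username: str, now: float) -> tuple[bool, str]:
        """Decide whether a login attempt may even be tried."""
        addr = ipaddress.ip_address(ip)
        if addr in self.blocklist:
            return False, "blocklisted"
        if self.allowed and not any(addr in net for net in self.allowed):
            return False, "ip not in allowlist"
        for key in self._keys(ip, username):
            if now < self.locked_until.get(key, 0):
                return False, f"locked out ({key[0]})"
        return True, "ok"

    def record_failure(self, ip: str, username: str, now: float) -> list[str]:
        """Count a failed login; return which scopes ('ip', 'user') just became locked."""
        locked = []
        for key in self._keys(ip, username):
            q = self.failures[key]
            q.append(now)
            while q and now - q[0] > self.window:     # forget failures outside the window
                q.popleft()
            if len(q) >= self.max_failures:
                self.locked_until[key] = now + self.lockout
                q.clear()
                locked.append(key[0])
        return locked

    def record_success(self, ip: str, username: str) -> None:
        for key in self._keys(ip, username):
            self.failures.pop(key, None)


def run_sample_attack() -> list[tuple[bool, str]]:
    """Constructed sequence: an outside address, then a guessing burst from inside the allowlist."""
    guard = LoginGuard(allowed_ranges=["203.0.113.0/24"], max_failures=3, window=600, lockout=900)
    log = []
    log.append(guard.check("198.51.100.7", "admin", 0))           # not in the allowlist
    for t in (10, 11, 12):                                         # three wrong passwords
        ok, _ = guard.check("203.0.113.10", "editor", t)
        if ok:
            guard.record_failure("203.0.113.10", "editor", t)
    log.append(guard.check("203.0.113.10", "editor", 13))         # locked after 3 failures
    log.append(guard.check("203.0.113.11", "editor", 14))         # new IP, same account: still locked
    log.append(guard.check("203.0.113.10", "editor", 12 + 901))   # lockout has expired
    guard.block_ip("203.0.113.50")
    log.append(guard.check("203.0.113.50", "editor", 2000))       # blocklisted outright
    return log


if __name__ == "__main__":
    for allowed, reason in run_sample_attack():
        print("allow" if allowed else "deny ", reason)
```

The same counter works for comment or form submissions: key it on the source IP, and the rapid stream of spam from one address described above gets cut off automatically instead of being deleted by hand.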

Finally, the security software/plugin should also run regular malware scans of your server and files. If you’re doing the other things right, there won’t be anything to find. But better to check and be safe than not check and wind up really sorry.

What about the hosting provider?

You might wonder whether the hosting provider shouldn’t take care of all this. The answer is that they generally provide (some) protection against attacks at the server level, but they don’t deal with anything inside your website. For one thing, they don’t know the ins and outs of your website installation. At the end of the day, keeping your website protected is up to you.

These 8 basic steps can significantly harden your website and make it far more difficult for a hacker to gain access. Which is important, because, remember, every website has something hackers want: a server that can run apps and processes and send email, all of which can be taken over or piggybacked on for spamming purposes.

Action point: Do a security review of your website and take any needed action. Timeline: Immediately.
