There are people out to get you on the Web. No, this is not paranoia talking – it’s real. The sooner you realize that, the better you can protect your website.
Hackers are not just after big businesses, government and the military. Even websites owned by small businesses are at risk of hacking and other malicious attacks. Attackers can deface your website, replace your content, redirect your website to their domains, inject malware and other harmful files, and even change your login information. You can also become a target of denial of service attacks that can cripple your server and bring your site offline.
Not only will you lose income when your website is down, but you risk losing the trust of your visitors and customers. Trust is the most important online value, especially since visitors cannot easily judge a business on the Web. In a traditional business, by contrast, a visitor can develop perceptions about the business simply by looking at the store’s outside and inside appearance, talking to the sales people, and physically checking out the products.
On the Web, all you have is your website to create a good impression and give the feeling that this is a website the visitor would want to deal with. But if instead of finding your homepage, they find a notice that the website has been hacked, they’ll be clicking the back button faster than you can say “Don’t go; we’re fixing the problem.” Unless they have previously been to your site and been wowed by your online business, chances are high that they will not come back again. And down the drain go all your marketing efforts.
You may be thinking, “Why will I be hacked? I’m not a big name website that these hackers should waste their time on to try to hack my website!”
Why you? Well, simply because your site is on the Web and that makes it fair game for the cyber low-lives to go after you. Don’t take it personally: some of these hackers may not even have visited your website. Many of them are robots sniffing around for vulnerabilities in your server and in your website. They’re looking for holes in your system, vulnerabilities in your server, outdated plugins and software. These hackers are also looking for weak login information for content management systems and databases. Here’s a screenshot of recent attempts to log in to a WordPress website using “admin” as the username:
It is important to remember that not all hackers leave obvious signs like a defaced or redirected homepage. Some hackers may have been inside your system without you ever knowing it. But what they did — e.g. implant malicious scripts and PHP files into your website’s folders — will be felt in the following days or months. Imagine going to your website expecting to see your pages, only to be redirected to this warning page from your browser that your website has malware:
If your website has a strong brand like Youtube, chances are the visitor will just think that it’s an error somewhere and will still come back to the site. But if you are a website that they’ve never heard of, you lose your chance to impress them and they may never want to visit you again.
One way hackers get access to your site is through a brute force attack. A brute force attack occurs when some entity repeatedly tries to log in to your system using a variety of usernames and passwords over and over again, typically through automated programs or bots. Using content management systems such as WordPress makes your site vulnerable to brute force attacks. These attacks can cause your server to become slow and unresponsive. When the attacks are intense (coming at a rate of one login attempt every 1-2 seconds for an hour or more), this type of brute force attack can even bring your site down.
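The rate described above (one login attempt every second or two, sustained for a long time) is exactly what a brute force attempt looks like in a web server access log. Below is an added example, not code from the original post or from any product it mentions, that parses Apache/nginx combined-format log lines and flags any client IP that POSTs to WordPress’s login page more than a threshold number of times inside a sliding time window. The log lines are constructed for the example, and the default threshold of 10 POSTs per minute is an assumed tuning value, not a figure from the post.

```python
"""Detect brute force login attempts in a web server access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format. WordPress authenticates via POST /wp-login.php.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_brute_force(lines, window=timedelta(minutes=1), threshold=10,
                     login_path="/wp-login.php"):
    """Map each offending IP to the number of login POSTs in its busiest `window`.

    An IP is reported when at least `threshold` POSTs to `login_path` fall inside
    any sliding window of length `window`. Both defaults are assumed tuning values.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == login_path:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        busiest = 0
        start = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until every timestamp in it is within `window` of `ts`.
            while ts - stamps[start] > window:
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest >= threshold:
            flagged[ip] = busiest
    return flagged


def make_line(ip, ts, method, path, status):
    """Build one constructed combined-format log line for the sample below."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: one bot hammering the login page every 2 seconds (12 attempts),
# plus one legitimate editor who loads the login page once and logs in on the second try.
BASE = datetime(2015, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [make_line("203.0.113.7", BASE + timedelta(seconds=2 * i), "POST", "/wp-login.php", 200)
              for i in range(12)]
SAMPLE_LOG += [
    make_line("198.51.100.4", BASE + timedelta(seconds=5), "GET", "/wp-login.php", 200),
    make_line("198.51.100.4", BASE + timedelta(seconds=9), "POST", "/wp-login.php", 200),
    make_line("198.51.100.4", BASE + timedelta(seconds=40), "POST", "/wp-login.php", 302),
]

if __name__ == "__main__":
    for ip, count in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within one minute")
```

The legitimate editor is never reported because two POSTs in a minute stay under the threshold, while the bot is reported with all 12 attempts. Running this over a real log is a cheap way to confirm what a plugin’s live traffic view shows, and the flagged IPs are the ones to hand to your host’s firewall.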
Another form of attack is denial of service, where nefarious entities on the Web overload your server in an attempt to bring your website down. Since your hosting account, whether shared or dedicated, has a set amount of bandwidth, denial of service attacks aim to overload your server so that when legitimate users access your site, they find it totally unresponsive, down, or excruciatingly slow to load. While denial of service attacks are typically aimed at big businesses, high profile websites, banks and others, small businesses cannot afford to ignore the possibility that their websites could be targeted as well.
Make no mistake about it: your website is at risk — even if you are just a small online entrepreneur. You need to make sure that you are proactive in protecting your website.
1. Quality of the web host
Security and protection start with the quality of your web host, the server they provide, and how they configure that server (and just because you are on a dedicated server doesn’t mean that your site is well protected). The server that your website is on must have top-notch server security systems and firewalls in place, with updates and patches applied as soon as they are available. Your web host must be proactive in ensuring the security of your server and capable of blocking brute force attacks.
2. Use strong usernames and passwords
Whether you are using WordPress, Drupal, Sitecore or any other content management system, use really strong passwords. Never, ever use “admin,” “administrator” or even your domain name as your login name. WordPress uses “admin” as the default username of the administrator. Be sure to change this and choose a username that is not publicly shown on the site. Passwords must be complex (no “momof3gr8kids” or common-word passwords).
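The rules in this section can be turned into a check you run before creating an administrator account. The following is an added example, not code from the original post or from WordPress, that rejects the default and guessable usernames named above, a username equal to the site’s domain, and passwords that are short, lack character variety, or are built from common words even after “leet” substitutions such as the “3” in “momof3gr8kids”. The word list and the 12-character minimum are assumptions chosen for the example; a real deployment would use a large breached-password list.

```python
"""Credential policy check for a CMS administrator account (added example)."""
import re

# Default or easily guessed account names (constructed list; extend for your CMS).
WEAK_USERNAMES = {"admin", "administrator", "root", "user", "test", "wordpress"}

# Constructed mini dictionary; a real check would use a large wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "mom", "dad",
                "kids", "love", "great", "admin"}

# Common "leet" substitutions, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed policy value


def username_problems(username, domain):
    """Return reasons the username is a poor choice for an admin account."""
    problems = []
    u = username.lower()
    label = domain.lower().split(".")[0]  # "example" from "example.com"
    if u in WEAK_USERNAMES:
        problems.append(f"username '{username}' is a default or guessable account name")
    if u == domain.lower() or u == label:
        problems.append("username is the site's domain name")
    return problems


def password_problems(password):
    """Return reasons the password fails the complexity and common-word rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("password uses fewer than 3 character classes")
    normalized = password.lower().translate(LEET)
    found = sorted(w for w in COMMON_WORDS if w in normalized)
    if found:
        problems.append("password contains common words: " + ", ".join(found))
    return problems


def credential_problems(username, password, domain):
    """Combined check; an empty list means the pair passes the policy."""
    return username_problems(username, domain) + password_problems(password)


if __name__ == "__main__":
    for user, pw in (("admin", "momof3gr8kids"), ("jk_editor42", "T7#vWq!m9Lz@pR")):
        issues = credential_problems(user, pw, "example.com")
        print(f"{user!r}: {'OK' if not issues else '; '.join(issues)}")
```

The first pair fails on three counts (default username, only two character classes, and the words “mom” and “kids”), while the second passes. The leet normalization is what lets a dictionary check catch “m0m” or “k1ds” as well as the plain spellings.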
3. Keep your systems updated.
If you are using WordPress, keep your plugins and WordPress itself upgraded. Delete plugins that you have deactivated and no longer use. Security by misdirection does not really work (e.g. plugins such as Stealth Login), as those only fool humans (remember, most hackers use robots).
4. Have an arsenal of software and plugins to secure your systems
In addition to the firewall and other security protection provided by your web host, you need to install software and plugins that will protect your system. If you are using WordPress, some must-have plugins include Wordfence Security and Anti-Malware (Get Off Malicious Scripts). Wordfence Security has live traffic monitoring that shows you login attempts against your system, including the location and the username used in the attempt. Anti-Malware (Get Off Malicious Scripts) is very good at cleaning up malware and infected scripts in your system. There are several must-have plugins for WordPress, but these two are top-notch in terms of protecting your WordPress-based website.