When it comes to website security, it’s a scary truth that most of us would rather put out of our minds – hackers are on the rise, and it’s far too likely that at some point your sensitive information will end up with someone up to no good.
Whether it’s your log-in information, your bank details or even more personal information like your date of birth and national insurance number, cyber criminals can run up debts, take out credit cards and steal your identity. A little bit of common sense online can help avoid a lot of the danger, but what if the danger comes from a business you know and trust?
Data leaks from large companies are often in the news, and it’s basically the worst press a company can get. TalkTalk was recently hit by its third cyber-attack, but it’s far from the only one. As this BBC Panorama programme on website security discusses, virtually any website, from the US government to a small business, can be hit by an attack. We definitely recommend that you watch the programme, as it gives a great insight into how internet users can protect themselves online.
For website owners, there is a whole host of extra concerns. Hackers only need to find a single overlooked vulnerability, and they can get into your database, accessing customer details, passwords, and credit card information easily.
So, how do you stop your website from joining the ranks of the hacked?
This is a key issue for anyone on the web. Most website hacks are due to administrators with profoundly easy-to-guess passwords. Hackers can use a simple guessing technique whereby a program repeatedly asks the secure login page “is this the password?”, working through a dictionary of words. Using this approach, known as brute-force cracking, the program can try tens of thousands of different words in one second. It’s not enough to avoid using the word “password” as a password.
Use unique passwords for each log-in area, and ideally use long randomised passwords containing letters, digits and symbols. Force any website users to have secure passwords as well – they may not enjoy having to include a capital letter and a symbol, but it will massively increase your website security.
Adding Captcha fields to your forms can prevent hackers from brute-forcing them, as well as deterring spambots. These are getting slicker and less of a chore for the user all the time, like Google’s reCAPTCHA field.
The log-in issues don’t stop at your password. Log-in pages themselves are the easiest way into your website: if a weak password is leaving your front door unlocked, an insecure login page is like having a glass front door, and enough blows will break it.
There are tons of ways to tighten up the login process. As with the password, use a non-obvious username (i.e. not “admin”), as that doubles the difficulty for anyone trying to guess their way in. Also make sure it’s not possible for people to find out usernames from email addresses or URLs.
You can add restrictions on IP addresses if a user attempts to log in too many times, or even restrict access by country if necessary. Keep a record of any IP addresses blocked so you can determine whether they belong to hackers or just forgetful users.
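One way to implement the lockout described above, as an added example rather than code from the original article: a small throttle that counts failed log-ins per source IP inside a sliding window, blocks the IP for a fixed period once it passes the limit, and keeps a log of every block for later review. The limits and the time windows are hypothetical values chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Hypothetical policy values: five failures within five minutes earns a
# fifteen-minute block. Tune these to your own site's traffic.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Track failed log-ins per source IP and block repeat offenders."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable clock for testing
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> unix time the block expires
        self.block_log = []                  # (ip, blocked_at) pairs for review

    def _prune(self, ip, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, ip):
        """Check this before even looking at the submitted password."""
        now = self._clock()
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # lockout has expired
            del self._blocked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def record_failure(self, ip):
        """Call after a wrong password; returns True if the IP is now blocked."""
        now = self._clock()
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= MAX_FAILURES:
            self._blocked_until[ip] = now + LOCKOUT_SECONDS
            self.block_log.append((ip, now))
            return True
        return False

    def record_success(self, ip):
        """A correct log-in resets the failure count for that IP."""
        self._failures[ip].clear()
```

The `block_log` is what lets you later separate a forgetful user (one block, then a successful log-in) from an attacker (blocks repeating as soon as each lockout expires).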
If you’re using a non-bespoke system, the login pages will have generic URLs. Change these to unique ones to make it hard for hackers to find the way in.
If you’re using one of the many off-the-shelf tools out there such as WordPress, you’ll occasionally get notifications that aspects of it need updates installed. Just as there are many viruses for Windows because it’s so popular, there are a lot of hackers out there trying to specifically break into WordPress and other popular Content Management Systems. But the size of the CMS communities means that even more people are constantly working to fight this threat – and they roll out this work using the Updates system.
As well as adding new features, fixing bugs and improving compatibility, one of the updates’ key roles is to patch website security vulnerabilities. It may seem a drag to have to run updates so regularly, but the alternative is missing out on a better protected site. It’s not just the CMS itself: any plugins, themes and additional features also need to be updated.
A website is a piece of software just like any other. And like any other piece of software, it can get viruses. They can mess up your databases and even ruin the server where your site is stored. They can also inject malicious code into your content, which is then downloaded by your visitors. Search engines may pick up on this and flag it when users try to visit your website, which can hugely damage your search traffic as well as your reputation.
Just like a computer, your website should have a firewall. By putting your firewall rules into a special file called the .htaccess file, which on Apache servers is processed before anything else whenever anyone accesses your website, the firewall will act before any potentially malicious scripts can attack. This can do a huge variety of things, including blocking fake Googlebots and tracking IPs. There are also just as many anti-virus scans for websites as there are for computers.
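The “fake Googlebot” check mentioned above, as an added example that is not from the original article: a crawler that merely sends a Googlebot user-agent string is not proof of anything, so the check does a reverse DNS lookup on the source IP, requires the hostname to sit under Google’s crawler domains, and then confirms the forward lookup of that hostname returns the same IP. The DNS records and log lines below are constructed for the example (documentation address ranges, hypothetical hostnames); the default resolvers use the real `socket` calls.

```python
import socket

# Hostname suffixes Google publishes for its crawlers.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def _default_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _default_forward(hostname):
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def is_genuine_googlebot(ip, reverse_lookup=_default_reverse,
                         forward_lookup=_default_forward):
    """Reverse DNS must land in Google's domains AND forward DNS of that
    hostname must come back to the same IP; a spoofed PTR fails step two."""
    host = reverse_lookup(ip)
    if not host or not host.lower().endswith(GOOGLE_SUFFIXES):
        return False
    return forward_lookup(host) == ip


def claims_googlebot(user_agent):
    return "googlebot" in user_agent.lower()


def filter_fake_googlebots(log_lines, reverse_lookup, forward_lookup):
    """Return the IPs that claim to be Googlebot but fail verification.
    Each constructed log line has the form: ip "user-agent"."""
    fakes = []
    for line in log_lines:
        ip, _, ua = line.partition(" ")
        if claims_googlebot(ua.strip('"')) and not is_genuine_googlebot(
                ip, reverse_lookup, forward_lookup):
            fakes.append(ip)
    return fakes


# Constructed DNS data standing in for real lookups (hypothetical records).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",      # genuine
    "203.0.113.9": "203-0-113-9.example-hosting.net",    # ordinary host
    "198.51.100.4": "crawl-192-0-2-10.googlebot.com",    # spoofed PTR record
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": "192.0.2.10",
    "203-0-113-9.example-hosting.net": "203.0.113.9",
}

# Constructed access-log extract: source IP followed by the quoted user agent.
SAMPLE_LOG = [
    '192.0.2.10 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.4 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.9 "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '203.0.113.50 "Mozilla/5.0 (Windows NT 10.0) Firefox/100.0"',
]
```

The IPs this returns are the ones worth adding to a deny rule; genuine Google crawlers pass both lookups and are left alone.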
If you’re on a shared server, it’s important to let your hosting company know about the virus in case it has made its way onto any of the other sites hosted there. The infection could make its way back to you if the entire server isn’t cleaned, and it’s possible that the virus originated on one of the other hosted sites in the first place.
Hacking is on the rise, as the amount and type of information on the internet gets more important and as the population gets more computer savvy. It’s never pleasant to be on the receiving end of a hack, for the website owner or its visitors, so it’s increasingly important to take as many precautions as possible to ensure your business and your customers stay safe on the web.
Check back soon for part 2 of Site Security, on how negative SEO can trash your search rankings.