Patching the Security of your Website

Website security should not be treated as insignificant, and it won’t be if you keep your system updated and protect it with some free security tools.

Behind the scenes of your website, and indeed the entire online world, a battle is constantly raging. It’s not the kind of battle you see in the movies. There’s no blood, guns, or violence. But there are soldiers, weapons of mass destruction, and grisly battle scenes.

If you’re wondering what we’re on about, we’re of course referring to the malicious targeting of websites and software by computer hackers. The soldiers are programmers, the weapons are code, and the grisly battle scenes – well, only the IT team can attest to those.

At all times, invisible to the everyday world, thousands upon thousands of hackers are online, searching for weaknesses and vulnerabilities in computer systems that they can exploit. That includes individual websites (even those of small businesses), as well as large applications that are used by millions – applications like banking systems, website systems, security systems.

The rewards for finding such a loophole can be as varied as lifting credit card information, directing payments to a rogue account, using the website to promote a political agenda, stealing email addresses, or sending out spam mail. Sometimes, the rewards gained seem trivial or infantile – for example, spending hours hacking into a website in order to display a screen announcing ‘you’ve been hacked!’ along with circus music and a dancing cartoon (we’ve seen it happen). It’s not for us to question why hackers do the things they do. All we can do, in the immortal words of Mad Eye Moody, is practice ‘CONSTANT VIGILANCE!’

You may be forgiven for thinking this is all a little over the top. After all, how often does your own website get hacked? Surely this is something only the big companies, who store credit card information, need to worry about? Well, although we admit the tone of this article is a little tongue-in-cheek, it may surprise you to learn that your own website is most likely the target of a hacking attempt many times – even hundreds or thousands of times – every day. Even small websites with modest traffic. Even websites hosted in little old NZ. In fact, in the last month we’ve noticed plenty of malicious activity attempted on our own clients’ websites – small, local businesses with a trickle of traffic.

Now, don’t panic. We said hacking attempts – that doesn’t mean they are successful. Most hacking attempts consist of a hacker trying to guess the password and login details to the backend of your website. They do this by running software that makes thousands of attempts at once, each time trying a different login and password combo. To summarise conventional password wisdom:

  • don’t have a password that is easy to guess!

    So passwords shouldn’t be someone’s date of birth. Or ‘admin’. Or ‘password’.

  • don’t have a login name that is easy to guess!

    That rules out your first name, your website name, and once again, ‘admin’.

Lifehacker has a great article on passwords and hackers. Amazingly, the article shows that adding a mix of capital and small letters, plus a symbol or two, into your password can make it exponentially harder for hackers to guess.

We mentioned that you’re probably not aware of all these hacking attempts going on daily under your very nose. Well, if you’ve got a good IT team, that’s because: 1) your website has been set up with some solid security features, and 2) you’ve got a good IT team who are certainly aware of suspicious activity and working constantly to limit it.

Now we’re getting to the heart of this article: how small businesses can protect themselves from security breaches and hacking attempts.

Big companies will have entire teams dedicated to this job (and much needed too – back in 2012, the Pentagon reported 10 million hacking attempts… per day).

Although choosing difficult passwords and login details is certainly a good start, that’s not the only way that hackers can compromise your website. Any content management software, plug-ins or themes you use can also be targeted, and if successfully hacked, can introduce vulnerability to every website which uses that software.

Again, this is more common than the average small business owner might realise. In December 2014, the security team at Sucuri discovered that Revolution Slider, a popular WordPress plugin, had a critical vulnerability that left it open to attack. In January 2015, Magento reported a security issue. And on April 27 2015, just this week, a security breach was uncovered in the WordPress comments feature.

In most cases, the software owners quickly release a security ‘patch’ that will close up the loophole that has been exposed. However, the problem is that many small companies ignore the patch and do not implement it on their site – or, they don’t hear about the security breach and the subsequent patches required, so their websites remain vulnerable. That’s when hackers can swoop in, ironically using the information released and exploiting websites which haven’t moved to block the breach. To go back to our battle imagery, it’s like finding out you left the gate to the castle unlocked, holding the key in your hand, and then losing the race to lock it before the hordes arrive.

We monitor the activity on all our clients’ websites and have several strong security measures in place to block unwanted traffic and hacking attempts on individual websites. When security breaches are discovered in any of the software we use, we also implement the patches across all affected websites as a matter of priority. Here, then, is our checklist of what webmasters can do to ensure the safety and security of their website at all times:

  • Keep your system updated
    Whether your site is operating on WordPress, Magento, Joomla, or even custom-made on a framework, make sure you are up to date with updates. With custom-made sites, be prepared to update your framework if necessary.
  • Protect your websites with free security tools
    We like WordFence and ModSecurity. ClamAV is also a good, free server antivirus program.
  • Sign up to some security blogs
    Make sure you’re in the know when security breaches are discovered and announced. That way you’ll be able to update your site with the patch as soon as it’s available. Sucuri.net is a great security blog with helpful information on what to do if your site is compromised by a breach.
  • Ensure your server is up-to-date with all security updates
    Your server is another point at which hackers can try and gain access to or compromise your system. Talk to your hosting company about any security features they have in place and don’t be afraid to complain if you feel security is not up to par.
  • Get your server logs and performance checked regularly by a specialist
    Your server logs contain valuable records of all the IP addresses that have tried to log in to your servers, and where they are from. Thousands of failed login attempts from IPs outside of your own country are a clear sign of malicious hacking attempts. A slow server can also be a sign that your server has been hacked and is being used for ulterior purposes.
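
As an added example (not part of the original article or of any tool it names), here is one way to run the failed-login check from the last checklist item over a web server access log. It assumes a WordPress site, the Apache/nginx combined log format, and that a failed login returns a non-redirect status; the function names, threshold and sample log lines are constructed for illustration, and the country lookup is left out because it needs a GeoIP database.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip - user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/wp-login.php"  # assumption: the site runs WordPress


def failed_logins_by_ip(lines):
    """Count failed login POSTs per client IP.

    Assumption: WordPress answers a successful login with a 3xx redirect and
    re-renders the form (200) on a bad password, so POST + non-3xx = failure.
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are malformed or in another format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        failed = m["method"] == "POST" and not m["status"].startswith("3")
        if failed and path == LOGIN_PATH:
            counts[m["ip"]] += 1
    return counts


def suspicious_ips(lines, threshold=5):
    """Return (ip, failures) pairs at or above the threshold, worst first."""
    ranked = failed_logins_by_ip(lines).most_common()
    return [(ip, n) for ip, n in ranked if n >= threshold]


# Constructed sample log using documentation-range IPs, not real traffic.
_FMT = '%s - - [27/Apr/2015:10:%02d:00 +1200] "%s /wp-login.php HTTP/1.1" %d 3512 "-" "Mozilla/5.0"'
SAMPLE_LOG = [_FMT % ("203.0.113.7", i, "POST", 200) for i in range(8)] + [
    _FMT % ("198.51.100.4", 10, "POST", 200),  # one mistyped password...
    _FMT % ("198.51.100.4", 11, "POST", 302),  # ...then a successful login
    _FMT % ("192.0.2.10", 12, "GET", 200),     # only viewing the login form
    "garbage line that is not in combined format",
]

if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG):
        print(f"{ip}\t{n} failed logins")
```

On a real server, pass the open access log file to `suspicious_ips` instead of `SAMPLE_LOG` and tune the threshold to your normal traffic.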

By staying aware of crucial information shared online on security blogs, plus placing key defences on your website and creating strong passwords, you’ll go a long way towards protecting your website from malicious hacking attempts. Awareness and vigilance are key. If you don’t manage your website yourself, call your hosting company and web developers and find out what security measures they have in place for your site.

At the end of the day, we can only arm ourselves with the weapons available to us and continue to fight the good fight against online hackers. But DO make sure you equip yourself with the free weapons – that is, free security tools – that are available to protect your site! And don’t forget that if someone tells you you’ve left the gate unlocked – your first priority is to lock it back up!