They’re all nightmares waiting to happen:
- “This website May Be Hacked” is prominently displayed on Google’s search results for your website.
- An error message saying, “The website cannot be displayed” shows up when you’re trying to view your site in a browser.
- You and your visitors experience long and unusual delays in website performance.
- Unexpected error messages pop up when surfing your site.
And there’s certainly no mistaking the nightmare message that can make any website owner’s heart stop:
- “HACKED BY HdHUgØWU” (or some other apparently meaningless signature) replaces your website content.
You’ve undoubtedly seen at least some of these signs of hacking while surfing the web.
If you’re like most website owners, though, you’ve probably thought “My site’s protected, so that could never happen to me” or “My site is so small, no hacker would ever bother with it.”
Those are very dangerous assumptions to make.
Just about any website can be hacked, especially if it’s built on a common platform with well-known security holes like WordPress or Joomla. And most attackers aren’t crooks looking for valuable data to steal, or people with an axe to grind against the website owner.
Here are some 2016 statistics from the Sucuri website: “March 2016, Google reports that over 50 million website users have been greeted with some form of warning that websites visited were either trying to steal information or install malicious software. In March 2015, that number was 17 million. Google currently blacklists close to ~20,000 websites a week for malware and another ~50,000 a week for phishing.”
Some hacks, like the ostentatious ones that look more like graffiti than web content, are the work of “kiddies” who are showing off for friends in hacker communities. But most intrusions are conducted by malicious, automated software which crawls the web 24 hours a day, searching for website vulnerabilities that can be easily exploited.
The goal of the software’s owner may be finding websites that can be used to:
- unknowingly host sketchy files
- join a botnet
- send out boatloads of email spam
No matter who’s to blame, a website owner is usually no match for today’s constant barrage of hacking attempts – despite promises from a web developer or hosting company. After all, if Sony, eBay, JP Morgan and the US Government can be hacked, so can you.
Your web host or developer can’t guarantee that you won’t wake up next month, next week – or tomorrow – to find that your site has been compromised, defaced or destroyed by a hacker.
- Your website could be completely unavailable to visitors
- It could become impossible to read and navigate
- Your customers’ personal data could be stolen
- Potential clients might even be warned against visiting your site by Google
In short, the beautiful site you’ve created, the customer base and loyalty you’ve carefully cultivated, the data you’ve painstakingly accumulated over years could all be gone forever, with no warning.
What’s the best defense against website hacking?
There are a number of steps that you can take immediately to deter all but the most dedicated and experienced hackers.
Here are the five most important.
1. Update, Update, Update
Most websites run on a software platform. WordPress is the most popular of all time; nearly 20% of all current websites, including such giants as The New York Times and Forbes, use it. For that reason, WordPress sites are the most common targets for hackers. But all other platforms like Joomla and Drupal, and even custom-coded websites, can fall victim as well.
Web platforms/content management systems update their core versions constantly. Some of the updates are designed to add new functionalities, but most releases are intended to plug security holes discovered by hackers. The most important step you can take to protect your website is to ensure that you’re always running the very latest version of your platform, and immediately install any patches that are released.
The same advice holds for all components, plugins, extensions and other software being used on your site. Bad actors spend lots of time trying to discover methods of cracking widely-used website software; one of the best ways to foil them is with newer versions they haven’t yet broken into. If your platform/CMS supports automatic updates, take advantage of the feature. And check your existing software regularly, since many plugins or extensions are no longer supported or updated. Anything that’s outdated or unused, even website themes that aren’t active, should be replaced or removed since they’re an open invitation to hackers.
Finally, if you have a custom-designed website, it’s worth the cost of having a security expert go over it regularly to discover any potential vulnerabilities and make any necessary patches.
2. Add the “S”
After years of cautions and warnings, most of us now know to look for the “padlock” icon on any site where we type in personal information or make purchases because the padlock indicates a secure site.
You may have noticed that you only see that icon on sites with URLs that start with “https://” instead of “http://”. Https is a web security protocol (the extra “S” stands for “secure”), so sites that use https are said to be using a secure server. All website data communications are encrypted before they’re sent or received, ensuring the security of the data users type into website forms, and the information they receive in return.
Until fairly recently it cost hundreds of dollars per year to obtain a certificate to run a secure site. Today, however, you can get an https certificate for free, and many hosts have automated systems that will set up a secure site for you.
That means https is no-cost protection and a no-brainer for all e-commerce sites. But there are good reasons to use https on all sites. Hackers have ways to read all information sent and received on non-secure websites; even if there’s nothing particularly sensitive being transmitted, they can still steal a user’s information (a login cookie, for example) and use it to take over that user’s account or online sessions. Https encrypts everything in transit, so there’s nothing readable to steal.
There’s one final benefit to adding the “s”: Google gives more credibility to https sites and claims to rank them higher in its search results, and its Chrome browser warns users that a site they’re visiting over plain http isn’t secure.
3. The Password Is “Security”
No one likes creating unique passwords with 8-12 capital and lower-case letters, numbers and special characters. Everyone should do it, though, including your website users. Your site should require complicated passwords and protect them properly: encrypt them in transit (that’s what https is for) and store them only as salted hashes, never as readable text. Otherwise, user accounts could be stolen and used for nefarious purposes.
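As an added example (not part of the original article), here is what “require complicated passwords and store them safely” looks like in code: a policy check for the character classes named above, plus salted PBKDF2 hashing so the database never holds the password itself. The minimum length of 8 is enforced; no maximum is imposed, since longer passwords only help.

```python
import hashlib
import hmac
import os
import re

# Policy from the article: mixed-case letters, digits and special characters.
MIN_LENGTH = 8
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def password_meets_policy(password: str) -> bool:
    """True if the password is long enough and uses every required character class."""
    if len(password) < MIN_LENGTH:
        return False
    return all(re.search(pattern, password) for pattern in CHARACTER_CLASSES)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Return a storable record: algorithm, work factor, random salt and digest.

    A fresh salt per user means two users with the same password get different
    records, and an attacker who steals the table can't reuse precomputed tables.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking, via timing, how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)
```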
4. Restrict User Uploads
It’s cool when a website allows users to upload files to share with others. Unfortunately, it’s also dangerous.
Here’s the problem. Hackers have figured out how to sneak malicious scripts into innocent-looking files like pictures and videos. When the files are opened, their scripts are executed, installing malware or other bad stuff on your site. They can even give the hackers full access to your web server. It’s almost impossible for a web server to detect the scripts until it’s too late.
The best way to avoid this problem is to ban all user uploads or set server permissions so they can’t be executed. If the functionality is important to your site, uploads should be stored in a secure location outside the web root (where they can’t damage the website if run) and fetched separately. At the very least, files should not be user-executable. Consult with your developer or server administrator to figure out the best way to handle this issue, if you must allow user uploads.
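An added example (not from the original article) of the upload handling just described: the file is identified by its contents rather than its name, written outside the web root under a random name with no execute bit, and fetched later only by that opaque id. The directory layout and the two accepted image types are assumptions for the example.

```python
import os
import secrets
from pathlib import Path

# Identify uploads by leading bytes, never by the user-supplied filename or extension.
# (Assumed for this example: the site only accepts PNG and JPEG images.)
IMAGE_SIGNATURES = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}


def detect_image_type(data: bytes):
    """Return 'png' / 'jpg' for a recognised image, or None for anything else."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data: bytes, upload_dir: Path) -> str:
    """Write an upload to upload_dir (assumed to sit outside the web root).

    Returns the random id the application records; the original filename is
    discarded, and the file is created read/write only, so even if a script
    were smuggled inside it, nothing can execute it or reach it by URL.
    """
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("only PNG and JPEG uploads are accepted")
    upload_dir.mkdir(parents=True, exist_ok=True)
    file_id = secrets.token_hex(16)
    path = upload_dir / f"{file_id}.{ext}"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)  # rw-r-----
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return file_id


def fetch_upload(file_id: str, upload_dir: Path) -> bytes:
    """Read an upload back by id; ids are hex only, so no path tricks get through."""
    if not file_id.isalnum():
        raise ValueError("bad file id")
    matches = list(upload_dir.glob(f"{file_id}.*"))
    if len(matches) != 1:
        raise FileNotFoundError(file_id)
    return matches[0].read_bytes()
```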
While you’re doing that, also ask them about preventing SQL injections that can mess with your database and cross-site scripting (XSS) which allows hackers to place their scripts directly onto your pages to target other site users. Each can be done through improperly-protected comment boxes or similar input fields on a site.
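To make the two problems concrete, here is an added example (not from the original article) using a constructed in-memory comment table: the unsafe lookup lets quote characters in a comment-box input rewrite the query, the parameterized lookup treats the same input as plain data, and escaping on output keeps a stored comment from injecting markup into the page.

```python
import html
import sqlite3


def make_comment_db() -> sqlite3.Connection:
    """Constructed stand-in for a site's comment table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO comments (author, body) VALUES (?, ?)",
        [("alice", "Nice post"), ("bob", "Thanks!")],
    )
    return db


def comments_by_author_unsafe(db: sqlite3.Connection, author: str):
    # DON'T: the input is pasted into the SQL text, so a quote character in it
    # changes the meaning of the query instead of being matched as data.
    query = f"SELECT author, body FROM comments WHERE author = '{author}'"
    return db.execute(query).fetchall()


def comments_by_author(db: sqlite3.Connection, author: str):
    # DO: a parameterized query sends the input separately from the SQL, so
    # whatever it contains is compared as a value and can't alter the query.
    return db.execute(
        "SELECT author, body FROM comments WHERE author = ?", (author,)
    ).fetchall()


def render_comment(author: str, body: str) -> str:
    # Escape on output: < > & " ' become entities, so a stored comment is shown
    # as text and is never interpreted as HTML or script by other visitors.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"
```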
5. Know When to Seek Help
Launching a new website is a time-consuming and complicated venture. Security should theoretically be uppermost in the minds of developers and coders, but it often takes a backseat to simply getting the site active and traffic flowing on schedule.
Sooner or later, though, hackers will find your website. And if it’s not properly protected, you’ll wake up one morning to a disaster. At that point, you’ll know that it’s time to call a security company for help.
The better idea is to look for assistance as soon as you notice that something’s “odd” about your site. Perhaps it’s taking way too long for a page to load. Perhaps you’re starting to receive complaints from visitors or customers about unwanted emails. Or perhaps your search engine rankings have unexpectedly fallen or disappeared. Don’t wait for the other shoe to drop; it’s time to take action before the situation gets worse.
The best idea is to be proactive because an infected site will cost you visitors, customers, money – or all three. Cleaning a hacked site is going to be way beyond your abilities as a site owner, and it’s likely to be beyond the scope of your website developer’s or hosting company’s duties.
Once your site is up and running, consider protecting it immediately. Pre-eminent web security companies don’t just do a quick and professional job cleaning up after the fact. Their real-time monitoring, malware detection, and scanning systems discover, deflect and stop attacks aimed at infiltrating or corrupting your site, all at very reasonable prices.