You hear it all the time. “XYZ Company’s Website has been hacked.” “Big data breach.” “Customer credit cards and social security numbers exposed.” It’s not going to get any better.
But this article isn’t about a big company with big data. Smaller Websites are vulnerable too, and site owners are at risk. Why?
We recently observed a client who had a password phishing attack that worked like this:
A small company’s simple WordPress Website had a weak password. (WordPress is exposed to start with by the way it handles administrator login, and if you also have a weak password, it’s open season.)
So this company got hacked, but rather than defacing or taking down the site, the hackers planted a hidden page that forwarded anyone who reached it to another, malicious Website: an almost identical mockup of a popular email service’s login screen.
Our client then got an email from the scammer saying that a few hundred email messages were about to be deleted unless he “logged in and saved them,” and the link to log in pointed to the hidden page on the hacked Website. Because the link led to an otherwise ordinary Website, the message bypassed spam and malware filters. If clicked, the forwarder page on the hacked site sent the unsuspecting user on to the malicious Webmail sign-in page, which asked for the account password. It even had his username pre-populated, passed in a querystring on the link in the email. Had our client unwittingly entered his password, the scammers would have had access to all his confidential emails.
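As an added illustration (not code from the original post or from Advent Media), a small Python triage check for a “log in here” link taken from an email, modelled on the chain just described: it flags a host that is not the expected mail provider, a plain-HTTP link, a querystring that carries the username or email address, and a querystring value that is itself a URL. The expected host, the sample links and the domains in them are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical hostname of the email service the message claims to be from.
EXPECTED_MAIL_HOST = "mail.example-provider.com"

# Constructed sample links (hypothetical domains): one legitimate login link,
# then two links to a page on a small, compromised site.
SAMPLE_LINKS = [
    "https://mail.example-provider.com/login",
    "http://smallbiz-example.com/save.html?user=bob%40example.com",
    "https://smallbiz-example.com/save-mail?email=bob@example.com&next=https://lookalike-webmail.example/signin",
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def triage_link(url: str, expected_host: str = EXPECTED_MAIL_HOST) -> dict:
    """Return the warning signs found in a 'log in here' link taken from an email."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # parse_qs already URL-decodes, so user=bob%40example.com becomes bob@example.com
    query_values = [v for values in parse_qs(parsed.query).values() for v in values]
    flags = []
    # 1. The message is about your mail account, but the link goes somewhere else.
    if host != expected_host:
        flags.append("host_mismatch")
    # 2. A plain-HTTP login page would send the password unencrypted.
    if parsed.scheme != "https":
        flags.append("no_https")
    # 3. An email address or username in the querystring is what pre-fills the fake form.
    if any(EMAIL_RE.match(v) for v in query_values):
        flags.append("prefilled_identity")
    # 4. A querystring value that is itself a URL suggests a forwarder/redirect page.
    if any(v.lower().startswith(("http://", "https://")) for v in query_values):
        flags.append("redirect_param")
    return {"url": url, "host": host, "flags": flags, "suspicious": bool(flags)}


def triage_all(links=SAMPLE_LINKS) -> list[dict]:
    """Triage every link in the list and return one result dict per link."""
    return [triage_link(u) for u in links]


if __name__ == "__main__":
    for result in triage_all():
        label = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(label, result["url"], ", ".join(result["flags"]))
```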
Fortunately, our client was wise enough to ask us about this, so his email was not hacked. But because he was an attorney, I asked him about liability if there had been a data breach. Indeed, it’s possible that the owner of the small Website, having failed to secure it by using an insecure platform and a weak password, could be held at least partially liable for negligence if an action were filed.
So, if you are the owner of a Website, big or small, you need to protect your Website(s) against attackers, and here are some suggestions:
- Change your admin username to something OTHER THAN the default.
This includes “root,” “admin”, “administrator” or anything that sounds like it has an administrator function. Use something random like a cartoon character, a song title, or anything.
- Change your site’s password to a long text passphrase.
If your system will allow, use 4 or 5 random, non-associated words that don’t make a sentence. That’s the current best practice for passwords. Some services have limits on password length, so go for as long a password as possible. Adding numbers, symbols and mixed case letters can add to the complexity. The longer and more complex the better.
- Don’t use the same password for other services.
Make sure that the passwords for administering your site are not used elsewhere. This helps minimize the threat if another service you're using gets hacked.
- Make sure your site uses secure protocols.
If your site is NOT currently protected by a security (SSL/TLS) certificate and using HTTPS by default, contact your hosting or service provider and get one set up. It will cost more money, but it ensures that your login pages are encrypted, which further protects your passwords and any other valuable information. It also makes your site more attractive to search engines. If you’re concerned about credibility, get an EV (Extended Validation) certificate.
- Enable Multifactor Authentication if available.
Multifactor Authentication will send a code to your smartphone via text or special app. You have to enter the code to continue. If a hacker cracks the password, he still can't connect because he would not have the code that's on your phone. (If you get an alert without having first requested a login, it's time to change your password.)
- Make sure your CMS is up to date.
Most Websites use Content Management Systems (CMS) like WordPress or DNN. The CMS “software” is constantly being improved and updated with new releases. So just like your computer’s operating system and applications, your CMS needs to be updated regularly. This may involve redesigning and building parts of your site due to changes in the CMS software. Also be sure your database password is strong.
- Use a CMS that is less prone to attacks.
WordPress sites and even the DIY “Website Builders” are notorious for their lack of proper security. They are prime targets for hackers because of the sheer number of sites in use and the carelessness of those who own and maintain them. While no Website platform is totally immune, some are more secure and reliable than others.
- Make sure your server is updated.
Your server’s operating system is just as critical as your computer’s. It should be running the latest version of the server software, because security fixes are only issued for current, supported releases. It’s amazing how many Websites are running on obsolete, unsupported servers that are open to attack through known vulnerabilities.
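An added example (not from the original post or from Advent Media) of the passphrase advice in the list above: it builds a 4- or 5-word phrase with a cryptographically secure random choice, compares its entropy with that of a short character-based password, and trims the phrase to a service’s password length limit. The wordlist is a constructed sample; the EFF long-list size is assumed only for the arithmetic.

```python
import math
import secrets

# Constructed 25-word sample list (hypothetical). For real use take a published list
# such as the EFF long wordlist (7776 words); the entropy arithmetic below is unchanged.
WORDLIST = ["anchor", "banjo", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
            "iris", "juniper", "kettle", "lantern", "meadow", "nutmeg", "orbit", "pebble",
            "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
            "zephyr"]
EFF_LONG_LIST_SIZE = 7776   # 6^5 entries, one per five-dice roll
PRINTABLE_ASCII = 94        # letters, digits and symbols available to a "complex" password


def passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Join `words` unrelated words chosen uniformly with a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Each uniformly chosen word adds log2(N) bits, however long the word itself is."""
    return words * math.log2(wordlist_size)


def password_entropy_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random character password of the given length."""
    return length * math.log2(charset_size)


def compare_strength(words: int = 5, password_len: int = 8) -> dict:
    """Bits for `words` EFF-list words versus a random `password_len`-character password."""
    return {"passphrase_bits": round(passphrase_entropy_bits(words, EFF_LONG_LIST_SIZE), 1),
            "password_bits": round(password_entropy_bits(password_len), 1)}


def passphrase_within_limit(max_len: int, words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """For services that cap password length: keep as many of the words as fit the cap."""
    parts = passphrase(words, wordlist, sep).split(sep)
    while len(parts) > 1 and len(sep.join(parts)) > max_len:
        parts.pop()
    return sep.join(parts)


if __name__ == "__main__":
    print(passphrase(), compare_strength(), passphrase_within_limit(20), sep="\n")
```

Five random words from a 7776-word list give about 64.6 bits, more than an 8-character password drawn from all 94 printable ASCII characters (about 52.4 bits), and are far easier to remember.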
At Advent Media, Inc., we design, develop, host, manage and maintain Websites for businesses and organizations large and small. We do our best to make sure that each site we build and manage meets and or exceeds these security parameters and then some.