Are you properly protecting your Website from hackers?
- David Puffenberger
- Web/Graphic Design, Technical Support
Ignorance is not bliss when it comes to Website safety, security and liability.
You hear it all the time. “XYZ Company’s Website has been hacked.” “Big data breach.” “Customer credit cards and social security numbers exposed.” It’s not going to get any better.
But this article isn’t about a big company with big data. Smaller Websites are vulnerable too, and site owners are at risk. Why?
Because ignorance is not bliss.
We recently observed a client who had a password phishing attack that worked like this:
A small company’s simple WordPress Website had a weak password. (WordPress is exposed to start with: its login page and XML-RPC endpoint sit at the same well-known address on every site, and the core software does not limit failed login attempts, so an attacker can guess passwords all day. Add a weak password and it’s open season.)
So, this company got hacked, but rather than defacing or taking down the site, the hackers planted a hidden page and made it a forwarder that would take anyone hitting the page to another malicious Website that had an almost identical mock-up of a popular email service login screen.
The hackers would then send phishing emails, either from email accounts they had already compromised this way or by spoofing the sender address so the message appeared to come from someone the recipient knew, usually a friend or business contact. (Spoofed emails can be sent even though the sender's email account has not been compromised.) The malicious emails try to trick the recipient into clicking a link that leads, via the hidden page, to the mock-up of their email or other service login screen, and if they sign in, they're hooked: the password goes straight to the scammer.
One of our clients is a real estate attorney, and it turns out a title agency they were working with fell for this and got hacked. Once they had access to the title agent's email, scammers read the email threads and learned of a real estate closing and wire transfer that was about to occur, and they created bogus email accounts (with slight misspellings of our client's and the title company's domains) and built a fake email thread that led to a request to send the wire transfer to a different bank! Fortunately our client smelled a rat and asked us about it, and we tracked down the issue so nothing bad happened. But we learned this "real estate title agency scam" (a form of business email compromise) has been going on a long time, stealing nearly $1 Billion a year.
Because our client is an attorney, we asked him about liability if the scammers had been successful. Indeed, it’s possible that the owner of the small website, for failing to secure it from possible breach by using an insecure platform and weak password, could be held at least partially liable for negligence if an action were filed.
Now this scam usually involves three pieces: (1) a hacked email account from which to send the scam email, (2) a hacked site (usually WordPress) that has a forwarder installed, and (3) the scammer's own site, which does the dirty work of harvesting the login credentials. The scammer's own site is usually blacklisted, so an email with the direct link will get quarantined. That's why they use the intermediate one (2): it still has a good reputation with email filters. Of course the intermediate site soon gets blacklisted too, and that will kill any SEO reputation the site has. The hackers then simply move on.
So, if you are the owner of a Website, big or small, you really need to harden your Website(s) to prevent attackers from hijacking your site. Here are a few suggestions:
- Change your Website's admin username to something OTHER THAN the default.
Don't use “root,” “admin,” “administrator” or anything else that sounds like it has an administrator function for the administrator username. Use something random like a cartoon character, a song title, or anything else you can think of. If you have a "superuser" account above regular administrator, be sure it's something else too. Treat this as a speed bump rather than a secret: WordPress, for example, exposes each user's slug (which defaults to the login name) through author archive pages and its REST API, so the passphrase and multifactor steps below are what actually keep attackers out.
- Change your site’s password to a long text passphrase.
If your system will allow, use 4 or 5 random, non-associated words that don’t make a sentence. That’s the current best practice for passwords. Some services have limits on password length, so go for as long a password as possible. Adding numbers, symbols and mixed case letters can add to the complexity. The longer and more complex the better. (Use a password manager to keep track of these long passphrases.) Do the same for ALL passwords with editing privileges on your Website.
- Don’t use the same password for other services.
Make sure that the passwords for administering your site are not used elsewhere. This helps minimize the threat if another service you're using gets hacked.
- Make sure your site uses secure protocols.
If your site is NOT currently protected by a Secure Certificate and using HTTPS by default, contact your hosting or service provider and get one set up. Many hosts now include a free certificate (for example from Let's Encrypt); if yours charges for it, it's still worth the money, because it ensures that your login pages are encrypted, which protects your passwords and any other valuable information in transit. It also makes your site more attractive to search engines, and it means you'll avoid the dreaded "Not Secure" warning that modern browsers display for plain HTTP pages. An EV (Extended Validation) certificate verifies the organization behind the site, but note that current browsers no longer show a distinct indicator for EV, so it does little to help visitors tell your site from a knockoff; a passphrase, multifactor login and an alert staff do far more. Also (for advanced tech), be sure TLS 1.2 or 1.3 is in use and that the obsolete versions (SSLv3, TLS 1.0 and 1.1) are disabled. (If you don't know what that means, ask your Website host.)
- Enable Multifactor Authentication if available.
Multifactor Authentication requires a second proof beyond the password: a one-time code generated by an authenticator app on your smartphone, a code texted to you, or a tap on a hardware security key. You have to supply it to continue. If a hacker cracks or phishes the password, he still can't get in because he doesn't have your phone or key. Prefer an authenticator app or a hardware key over text messages, which can be intercepted or redirected by a SIM swap. (If you get a code or approval prompt without having first requested a login, someone has your password: change it right away.)
- Make sure your CMS is up to date.
Most Websites use Content Management Systems (CMS) like WordPress or DNN. The CMS “software” is constantly being improved and updated with new releases. So just like your computer’s operating system and applications, your CMS needs to be updated regularly. This may involve redesigning and building parts of your site due to changes in the CMS software. Also be sure your database password is strong.
- Use a CMS that is less prone to attacks.
WordPress sites and even the DIY “Website Builders” are notorious for getting compromised. They are prime targets for hackers because of the substantial number of sites in use, the sprawl of third-party plugins and themes that may never be patched, and the carelessness of those who own and maintain them. While no Website platform is totally immune, there are some that are more secure and reliable than others. Advent Media exclusively uses one of the strongest "enterprise grade" platforms on the market.
- Make sure your server is updated.
Your server's operating system is just as critical as your computer's operating system. It should be running a supported version of the server software with current security patches applied, because vulnerabilities are constantly being fixed in current releases and never in abandoned ones. It's amazing how many Websites are running on obsolete, unsupported servers which are open to attack through known, published vulnerabilities.
- Know Your Site's Back-End (Especially if you use WordPress)
Examine your Website's file structure periodically for phantom pages you didn't put there, for redirects to unknown destinations, and for PHP files sitting in directories that should only hold images and documents (such as WordPress's wp-content/uploads). Compare your CMS core files against the checksums the vendor publishes for your release, and check the database too, since injected redirect scripts are often stored in posts, widgets or site settings rather than in files.
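One way to do that periodic look, and to catch the hidden forwarder described earlier in the article, as an added example that is not part of the original post or of WordPress itself: the Python below walks a document root and flags PHP files under wp-content/uploads, .htaccess rules, header('Location:') calls, meta refreshes and JavaScript that send visitors to a host other than your own, and the eval(base64_decode(...)) pattern typical of injected backdoors. The site hostnames and the planted files in build_demo_site() are constructed for illustration.

```python
"""Scan a WordPress document root for planted redirect pages and backdoors.

Added example for this article, not code from the original post or from
WordPress itself. The site hostnames, the directory layout and the planted
files in build_demo_site() are constructed for illustration.
"""
import pathlib
import re
import shutil
import tempfile
from urllib.parse import urlparse

# Hostnames the site legitimately redirects to (constructed, hypothetical).
SITE_HOSTS = {"example-client.com", "www.example-client.com"}

# Redirect idioms that carry a literal absolute URL; group 1 captures the URL.
REDIRECT_PATTERNS = [
    (re.compile(r"header\s*\(\s*['\"]Location:\s*(https?://[^'\"\s]+)", re.I),
     "PHP Location header redirect to {host}"),
    (re.compile(r"(?:window\.location(?:\.href)?\s*=|location\.replace\s*\()\s*['\"](https?://[^'\"]+)", re.I),
     "JavaScript redirect to {host}"),
    (re.compile(r"<meta[^>]+http-equiv=['\"]?refresh['\"]?[^>]+url=(https?://[^'\">\s;]+)", re.I),
     "meta refresh redirect to {host}"),
    (re.compile(r"^\s*(?:Redirect(?:Match|Permanent|Temp)?\s+(?:\d{3}\s+)?\S+|RewriteRule\s+\S+)\s+(https?://\S+)", re.I | re.M),
     ".htaccess redirect to {host}"),
]
# eval() of a decoded payload is the classic signature of an injected PHP backdoor.
OBFUSCATION = re.compile(r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def scan_site(root):
    """Return sorted (relative_path, reason) findings for every suspicious file under root."""
    root = pathlib.Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # WordPress never legitimately stores executable code under wp-content/uploads.
        if rel.startswith("wp-content/uploads/") and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            findings.append((rel, "executable file in uploads directory"))
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if OBFUSCATION.search(text):
            findings.append((rel, "obfuscated code: eval of a decoded payload"))
        for pattern, reason in REDIRECT_PATTERNS:
            for match in pattern.finditer(text):
                host = (urlparse(match.group(1)).hostname or "").lower()
                if host and host not in SITE_HOSTS:  # redirects to our own host are fine
                    findings.append((rel, reason.format(host=host)))
    return sorted(set(findings))


def build_demo_site():
    """Lay out a constructed WordPress-like tree: two clean files and three planted ones."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="wp-scan-demo-"))
    files = {
        # clean: the ordinary WordPress front controller
        "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
        # clean: a theme redirecting to the site's own home page (no literal foreign URL)
        "wp-content/themes/demo-theme/functions.php": "<?php\nwp_redirect(home_url('/'));\nexit;\n",
        # planted: PHP dropped into uploads that forwards visitors to the phishing site
        "wp-content/uploads/2023/11/invoice.php": "<?php\nheader('Location: https://mail-secure-login.example/owa');\nexit;\n",
        # planted: server-level redirect hidden in an uploads .htaccess
        "wp-content/uploads/2023/11/.htaccess": "RewriteEngine On\nRewriteRule ^ https://mail-secure-login.example/ [R=302,L]\n",
        # planted: backdoor in a file whose name imitates WordPress core
        "wp-includes/class-wp-cache-helper.php": "<?php\neval(base64_decode('ZWNobyAnaGknOw=='));\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def run_demo():
    """Build the demo tree, scan it, remove it, and return the findings."""
    root = build_demo_site()
    try:
        return scan_site(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

Point scan_site() at a real document root from a scheduled job that mails you anything new, and the first planted forwarder shows up the day it lands rather than after your domain is blacklisted. The scanner only recognises literal URLs, so a redirect assembled from variables, or one stored in the database (injected into posts, widgets or the siteurl option), will not show up; pair it with a core-file integrity check such as WP-CLI's wp core verify-checksums, which compares wp-admin and wp-includes against the checksums WordPress publishes for your release.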
At Advent Media, Inc., we design, develop, host, manage and maintain Websites for businesses and organizations large and small. We do our best to make sure that each site we build and manage meets and or exceeds these security parameters and then some.
Discover our Web Services