How Secure Is Your Website?
You may be the owner of a small business with a small website and think your website isn’t a target for hackers. After all, what would a hacker want with your website? Your website might only describe your services and hold no customer information at all. Why would a hacker even bother with your “little” site? You might be surprised at what hackers can do with your site once they infiltrate it.
We are sticklers about website security. We have also taken on customers whose sites had been hacked. It’s no fun. Not one of the hacked sites we have dealt with held anyone’s personal information whatsoever. So why did the hackers bother with these sites?
If you are using our favorite CMS – WordPress – it’s really very simple. It’s all about the numbers. As of last year (2016), WordPress websites accounted for around 26% of the websites on the web. With over a Billion sites on the web, that equates to around 250 million of them running WordPress. It’s a numbers game for hackers: why not build one bot that targets the largest group of sites and therefore has the best chance of succeeding?
What Will Hackers Do With Your Site?
What does a hacker want with your site? To install malware that tries to infect visitors’ computers, to spread their political views, to gain access to the server your site is hosted on, and sometimes, probably, just because some geek has too much time on their hands.
So how do these hackers get into your site in the first place? WPMUDEV.org recently published a rather large list of the most commonly used techniques:
How Hackers Compromise Websites
When writing code, it’s near impossible to not create any security holes whatsoever. When hackers find these vulnerabilities, they exploit them and you’re left with a compromised site.
There are also other ways a site could be vulnerable, including human error such as using passwords that are easy to guess, as well as insecure or unreliable hosting.
There are a number of commonly exploited and potential WordPress vulnerabilities including:
- SQL Injection (SQLI) – Occurs when SQL queries and statements can be entered and executed from a site’s URL
- Cross-site Scripting (XSS) – A hacker can inject code into a site, typically through an input field
- File Upload – A file with malicious code is uploaded to a server without restriction
- Cross-Site Request Forgery (CSRF) – Code or strings are entered and executed from a site’s URL
- Brute Force – Constantly trying to log in by guessing the admin’s account username and password
- Denial of Service (DoS) – When a site goes down due to a steady stream of traffic coming from a hackbot
- Distributed Denial of Service (DDoS) – Similar to a DoS attack, except the hackbot is sending traffic from multiple sources such as infected computers or routers
- Open Redirect – Occurs due to a vulnerability and it’s a site’s page that’s redirected to a different one that’s set by a hacker and is often spam or a phishing site
- Phishing (Identity Theft) – A site or page created by a hacker that looks like a well-known, commonly trusted site, but is used to collect login credentials by tricking a user to input their details
- Malware – A malicious script or program with a purpose to infect a site or system
- Local File Inclusion (LFI) – An attacker is able to control what file is executed at a scheduled time that was set up by the CMS or web app
- Authentication Bypass – A security hole that enables a hacker to circumvent the login form and gain access to the site
- Full Path Disclosure (FPD) – When the path to a site’s webroot is exposed such as when the directory listing, errors or warnings are visible
- User Enumeration – Being able to determine a valid username to later use for brute force attacks by adding a string to the end of a WordPress site’s URL to request a user ID which may return an author’s profile with the valid username
- XML External Entity (XXE) – An XML input that references an external entity and is processed poorly by improperly set up XML parser and can lead to confidential information disclosure
Read The Full Article “The Ultimate Guide to WordPress Security”
That’s not even the entire list from the post, and the post itself does not cover every way a site can be hacked. As time goes on, hackers get more sophisticated and develop new ways to get into sites and use them as they wish.
How To Keep Your Site Secure
Before you get into a full-on panic, there are things you can do to help make sure your site doesn’t fall victim to hackers.
The first thing you can do is make sure you use strong usernames and passwords. Never, and we mean never, use the default “Admin”. Use very long passwords, maybe a snippet from your favorite song with a few punctuation marks and numbers added before and after.
The second thing, and probably the most effective, is… KEEP YOUR SITE UPDATED! Whenever there is a new release of WordPress, make sure you install it right away. Whenever you receive an email that an update is available, get it done. But it doesn’t stop there: you also need to make sure that your Themes and Plugins are kept up to date, because they can be just as vulnerable. A classic example of this is the vulnerability in the Revolution Slider back in 2014, where as many as 100 thousand sites were hacked. You won’t receive email notifications for these types of updates, so we suggest checking at least weekly that everything is up to date.
Gail Gardner just posted an article today on another of our top priorities for keeping your site secure: the importance of choosing a good server or hosting provider:
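As an added example (not code from the original post), here is a small WP-CLI script that performs the weekly check described above: it lists plugin and theme updates, checks WordPress core, and exits non-zero when anything is stale so a cron job can flag it. It assumes WP-CLI (`wp`) is installed and that `WP_PATH` points at the site’s install directory.

```shell
#!/bin/sh
# Weekly WordPress update audit (added example; not code from the original post).
# Assumes WP-CLI (`wp`) is installed and WP_PATH points at the site root.
# Schedule it from cron; any pending core, plugin or theme update is printed
# and the script exits 1, so cron's mail tells you something is out of date.
set -u
WP_PATH="${WP_PATH:-/var/www/html}"   # assumed install location; override via env

# Count data rows in a WP-CLI CSV listing: the header (line 1) and blank lines
# are skipped. Reads stdin so the logic can be exercised without WP-CLI.
pending_from_csv() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Turn a plugin/theme CSV listing into "name: installed -> available" lines.
# Column order follows the --fields list used in main.
report_from_csv() {
    awk -F, 'NR > 1 && NF > 0 { printf "  %s: %s -> %s\n", $1, $4, $5 }'
}

main() {
    stale=0
    for kind in plugin theme; do
        csv=$(wp --path="$WP_PATH" "$kind" list --update=available \
                 --fields=name,status,update,version,update_version --format=csv)
        n=$(printf '%s\n' "$csv" | pending_from_csv)
        if [ "$n" -gt 0 ]; then
            echo "$n $kind update(s) pending:"
            printf '%s\n' "$csv" | report_from_csv
        fi
        stale=$((stale + n))
    done
    # Core: check-update prints a CSV table only when a newer WordPress exists;
    # when current it prints one "Success: ..." line, which the header skip ignores.
    core=$(wp --path="$WP_PATH" core check-update --format=csv)
    n=$(printf '%s\n' "$core" | pending_from_csv)
    if [ "$n" -gt 0 ]; then
        echo "WordPress core update pending:"
        printf '%s\n' "$core"
    fi
    stale=$((stale + n))
    if [ "$stale" -eq 0 ]; then echo "All up to date."; exit 0; fi
    exit 1
}

# Run the audit only when WP-CLI is on PATH; otherwise just define the helpers
# so they can be sourced or tested on a machine without a WordPress install.
if command -v wp >/dev/null 2>&1; then
    main
fi
```

A weekly crontab entry such as `0 6 * * 1 WP_PATH=/var/www/html /usr/local/bin/wp-audit.sh` sends you cron’s mail only when something needs attention.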
Choose a Secure Web Host
Web hosts vary greatly in how secure they are. Shared Web hosting is the most affordable option, since you’re sharing server space with countless other websites. But, that affordability comes at the cost of security in many cases.
Virtual Private Server (VPS) hosting is a middle-ground option where you’re still technically sharing a server with other websites, but you’re each given flexibility as if you were all running on a dedicated server. Dedicated hosting means that you’re the only website on the server, so of course it comes at a premium.
To provide more security, but still keep costs relatively manageable, many web hosts are now offering managed WordPress hosting, which is similar to shared hosting. But by having them manage the WordPress installation itself, they can help avoid security breaches.
Read Gail’s full post “Web Security More Important Now Than Ever”
Gail also makes some good points in her article about your company’s security policy for employees who have access to your site.
Lastly, we want to point out that you should be making backups regularly. Why? Because if your site does get hacked, restoring it to its previous condition will be a whole lot easier.
While you might think your site is not large enough, or does not hold data important enough for hackers to want, it’s still a target. The most important and effective ways of keeping hackers out are to choose a good host and to keep your site up to date, which helps minimize the risk of your site falling prey. And in case it does fall victim, make sure you have backups!
To learn more about how we help keep our customers’ sites secure, as well as our web design services, visit our site MD Internet Marketing Solutions