Cyber-Attacks
29 Jun

9 Key Must-Do Things To Protect Your Website From Hacking

by Franco De Bonis in Important-Cautionary, The Web

If you don’t protect your website, what you are basically saying to hackers is:

WELCOME TO MY WEBSITE – TAKE WHAT YOU WANT!

This guide explains why it happens and what you can do to stop it.

Instances of websites being hacked are on the rise! A recent US survey of 583 businesses conducted by Juniper Networks showed some alarming data. 90% of respondents said that their network had been breached at least once by hackers in the previous 12 months. 60% reported two or more breaches and a staggering 50% said they didn’t feel they could stop future attacks.

Other data by security analysts shows that 75% of all hacking attacks target web applications and obviously the majority of these are websites. The incidence of hacking attacks is on the rise and they fall into three main categories:

  1. The Casual/Vandal Attack

    The hacker gets into your website in order to disrupt the operation of the site. Typically carried out by people learning how to hack and those that just want to cause damage.

  2. The “Redirect” Attack

    The hacker wants to change content in order to direct visitors to malicious pages of their own creation. This may be to try to sell fraudulent products or to then spam the visitor.

  3. The “Viral” Attack

    The most worrying of all the hacking attacks. The attacker installs a virus or trojan into the site’s code. Typical viruses will then take over your PC and tell you that you have been infected and try to sell you the “cure”. A typical trojan will download silently into the visitor’s PC and begin to log every keystroke, which it then sends to the perpetrator through a log file on a remote server. This means that when the visitor next types in their online banking address, username and password, it is then sent to the attacker who can log in and access sensitive information.

Worse still is that many of these website attacks are detected by anti-virus programs, which means your website will be flagged to the visitor as having been infected. Also if not resolved quickly, Google itself will detect the infringement and notify visitors that the site is unsafe.

How likely would you be to ever visit a website again if you were told by Google not to visit it?

So why are these instances of hacking attacks on the rise? It is my firm belief that OpenSource software has been the fuel to this firestorm of activity. OpenSource is an initiative where a group or “community” of coders work together to create a web application. Joomla, WordPress, Magento and Drupal are all examples of open source content management systems.

The problem is the fact that so many people have worked on and documented every aspect of how the system works. This means that anyone who has a desire to can easily learn how to hack a website on one of these systems. For instance I ran a few searches on Google using the search terms below and here are the results:

  • “How To Hack Joomla”

    This search returned 7.76 Million results that included instructional videos on how to hack a Joomla site!

  • “How To Hack WordPress”

    This search returned a staggering 48.7 Million results and also included instructional videos.

  • “How To Hack Magento”

    This was an interesting one because there were just over 2 Million results and included on page 1 of the results was a company that provided a cleanup service for hacked Magento sites. Clearly a lucrative business.

  • “How To Hack Drupal”

    Almost 5.7 Million results with instructional videos included.

 

“So what should I do?”

Bottom line is that you need to protect yourself. Think of your website like your home. You could leave all the doors unlocked and have no alarm and no insurance. You might get away with it for years, but at some point (sooner or later, based on where you live) you are going to be robbed. Your website is the same principle. You need to do whatever you can to protect it and have ‘insurance’ in the event that it does get attacked or hacked.

The people behind these systems have worked very hard to improve security, but the fact remains that, just like your home, you need to do more if you take security seriously. This is especially true if you are running a business website on an opensource platform. So here’s what you need to do:

  1. Change the standard location of the admin folder

    Hackers scan websites automatically for login files at standard locations. If you change the folder from /Login or /Admin to say /NothingToSeeHere then it’s less likely for your site to be hacked. In most cases your web company will have to do this for you.

  2. Change the standard login username

    Most systems use the same username to login as admin and it’s typically ‘Admin’. If hackers find the location of your login page then they cycle through these standard usernames. So if your username is weird and obscure, it is again less likely that they’ll figure it out. So ‘BananaMan’ or ‘Goldilocks’ is good or anything else that someone would never think of.

  3. Use a complex password

    I really, really, really cannot stress this enough. If you use ‘admin’, ‘password’, ‘letmein’ or any other obvious and simple password, then the chances of you being hacked go up exponentially. Use a VERY random and VERY long stream of letters, numbers and special characters. You can save it somewhere on your PC and simply paste it in whenever you need to log in to the website. So a good password is something like YnGtP!b1F2c4A2w0*29-06-2015*G4I!

    This looks really complex and it is (it would take an automated program a few years of trying random combinations of ever increasing complexity to guess it – if they had years – see below), however I used a memorable phrase to create it:

    You’ll never Guess this Password! because 1t’s Far 2 complex 4 Anyone 2 work 0ut*<Memorable Date>*Go 4 It!

    See?

  4. Add protective code to HTACCESS and header files and remove possible exploitable code

    This is not something you can do unless you’re a web developer/coder. Your web company should already be doing this as standard, so if you approach them with this and they don’t do it, and worse still they say ‘huh?’ then leave and find a company that knows what they are doing.

  5. Add security plugins

    Due to the inherent holes in opensource systems, many coders have created commercial security plugins. Use them! They are not expensive and they are worth their virtual weight in gold. They work to block various usual exploits that hackers use and protect the site from things like SQL Injection techniques. Again, your web company should do this as default (providing you are using a reputable and knowledgeable company).

  6. Change default prefix for WordPress tables

    In the database which contains all of the content for your website, there are many tables. Each of these tables has a prefix which in many cases is “wp_”. Hackers know that most installations use “wp_” as the default prefix for the database tables and they exploit this commonality. Changing the prefix can be done in the WordPress installation process. You can also change the database prefixes after by making several manual changes to the database or by installing a WordPress security plugin. This may also be the case for other opensource systems, but I am not an expert in those, so cannot confirm.

  7. DO NOT USE FREE/OUT OF DATE PLUGINS!

    The amazing thing about WordPress is its extensibility. You can find plugins to do pretty much anything you want to on your site. BUT not all plugins are safe. In fact some are even created with built-in backdoors so that once installed, the site can be tracked and compromised with ease. This is not fiction. It happened to a client of mine that decided to install a free image gallery plugin and was then plagued by hacks until we eventually had to rebuild the site from scratch.

    If you need a plugin, buy a commercially distributed one. They are not expensive, they come with support and they are updated regularly to avoid other exploits.

  8. Update your CMS installation and plugins regularly

    There are teams of people who work hard to make WordPress and other systems ever more secure. They release updates on a regular basis that, once installed, make your site more resilient. The same goes for plugins. So at least every 3 months you should apply updates and patches as required.

    There is a small risk that an update will break the functionality of a plugin, so it’s best to let the web company do this for you and better still if you have a maintenance agreement with them whereby it just happens. That way, if something breaks, they can fix it.

  9. BACKUP, BACKUP, BACKUP, BACKUP

    There’s a reason why I wrote it 4 times. I worked in the backup software industry and there was a mantra we had; ‘If you don’t have at least 4 copies of a file then it’s not an important file.’

    The same goes for your website, so you need a backup regime that gives you 4 recent copies of your file (say at least a copy for each day going back 7 days), plus 4 monthly backup snapshots. This minimum setup means that you can roll back your site to prior to a hacking attack if the worst happens. Obviously the more daily backups you have the less likely you’ll lose updates that you did and have to redo work on your site.
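The backup regime from step 9, worked through as an added example (not code from the original article). It assumes one backup per calendar date, treats "today" as day one of the 7-day window, and takes the first backup of each month as the monthly snapshot; the function names and sample dates are constructed for illustration.

```python
from datetime import date, timedelta

DAILY_DAYS = 7      # a copy for each day going back 7 days (from the article)
MONTHLY_COUNT = 4   # four monthly snapshots (from the article)

def plan_retention(backup_dates, today):
    """Split backup dates into (keep, prune) under the 7-daily + 4-monthly regime."""
    dates = sorted(set(backup_dates))
    keep = set()
    # Daily tier: every backup taken inside the last DAILY_DAYS days, today included.
    window_start = today - timedelta(days=DAILY_DAYS - 1)
    keep.update(d for d in dates if window_start <= d <= today)
    # Monthly tier (assumption): first backup of each of the newest MONTHLY_COUNT months.
    first_of_month = {}
    for d in dates:
        first_of_month.setdefault((d.year, d.month), d)
    for month in sorted(first_of_month, reverse=True)[:MONTHLY_COUNT]:
        keep.add(first_of_month[month])
    prune = [d for d in dates if d not in keep]
    return sorted(keep), prune

def missing_daily(backup_dates, today):
    """Days inside the daily window with no backup at all: a gap worth alerting on."""
    have = set(backup_dates)
    window = [today - timedelta(days=i) for i in range(DAILY_DAYS)]
    return sorted(d for d in window if d not in have)

# Constructed sample: nightly backups from 1 Mar to 29 Jun 2015, with 26 Jun missed.
SAMPLE_TODAY = date(2015, 6, 29)
SAMPLE = [date(2015, 3, 1) + timedelta(days=i) for i in range(121)
          if date(2015, 3, 1) + timedelta(days=i) != date(2015, 6, 26)]

if __name__ == "__main__":
    keep, prune = plan_retention(SAMPLE, SAMPLE_TODAY)
    print("keep :", [d.isoformat() for d in keep])
    print("prune:", len(prune), "older backups")
    print("gaps :", [d.isoformat() for d in missing_daily(SAMPLE, SAMPLE_TODAY)])
```

The gap report matters as much as the pruning: a missed night inside the daily window means the rollback point before an attack may be a day older than you expect.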

That’s it! 9 steps, some of which you can do yourself and some that your web company will have to (and should) do for you. If you do them all I can almost guarantee that your website will not get hacked (none of the sites I managed ever did after implementing this).
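Steps 1 and 2 rest on the fact that automated scanners request login pages at standard locations. The added example below (not part of the original article) counts those requests per client in a web server access log, so you can see the scanning and confirm that a moved admin folder now answers 404. It assumes the common/combined log format; the path list (the article's /Login and /Admin plus the stock WordPress and Joomla locations), the threshold and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Default login locations to watch for (assumed list; extend for your own CMS).
DEFAULT_PATHS = ("/login", "/admin", "/wp-login.php", "/administrator")
# client ip, ident, user, [time], "METHOD path protocol", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_default_login(path):
    """True if the requested path is one of the default login locations."""
    p = path.split("?", 1)[0].lower().rstrip("/")
    return any(p == d or p.startswith(d + "/") for d in DEFAULT_PATHS)

def probing_clients(log_lines, threshold=3):
    """Clients with >= threshold requests to default login paths.

    'non_404' is True when any of those requests got something other than
    404, i.e. a default location still exists on this site.
    """
    hits, answered = Counter(), set()
    for line in log_lines:
        m = LINE.match(line)
        if not m or not is_default_login(m.group(3)):
            continue
        ip, status = m.group(1), m.group(4)
        hits[ip] += 1
        if status != "404":
            answered.add(ip)
    return {ip: {"hits": n, "non_404": ip in answered}
            for ip, n in hits.items() if n >= threshold}

# Constructed sample log (documentation-range addresses), admin folder already moved.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jun/2015:10:00:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.7 - - [29/Jun/2015:10:00:02 +0000] "GET /Login HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.7 - - [29/Jun/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.7 - - [29/Jun/2015:10:00:03 +0000] "GET /administrator/ HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.20 - - [29/Jun/2015:10:01:00 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.20 - - [29/Jun/2015:10:01:05 +0000] "GET /login HTTP/1.1" 404 162 "-" "-"',
]

if __name__ == "__main__":
    for ip, info in probing_clients(SAMPLE_LOG).items():
        print(ip, info)
```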

Good luck!
