Website Security

By Mary Oquendo
March 24, 2016

I set my free security plug-in to alert me whenever someone tried to hack into my website. I would get the occasional notice so it wasn’t annoying, until one night there was over 30 alerts. My phone dinged all night long. The free plug-in I installed would lock out a user after 20 failed attempts. That means there were over 600 attempts at logging on to my website. And that’s hardly unusual.

Most websites are subject to hacking. You may not even realize your site has been compromised and malware has been installed. Malware is software or code that is embedded into the files of your website and is designed to disable or spy on your site, log keystrokes, install links, and retrieve sensitive data such as passwords, client emails, and financial information.

If your site appears untouched, why should you care?

Because search engines such as Google and Yahoo will blacklist a website if it is infected with malware. Blacklisting means that the search engines put your website on page 100 of a search or place a warning notice on the search listing that your website may be compromised.

Why do hackers hack? 

1. Malicious competitors, disgruntled ex-employees, or bored teenagers looking to disrupt your business.
2. To obtain financial information for identify theft and email lists for phishing. Phishing is when emails are sent to appear as if coming from a legitimate company asking for account information. In addition to phishing, as most emails are sent in HTML code rather than plain text, even opening an email may result in viruses and other forms of malware that may taint your computer. That’s due to a hacker intentionally adding an infected hyperlink embedded in any graphics in the email. That hyperlink automatically opens to the internet and may start the download of viruses or malware. In your email control panel, you may be able to change the settings from HTML to plain text. https://www.us-cert.gov/publications/virus-basics
3. They want your host internet server to conduct business without it being tied to them. Hackers are looking to hide their identity. Most cheaper hosting sites do not dedicate a server to your particular website. You share the server with hundreds of other websites. While it keeps the cost down, your website is located on a busy highway instead of a private road. Private servers usually run at least $50 a month or more.
4. Install hyperlinks to their business. You may not even see them, but anytime someone visits your website, the search engines pick up the links, which improves the ranking of the hyperlinked site.  This is why Google and Yahoo are now penalizing websites that have an excessive number of embedded hyperlinks that are not related to your business.
5. Embed viruses or malware on your computer and website that record your keystrokes or even have the ability to transfer a virus onto the computer of your website visitor.
6. Steal your images. Images are very easy to lift off of a website.

How can you check to see if your site has been compromised? 

1. To check for stolen images, go to http://images.google.com. In the search bar is an icon of a camera. Click on the camera and the option to upload or paste an image appears. Once you add your photo click the search image button. Everywhere that photo appears will show up in the search results.
2. A free site to check if your website has malware is www.quttera.com. If your website is infected, there are service providers that can help you. You could start with recommendations from your website hosting company or friends.
3. Google Analytics can check for malware as well if you have set up an account and installed the tracking number onto your site.

What can you do to prevent your website from being compromised? 

1. Do not open emails from unknown sources and be wary of unexpected emails from friends.
2. Install firewalls or other computer security software from reputable companies.
3. Update, update, update. The reason for most computer, phone, website, and plug-in updates are due to security weaknesses. It does not take long for hackers to find holes and exploit them.
4. As shared servers can impact your website, use reliable hosts. Cheaper is not always better.
5. Keep plug-ins and widgets to a minimum on your website and only install them from reputable sources. Read the reviews and visit their websites.
6. Install a recommended security plug-in or program for your website. There are free and paid versions of most applications. I upgraded to the paid program after my phone dinged all night long. Paid programs have more options. I now have login attempts set at 5 instead of 20.
   “When it comes to website security, don’t cut corners or look for deals. This is the biggest investment I’ve made in my business and it was worth every penny when my site was hacked. There was no downtime and I didn’t lose my work. Considering what I gained, this investment is priceless.”
   — Kimberly Gauthier, Dog Nutrition Blogger for Keep the Tail Wagging
7. Back up your website. You can do this yourself as Adam Lohr does for Barkleigh Productions.
   ”We take protecting our data very seriously and take a few different precautions in case of a computer failure or if something would happen to the building. We do a daily backup that is stored in the office in a fire proof safe and then at least once a week we do a secondary back up that is stored in a separate off site location. Much of our data that we have complied over the years is only stored electronically so we need to make sure that we take precautions to protect it.”
   — Adam Lohr, Barkleigh Productions
   There are backup service providers who will do this for you and store your backups. However, choose carefully. If the provider goes out of business, you may lose access to your files. For all three of my websites, I use a free plug-in that backs up the entire site (not just the database) to my Dropbox account. In addition, I use a paid service for my larger website that backs up to my provider’s cloud service.  A lot of hard work and time goes into designing and maintaining a website, you want an easy way to recover and upload all your hard work back to the server should it become necessary.
8. Do not use obvious user names such as admin or your email.
9. Passwords should be at least 8 digits with all sorts of capital letters, numbers, and symbols. There are services that will remember your crazy password such as LastPass. Passwords should not be the names of your pets, date of births, mother’s maiden name, or any word or phrase that can be found in a dictionary. Here is an easy way to make a complicated password by converting a sentence. I’ll convert Let’s Go Fido to L3t^$G0F!d0 by using similar numbers or symbols to replace the letters. This password now has 11 digits with 3 numbers, 3 capital letters, 3 symbols, and 2 lowercase letters.
10. Log out of shared computers and delete inactive users and ex-employees.

Hackers do not want to spend a lot of time trying to get into your website. They have thousands of sites to choose from. Do not make it easy for them. If they have to work at it, most hackers will move on to easier quarry and leave your site unaffected and thereby not blacklisted by Google and Yahoo.

Few Internet Data states that over 3.5 million people use search engines looking for products and services every single day. So where on the search list do you want your business featured: Page 1 or Page 100? ✂