Some might ask the question “Is my website truly at risk?” with the thought that a small organization’s information-based website would never be on a hacker’s radar. The truth of the matter is that no one is truly safe. In fact, most website hacks involve small company websites, as they are typically the easiest to target and the most vulnerable. That does not however mean that the “big boys” are safe either, as massive organizations both public and private, who have large dedicated security teams with immense budgets are at risk as well. For example, just this past month, there was news that the N.S.A. fell victim to an attack, which left hackers with some severely sensitive and confidential data.
So, now that we have established that even behemoth-sized organizations with virtually unlimited funds dedicated towards security protocols can fall victim to an attack, let’s go over what this means for you specifically in terms of the most frequent type of hack to the majority of websites. It is, in fact, quite rare that a hacker will go after a smaller scale website with the intent to completely obliterate it and take it down. Rather, most hackers that go after these types of websites try to ensure that their hacks do not take down their victim’s website, and the reason for this is that they actually make money from hacking your website. The typical protocol by which they operate is to inject code into your website, so that, for example, when real world users try to visit your website, they either get redirected to another website (of the hackers’ choice), or your website’s textual content is altered to include links or wording pointing to other websites. More often than not, the websites that these hackers are trying to plug by hijacking yours are illicit in nature. Such websites include those that deal with or sell legal and illegal drugs, pornography, weapons, etc. Essentially your website will contain and be associated with material that you would not want anywhere near your company’s name. Besides your company potentially being associated with illicit material, oftentimes the hacks will leave your personal information compromised, eventually completely take down your website, and result in your domain being banned by Google and other search engines.
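A site owner can check rendered pages for the injected redirects and links described above. The following is an added example, not part of the original article; the allowlisted hosts, the `.invalid` domains and the sample HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to link to or load from (assumed values).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Constructed page showing the injections the article describes:
# a forced redirect, a remote script and a hidden spam link.
SAMPLE = """
<html><head>
<meta http-equiv="refresh" content="0; url=https://pills.invalid/buy">
<script src="/js/site.js"></script>
<script src="//cdn.badhost.invalid/x.js"></script>
</head><body>
<a href="/contact">Contact</a>
<a href="https://www.example.com/blog">Blog</a>
<a href="https://casino.invalid/" style="display:none">cheap</a>
</body></html>
"""

class OutboundAudit(HTMLParser):
    """Collect every place the page sends a visitor or loads code from."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.findings.append(("link", a["href"]))
        elif tag in ("script", "iframe") and a.get("src"):
            self.findings.append((tag, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content has the form "0; url=https://..."
            target = (a.get("content") or "").partition("=")[2]
            if target:
                self.findings.append(("meta-refresh", target.strip(" '\"")))

def unexpected_destinations(html, allowed=ALLOWED_HOSTS):
    """Return (kind, host) for every destination outside the allowlist."""
    audit = OutboundAudit()
    audit.feed(html)
    flagged = []
    for kind, url in audit.findings:
        host = urlparse(url).hostname  # None for relative URLs
        if host and host.lower() not in allowed:
            flagged.append((kind, host.lower()))
    return flagged

if __name__ == "__main__":
    for kind, host in unexpected_destinations(SAMPLE):
        print(f"unexpected {kind}: {host}")
```

Run it against saved copies of your key pages after each deployment and compare the output over time; a host that appears without a matching content change is worth investigating.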
Obviously the above demonstrates how terrible things can get if an intruder is successful, so let’s try to avoid all of that nasty business and discuss what measures can be taken in a pro-active, preventative way.
The first thing that you want to check is if your hosting environment is as secure as possible. Since all websites must be hosted somewhere, this is the first crucial place where security features can either be weak, opening the door more easily to hackers, or strong, which will help give your website a strong foundation to stand on. As a rule of thumb, you want to try and stay as far away from a shared hosting environment as possible. I would say that in my experience, a poor quality, shared hosting environment is one of the number one causes for a breach. The reasoning behind this is quite simple; if your hosting provider has given you space on a server where you are sharing one physical machine and IP address with hundreds or thousands of other websites, as soon as one of them gets breached, the hacker gains access to all of them. This is also the reason why most hackers go after shared server environments, since it delivers them the biggest bang for their buck. If you were a hacker, wouldn’t you choose to go after 200 websites at the same time, if it took you the same amount of time and effort as breaking into a single one? While completely dedicated servers are expensive and difficult to maintain, a VPS, or Virtual Private Server, offers many of the benefits of a dedicated server at a fraction of the cost, and will not leave you extremely vulnerable like a shared hosting package will. As such, I always suggest going with a VPS hosting package with a reputable hosting company that has a history of good technical support, and server-side security features such as daily/weekly automated backups, strong internal firewalls and virus protection.
The second step to giving yourself a leg up in terms of being proactive about website security is to install some sort of security related plug-in for your website. Many different CMSs (Content Management Systems) have a wide range of high quality security related plugins available that help you tremendously with features such as firewalls, malware & virus scanners, brute force detectors, real-time threat defense, and password auditors, to name a few. Most of these types of plugins can be obtained free of charge for the base package, which includes the vast majority of the essential features. One of my favorite security plugins that I consistently use with clients is called WordFence, and is used with websites that are running WordPress.
The third and final step to giving yourself the best shot at being as protected as possible, is to make sure that your CMS, plugins, and anything else that is running your website is kept up to date as often as possible. CMSs such as WordPress, and their related plugins, are typically a larger target for hackers, since these applications are used across millions of different sites around the world. Once a weak entry point is found, it can be exploited, and replicated across all of the sites using the same set of software. Luckily most CMSs frequently update their software with security related features and fixes, but if you are not installing these on a regular basis, then you are wide open to exploits that hackers have found and documented. Unfortunately installing these patches and updates is not as easy as it sounds, as updates may result in functionality and/or layout issues caused by compatibility and feature set changes. Therefore, it is crucial that you have a professional perform these updates as frequently as possible, so that they can do so in a safe manner, such as installing the updates first on a development server to ensure no issues arise causing website downtime.
In conclusion, website security is something to be taken seriously, and there are a multitude of ways that you can go about ensuring that you are as secure as possible. I highly recommend either having someone on staff who is an expert in these fields and can deal with all of the various items listed above, or hiring a consultant who can handle this for you in a proactive manner. Although it can be somewhat costly to be proactive about website security, it is exponentially more expensive to either lose your entire website to an attack or, for example, have your company name tarnished by illicit material put up by hackers. So stay safe, be proactive and reach out to your Webmaster to find out how he or she is combating this currently and set a plan.