Cybersecurity: protect website from hackers

Websites are the official online presence of a business. However, websites sometimes get hacked, whether you have an HTML website built from scratch, a Content Management System (WordPress, Joomla, Drupal), or a cloud DIY builder (Wix, Squarespace, Weebly). A hacked website can hurt your business through lost website visitors, stolen customer personal data, infection of visitor devices with malware, and lost online transactions. Hackers can use bots to scan websites and then detect which ones have security holes, especially through outdated CMS plugins and themes.

How do hackers attack websites?

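  • Denial of service attacks: Hackers send a large amount of spam traffic at once, overwhelming the website so that legitimate visitors cannot reach it.
  • Brute force attacks: Hackers use automated tools to test millions of username/password combinations against a login page.
  • SQL Injection: Hackers inject malicious SQL code into a web form and submit it to the website, so that the website's database runs it.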
  • Social Engineering Attacks: Hackers manipulate users into divulging confidential information, such as a website admin panel password, by pretending to be a legitimate business partner.

What happens to the website after it is hacked?

  • The website becomes an email relay for spam
  • The website serves malware to unsuspecting visitors
  • The website redirects to undesirable pages
  • The website contains references to porn, drugs, and illegal activity
  • The website allows hackers to scrape confidential information

What can happen to the business if its website is hacked?

  • Lost visitors
  • Lost e-commerce sales
  • Lowered search engine rankings
  • Lost time getting the site back up
  • Visitor identity theft
  • Lost/stolen data
  • Blacklisting on anti-virus software and web reputation websites
  • Ruined brand reputation

How can your organization protect its website?

  • Create strong passwords for login pages: For securing access to your hosting and/or website login, make sure your passwords use a mix of letters, numbers, and symbols. Also, store the passwords in a password manager, such as LastPass.
  • If you get a random request for your hosting or website admin panel login information, follow up with your webmaster.
  • Do not store confidential information directly on the site: A skilled hacker can scan your website and extract your information through an unrepaired security hole. If you are collecting confidential data from clients, such as patient information for healthcare practices, link to a separate portal secured with an SSL certificate. The portal should also be compliant with data security regulations, such as HIPAA and PCI.
  • Use HTTPS, if possible, especially if your site uses an e-commerce capability.
  • Use VPNs to access any hosting and website admin panels on public Wi-Fi. The public Wi-Fi you access in a cafe or airport is not secure and is subject to spying by a nearby hacker.
  • Ensure that your IT department scans the computers used to manage the website with anti-virus software regularly.

How can you protect a static HTML and CMS website (WordPress, Joomla, Drupal)?

  • Realize no website is too small for hacking: Owners of small business websites tend to not update and patch their websites very often. Hackers can use software to detect unpatched websites, and then attack the site through security holes.
  • Use a security application: A cloud web application firewall, such as SiteLock, Cloudflare, or Sucuri, can block spambots before they reach your website. If you have a CMS website, you have the option of installing a plugin, such as Wordfence for WordPress.

How can you protect a CMS website?

  • Do not use the default username: Using the default username, such as admin for a WordPress website, makes it much easier for a hacker to guess your login information by testing many passwords in seconds.
  • Change the website admin login address: Customize your login page URL and limit login attempts. For example, on a WordPress website, you can change the login address from yourwebsite.com/wp-admin to a custom URL of your choice, such as yourwebsite.com/your-new-login.
  • Control user role privileges on your website admin panel: Administrators have full control over the content, users, settings, themes, and more. Reserve administrator access for owners and webmasters. For the rest of your users, you can give them the privilege to create, publish, and/or edit content.
  • Keep the CMS platform, plugins, and themes up to date: CMS platforms, such as WordPress and Joomla, work around the clock to close security vulnerabilities. Make sure to update CMS software to the latest version as it becomes available.
  • Be selective when choosing plugins: A CMS plugin repository has an endless array of plug-and-play functions available, such as contact forms, page builders, e-commerce, and slideshows. Make sure to check when the extension was last updated. If the last update was from a couple of years ago, the developer might not be working on the plugin anymore. Also, the plugin should have high reviews (4-5 stars) and thousands of installs listed.
  • Remove unused and unsupported plugins: People tend to test out plugins and leave the rejects installed. If you tried out a plugin and it did not function well on your website, delete the program.
  • Enable CAPTCHAs on your forms: CAPTCHAs can prevent spam submissions on your registration, contact, and comment forms. Traditional contact forms require visitors to solve a CAPTCHA by entering numbers and letters displayed on a small image. Google simplified this process by creating reCAPTCHA software that works in the background without any further action from the submitter.
  • Keep backups of your website: Most web hosting companies will keep daily backups of your website ranging from two weeks to a month. You will also want to have extra backups available by using a plugin to send copies to a cloud provider (such as Amazon Web Services). If you get hacked, you can ask your webmaster to restore your website to the latest working version available and then repair the vulnerability.
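To show what "limit login attempts" means in practice, here is a sketch of a login throttle that counts failures both per source IP and per username. It is an added example, not code from this article or from any CMS plugin; the names LoginThrottle, attempt and demo, the thresholds, and the sample traffic (documentation IP addresses) are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

def _keys(ip, username):
    # Normalise so "Admin" and "admin " share one counter.
    return ("ip", ip), ("user", username.strip().lower())

class LoginThrottle:
    """Counts failed logins per source IP and per username in a sliding window."""
    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> times of recent failures
        self._locked_until = {}              # key -> time the lockout ends

    def attempt(self, ip, username, password_ok):
        """Return 'blocked', 'ok' or 'denied' for one login attempt."""
        now, keys = self.clock(), _keys(ip, username)
        if any(self._locked_until.get(k, 0) > now for k in keys):
            return "blocked"  # rejected before the password is even checked
        if password_ok:
            # Reset only the username counter; resetting the IP counter would let
            # a guesser holding one valid account clear it between guesses.
            self._failures.pop(keys[1], None)
            return "ok"
        for key in keys:
            recent = self._failures[key]
            recent.append(now)
            while recent[0] <= now - self.window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                recent.clear()
        return "denied"

def demo():
    now = [0.0]  # fake clock so the run is deterministic
    t = LoginThrottle(max_failures=3, window=60, lockout=600, clock=lambda: now[0])
    out = []
    for _ in range(4):  # constructed traffic: one IP guessing the "admin" password
        out.append(t.attempt("203.0.113.7", "admin", False))
        now[0] += 1
    out.append(t.attempt("198.51.100.9", "admin", True))   # account still locked
    out.append(t.attempt("198.51.100.9", "editor", True))  # other users unaffected
    now[0] += 600
    out.append(t.attempt("198.51.100.9", "admin", True))   # lockout has expired
    return out
```

The per-username lockout means repeated guessing against a known account name also locks out its real owner for a while, which is one more reason to avoid the default admin username.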

To learn more about our website development services, contact us at info@swifttechsolutions.com or 877-794-3811.