Forty years ago, we barely had computers. Twenty years ago we were worried about the millennium bug. Now, with the breaking of the Twenties, the age of cyber attacks is well and truly upon us. Daily attacks breach major websites and put customer details in the news, and attempts to crack into web-based data are increasing exponentially. It’s time that the ‘It’s never happened to me yet’ attitude was replaced with a more proactive approach to managing threats.
So, let’s take a look at the key threats out there right now, both to our security and to that of our readers and clients, and see what needs to be done.
Where a breach has resulted in a loss of data or assets, the average cost of a cyber attack on a business has gone up by more than £1,000 since 2018 to £4,180. Business leaders are now being urged to do more to protect themselves against cybercrime.
Government > Cyber security
What updates do I need to manage with my website?
Developers provide updates to protect against the latest attacks. Some updates are ‘critical’ – these are often security updates. Some are less important.
Where updates are advised, first a check of the compatibility of any other plugin updates should be carried out. After any update, a full check of the website’s functionality and look should be completed immediately, and any defects noted. If any failure of a part of the website is noticed, then a backup may need to be restored, and further investigation carried out before attempting the update again.
Why do I need an SSL certificate?
SSL certificates guarantee that information passed between the public and your website is sent in an encrypted way. This means that interception is prevented, so sensitive and personal data cannot be read by anyone except you and the other party.
Browsers are increasingly warning readers when websites are not protected by SSL certification. Some security products will block pages and issue warnings to make you stop, and be sure you want to proceed. This, of course, will put off many visitors.
An SSL cert is often about £75/year, but this depends on the hosting and the website’s set up. Converting a site takes some time, and there are associated fees. However, as Google and others are down-ranking sites without SSL certs these days, it’s something worth considering to keep your search position.
What types of 'attack' can I protect against?
So, attacks on your website come in a number of forms. There are also the attempts which come through email, and via your phone. Here are the ‘most popular’ attacks on a website!
- Friendly Comments
  - You see that someone has commented on a post or page on your site, and they have said thought-provoking things. Oh, and they’ve included a web address in their comment.
  - This is usually a trick to get you to accept the comment – many a client I have rescued has talked of the Trojan horse comment, which sounds really genuine.
  - My advice – turn comments off – less than 1% are true comments from actual readers.
- Brute Force
  - So, let’s say I set up a ‘BOT’ (a programme) to test your website’s login security, and your passwords. I could ask this bot to try continuously forever, using different combinations, until it succeeds. Once in, virus code can be installed, and other info harvested – such as your customer data!
  - What if you install a programme to allow only 3 attempts from an IP address before it blocks them for an hour? And what if, after 3 lots of this attempt, it requires a two factor login (eg a text to your phone)?
- Security vulnerabilities – As mentioned in the first section, updating your software is one of the key protections here. While you’re doing this, just review your plugins and themes, and disable, then delete any which are no longer used. A great example was a client’s site which stopped working because they hadn’t renewed the subscription to a plugin on the site, and the old software was unprotected against attacks which had recently been discovered.
Tell me about risks and measures I should take with usernames and passwords?
So, do you keep all your passwords saved on your computer? Do you use the same password for many sites?
Need I say more? – well, a little. One of the biggest risks may not be your website. It may be that some other site you subscribe to has your common user / password combo. It gets attacked, and reveals your usual logins, which hackers then use to try all sorts of other sites.
One of the best ways to protect against all these is to follow these steps…
- Don’t repeat logins for multiple sites
- Have a ‘captcha’ or other login tool to prevent 100s of attempts to login to your site
- Don’t use the user ‘admin’ – make it harder to guess.
- Make passwords a combo of random letters, numbers, and characters.
- Change passwords every 6 months
What features, and measures should I look for in a hosting provider?
You get what you pay for.
Siteground and Heart Internet provide the following essential features.
- Daily backup of the site (for at least 2 weeks)
- Loginizer or other brute force attack prevention
In addition, Siteground offer the following on the best packages.
- Weekly scan for malware
- Auto update for selected software (with choices how soon it happens, and whether just core software, or all)
- Secondary areas for development – you can copy your site to a ‘staging’ area, and develop elements of it before moving it to the main live site.
Are there additional plugins or extensions to protect my site?
So, Loginizer is a good 1st step. It stops repeat attempts to gain access to your site, and takes a record of any IP address used in efforts to break in.
The free version is good.
Then there are more advanced plugins – Wordfence is a good one, with many features to protect your site from unauthorised logins.
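The lockout policy described under Brute Force above (3 attempts per IP address, a one-hour block, two factor login after 3 blocks), together with the record of offending IP addresses, as an added Python example. It is not Loginizer’s or Wordfence’s code; `LoginGuard`, `replay` and the sample traffic are made up for illustration.

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 3          # failed logins allowed per IP before a block
BLOCK_SECONDS = 3600      # a block lasts one hour
LOCKOUTS_BEFORE_2FA = 3   # after this many blocks, demand a second factor

@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    blocked_until: float = 0.0

class LoginGuard:  # hypothetical name, for illustration only
    def __init__(self):
        self.ips = {}     # ip -> IpState
        self.audit = []   # (time, ip, event): the record of break-in attempts

    def check(self, ip, now):
        """Decide before the password is looked at: blocked, require_2fa or allow."""
        st = self.ips.setdefault(ip, IpState())
        if now < st.blocked_until:
            self.audit.append((now, ip, "rejected_while_blocked"))
            return "blocked"
        return "require_2fa" if st.lockouts >= LOCKOUTS_BEFORE_2FA else "allow"

    def record(self, ip, now, password_ok):
        st = self.ips.setdefault(ip, IpState())
        if password_ok:
            st.failures = 0   # lockout history is kept, so 2FA stays required
            return
        st.failures += 1
        self.audit.append((now, ip, "failed_login"))
        if st.failures >= MAX_ATTEMPTS:
            st.failures, st.lockouts = 0, st.lockouts + 1
            st.blocked_until = now + BLOCK_SECONDS
            self.audit.append((now, ip, "blocked"))

def replay(events):
    """Feed (time, ip, password_ok) events through a guard; return it and the decisions."""
    guard, decisions = LoginGuard(), []
    for now, ip, password_ok in events:
        decisions.append(guard.check(ip, now))
        if decisions[-1] != "blocked":
            guard.record(ip, now, password_ok)
    return guard, decisions

BOT, USER = "203.0.113.7", "198.51.100.20"  # constructed, documentation-range IPs
# Constructed sample traffic: a bot guessing passwords and a user with one typo.
SAMPLE = sorted([(t, BOT, False) for t in (0, 10, 20, 30, 3700, 3710, 3720, 7400, 7410, 7420, 11100)]
                + [(15, USER, False), (25, USER, True)])
```

Running `replay(SAMPLE)` shows the bot blocked three times and then met with `require_2fa`, while the real user’s single mistyped password never triggers a block.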
How can I tell if I've been hacked?
Often you can’t!
Sometimes things will stop working. The best step here is to consult an expert, and undertake a review of your site with them. It may be a plugin which is no longer supported, allowing an entry to the dashboard. It may just look like things aren’t working, but again they are being interrupted by outdated software.
But the obvious one is that the site looks very odd, and you start getting calls from people saying they can’t view your site, or that they are getting odd emails from the website.
Get it properly checked over! In most cases, the website is your key marketing tool – to have it posing risks to people isn’t good for business!
How can I protect any data submitted via the website?
Well, SSL means any data is encrypted as it comes across.
But in many cases, data sent via forms on a website, or shopping carts, is stored on the database. Most form plugins will have the option to delete entries, or delete certain elements of them to make them anonymous.
Make sure your privacy policy outlines how long data is stored, and stick to it!
For a full GDPR compliance review – just ask!
What else should I be thinking about apart from my website?
Hackers can also try to steal data in a number of other ways. We can help you review, manage and upgrade all of the following:
Emails: are your emails also protected with an SSL Certificate? Are they on secure servers with strong password requirements? Do they have the capacity and bandwidth to meet your needs? Are your servers blacklisted by other email providers so your emails keep getting rejected? Are you using the most effective email protocols for your current needs? How do you manage bulk marketing emails?
General Security, Anti-Virus and Backups: Are you using the most effective anti-virus, anti-malware and firewall solutions? Do you back up your most precious data off-site on a regular basis? Are you using the same, easy-to-guess, password for all your logins and do you change it regularly?