Website Security
The cost of a website hack is more than just the price of cleaning up the mess. According to Wordfence, a popular WordPress security software company, there may be long-term consequences for Google rankings as well. This long-tail effect of a website hack can continue to haunt a business and its profitability long after the hack is repaired.
We believe that many businesses are insufficiently focused on the security of their website. Every business knows that they need antivirus software on their computers, they know that they need a secure passphrase for their WiFi network and they know they need a certain amount of physical security to keep miscreants from walking up to their computers and laptops and accessing their data. But we find that the awareness of the threats to small business websites is much lower and the understanding of the threat much more vague.
Directed Attacks On Your Site
Below are the failed login statistics from two business websites that we manage. Each of these failed logins represents multiple attempts by an unauthorized party to log in to the site as an administrator. We refer to these as failed logins, but this is really a euphemism for directed attacks.
These statistics cover just the last two weeks. Note that there were nearly 50 attempted security breaches on one site and over 100 on the other; that works out to over 2,600 directed intrusion attempts in a year. If we had weak passwords or guessable login names, how long might it take before someone got lucky? And these are just login attempts, trying to come in through the front door. They don’t count attempts to exploit software or plugin vulnerabilities on these systems.
Neither of these websites has any financial data or e-commerce associated with it; they’re both local Lexington small businesses. Yet miscreants controlling computers as far away as France, Turkey and India are attempting to gain control of them.
Why Are They Doing This?
We get this question a lot. These attacks may well be from people sitting at a computer hammering away at a list of sites, but more probably they are automated as part of the whole internet underworld economy. I get this same “Why are they doing this?” question from customers who have had their personal or business computer compromised by a virus. Well, the answers are linked together.
Many virus-distributors use their code to silently take over computers and make them part of what’s called a botnet. These botnets are then rented out to other miscreants for use in various types of attacks on websites, like yours. The person who controls the botnet will use its compromised machines, spread out all over the world, to attack other computers. These attacks will be based on a set of rules provided by the party controlling the botnet. If your website is on their list, it will be attacked randomly by one or many of the computers in the botnet.
If a botnet machine finds a vulnerability in your website, it will be reported to the bad guys and, in all likelihood, your site will automatically be incorporated into their botnet. Since the computer and network that support your website are probably significantly more powerful than a personal computer, it becomes a real prize for the attackers who gain control of it. Your compromised host may be used to host another website that distributes porn, attracts Google clicks, or does who-knows-what other nefarious activity. The bottom line is whatever makes money for the attackers; your website and host will be assimilated into it.
How To Improve Your Website Security
Website security is a bit of a broad topic, but there are a few things you can do to get started:
- Get control of login and administrative rights to your site – Identify which IDs are used to access the web host and the website administration (these are likely different). Identify who knows the logins and what rights they have on the site.
- Use great passwords – Don’t use words that can be found in the dictionary, don’t use commonly guessable passwords. Use long, sophisticated passwords with a mix of cases, letters, numbers and symbols. Make them unique passwords that you do not use for any other system.
- Implement password-guessing protection – Use software that logs IP addresses and limits the number of wrong password attempts to just a few. An IP address should be locked out after a few failed attempts.
- Consider running antivirus software on your website hosting account – there are a number of good products for various platforms. Wordfence is a popular one for WordPress sites.
- Keep all your software and plugins up to date – Check them regularly. Remember, though, that every time you upgrade an item there is some risk of breaking or changing the appearance of your website, so don’t do this thoughtlessly.
- Back up, back up, back up – Back up your website often; in many cases this could be your only remedy. The backups should not reside on the same host as your website.
- Call a professional – Hartland Computer provides security reviews for businesses and we will be happy to review the security of your website.
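The two points above about counting failed logins and locking out an IP address after a few wrong attempts can be shown together in a small script. This is an added example written for this article, not code from Hartland Computer or from Wordfence; the log line format, the IP addresses (taken from documentation ranges) and the thresholds (three failures in five minutes, a thirty-minute lockout) are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication log lines. The format and the IPs are
# made up for this example; 203.0.113.0/24 and 198.51.100.0/24 are reserved
# documentation ranges, not real attackers.
SAMPLE_LOG = """\
2024-05-01 02:14:05 auth: FAILED user=admin ip=203.0.113.7
2024-05-01 02:14:09 auth: FAILED user=admin ip=203.0.113.7
2024-05-01 02:14:12 auth: FAILED user=administrator ip=203.0.113.7
2024-05-01 02:14:15 auth: FAILED user=admin ip=203.0.113.7
2024-05-01 02:14:18 auth: FAILED user=admin ip=203.0.113.7
2024-05-01 02:30:00 auth: FAILED user=editor ip=198.51.100.22
2024-05-01 02:45:00 auth: OK user=editor ip=198.51.100.22
2024-05-01 03:20:00 auth: FAILED user=admin ip=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) ip=(?P<ip>[\d.]+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


class LoginGuard:
    """Per-IP lockout: N failures inside a sliding window lock the IP for a while.
    The thresholds are assumed values, not a recommendation from the article."""

    def __init__(self, max_attempts=3, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=30)):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time when the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Return 'rejected' (already locked), 'lockout_triggered' or 'allowed'."""
        if self.is_locked(ip, now):
            return "rejected"
        q = self.attempts[ip]
        q.append(now)
        # Drop failures that fell out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            q.clear()
            return "lockout_triggered"
        return "allowed"

    def record_success(self, ip, now):
        """A correct password is still refused while the IP is locked; otherwise
        a successful login resets that IP's failure window."""
        if self.is_locked(ip, now):
            return "rejected"
        self.attempts[ip].clear()
        return "allowed"


def replay(log_text, guard=None):
    """Run the log through the guard and summarise activity per source IP."""
    guard = guard or LoginGuard()
    summary = defaultdict(lambda: {"failures": 0, "lockouts": 0,
                                   "rejected_while_locked": 0, "users": set()})
    for ts, result, user, ip in parse_log(log_text):
        s = summary[ip]
        if result == "OK":
            if guard.record_success(ip, ts) == "rejected":
                s["rejected_while_locked"] += 1
            continue
        s["failures"] += 1
        s["users"].add(user)
        outcome = guard.record_failure(ip, ts)
        if outcome == "lockout_triggered":
            s["lockouts"] += 1
        elif outcome == "rejected":
            s["rejected_while_locked"] += 1
    return dict(summary)


if __name__ == "__main__":
    for ip, s in replay(SAMPLE_LOG).items():
        print(ip, s["failures"], "failures,", s["lockouts"], "lockouts,",
              s["rejected_while_locked"], "rejected while locked, users tried:",
              sorted(s["users"]))
```

The summary is what a site owner would actually read: which addresses are hammering the login, how many times, and which usernames they tried (here the generic `admin` and `administrator`, which is why the article warns against soft login names). Note the two edge cases the guard handles: a correct password submitted during a lockout is still refused, and an attacker that waits out the lockout starts a fresh window rather than being blocked forever, which is the trade-off between stopping guessing and not locking out the real administrator.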
Call Hartland Computer at 1.859.667.8999 if you would like help with your computer, website or IT security matters.