If you have a website, you likely worry about things like attracting and keeping readers, making sales, and whether or not to update your design. But there is something else you need to consider: keeping cyber-criminals out of it. Once a site is compromised it is no longer yours, and that thought should always be at the front of your mind.
Most people do not equate protecting their website with protecting their clients. Treating the two as separate is a complete fallacy, and I will tell you why.
We all use a website of some kind to show our wares, our services, our products and what we have done for our clients through testimonials and recommendations. To most of us, our home page is our calling card, even though the digital world, the internet and web traffic no longer use it as the reference for who we are. SEO and impressions drive your website traffic, and of that traffic, the home page is usually not the first page a visitor lands on; it may be that article you wrote, the video you uploaded or your latest podcast.
That is for marketing to understand, but at a security level there are major problems. Automated scanners are everywhere on the internet (ah, the dangers of a bored 12-year-old), probing websites for weaknesses they can exploit. Those weaknesses fall into three areas: administrator access, installed applications that are infected or badly written, and back-door access. Let's look at each of these in turn.
Administrator access: When a system is installed, even by professional web designers, there is always an initial account with global administrator rights. In most cases, especially in content management systems like WordPress and Joomla, that account is simply called admin. Worse, it is usually given a short, easy password so that anyone who needs to can get in straight away. That is a bad idea. Whenever you install a CMS, slow down and think about not only a complicated password but also a hard-to-guess username. The days of "admin" are numbered; something like administrator_me-32# for the username plus a long, unique password is a good place to start. Keep the two in proportion, though: a non-default username only removes one guess from the attacker's list, while the password (and a cap on repeated login attempts) is what actually stops the automated tools.
The dangers of small applications: Well, now you have your content management system running, and you can start setting up pages and articles to boost your SEO. But there are still areas where you need to do your due diligence.
In the case of Joomla and WordPress, there are small programs called plugins and widgets that add functionality to your website. For instance, you want to increase user participation, so you add some way of capturing e-mail addresses. Other widgets add surveys, link to social media or display recent tweets. YouTube embedding, membership, affiliate schemes and forums are just the start.
These applications have to come from somewhere, and the reputation of the supplier is critical. When you are looking for that additional functionality, the first thing to check after what the application does is how it is rated. In our website design business, we only use plugins that are rated above 4.5 stars, are past version 1.0 and come from a supplier with a solid reputation. In most cases this keeps you safe, but it is not foolproof: a star rating measures how well users like a plugin, not how carefully it was written, so also check when it was last updated and whether it is still being maintained.
The last component is updates. Like all software, plugins and widgets need to be kept up to date, and so does the CMS itself, because updates are how known holes get closed. One widely reported attack on WordPress sites was an automated campaign that tried the default "admin" username against weak and guessable passwords, site after site. WordPress later changed its installer to generate a strong password by default and to warn before a weak one is accepted, but a change like that only reaches your site if you install the update.
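The automated "admin" guessing described above, and the weak-account problem from the administrator-access section, leave a very recognisable trace in the web server's access log. The script below is an added example, not code from this article or from WordPress: it reads constructed log lines in the Apache/Nginx "combined" format and uses the WordPress convention that a failed POST to /wp-login.php re-renders the form (HTTP 200) while a successful login redirects (HTTP 302) to flag sources that fail repeatedly and, worse, succeed right after a burst of failures. The IP addresses, timestamps and thresholds are all assumptions for the demonstration.

```python
"""Spot automated login attacks against /wp-login.php in an access log.

Added example, not from the original article. Assumes the Apache/Nginx
"combined" log format and the WordPress convention that a failed login
POST returns HTTP 200 (the form again) and a successful one returns
HTTP 302 (redirect to the dashboard). The log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one bot hammering the form and then getting in, one slow
# guesser below the threshold, and one legitimate user logging in first try.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:14:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:10:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:20:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:20:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "https://example.com/wp-login.php" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, threshold=5, window=timedelta(minutes=5)):
    """Per source IP: number of failed logins, whether `threshold` failures
    ever landed inside one trailing `window`, and whether a redirect (a
    successful login) followed that burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only POSTs to the login form itself; ?action=lostpassword etc. are ignored.
        if not rec or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        if rec["status"] == 200:
            failures[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 302:
            successes[rec["ip"]].append(rec["ts"])

    report = {}
    for ip in set(failures) | set(successes):
        fails = sorted(failures[ip])
        burst_at = None  # time at which the trailing window first reached the threshold
        for i, t in enumerate(fails):
            if sum(1 for u in fails[: i + 1] if t - u <= window) >= threshold:
                burst_at = t
                break
        report[ip] = {
            "failed": len(fails),
            "flagged": burst_at is not None,
            "success_after_burst": burst_at is not None
            and any(s >= burst_at for s in successes[ip]),
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, info)
```

A "flagged" source is the case for blocking the address and turning on login throttling; "success_after_burst" is the incident-response trigger, because the attacker is now inside: reset every administrator password, look for user accounts you did not create, and check the site's files for anything new.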
Backdoor access. Some organisations hire a web development company to manage every aspect of their website. In that case, in addition to the components above, you have to be aware of who else holds a way into the system: an administrator account you do not know about, or a support login the agency keeps, is a back door whether or not it was set up with bad intent. If the website sits on your domain, you should always hold super-user access yourself. No matter what, if you have paid for the domain, paid for the hosting and paid for the production of the website, there is NO excuse for the web company not granting you administrator access to your own site.
Of course, web companies may worry about technically inexperienced business owners making harmful mistakes. The service-level agreement can state that any damage done by the super user is repaired at a cost, but the owner should always have access. DO YOU?
So, why am I discussing all this? Without these protections, a cyber-attack does not just cripple your website: once the bad guys control it, they can turn it against your visitors, pushing malware onto their computers from a site those visitors trust. That is why protecting your website is protecting your clients.
A good web host will offer a paid service that monitors your website for infections; some will clean it, others will simply inform you. If your host has no monitoring, you can add your own with a service such as Sucuri.
Running a website is just like any other form of online interaction: Diligence, common sense and paranoia are your best protections.