Every summer the same thing happens: thousands of websites are hacked by ‘script kiddies’, youngsters who can program a little and get bored during the holiday season.
So make sure your website is secure. This article explains how.
The consequences for the owners of hacked websites are often severe.
In 2011, the Diginotar company even went bankrupt because of a relatively simple hack of their website.
Security is, therefore, an essential part of the sustainable management of your website.
Most ‘ normal ‘ websites do not have the budget needed to exclude every risk.
If a highly secured website is hacked, it is usually the work of professional cybercriminals.
You can do a lot against that, but it also costs a lot of money. The vast majority of ‘normal’ organisations do not have the budget needed to exclude every risk.
Compare it with your office: you do not secure it the way a bank protects its vault, but you still switch on the alarm when you leave, and you check that no windows are open.
Most hacks of ‘normal’ websites are easy to prevent
As I mentioned in the introduction, most hacks of ‘normal’ websites are easy to prevent. They are not interesting enough for professional cybercriminals to spend a lot of time on.
In 99% of the cases, these are hobby hackers or professional hackers who mostly use automated tools that exploit known security holes in the software your website runs on, usually a CMS such as WordPress.
WordPress in particular is popular with hackers because around 60% of all websites run on it. The downside of the ease with which you can install plugins in WordPress is that those plugins are often vulnerable. Internet security experts discover new security holes (and the ‘exploits’ that abuse them) every day, especially in plugins.
We also see more and more automated, professional attacks that aim to use the server hosting your website in a ‘botnet’ to send spam or take part in DDoS attacks.
What can you do?
Below are five measures you can take to make your website difficult to hack; difficult enough that the vast majority of hackers will not even start (unless they want to get at your website specifically, for whatever reason).
If you prefer not to take care of measures 2 to 5 yourself, there is a sixth.
1) Handle your login name and password wisely
Make sure your admin environment can only be reached over a secure (HTTPS) connection. The data is then encrypted, so an outsider, for example someone eavesdropping on the connection, cannot see what you are sending.
If possible, use multi-factor authentication: in addition to the password, an extra security layer based on (one of) the following factors:
- Something the user knows (e.g. password, PIN)
- Something the user has (e.g. bank card, smart card, mobile phone)
- Something the user is (e.g. biometric properties, such as a fingerprint)
Never use a login name such as admin or administrator. Use a hard-to-crack password. The disadvantage is that such a password is also hard to remember.
But if you use a password manager such as LastPass or 1Password, you can unlock many complicated passwords with one secure but memorable master password. That also makes it far less of a chore to change your passwords every quarter, for example. Handle that master password with great care, though.
2) Make sure your CMS software is up-to-date
The actual cause of the vast majority of hacks is that website administrators failed to promptly install the security updates that software vendors release.
In the case of Diginotar, the CMS had not been updated for three years, so there were countless known security breaches.
Any 14-year-old with a bit of information gathered from the internet could hack this website.
So make sure that your CMS software is always up-to-date with the latest security patches.
Whenever you apply an update to your website, always test afterwards whether everything still works correctly.
At Tag tech we work with an acceptance environment, a copy of the live website, on which we first test every update and show it to our customers.
Only when that goes well do we transfer the changes to the live site, and then we test again that everything still works. You can see our workflow for this in the image below:
3) Protect your website against ‘brute force attacks’
An average website receives a few tens of thousands of failed login attempts per day. Yours too.
If all goes well, your web host makes sure that every source of many failed login attempts is blocked automatically.
This is fairly technical work, and the further away from your website in the network you intervene, the more effective it is.
What you can do yourself in any case is change the URL of your admin login page so that it is no longer the default. In WordPress, for example, change /wp/wp-login.php to /control/ or similar, so that the wp-login.php page is hidden. That spares your website a lot of automated brute force attacks.
4) Protect your website against malware
Malware is malicious software that hackers place on your server to infect the computers of your unsuspecting visitors.
Google scans sites for the presence of malware and blacklists around 6,000 websites every day because they are infected. Not a pretty sight if your website visitors see this:
As a preventive measure, scan your website regularly for malware and act immediately as soon as you find any.
A useful aid for this is Google Search Console (formerly Webmaster Tools). There you will find a collection of tools to monitor the health of your website.
If your website is infected with malware and Google has blocked it, you can submit a request via Search Console to have it declared clean again.
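A regular malware scan that does not depend on Google noticing first can be as simple as a file-integrity check: record a hash of every file right after a clean install or update, and later compare the live files against that baseline. Added files in upload folders, changed core files and vanished files are exactly what an infection leaves behind. The script below is an added example, not code from the article; the site layout, file contents and the modifications it simulates are constructed in a temporary directory, and the baseline is only kept in memory here (in practice you would store it off the web server).

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report which files were added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def _write(root, rel, content):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Constructed scenario: take a baseline of a tiny site, then simulate three changes."""
    with tempfile.TemporaryDirectory() as site:
        _write(site, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(site, "wp-config.php", "<?php define('DB_NAME', 'example');\n")
        _write(site, "wp-content/themes/mytheme/functions.php", "<?php // theme helpers\n")
        baseline = build_manifest(site)

        # The kind of changes a compromise leaves behind (all constructed here):
        _write(site, "index.php", "<?php /* injected content */ require 'wp-blog-header.php';\n")
        _write(site, "wp-content/uploads/2019/07/unexpected.php", "<?php // should not be here\n")
        os.remove(os.path.join(site, "wp-content", "themes", "mytheme", "functions.php"))

        return compare_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run the check from cron after every update and treat any .php file appearing under wp-content/uploads, or any change to a core file you did not update yourself, as a reason to act immediately; for WordPress core files you can go one step further and compare the hashes against the checksums WordPress publishes for each release.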
5) Make sure there is always a recent backup of your site
If the damage caused by hackers is severe, you can at least quickly restore a good version of the website.
Some useful tips, especially for WordPress users, from Web Monkey:
6) Have a specialist take care of points 2 to 5 (and more)
Let’s face it: for most of us, managing the security of a website ourselves is too much to ask.
The discipline is difficult to apply and the knowledge even harder to maintain.
That is why it is not a bad idea to outsource this critical task to a (WordPress) security specialist: someone with the knowledge, so that you no longer have to worry about it.