How to protect your business website: part 1

Would you think about building an office with no security system? What about backups for your data? This is an area often ignored by business people, yet it’s as important as other forms of protection for your business. Just as bad, many otherwise smart business leaders don’t think about the security of their website. They invest hard-earned dollars to build the site, then expect everything to just hum along without any further attention, ever.

Experts say there are now some 30,000 hacks of business websites every day. As a web designer, I see some of the stuff going on out there. It’s the wild west! There are highwaymen, criminal gangs, corporate espionage professionals, young independent troublemakers and more, all trying to get into your website for a variety of reasons.

This is the first post in a three-part series on website security. I’ll try to help you understand why security matters and what steps you can take to protect your site from the challenges we are all faced with these days.

Spam, spam and more spam

The most common issue that every website faces is spam. We’re all familiar with the problem of unwanted emails, but for a business it can be serious, because it can hurt you in ways you may not realize.

Don’t expose Email addresses

First, make sure that your Email addresses are not exposed on the web. That doesn’t mean they can’t be seen, just that they shouldn’t be exposed.

Why does this matter? Because there are hundreds of thousands of harvester “bots” roaming the Internet constantly, looking for unprotected Email addresses. When these are found, they are added to databases used by spammers.

Once your Email address is in such a database, it gets sold as part of huge lists harvested through these tactics. Then it gets used in two ways. The first is that you or your employees may start to receive spam and phishing attacks (fake messages that look real, trying to fool you into logging into websites so they can harvest your login details). Your staff can easily mistake a phishing attack for a real supplier message and inadvertently give away login information. In the past few months, these scammers have even taken to phoning, or to sending an Email that asks your staff to call them to talk about a problem. Armed with an Email address and your basic contact information, they pose as IT representatives and get additional login details from unsuspecting staff. In some cases the call-in number is routed to an international call center that charges hundreds of dollars per call, despite the fact that it looks like a toll-free number.

The second issue that comes from these harvesting systems is that your Email address gets used as the “From” address for spam messages sent to others. This means that you or your company can be inadvertently associated with scams and other illegal activities that you have no knowledge of.

Protect all open forms

Spambots roam the Internet looking for open forms on websites and then submit fake messages.

You might wonder what on earth they gain from this. It’s all about money.

Many online forms post information to a public place on the web. A favorite target is WordPress comments posted to blogs, or corporate online support areas. Spambot operators are paid small amounts of money when their messages, which include links to the websites of customers, are posted to a public site. When multiplied by hundreds of thousands of postings around the world every day, the dollars start to get significant. Ever wonder about those offers from so-called “SEO experts” that promise to get you to the top of Google listings? This is one of the tactics they use. When search engines see a web address appear on many websites, that address may rank higher fairly quickly. Unfortunately, before long it gets marked as an abuse of the system and then it gets black-listed, disappearing from the search engine rankings entirely. Companies that were victims of these tactics then have to spend months asking for these postings to be deleted so that they can restore their credibility with Google. By then the scammers have run off with the money and are busy scamming more victims. When you allow spambot-generated comments you are helping these scams and your site can be associated with the related scam links, which might point to spyware sites or even porn.

How to avoid spam

There are three ways to avoid these kinds of attacks.

Obfuscate your Email address

The first measure is to ensure that every time your Email address is shown on your website, it is “obfuscated” or obscured in such a way that spambots can’t read it as a legitimate Email address. It still shows the Email address to human visitors, and clicking it still works normally. But spambots see only code that they don’t recognize as an address and move on.
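Two common ways of doing this, as an added example that is not code from the original post: the first encodes every character of the address as a numeric HTML entity (the browser decodes it for display and for the mailto: link, but a harvester that greps the raw source for "user@domain" never sees an "@"); the second keeps the local part and domain in separate data attributes and lets a small script join them into a working link only after the page has loaded. The address, class name and data attribute names are assumptions made for the example.

```javascript
// Added example, not code from the original post: two ways to show an
// e-mail address to humans while keeping "user@domain" out of the raw HTML
// that harvester bots scan.  Assumed address and markup are made up.

// Method 1: numeric HTML entities.  The browser decodes them for display and
// inside the mailto: link; a bot that only greps the page source for an "@"
// never sees one.
function obfuscateEmail(address) {
  return Array.from(address, (ch) => `&#${ch.codePointAt(0)};`).join("");
}

// What the browser does with those entities; used here to check the round trip.
function decodeEntities(text) {
  return text.replace(/&#(\d+);/g, (_, code) => String.fromCodePoint(Number(code)));
}

// A complete link with both the href and the visible text entity-encoded.
function obfuscatedMailtoLink(address, label = address) {
  return `<a href="${obfuscateEmail("mailto:" + address)}">${obfuscateEmail(label)}</a>`;
}

// Method 2: assemble the address at run time.  The static markup carries the
// local part and domain in separate data attributes plus a human-readable
// placeholder; a script joins them into a working link after the page loads.
function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

function splitEmailMarkup(address, label) {
  const at = address.lastIndexOf("@");
  if (at < 1 || at === address.length - 1) {
    throw new Error("not an e-mail address: " + address);
  }
  const user = address.slice(0, at);
  const domain = address.slice(at + 1);
  const text = label || `${user} [at] ${domain}`;
  return `<span class="js-email" data-user="${escapeAttr(user)}" ` +
    `data-domain="${escapeAttr(domain)}">${escapeAttr(text)}</span>`;
}

// Browser half of method 2: replace each placeholder span with a real link.
// Returns the number of spans converted; guarded so it is a no-op under Node.
function activateEmailSpans(root) {
  if (!root || typeof root.querySelectorAll !== "function") return 0;
  let converted = 0;
  for (const span of root.querySelectorAll("span.js-email")) {
    const address = `${span.dataset.user}@${span.dataset.domain}`;
    const link = document.createElement("a");
    link.href = "mailto:" + address;
    link.textContent = address;
    span.replaceWith(link);
    converted += 1;
  }
  return converted;
}

if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => activateEmailSpans(document));
}
```

Entity encoding is the simpler of the two and needs no script, but a harvester that bothers to decode entities will defeat it; the run-time assembly leaves nothing address-shaped in the static markup at all, at the cost of not working for visitors with scripting disabled (they still see the "user [at] domain" placeholder). Neither stops a determined crawler that executes the page in a real browser, which is why the post pairs this measure with form protection.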

Use Captchas

The second method is to employ a type of gatekeeper technology on your open forms. Called a “Captcha”, this displays a small code made up of letters and numbers that the person using it has to enter before the form can be submitted. This ensures that the person filling out the form is a human being and not a software program. Some spambots are smart enough to read the Captcha code, but those are rare. Most simply move on to a more accessible website.

Unfortunately, some Captcha codes are very hard to read (to foil the more intelligent spambots). As a result, people get frustrated and move on as well, no longer bothering to complete your form. That can cost you sales. A company called ReCaptcha has grown to encompass a huge percentage of Captcha installations, but I really dislike it because too many people get it wrong since it’s exceptionally hard to read the codes. When people can’t read the codes, they quickly give up on your site. I prefer using Captchas that are simple and easy to read, even though it will mean a few spambots can get through the defense.

Protect comment forms

The third anti-spam method is to employ software that reviews all comment submissions and checks them against common spammer addresses and other factors. Without this automated protection your staff may have to sift through dozens, hundreds or even thousands of spam comments to determine which ones are real and which ones are fakes. Not only is this costly, but missing even a few can negatively impact your site if it becomes associated with a link to spyware or pornography through an accidental approval of a spambot comment.

There are a number of companies offering this service, but the only one I’ve found that actually works is Akismet. It’s so good that it is now part of the WordPress family and you need a WordPress account to use it. Akismet requires an annual fee but does a terrific job of intercepting spambots, with very few if any false positives. It works using a number of technologies, including matching known spammer URLs and IP addresses and checking for typical spam content to block suspected spam. Don’t worry, there’s always a way to review blocked comments in case of a false positive. The problem is that a typical site might get hundreds of spam comments each week, so it becomes a big task even trying to review them. I’ve found Akismet so reliable that I trust the results. I’ve experienced no more than a couple of false positives in thousands of spam comments.

The latest effort by spammers is to obfuscate their website URL so that Akismet doesn’t recognize it as a real URL. This is allowing a few spam comments to get by Akismet’s excellent protection, but I’m sure these challenges will be addressed shortly. An Akismet subscription is included in the Adwiz ReBoot maintenance and security program.
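A small comment filter of the kind the two sections above describe, as an added example; it is not Akismet's code (whose internals are not public) or anything from the original post. It checks each submission against a blocklist of spammer domains and IP addresses, then scores typical spam content (several links, sales keywords, a body that is nothing but links), and it normalises the "example dot com" and "hxxp://" disguises mentioned in the last paragraph before matching. The blocklist, the keyword list, the scoring weights and the sample comments are all constructed for the example.

```javascript
// Added example (not Akismet's code, whose internals are not public): a
// small comment filter of the kind the post describes.  It checks each
// submission against a constructed blocklist of spammer domains and IPs,
// then scores typical spam content (link count, sales keywords, link-only
// body).  Every list, weight and sample below is made up for the example.
const BLOCKED_DOMAINS = new Set(["cheap-pills.example", "seo-boost.example"]);
const BLOCKED_IPS = new Set(["203.0.113.5"]);
const SPAM_WORDS = ["buy now", "cheap", "casino", "seo expert"];
const SPAM_THRESHOLD = 5;

// Spammers disguise links ("example dot com", "hxxp://", "example[.]com",
// "example . com") so that URL matching fails.  Undo those tricks first.
function normaliseText(text) {
  return text
    .toLowerCase()
    .replace(/hxxps?:\/\//g, "http://")
    .replace(/\s*[\[(]?\s*\bdot\b\s*[\])]?\s*/g, ".")
    .replace(/\s+\.\s+/g, ".")
    .replace(/\[\.\]/g, ".");
}

// Heuristic domain matcher: label(s) followed by a TLD of two or more letters.
const DOMAIN_RE = /(?:https?:\/\/|www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})/g;

function extractDomains(text) {
  const found = new Set();
  for (const m of normaliseText(text).matchAll(DOMAIN_RE)) {
    found.add(m[1].replace(/^www\./, ""));
  }
  return [...found];
}

// Returns { verdict, score, reasons }.  The reasons are kept so a person can
// review what was held back, which the post notes is always possible.
function classifyComment(comment) {
  const reasons = [];
  let score = 0;
  const body = comment.body || "";
  const domains = extractDomains(`${body} ${comment.website || ""}`);

  if (BLOCKED_IPS.has(comment.ip)) { score += 10; reasons.push(`ip ${comment.ip} is blocklisted`); }
  for (const d of domains) {
    if (BLOCKED_DOMAINS.has(d)) { score += 10; reasons.push(`domain ${d} is blocklisted`); }
  }
  if (domains.length >= 3) { score += 5; reasons.push(`${domains.length} links`); }

  const lower = body.toLowerCase();
  for (const w of SPAM_WORDS) {
    if (lower.includes(w)) { score += 3; reasons.push(`keyword "${w}"`); }
  }

  // A link with almost no surrounding text is the classic SEO-spam shape.
  const words = normaliseText(body).replace(DOMAIN_RE, "").split(/\s+/).filter(Boolean);
  if (domains.length > 0 && words.length < 4) { score += 3; reasons.push("little text besides links"); }

  return { verdict: score >= SPAM_THRESHOLD ? "spam" : "ham", score, reasons };
}

// Constructed sample submissions (RFC 5737 documentation addresses).
const SAMPLE_COMMENTS = [
  { author: "Dana", ip: "198.51.100.7",
    body: "Thanks, the tip about backups was useful. I wrote a follow-up at https://dana-notes.example/backups" },
  { author: "promo", ip: "203.0.113.5",
    body: "Buy now cheap pills at http://cheap-pills.example" },
  { author: "ranker", ip: "198.51.100.9",
    body: "Great post! Visit seo-boost dot example for top Google rankings, SEO expert" },
  { author: "links", ip: "198.51.100.10",
    body: "http://totally-new.example http://another-new.example http://third.example" },
];

function classifyAll(comments = SAMPLE_COMMENTS) {
  return comments.map((c) => ({ author: c.author, ...classifyComment(c) }));
}
```

The blocklist catches known offenders, the content heuristics catch the unknown ones (the last sample has no blocklisted domain but is still held as spam for being three links and nothing else), and the normalisation step is what keeps a disguised "seo-boost dot example" from slipping past the blocklist. A real service layers far more signals on top of this, but the review trail in `reasons` is the part to keep: it is what makes checking a false positive a quick job rather than a trawl through hundreds of held comments.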

Adwiz ReBoot

I apply all these strategies and more in a maintenance service called Adwiz ReBoot. For a small monthly fee, companies get the benefit of security on their site and many additional features. You’ve invested thousands of dollars to build a professional website. What’s the cost if you lose your online reputation and have to start over? Isn’t it worth a small monthly fee? Businesses need to take maintenance and security seriously as part of our modern business reality. Check out Adwiz ReBoot.

Next week, we’ll explore the second security challenge websites are facing: hacker attacks.

George Pytlik

George Pytlik has been involved in the advertising industry for over 30 years and designed his first website when the Internet was one year old. He was an internationally recognized speaker on advertising and branding and served on a number of communication committees at various times throughout his career, as well as writing a regular column for Marketing magazine.
