
How to protect your business website: part 2

Last month we explored the first of three key areas of website security for business websites. Spam is a huge problem and I provided some insights to help you keep it to a minimum. In today’s post we’ll look at another major security issue: hacker attacks.

Experts say there are now some 30,000 hacks of business websites every day. Without adequate steps to protect your site, you are making your business vulnerable to infiltration and its consequences. I’ll help you understand why this is serious and give you some steps you can take to protect your website.


Before we get into the details, you need to understand that no amount of security can completely hacker-proof your website. Nobody can stop a determined effort. Even the most secure military and law enforcement websites have been compromised, and these are protected by entire security teams that are on the job 24/7! Still, with the right measures you can make your site less attractive as a target. Infiltrators will likely move on to an easier victim. Even if you can’t stop them, by knowing more about the problem you can reduce the risk.

A growing problem

The number of website attacks is increasing all the time. There are numerous reasons why people want to break into business sites, and not all of them have to do with access to client data or trade secrets. Just because your site doesn’t have that kind of information doesn’t mean you shouldn’t be concerned.

One of the most common reasons for breaking into a website is to install malware. This often takes the form of a small piece of code embedded deep within a technical area of your website that you wouldn’t even recognize if you saw it. In most cases the infiltrator doesn’t leave any tracks behind so you don’t even know these coding changes were made.

The installed malware typically hijacks your search engine results so that they point to other websites, including porn sites and spammer clients like sellers of various nutritional supplements or pharmaceuticals.

If your site sells products online, hackers may want to access your client database or credit card numbers. Never keep both lists in the same database. A separation between your client information and the credit card numbers means that even if one of these lists is compromised it won’t be of nearly as much value because it won’t connect people directly to their cards.

Even if you don’t store credit card numbers, hackers like to access e-Commerce websites because your customers are likely to use the same password on multiple websites. When the hackers gain access to your list, they try those combinations of email addresses and passwords on other sites, hoping for a match. Passwords are typically stored in encrypted form, which increases the effort needed to recover them, but with a large enough list that effort may be deemed worthwhile.

One of the most common ways of breaking into your site is something called a “brute force” attack. The perpetrators learn your administrator account usernames and then try thousands of common password combinations to gain access.

First line of defense: an active site

Hackers love dormant websites that aren’t maintained or updated regularly because this makes it less likely you’ll find out that your site has been compromised. If your site isn’t being updated regularly, you are putting yourself at risk. Changes should be made no less than once a month and preferably once a week. An active site, regularly modified, becomes less of a target.


In my experience, many business owners have great intentions when building their site. They plan to update it regularly, but don’t create an effective plan. They assign inexperienced non-technical staff who struggle to make the necessary updates. Before long, the site lies dormant for months or even years without any changes. A web maintenance package is inexpensive and ensures that the site is updated frequently. It’s a small investment that pays off in countless ways for your brand. You wouldn’t run your business without insurance against fire and theft, and you should put equal emphasis on insuring your website.

Minimize Administrator accounts

It’s always a good idea to minimize the number of people who have administrator access to your site. With a WordPress site, managing administrators is very easy. WordPress has great built-in options that let you assign some people full administrator access while others have limited access. You can even apply a role management plugin that lets you further refine who can do what. Hackers are only interested in full administrator accounts, so the fewer of these you have, the better. When you must grant temporary admin access to a new user, such as a tech support specialist, change that to a “Subscriber” level account as soon as they’re finished so that you don’t leave an admin account open any longer than necessary.

With WordPress, the default account has an ID of 1 and is named “admin”. Hackers automatically look for these because they offer the easiest path to a brute force attack. By creating an alternate account and then deleting the default account you quickly reduce the potential of infiltration, because the software that seeks out these defaults will move on to another site.

Once you’ve removed the default “admin” account, use administrator usernames that are slightly unusual, again to maximize the effort that’s required and increase the chance that the attacker will move on to an easier target. But keep in mind that getting a complete list of all your administrator account names is pretty easy. It just takes seconds, so these steps are only the first layer of defense.

Use strong passwords

It’s absolutely essential to use the strongest possible passwords. They should consist of at least 12 characters and include numbers, letters in both upper and lower case, and at least one symbol. Never use common words or numeric strings. The first things tried in a brute force attack are dictionary words, names and numeric strings. Don’t even put two or three words together, thinking that makes you safer. It doesn’t. Use random combinations of letters, numbers and symbols.

Change your passwords frequently, and don’t use the same ones you use on other sites. If your site has numerous contributors with administrator access, it’s best to make them change their passwords frequently, because you may have little control over the passwords they’re using. Setting up WordPress to force a strong password is also vital.

Apply site lockouts

Set up your website to monitor login attempts, then lock out users who try too hard. For example, if someone tries to log in several times in a short time period, you can force them to wait 15 minutes or more before trying again. A customer who forgot their password is slightly inconvenienced, but a hacker will be frustrated enough to leave and move on to an easier target. You can have the system alert you each time a lockout has taken place so that you can deal with complaints from legitimate admins. The best systems also allow a permanent “white list” of IP addresses that you know belong to legitimate users, like your office IP, to minimize unnecessary hassles.

There’s also an excellent list of well-known hacker IP addresses that you can install to instantly lock out these known sources.

If the same person gets locked out repeatedly, you can permanently block them. I recommend a permanent ban after 3-5 lockouts in a one-week period. Many attackers will make a very small change to their IP address and try again, but eventually they’ll feel there’s no point to continuing and will move on to another website.

404 detection

404 detection looks at users hitting a large number of non-existent pages, thus generating “File not found” errors known as 404 errors. A user who hits a lot of 404 errors in a short period of time is often scanning for a vulnerability. By watching for this pattern you can lock them out accordingly. As with bad login attempts, it’s best to lock repeat offenders out permanently so you don’t have to worry about them again in the future.

You can also set your website to block efforts to use suspicious or unusually long query strings in URLs. Hackers will attempt to break into your site by using special code inside the web address itself. If your site doesn’t use special query strings to deliver dynamic data, this is pretty much an essential step to add critical protection.

If your site is in English only, or only uses Western languages, you can also block efforts to use non-Latin characters in the URL. This is another common effort by hackers to try to submit a URL with embedded malicious code.
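To make the lockout rules from this section and the previous one concrete, here is an added Python sketch (not code from the original post or from the Adwiz service) that tracks failed logins and 404 bursts per IP, honours a white list, applies a 15-minute lockout and bans an IP permanently after three lockouts in a week, plus a check for overlong or non-Latin URLs. The 5-minute burst window, the burst sizes and the 255-character query cap are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from urllib.parse import unquote

# Times are Unix seconds. The 15-minute lockout and the ban after 3 lockouts in a
# week follow the post; the burst window, burst sizes and query cap are assumptions.
WINDOW, LOCKOUT, BAN_WINDOW = 5 * 60, 15 * 60, 7 * 24 * 3600
LIMITS = {"login": 5, "404": 20}          # failures allowed per WINDOW, per event kind
BAN_AFTER = 3

class LockoutTracker:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)   # e.g. the office IP: never locked out
        self.events = defaultdict(deque)  # (ip, kind) -> event times inside WINDOW
        self.locked_until = {}            # ip -> time the temporary lockout ends
        self.lockouts = defaultdict(deque)  # ip -> lockout times inside BAN_WINDOW
        self.banned = set()

    def is_blocked(self, ip, now):
        """True while ip is temporarily locked out or permanently banned."""
        return ip in self.banned or self.locked_until.get(ip, now) > now

    def record(self, ip, kind, now):
        """Record a failed login ('login') or missing page ('404'); return the action taken."""
        if ip in self.whitelist:
            return "whitelisted"
        if ip in self.banned:
            return "banned"
        recent = self.events[(ip, kind)]
        recent.append(now)
        while now - recent[0] > WINDOW:   # forget events older than the burst window
            recent.popleft()
        if len(recent) < LIMITS[kind]:
            return "ok"
        recent.clear()                    # burst detected: start a temporary lockout
        self.locked_until[ip] = now + LOCKOUT
        history = self.lockouts[ip]
        history.append(now)
        while now - history[0] > BAN_WINDOW:
            history.popleft()
        if len(history) >= BAN_AFTER:     # repeat offender: block permanently
            self.banned.add(ip)
            return "banned"
        return "locked"

def suspicious_request(path, max_query=255):
    """Flag an overlong query string or non-ASCII characters (checked after %-decoding;
    treating every non-ASCII character as non-Latin is a deliberate simplification)."""
    decoded = unquote(path)
    return len(decoded.partition("?")[2]) > max_query or not decoded.isascii()
```

In a real deployment the `record` calls would be driven by the web server's access log or the login hook, and the alert e-mail mentioned above would be sent whenever `record` returns "locked" or "banned".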

Away mode

While I don’t recommend it because access to your site’s administrative area could be needed at any time if there’s an emergency, you could employ an “Away Mode” that locks out all administrator access except during certain time periods. For example, you could set up your site to be administered only during business hours. The danger here is that if something goes down that needs attention, say in the wee hours of the night, there is no administrator who could gain access. Not even a super-admin could get in. However, it’s an option for some businesses.

Additional WordPress measures

WordPress is an awesome platform and has some great features. In addition to the things mentioned above, the following measures are also recommended:

Disable directory browsing. Unless specifically disabled, users can access any directory on the site that doesn’t contain a default file. For example, image directories often don’t have an index file that intercepts the directory reference, thus showing a list of all the files in the directory. You should always disable this at the server level.

Disable PHP in uploads. WordPress has a default Uploads directory where it stores all the media files that you place on the site through the WordPress “File Upload” feature. Hackers can potentially use PHP code to force unexpected file uploads to this directory, including malware. It’s best to disable any PHP commands from working on this directory. There may be some cases where this can cause problems for website functionality, but it’s usually not an issue.

Hide the backend. You can hide the back end of WordPress by renaming it. This means brute force attacks will not necessarily recognize your site as a WordPress site without closer examination. But I find that this is a lot of effort for a questionable result because it can cause problems for some plugins, and a hacker just needs to look at your page code to see what you’ve named the default directory.

Protect system files. It’s pretty important to protect key system files like the .htaccess file from modifications. Once your site is built, these rarely need to be updated. When they do, you can temporarily unprotect them, or download the file, make the changes and upload the changed file.

Remove WordPress Generator meta tag. There’s no need to include the “Made by WordPress” generator meta tag in the header of your website. It’s just an advertisement telling prospective hackers that this is a WordPress site. I remove it from my client sites by default.

Remove the Windows Live Writer header. This code is not needed if you do not use Windows Live Writer or other blogging clients that rely on this file.

Remove the Really Simple Discovery header. If you don’t integrate your blog with external XML-RPC services such as Flickr and you don’t access your site using the WordPress app for tablet devices then the “RSD” function is pretty much useless to you. This code can potentially be compromised so if you don’t need it, then it should be removed.
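Once the last three items have been applied, it is worth confirming that the tags are really gone. The following added Python check (not code from the original post) parses a page's HTML source and reports which of the default WordPress markers are still present; the two sample heads are constructed for the example.

```python
from html.parser import HTMLParser

class HeadTags(HTMLParser):
    """Collect every <meta> and <link> tag with lower-cased attribute names."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("meta", "link"):
            self.tags.append((tag, {k.lower(): (v or "") for k, v in attrs}))

# Default WordPress markers, each named after the measure in the post that removes it.
CHECKS = {
    "WordPress generator meta tag": lambda t, a: t == "meta"
        and a.get("name", "").lower() == "generator" and "wordpress" in a.get("content", "").lower(),
    "Windows Live Writer manifest link": lambda t, a: t == "link"
        and a.get("rel", "").lower() == "wlwmanifest",
    "Really Simple Discovery link": lambda t, a: t == "link"
        and a.get("type", "").lower() == "application/rsd+xml",
}

def audit_head(html):
    """Return the markers still present in the page source, in CHECKS order."""
    parser = HeadTags()
    parser.feed(html)
    return [name for name, match in CHECKS.items()
            if any(match(tag, attrs) for tag, attrs in parser.tags)]

# Constructed sample heads: WordPress defaults, and the same head after hardening.
DEFAULT_HEAD = """<head>
<meta name="generator" content="WordPress X.Y" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml"
      href="https://example.com/wp-includes/wlwmanifest.xml" />
<link rel="stylesheet" href="https://example.com/style.css" />
</head>"""
HARDENED_HEAD = '<head><link rel="stylesheet" href="https://example.com/style.css" /></head>'
```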

You can’t take security lightly in this day and age. The above security measures are addressed in every website I build. They are also part of my low-cost Adwiz ReBoot maintenance and security program.

Adwiz ReBoot

I apply all these strategies and more to a maintenance service called Adwiz ReBoot. For a small monthly fee, companies get the benefit of security on their site and many additional features. You’ve invested thousands of dollars to build a professional website. What’s the cost if you lose your online reputation and have to start over? Isn’t it worth a small monthly fee? Businesses need to take maintenance and security seriously as part of our modern business reality.

Next month, we’ll explore the third major security challenge websites are facing: protecting your site content.

George Pytlik

George Pytlik has been involved in the advertising industry for over 30 years and designed his first website when the Internet was one year old. He was an internationally recognized speaker on advertising and branding and served on a number of communication committees at various times throughout his career, as well as writing a regular column for Marketing magazine.
