First off, let me say that if you process credit card transactions, are a bank or collect customer data online, this article isn’t for you. There is a whole list of additional security considerations for keeping sensitive data safe online, and they go well beyond what is covered here.
This article is for the small business owner who maintains a standard, mostly informational website. There are a few steps you can take to ensure that your web properties are reasonably safe from the most common threats.
You may be asking yourself, “Why should I care about online security? I don’t take credit card transactions on my site. All I have is a few informational pages about my business.” That is exactly what most small business owners think, and it is also why tens of thousands of websites are hacked every year: the attacker does not care what your site is for, only that it is a server he can use.
There are two types of attacker to be concerned about. The first is the hobbyist. This is typically the local kid who likes computers, is part of the local computer club and thinks it’s fun to break into websites. Generally there isn’t much malicious intent here, just pranking and proving to his friends that he can do it.
The hobbyist is looking for the low-hanging fruit. He probably knows a lot of the local businesses and sees their websites regularly. He’s also familiar with the most common web platforms and knows the default administrator accounts and login addresses they create (for example /wp-login.php on WordPress or /administrator on Joomla). If there’s a link to log in anywhere on a home page, he’s going to click it and see if he can get in.
The hobbyist is going to leave his mark in some way. Usually by defacing the site with the modern version of graffiti. In other words, spouting his manifesto, uploading rude pictures or just plain replacing your page with whatever cause he’s into right now.
Unless you’re checking your site every day and/or have a significant amount of traffic, the hack may go unnoticed for several days or weeks, but potential customers may be turned away by vulgar or inappropriate content.
The second threat is spammers. Unscrupulous web entrepreneurs pitching everything from cheap foreign medicine to get-rich-quick schemes are trying to get their message out the quickest, cheapest way possible, and in the way least likely to be traced back to them. They do this by hijacking the storage space and bandwidth your web server provides to host your site. Automated scanners seek out web servers and applications with known security vulnerabilities and exploit them, with no human deciding whether your site is worth attacking. Once in control, spammers can use your resources to host image files, send spam email, and serve viruses and malware to your visitors in order to take over more servers and computers.
A spammer can have control of your web server for months without you knowing it. Unless you are monitoring traffic and storage use, hundreds of requests can be hitting your site every day without raising any red flags.
Often the first notification you get will be from Google. Google’s Safe Browsing scanners detect sites that serve malicious content. The site is flagged with a warning in search results and in the browser, or dropped from the index entirely, and the site owner is notified (through Google Search Console, if you have registered your site there) that the malware must be removed before the warning is lifted. I can tell you from experience that getting dropped from Google’s index is easy. Getting back in takes some work.
What you can do to protect yourself.
Both the hobbyist and the spammer are looking for easy prey. Unless you are a tempting target with large rewards, the vast majority of attackers will move on once they see that basic controls are in place. There are plenty of unprotected servers, so it is not worth their time to work at yours. The one exception is the automated scanner, which does not make that judgment: it exploits whatever vulnerable software it finds, which is why keeping software patched is the single most important step below.
Again, this is where we get back to credit cards and financial information. If you handle either of those, these steps are not enough. But they will prevent the most common attacks on most sites.
- Remove any obvious links to login screens unless you run a membership site whose visitors regularly log in. Bookmark your login page and remove the link from your public-facing pages. The link isn’t necessary, and it advertises an easy first step. Be aware that this only removes the temptation for a casual visitor: the login addresses of common platforms are well known, so it is no substitute for the steps that follow.
- Do not use admin, administrator or the name of your domain as the administrator login. If such an account already exists, create a new administrator with a different name and delete or demote the old one. Some platforms (WordPress, for instance) reveal usernames through author pages, so treat the username as one small hurdle rather than a secret.
- Use strong passwords. If your password contains the word “password”, assume you have already been hacked. Length matters more than clever substitutions: use a password or passphrase of at least 12 characters, unique to this site and stored in a password manager rather than reused elsewhere. If your CMS offers two-factor authentication (often as a plugin), turn it on for every administrator account.
- Keep your software up to date. If you use WordPress, Joomla, DotNetNuke or any other content management system (CMS), check at least monthly that the core, its plugins, themes and extensions are all current, and turn on automatic updates where the platform offers them. All of them have out-of-date versions with security holes that are exploited by the scanners described above, and add-ons are patched at least as often as the core product.
- Don’t advertise the CMS and version number you are using. Spammers use programs that search out versions of applications with known security holes. Remove it from your footer and ask your web developer to remove it from the page source if possible. This raises the bar only slightly, since scanners also recognise a CMS from its file paths and stylesheet addresses, so it supplements updating; it does not replace it.
- Ask your web developer/programmer for a security review. There are more advanced measures a developer can put in place, such as restricting the administrative area to your office’s IP address, locking out or slowing down repeated failed logins, and blocking traffic from countries you never do business with. Country blocking reduces noise rather than stopping a determined attacker, who can route through a proxy, but it does cut down the automated probing.
- Review your traffic logs at least monthly. Traffic spikes from countries where you have no customers, referrals from sites you do not recognise, many requests to the login page from a single address, or an unexplained jump in storage or bandwidth used are signs your server may have been attacked.
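The monthly log review above can be largely automated. The following script is an example added to this article, not a tool from WordPress, Joomla or any other vendor: it reads web server access log lines in the common Apache/nginx “combined” format and reports the warning signs listed above that can be found without outside data (the country lookup needs a GeoIP database, so it is left out). The login paths, trusted referrer list, upload directories and the threshold of 10 login attempts are assumptions to adjust for your own site, and the log lines at the bottom are constructed samples using the reserved documentation address ranges.

```python
"""Scan an access log for signs of attack: one client hammering the login page,
referrals from unknown sites, and server-side scripts appearing under an
uploads directory (a common sign of a planted web shell).
Example code written for this article; not a vendor tool.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Combined log format:
#   ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Assumptions to tune per site: login pages of common CMSs, referrer hosts you
# expect to see, directories that hold uploaded files, and script extensions
# that should never be served from those directories.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/user/login", "/login")
TRUSTED_REFERERS = ("example.com", "google.", "bing.", "duckduckgo.")
UPLOAD_DIRS = ("/wp-content/uploads/", "/images/", "/media/")
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, login_threshold=10):
    """Return a dict of indicators found in an iterable of log lines."""
    hits = Counter()            # requests per client IP
    login_posts = Counter()     # POSTs to a login page per client IP
    odd_referers = set()        # referrer hosts not on the trusted list
    scripts_in_uploads = set()  # script files requested from upload directories
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # skip lines that are not in combined format
        hits[rec["ip"]] += 1
        path = rec["path"].split("?", 1)[0]   # drop the query string
        if rec["method"] == "POST" and path in LOGIN_PATHS:
            login_posts[rec["ip"]] += 1
        host = urlparse(rec["referer"]).netloc.lower()   # "-" yields ""
        if host and not any(t in host for t in TRUSTED_REFERERS):
            odd_referers.add(host)
        if path.startswith(UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXT):
            scripts_in_uploads.add(path)
    return {
        "top_ips": hits.most_common(5),
        "login_bruteforce": {ip: n for ip, n in login_posts.items() if n >= login_threshold},
        "suspicious_referers": sorted(odd_referers),
        "scripts_in_uploads": sorted(scripts_in_uploads),
    }


# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2021:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2021:09:12:03 +0000] "GET /about HTTP/1.1" 200 4096 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2021:09:15:44 +0000] "GET /wp-content/uploads/2021/03/shell.php?cmd=id HTTP/1.1" 200 312 "-" "curl/7.68.0"',
    '203.0.113.22 - - [10/Mar/2021:09:20:10 +0000] "GET /contact HTTP/1.1" 200 3000 "http://cheap-pills.invalid/buy" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [10/Mar/2021:09:31:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.25"'
    for i in range(12)
]


def report(lines):
    """Print a short human-readable summary of analyze()'s findings."""
    r = analyze(lines)
    print("Busiest clients:", r["top_ips"])
    print("Login brute force (POSTs >= threshold):", r["login_bruteforce"])
    print("Unrecognised referrers:", r["suspicious_referers"])
    print("Scripts requested from upload dirs:", r["scripts_in_uploads"])
    return r


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against your real log with `analyze(open("/var/log/apache2/access.log"))` (path is an assumption; ask your host where the log lives). Each finding is a prompt to look closer, not proof of a break-in: a genuine new partner linking to you will show up as an unknown referrer too, so add such sites to the trusted list as you confirm them.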
Too many small business owners take a set-it-and-forget-it attitude to their web sites, and many of them will run into problems with malicious visitors down the road. Lost sales and the cost of rebuilding a compromised site are two reasons why these steps can save you time, money and effort in the future.