Chris WiegmanWebsite attacks are all over the news affecting everything from high-profile sites like San Francisco’s BART system to wide-spread attacks on smaller sites designed to spread malicious software to the masses. While nothing can guarantee with 100% certainty that your website won’t fall victim to an attack there are 3 things you can do, regardless of what software you use, to greatly minimize the chance that you will be a target.
1. Keep Up On Software Updates
Vulnerabilities are constantly popping up in all kinds of software. Whether your site runs on Expression Engine, DotCMS, WordPress, or something else it is vitally important to learn how your software’s upgrade system works and then to make sure you’re installing every security update available.
Many attackers use something known as a zero-day attack. This is a vulnerability that has not yet been patched and, in some cases, is not known to the software vendor. Attackers spend a lot of resources looking for these vulnerabilities and this is why installing security updates as soon as they become available is so vitally important. Simply put, if you don’t update you have left a door open for someone to get into your site.
2. Use Strong Passwords
While this might seem like common sense, to many it is still common to use passwords as simple as the word “password” to protect their investment in their website. Use a strong password or paraphrase of at least 20 characters and change it at least every 4 months. Also make sure that you use different passwords throughout your site ensuring that if someone gets your WordPress (or other content management system) password they won’t also have your database and FTP/file system password.
In addition to protecting from someone changing the content of your site, enforcing strong passwords can protect you personally as well as your customers. Once a password is known it is a relatively simple process to determine other passwords saved in your database using techniques such as a rainbow table to remove the security imposed by the hashing algorithm that was used to store the password. Combine this with the fact that most people use the same password across multiple websites and you suddenly have a situation where the accounts of both you and your customers are in danger on other sites as well.
3. Watch Your Site
This is probably the most important as well as the most overlooked aspect of protecting your website. All the plugins, services,and techniques in the world can’t beat a watchful website owner. Look for abnormalities, traffic spikes, downtime, etc and investigate anything out of the normal. Watch news on your software and host to make sure their lack-of-security isn’t making headlines. Look at the content of your site to make sure nothing has changed that you didn’t change yourself. It is far better for your traffic and your reputation if you discover a problem with your site before Google or your customers do.
Fortunately, when it comes to monitoring your site you’re not on your own. Many of the tools you use every day to determine the effectiveness of your marketing and help you with your SEO can also be harnessed to help you keep your site safe:
- Google Webmaster Tools can help you find problems in your site and will tell you if it detects Malware on a given page. Watch it’s diagnostics section closely for clues to problems.
- Pingdom can help you find problems by reporting outages to you with their phone app, email, or text message.
- Google Analytics can help you find anomalies in traffic to your site. Often times, when your site has been hijacked for malicious use you may not see any outward changes on your homepage. Analytics can show you the problem which will often show up as a large traffic site to an old or relatively unused part of your website.
- Google or Bing can help you discover hidden links injected into your site by an attacker by simply searching through for the name of your site along with common link-bait terms such as “pills,” “casino,” or any of a host of other terms that shouldn’t appear anywhere in your content.
When it comes to safety there are many products that can help make your life easier, but none of them can take the place of the keeping current updates, using strong passwords, and just being vigilant in your monitoring. Combine these 3 steps with some good security software however and your chances of falling victim will have just fallen off the proverbial cliff.