Having one of your clients phone you up to say their website has been hacked over the holidays is not something any IT support company wants. However, exactly that happened only this last week to a client who has a website hosted by another IT provider. Following on from this act of destruction, we thought we should put together an article on website security and hacking.
You are probably already aware of what hacking is. But for those who aren't – hacking is the action of somebody, generally referred to as a ‘hacker’, gaining access to your website, social media profile etc. without authorisation. They could be doing this for a number of different reasons – to steal personal information, to take down the website or to control the site, or even just for fun.
Hackers have many different ways to hack into operating systems. To name a few: Cross Site Scripting (XSS), Clickjacking and SQL Injection. Hackers create code that they ‘inject’ and that will affect the site. They can also hack through spam email and pop-up windows.
Unfortunately there is no way to completely protect your website. However, there are steps that you can take to make it as difficult as possible for the hackers. Below are some things that you can do to secure your website from these hackers. We have chosen a few of our favourite top tips!
Username and Password Strength
Hackers are able to get into your system by using a downloadable program that can guess your usernames and passwords in seconds. To help prevent hackers from guessing your username/password, you should change it regularly and it should be a very strong username and password. A strong username/password is a word that includes letters, symbols and numerical characters. You should keep this to no less than 8 characters. You can use the below link to run through a few words to see how secure they are. But DO NOT use your own current passwords!
Two-factor authentication is based on the principle of a) something you have, and b) something you know. So when a user enters a password, they are then asked to complete a second verification step, such as entering a code sent to them by text or via an automated phone call, or using a “soft token”, which is an app that contains a code to verify the password.
This is becoming increasingly popular with companies for logging in, especially with the likes of banks or other companies which store a lot of your data, such as Google.
Update your Software
One of the best ways to protect your website is by keeping all of the software up to date. Always ensure that you check for updates, patches and new versions of programs and plugins. Once you have verified the update is genuine and is not going to cause issues to your website, install the updates. If you are running plugins, only download them from websites that you trust.
There are some plugins that you can purchase in order to provide higher levels of security. A plugin called ‘SiteLock’ is usable for both HTML pages and CMS-managed sites. This plugin provides daily monitoring for everything, including vulnerability identification, virus scanning and malware detection.
Web Application Firewall
A web application firewall (WAF) sits between your website server and data connection. It reads every bit of data passing through it and can be either a software or a hardware facility.
The WAF works by blocking all hacking attempts and filtering out any unwanted traffic. Many WAFs nowadays take the form of a ‘Cloud’ based service.
You should always keep your files and data backed up. Always keep a back-up so that, if your website does get hacked, you have a second copy of everything. If you don’t know how to back up, take a look at our blog on what backing up is and how to do it.
Switch to HTTPS
Hyper Text Transfer Protocol Secure (HTTPS) is a secure communications protocol that is used to transfer sensitive information between a user, website and the web server. For example, when a user fills in a ‘subscribe’ form on your site, HTTPS protects this personal information. Data sent using HTTPS is secured via the ‘Transport Layer Security’ (TLS) protocol, which provides three layers of protection.
You can never really have any idea of how secure public Wi-Fi spots are, whether in hotels, the airport or your local coffee shop. If you do need to use these public Wi-Fi spots, then there are two ways around this. You can set up a hotspot on your smartphone using your mobile data. To find out how to set up a hotspot for your Android check it out here, and for an iPhone here. Another way to avoid intrusion into your online browsing is to use a Virtual Private Network (VPN). These encrypt traffic so that the Wi-Fi network is unable to see what you’re browsing.