Weekly Spam Edition 4
By Perry Bernard for Forge Online.
Here are some of the basic preventative steps you can put in place to ensure your website remains unscathed despite the massive daily volume of hack attempts made world-wide:
Protect Your Website with these 10 Steps
- Avoid using the “admin” login name or any other common name for your website, and if the “admin” user exists, create a new user and delete the “admin” one. Hackers know all about the other combinations like your name, the name of your website, the name of your business or anything else that can be guessed or assumed from the content of your website.
- Avoid publishing the login email address on the front end of your website. For example, if you use sales@ or info@ as your contact email address on the Contact page, then don’t use this same email address as your login email. Hackers sometimes assume that published email addresses may be the same address you use for login, which places them one step closer to logging in.
- Use strong passwords with multiple types of character, like ‘small’ letters, ‘CAPS’, numbers and symbols such as @, %, & and *. The best password is a meaningless string at least 8 characters long, using all the different types of character noted here. Also avoid kidding yourself about how strong your password is by using numbers in the place of letters, as in ‘p455w0rd’ or ‘s3cr3t’. Amazingly, hackers know all about these number-letter substitutions already! The same goes for any recognisable word disguised with a similar strategy.
- Ensure your base CMS (if you use one) is up to date. Some CMS upgrade processes can cause technical problems or outages; so always ensure you have a backup copy of your website before attempting an upgrade of the CMS. If you are unsure about this, hire a professional. Hackers sometimes gain access to your CMS via vulnerabilities in outdated versions that have not been patched.
- Ensure your software, extensions, plugins and themes are kept as up-to-date as possible, and again note that an upgrade might break your website so a backup is advised. But keep in mind that sometimes these extra website functions may clash with the CMS operating system or with each other, so the most recent ‘safe and working’ version may be better than the very latest version. Hackers know how to hunt down vulnerable features to leverage any weaknesses.
- Check with your hosting provider to make sure they have security systems in place and that they also keep a backup of your website in case you need to roll back to a working version. Most website hosts won’t keep backups for very long unless you add this as an extra service, so be aware that if a problem occurs, act quickly to get it fixed before the oldest working backup gets deleted. Hackers may be able to gain access to file and database systems without logging in to your website.
- Run security software on your website that protects both your login processes with a firewall and your site’s files via a virus scanner. This is your automated security system to protect your asset and you should invest in the best protection you can afford. These are mostly quite low cost and sometimes even free so it’s fairly likely you can buy the best for not too much at all. Good protection systems also monitor and protect against login attempts, Denial of Service (DoS) attacks, fake bots and many other malicious traffic sources.
- Avoid having your website hosted on a server that might have other poorly protected websites on it. Your website can be affected by an infection or hack on a website on the same server even if your websites aren’t connected by links. This is quite hard to detect, but generally you will probably find that poor sites hang out on cheap or free hosting services – which also often have less security in place. Your business is worth protection by using trustworthy services.
- Protect your domain name server (DNS) login and your domain host login with strong passwords and do not share these with anyone if not absolutely necessary.
- Register your website in Google Search Console to receive alerts and monitor activity. This is your backup alert system because Google actively lets site owners know when it detects unusual activity; however, an alert means something is already amiss.
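The first three steps above can be checked automatically before an account is created. The following is an added example, not part of the original article: the function names, the small word list and the sample values used with it are constructed for illustration.

```python
import re

# Constructed sample word list; a real audit would load a larger dictionary.
COMMON_WORDS = {"password", "secret", "admin", "welcome", "letmein", "qwerty"}
# Number/symbol-for-letter swaps that guessing tools already undo.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

def deleet(text):
    """Lower-case the text and reverse common number-letter substitutions."""
    return text.lower().translate(LEET)

def audit_login(username, login_email, password, site_terms, published_emails):
    """Return a list of findings; an empty list means every check passed.

    site_terms: names guessable from the site (owner, business, site name).
    published_emails: addresses shown on the public pages of the site.
    """
    findings = []
    guessable = {"admin"} | {t.lower() for t in site_terms}
    if username.lower() in guessable:
        findings.append("username is guessable")
    if login_email.lower() in {e.lower() for e in published_emails}:
        findings.append("login email is published on the site")
    if len(password) < 8:
        findings.append("password shorter than 8 characters")
    # The four character types from the list: small, CAPS, numbers, symbols.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    if not all(re.search(c, password) for c in classes):
        findings.append("password lacks a character type")
    # Undo substitutions first, so 'p455w0rd' is treated as 'password'.
    plain = deleet(password)
    words = COMMON_WORDS | guessable
    if any(w in plain for w in words if len(w) >= 4):
        findings.append("password contains a recognisable word")
    return findings
```

A password such as ‘S3cr3t!9’ satisfies the length and character-type rules yet is still reported, because undoing the substitutions exposes the word ‘secret’.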