Why would anyone want to hack my website?
As a small business owner, you might assume, with sound logic, that unless you sell online, no one would want to hack your site. After all, if there’s nothing to steal, why force your way inside?
There are four problems with this logic.
- Hacking begins with bots, small programs that scan the web looking for weaknesses. These bots cannot see what kind of website you run. Instead, they scan every site for specific vulnerabilities, trying to find the software equivalent of an unlocked door.
- Credit card data isn’t the only thing worth stealing. Confidential information is often more valuable than credit card numbers. For example, if your email is on the same server as your website, a weak spot could grant someone access to your incoming and outgoing mail. Think of the devastating effects of the 2016 hack of the Democratic National Party email server.
- It might not even be your website they want. Websites hosted on shared hosting plans are especially vulnerable because one hack can grant the perpetrator hundreds of website access points.
- Stealing isn’t always the goal. One of the most insidious hacks is placing software on your server to quietly assist in other operations like spying, spamming, and even breaching other servers. An example of this type of hack is the “denial of service” attack in 2016 that brought down dozens of top US websites for a day. Hackers accomplished this by overwhelming a domain name server using thousands of hacked web cameras.
Because of all these motivations, every website is at potential risk, not just online shops. It’s also a good idea to think of “your website” as more than just the part where your domain resides. Most companies should also consider their security practices around their social media and Google Business listings. Having these channels hijacked could be just as damaging.
Offset a significant portion of the risk with these precautions:
1. Use wise access protocols.
- Only use complex, impossible-to-guess passwords.
- Use different passwords for your email, website host, domain registrar, social media accounts, etc.
- Don’t email or text usernames and passwords together.
- Understand your security is only as strong as the security used by anyone with whom you share access.
- Don’t grant high-level access to someone who doesn’t need it. In many cases, you can give access to only the specific service an employee or contractor needs. Facebook and WordPress both offer graduated account levels for contributors.
- When someone is done sharing your password, change it.
2. Think twice about cheap/shared hosting plans.
If you can afford a virtual private server or an actual private server, pay a little more for this hosting plan. Using a shared server is a bit like living in a boarding house; your security depends on not just the landlord’s practices, but those of all the other tenants.
3. Compensate for the vulnerabilities of your software.
Between twenty-five and fifty percent of the web is now powered by WordPress, depending on who you ask. And popularity invites risk. Imagine if every safe in the world used the same brand and style of lock. Figuring out how to crack one would get you into them all.
If your site runs on a content management system, you should take these basic precautions:
- Avoid free themes and stick to custom-created or purchased themes from a reputable source. Themes are a pre-made design you or your developer can install on your website. Quality custom or paid themes use less code and fewer plugins. If you must use an off-the-shelf design, look for one from a company that sells only the designs they create in-house. These will be of better quality and include regular updates and support. Avoid marketplaces that resell themes from hundreds of anonymous contributors. Unless you plan to examine the code line-by-line, there is a higher potential for security and stability problems.
- Employ plugins selectively. Plugins are bits of pre-programmed functionality that enable your site to do a variety of things from fancy slideshows to payment processing. Paid plugins are safest, but some free plugins are acceptable if they are well-established, regularly updated, and have good user feedback.
- Use a good security plugin that detects bots and brute force attacks. These plugins also have several other tools for closing security loopholes with the click of a mouse.
- Employ spam-thwarting techniques anywhere you collect data. Remember, it’s vulnerability that hackers want to exploit. Even if your form only collects an email address, it’s still an access point. Your web developer can use tools like reCAPTCHA, honeypot fields, and double opt-in authentication to reduce your risk.
- Always keep your theme, plugins and content management software up to date. Many updates are released to fix security vulnerabilities, so ignoring them puts your site at risk.
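As an added example (not code from the article or from any WordPress security plugin), here is what two of the protections above look like in Python: a hidden honeypot field on a public form, which only an automated submitter would fill in, and a sliding-window count of failed logins per client address of the kind a security plugin uses to recognize a brute-force attempt. The field name, the thresholds, the IP addresses and the login events are all constructed for the illustration.

```python
"""Honeypot field check and per-IP failed-login counting.

Added example for illustration; not code from the article or from any
WordPress plugin. Field name, thresholds and sample data are assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

HONEYPOT_FIELD = "website_url"  # assumed name of the hidden field humans never see
MAX_FAILURES = 5                # assumed: failures allowed inside the window
WINDOW_SECONDS = 300            # assumed: length of the sliding window


def is_honeypot_tripped(form: Dict[str, str]) -> bool:
    """A bot that fills every field it finds will populate the hidden one.

    The field is hidden with CSS, so a real visitor leaves it empty.
    """
    return bool(form.get(HONEYPOT_FIELD, "").strip())


class LoginRateLimiter:
    """Tracks failed logins per client IP inside a sliding time window."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: int = WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _evict(self, q: Deque[float], now: float) -> None:
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, ip: str, now: float) -> None:
        q = self._failures[ip]
        q.append(now)
        self._evict(q, now)

    def is_blocked(self, ip: str, now: float) -> bool:
        q = self._failures.get(ip)
        if not q:
            return False
        self._evict(q, now)
        return len(q) >= self.max_failures


# Constructed sample events: (client IP, epoch seconds, login succeeded?)
# 203.0.113.9 hammers the login page; 198.51.100.4 fails twice, far apart.
SAMPLE_LOGIN_EVENTS: List[Tuple[str, float, bool]] = [
    ("203.0.113.9", 1000.0, False),
    ("203.0.113.9", 1002.0, False),
    ("203.0.113.9", 1004.0, False),
    ("203.0.113.9", 1006.0, False),
    ("203.0.113.9", 1008.0, False),
    ("198.51.100.4", 1010.0, False),
    ("198.51.100.4", 1700.0, False),  # 690 s later: a forgotten password, not an attack
]


def replay(events: Iterable[Tuple[str, float, bool]],
           limiter: LoginRateLimiter = None) -> List[str]:
    """Feeds login events to the limiter; returns IPs that crossed the threshold."""
    limiter = limiter or LoginRateLimiter()
    blocked = set()
    for ip, ts, ok in events:
        if not ok:
            limiter.record_failure(ip, ts)
            if limiter.is_blocked(ip, ts):
                blocked.add(ip)
    return sorted(blocked)


if __name__ == "__main__":
    print("honeypot tripped:", is_honeypot_tripped({"email": "a@example.com",
                                                    HONEYPOT_FIELD: "http://spam"}))
    print("blocked IPs:", replay(SAMPLE_LOGIN_EVENTS))
```

The honeypot check costs a visitor nothing, while the window-based counter separates a burst of guesses from an ordinary user who mistypes a password twice in half an hour; a plugin would additionally present a CAPTCHA or temporarily refuse logins from a blocked address.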
4. Understand “offline” vulnerabilities and educate your staff.
There are several ways to let hackers in that have nothing to do with the strength of your website software. Typing in passwords from a computer infected with malware can allow a hacker access to your site. If someone with access fails to run antivirus software, stores passwords on slips of paper, uses a shared computer, chooses poor passwords, uses a USB drive they found somewhere, or loses their smartphone, your site could be vulnerable.
Employees with access to the secure or administrative portions of your website should read and sign a best-practices agreement for safeguarding their access.
5. Use a Secure Sockets Layer (SSL) certificate.
SSL usage was once the responsibility only of sites that took credit cards, but this has changed. Google and WordPress both advise adopting SSL on every site. In 2016, WordPress announced that an SSL certificate would be mandatory to receive full access to a growing list of their services throughout this year. Google has announced similar upcoming restrictions.
6. Be careful what apps and plugins you allow to access your social media accounts.
Reputable (often paid) services like Hootsuite are generally safe, but several iOS and Android apps claiming to help manage social media tasks have compromised accounts. One highly rated Instagram “helper” app we tested caused our account to begin following thousands of other accounts without permission.
While it’s important to safeguard our website and web profiles, we should accept that no web server is completely safe. If government agencies and major international corporations have been breached, everyone must assume some risk and take precautions:
- Don’t put more data on your server than you need. Download and remove old copies of websites, old databases, client information and other unused files.
- Periodically back up any social media or Google Business data you can. Set up safety mechanisms for getting back into your accounts (like a recovery phone number) and enable two-factor authentication, if available.
- Make and keep regular backups of your website – at least monthly, but more often if you update it frequently or if it collects information from users or third-party servers.
- Host your email separately from your website. If your email or website server goes down, you’ll still have the other tool to keep communication flowing.
- Prepare for the worst—keep a backup of your site on a different server or, at a minimum, keep a basic disaster page hosted on another server. If your site becomes compromised, you can redirect your domain name there in minutes while you work on restoring a clean copy of your website.
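As an added example (not code from the article or from any hosting provider), the following Python script shows the backup habit recommended above done in a way that also catches two common failures: it keeps only a fixed number of recent archives so old copies don’t pile up, and it stores a SHA-256 checksum beside each archive so a copy that was corrupted or altered on the backup server is detected before you try to restore from it. The site contents, directory names and retention count are constructed for the illustration; a real deployment would also dump the database and copy the archives off the web server.

```python
"""Timestamped site backups with retention and checksum verification.

Added example; not the article's own procedure. Directory layout, file
contents and the retention count are constructed assumptions.
"""
import hashlib
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, List


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _sidecar(archive: Path) -> Path:
    # site-<stamp>.tar.gz  ->  site-<stamp>.tar.gz.sha256
    return Path(str(archive) + ".sha256")


def make_backup(site_dir: Path, dest_dir: Path, keep: int = 3) -> Path:
    """Archives site_dir into dest_dir, writes a checksum, prunes old copies."""
    site_dir, dest_dir = Path(site_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")  # sorts chronologically
    archive = dest_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    # sha256sum-compatible line: "<hex>  <filename>"
    _sidecar(archive).write_text(f"{_sha256(archive)}  {archive.name}\n")
    prune_old_backups(dest_dir, keep)
    return archive


def prune_old_backups(dest_dir: Path, keep: int) -> List[Path]:
    """Deletes all but the newest `keep` archives; returns what was removed."""
    archives = sorted(Path(dest_dir).glob("site-*.tar.gz"))
    removed = []
    for old in archives[:-keep] if keep > 0 else archives:
        old.unlink()
        _sidecar(old).unlink(missing_ok=True)
        removed.append(old)
    return removed


def verify_backup(archive: Path) -> bool:
    """True only if the archive still matches its recorded checksum."""
    archive = Path(archive)
    sidecar = _sidecar(archive)
    if not archive.exists() or not sidecar.exists():
        return False
    recorded = sidecar.read_text().split()[0]
    return recorded == _sha256(archive)


def demo(keep: int = 3) -> Dict[str, object]:
    """Backs up a constructed toy site keep+1 times, then tampers with one copy."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"          # constructed sample site
        site.mkdir()
        (site / "index.html").write_text("<h1>constructed sample site</h1>\n")
        (site / "wp-config.php").write_text("<?php // constructed placeholder\n")
        dest = Path(tmp) / "backups"
        created = [make_backup(site, dest, keep=keep) for _ in range(keep + 1)]
        remaining = sorted(dest.glob("site-*.tar.gz"))
        verified_before = all(verify_backup(a) for a in remaining)
        # Simulate bit rot or tampering on the newest archive.
        with remaining[-1].open("ab") as f:
            f.write(b"\x00")
        return {
            "created": len(created),
            "kept": len(remaining),
            "oldest_pruned": not created[0].exists(),
            "verified_before": verified_before,
            "verified_after_tamper": verify_backup(remaining[-1]),
        }


if __name__ == "__main__":
    print(demo())
```

Run it from a scheduled job at the interval the article suggests, and copy both the archive and its `.sha256` file to a server other than the one that hosts the site, so that a compromised web server cannot quietly alter the backups you would rebuild from.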
Few of us expect to get hacked but hoping for the best isn’t a sound web security move. To suffer the least damage from a hack, limit your risk and have a recovery plan in place.