Security threats to your website are on the rise, as more and more hackers trawl the web for soft targets where they can log in and cause problems.
Why would anyone want to hack my website?
Unless you are a high-profile target, your website is unlikely to be singled out for hacking. Hackers do not ‘choose’ you based on merit. What is happening now, though, is that thousands upon thousands of automated hacking programmes are trawling websites, trying to find ones that are easy to break into so they can steal data or plant malware that can cause problems or infiltrate other areas of your computer or the computers of visitors to your website.
What they are looking for is data to steal or access: things like contact details, transaction and account details, passwords and other information that can be used or on-sold.
Or, if the goal is not to steal, then it is to spread and cause as much damage or disruption as possible to everything the malware touches.
To help prevent this happening to your website there are some simple measures you can take to make your site less vulnerable to attack. But first you need to know the easiest ways for hackers to hack your site.
The three easiest ways into a website for hackers
- Default Usernames
The two pieces of information you need when you log into the admin area of your website are the Username and Password. If you still have a default username created automatically by your Content Management System, then you are literally giving away the first half of your security access to the hackers. The hacking software will have a list of common default usernames to try first as these will often turn out to be the correct ones to gain the first level of access.
- Easy passwords
Just like the first point, having an obvious password that is too simple or easy to guess makes it easy for the hackers to work out in fewer attempts. Passwords that are too short, use real words or obvious word and number combos are an open invitation to hack your site. It is the equivalent of leaving the key under the mat for burglars to find when you are out.
It is also important not to use the same passwords for multiple logins: if one is hacked successfully, then it is simple enough to try the same passwords on your Facebook page, online shopping sites and other places where, for instance, you may have your credit card details saved for making purchases.
- Security updates not done
All Content Management Systems send out regular updates for clients to apply to their websites.
Almost all of these updates are security updates, and many are in response to an immediate threat. Failing to install your CMS updates leaves your site vulnerable to hackers, who are continuously updating their efforts to crack the CMS security measures.
Hackers are like burglars. Whilst a really determined one might eventually break in, most only try the most obvious points of access, and if they are thwarted they will move on to easier targets. Take care of these three areas of your website security and you are safe from the majority of security threats.
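The first two weak points can be checked before an automated tool finds them. The following is an added example, not part of the original article: it audits a list of logins for default usernames, short passwords, real words with an obvious number suffix, and the same password used on more than one login. The word lists, the 12-character minimum and the sample logins are assumptions made up for illustration.

```python
import re
from collections import Counter

# Constructed sample lists; swap in your CMS's documented default account
# names and a full dictionary file for real use.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "user", "test"}
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "summer"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def audit_logins(logins):
    """logins: iterable of (site, username, password).

    Returns {site: [problems]} for every login with at least one problem.
    """
    logins = list(logins)
    reuse = Counter(password for _, _, password in logins)
    report = {}
    for site, username, password in logins:
        problems = []
        if username.strip().lower() in DEFAULT_USERNAMES:
            problems.append("default username")
        if len(password) < MIN_LENGTH:
            problems.append("password too short")
        # Strip leading/trailing digits and symbols so "Summer2024!" is
        # recognised as the real word "summer" plus an obvious suffix.
        core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password).lower()
        if core in COMMON_WORDS:
            problems.append("real word or word-and-number combo")
        if reuse[password] > 1:
            problems.append("password reused on another login")
        if problems:
            report[site] = problems
    return report


# Constructed sample data, e.g. rows from a password-manager export.
SAMPLE_LOGINS = [
    ("website-admin", "admin", "Summer2024!"),
    ("online-shop", "jane@example.com", "Summer2024!"),
    ("email", "jane@example.com", "vK9#qTz2!mRw8&Lp"),
]

if __name__ == "__main__":
    for site, problems in audit_logins(SAMPLE_LOGINS).items():
        print(f"{site}: {', '.join(problems)}")
```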
Extra measures you can take for added security for your website
There are additional steps you can take if you want to raise the level of security further for your website.
Create a unique login address for your site admin
Most CMS login pages have a URL that looks like: www.CMSname/login where you can enter your username and password to access your site admin area. Imagine it as the front entrance to a building with individual offices, where each office has its own set of keys. For a hacker to access a website in the building, the obvious starting point is through the main door, which they know about as it is the same for everyone. From here they will try to bypass the security measures to get in. A unique login address means that, rather than using the same access point as everyone else, you can have a new one created just for your website – as if you have your own door somewhere else that only you know about. If a hacker can’t find your unique access point (or door) then they don’t have a starting point for attempting a breach.
Cost: This varies from system to system
Have a secure URL
HTTPS (Hyper Text Transfer Protocol Secure) is simply a secure version of HTTP. Originally it was used mainly for online payment transactions and email, or for sensitive transactions in corporate information systems. These days, HTTPS has become more widely used for protecting page authenticity on all types of websites, securing accounts, and keeping user communications, identity and web browsing private.
Changing your web address to the secure HTTPS version involves adding an SSL certificate with a 2048-bit key to your site. As each page has its own unique URL, you can choose which you want to convert to HTTPS.
Note: It is important if you switch to a secure URL that it is done correctly for the search engine indexing so as not to impact on your page rankings.
Cost: Certification has a renewable annual charge of $69.00 per year
Install Two Factor Authentication to your website
Two Factor Authentication, or 2FA, is one of the best ways to secure your website because it adds an extra layer of security to logins and passwords, greatly reducing the potential success rate of brute force attacks. The 2FA tool is simply added to your existing login account on your website. When you log in, as well as having to know your username and password, you will also be required to enter a randomly generated single-use code, which is sent to you by text or email when triggered at the time of login.
The Two-Factor Authentication process makes it even harder for criminals to access your website, as they would need to have access to your phone or email to retrieve the additional pass code. Some sites like Google have made it free to add 2FA to your Google account. However, having the extra hassle of entering another pass code sent by text every time you want to check your Gmail, Google+, Adwords or Google Analytics can become annoying if you do this several times a day.
Cost: if you want to add this to your website login, the price will vary depending on which content management system (CMS) you use. For a WordPress website, the price is approx. $138.00 per year.
Web Tonic offers full technical support to facilitate any of these additional security measures for your website. Contact us for pricing or to discuss which options might be suitable for you.