Websites are fantastic for providing information to your customers, selling online, or simply advertising. But they have a BIG drawback – they are open to compromise by individuals that want to hijack information flowing through the site, or access the server your website is hosted on.
We have been asked on a number of occasions to repair websites that have been hacked or hijacked. One website had entire PAGES on the site that the owners were unaware of, advertising pharmaceutical products and video streaming! Imagine your embarrassment – or worse – if your clients’ details were intercepted when filling out an enquiry form, or if their card details were captured from a purchase on your website. An incident like this could not only damage your reputation but also result in a fine under GDPR.
Once a site is compromised, it is very difficult to clean and requires expert knowledge of coding, which can mean costly repairs. And as well as repairing the damage, you need to ensure that the hackers can’t get back in to repeat the job! If your hosting company receives a report of malware or hacking on your website, they are obliged to suspend your site. Some hosting providers just switch off the domain name, which stops all emails as well as suspending the site. Other providers will be able to turn off just the website.
That’s scary! How can I protect my website?
There are a few simple steps you can take to protect your website, which we’ve outlined below:
- Change the default login page address. Every website management system has a default login address, and hackers try this default address to see if they can log into the back end of your website.
- Change the default username for logging in to your website. In most cases, the default username is “admin”, which is very easy to guess.
- Require dual-factor authentication to log in to your website, for example, a username and password plus a code generated on your phone. This means that an attacker would need not only the username and password to get in, but they would need your phone as well.
- Add security software to your website and make sure it is configured correctly – many users just add the security software without checking that it is set up to protect them.
- Make sure your website has an SSL certificate – this will show your web address as HTTPS (with a padlock). SSL encrypts all information being sent between a visitor and your site, so that it would not be readable if it were intercepted.
- Only give users the minimum level of access to do their job – think about whether you need to add other administrators to your site, or whether they could be editors.
- Back up your website regularly, including any database associated with it.
Do I really need to do this?
These images illustrate attempts to get into our own website – the first image shows the number of IP addresses from each country that have tried (and failed) to access the site in 24 hours. The second image shows various attempts to log into the website on the morning I was writing this article – 14 in 4 hours.
We use a website monitoring and security tool, which alerts us to any updates or changed files on our websites. It also alerts us to any attempts to access the website. Across a sample of 10 websites on our monitoring portal, there are over 50 medium-level risks to take action on each week. At least once a month there are 3 or more high-level risks.
Ours is not a particularly popular website (as much as we’d like to think it is!) – these are most likely all robots, just checking for sites that are vulnerable and can be logged in to. Once they find a site that is vulnerable, they will either try to capture information or insert advertising or malicious code, depending on who is behind the robot.
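You can see the same kind of automated login activity on your own site by counting requests to the login address in your web server's access log. The script below is an added example, not part of the original article or of any monitoring tool mentioned here; it assumes the log is in Combined Log Format and uses a hypothetical default login path `/login.php`, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumption: the default login address of your site; adjust to match.
LOGIN_PATH = "/login.php"

# Combined Log Format: ip ident user [time] "METHOD path protocol" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:08:01:10 +0000] "POST /login.php HTTP/1.1" 200 1842
203.0.113.7 - - [12/Mar/2024:08:01:12 +0000] "POST /login.php HTTP/1.1" 200 1842
198.51.100.22 - - [12/Mar/2024:08:02:00 +0000] "GET /login.php HTTP/1.1" 200 1790
203.0.113.7 - - [12/Mar/2024:08:03:40 +0000] "POST /login.php?next=%2F HTTP/1.1" 200 1842
198.51.100.22 - - [12/Mar/2024:08:02:30 +0000] "POST /login.php HTTP/1.1" 302 0
192.0.2.15 - - [12/Mar/2024:09:15:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.22 - - [12/Mar/2024:11:45:00 +0000] "POST /login.php HTTP/1.1" 200 1842
"""

def login_attempts(log_text, login_path=LOGIN_PATH):
    """Return (ip, timestamp) for every POST to the login address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and plain page views
        if m["path"].split("?", 1)[0] != login_path:
            continue  # compare the path without any query string
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m["ip"], ts))
    return hits

def noisy_sources(hits, threshold=3, window=timedelta(minutes=10)):
    """Map each IP with >= threshold login POSTs inside any window to its total."""
    by_ip = {}
    for ip, ts in hits:
        by_ip.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged
```

The script counts every login submission rather than only failed ones, because many site systems return the same status code for a wrong password as for a normal page.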
If all this sounds a bit too scary, we can help. We offer website maintenance plans, where we can take care of all of this for you – please click here to download the price list. The plans cover updates, security, backups and monitoring, for a low monthly fee.
If you have any questions about website security or are concerned that your site may have been hacked or is vulnerable, please do get in touch. We’re happy to take a look at your site and provide advice.