The World Wide Web is near the dawn of a new age in its existence: an age in which the Internet of Things (IoT) will bring unlimited connectivity into our lives.
Unfortunately, what this new age seems to also promise is an era where our kitchen appliances can share personal information across the internet with malicious intent. Now, while I can’t help you make sure your vacuum cleaner won’t max out your credit card – I can offer some advice on how to keep your most valuable connected asset secure. Namely, your website.
Why websites are hacked
Latest figures suggest that around 30,000 websites are hacked every day. You might be asking yourself, “Who would hack my website?”
The real question you should ask is, “What does someone have to gain from hacking my website?”
Assuming you aren’t a popular pro-adultery website with extremely sensitive (valuable) information at your disposal, the likelihood is that a hacker would use your website to facilitate malicious activity. This activity can manifest itself as simple advertising banners on your site; spam links showing up in your Google search results; spam product names in your meta tags and website copy; or the use of your website’s server to broadcast hundreds of thousands of spam emails.
Most of the time, website owners have no idea their sites have been hacked until they are informed by search engines like Google and Bing (usually because they are blocking visits).
The great CMS conundrum
Content management systems (CMS) allow you to easily add content to your website. The continued success of platforms like WordPress, Drupal and Joomla shows that users understand the need for platforms that are powerful (in what they can offer) and open source (for access to experts who can help).
The current CMS market share for just WordPress, Joomla and Drupal stands at around 71%. This is a huge opportunity for hackers. It means that they can focus their attention on finding security holes in one CMS.
Don’t worry – this in itself isn’t a major problem. All three of these CMS have the backing of a community of industry-leading developers, who are always checking for security issues and releasing free updates to protect against them.
The major hacking issues on these platforms have come from plugins created by third parties. Plugins provide quick functionality additions to websites, like calendars, booking systems, contact forms, sliders etc.
Many of them can be added by just one click, so are attractive options for many website administrators. Sadly, once launched, many plugins are neglected by their creators. On WordPress alone, figures suggest that 44.7% of available plugins haven’t been updated in over two years.
Plugins that have not been updated (based on CMS security recommendations) are vulnerable and can act as a back door into your website if hackers find an exploit. Your site is 1,000 times more likely to be attacked with a known exploit than an unknown one.
Outside of a select few plugins created by excellent development teams I know, I would always opt for native (built into the CMS) functionality over shortcuts using plugins.
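The plugin risk described above can be checked on a schedule rather than by eye. The following is an added example, not part of the original article: the inventory format, field names and plugin names are constructed assumptions, and the two-year threshold is the one quoted above.

```python
import json
from datetime import date

# Constructed inventory: plugin names and field names are hypothetical. In
# practice this would be exported from the CMS or a deployment manifest.
INVENTORY_JSON = """
[
  {"slug": "example-calendar", "installed": "1.4.0", "latest": "1.4", "last_updated": "2013-02-11"},
  {"slug": "example-contact-form", "installed": "2.1.3", "latest": "2.3.0", "last_updated": "2015-06-30"},
  {"slug": "example-slider", "installed": "3.0.1", "latest": "3.0.1", "last_updated": "2015-05-02"},
  {"slug": "example-booking", "installed": "0.9", "latest": "1.2", "last_updated": "2012-11-19"}
]
"""

STALE_AFTER_DAYS = 2 * 365  # "not updated in over two years"


def version_key(version):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not as text."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    while parts and parts[-1] == 0:  # treat '1.4' and '1.4.0' as the same release
        parts.pop()
    return tuple(parts)


def audit_plugins(inventory, today):
    """Return {slug: [findings]} for every plugin that needs attention."""
    report = {}
    for plugin in inventory:
        findings = []
        age = (today - date.fromisoformat(plugin["last_updated"])).days
        if age > STALE_AFTER_DAYS:
            findings.append(f"abandoned: no release for {age} days")
        if version_key(plugin["installed"]) < version_key(plugin["latest"]):
            findings.append(f"outdated: {plugin['installed']} installed, {plugin['latest']} available")
        if findings:
            report[plugin["slug"]] = findings
    return report


def main():
    report = audit_plugins(json.loads(INVENTORY_JSON), today=date.today())
    for slug, findings in sorted(report.items()):
        for finding in findings:
            print(f"{slug}: {finding}")
    return 1 if report else 0  # non-zero exit lets a scheduled job raise an alert


if __name__ == "__main__":
    raise SystemExit(main())
```

An abandoned plugin with no newer release is still flagged, because "up to date" says nothing about whether anyone is still fixing security issues in it.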
Google recently blogged about how to avoid being the target of hackers. In short, Google offers four key points in ensuring your website’s security is rock solid:
- Strengthen your account security
- Keep your site’s software updated
- Research how your hosting provider handles security
- Use Google tools to stay informed of potential hacked content on your site
Excellent advice, no question. However, the majority of hacking cases I’ve dealt with all started with these principles when the site was launched and then (worryingly)… nothing happened. A website launched on strong security foundations is only as good as its weakest moment in time.
Given that time trundles endlessly forward and the majority of website CMSs and plugins require updating on a regular basis as new features and security patches are released, website security maintenance should also happen on a recurring basis.
I appreciate that, after reading this, it might seem overwhelming to try to take on the security needs of your website. What’s imperative, though, is that you understand the very real danger website hacking poses. Google admits it blacklists 10,000 sites a day for malware and over 20,000 sites every month for phishing.
Every day a website isn’t accessible, it presents short-term financial loss (for the business), as well as longer-term trust issues (for the users).
Vertical Leap has many successful ongoing relationships with clients for services like SEO, PPC, content creation, design and social media. A large number of these clients also use us to keep their website in tip top security shape every month in the form of a website maintenance retainer.
Website retainers offer a high level of risk reduction (risk will never entirely be gone) that gives our clients peace of mind and allows them to focus on their business.
Read up on Google’s #NoHacked campaign. This is a great resource for loads of website security tips.
Sucuri offers this free tool to check if your website has been hacked. It’s not as in-depth as a custom review, but it’s a good start.
If your website has been hacked and you want to resolve the problem yourself, Google offer this help and advice for webmasters.