According to a 2019 Cybercrime Magazine report, cybercrime will cost the world $5 trillion a year by 2021, up from $3 trillion in 2015, and cybercrime is the fastest-growing category of crime in the U.S. Worse, attackers are more skilled and better organized than ever. To put this in perspective, consider that an estimated 111 billion lines of new software code are written each year, and every one of them is a potential place for a mistake that can be exploited, including on your website.
Find it hard to fathom? Consider these additional facts about cybersecurity:
- In the first six months of 2019, data breaches exposed 4.1 billion records.
- Of the breaches analyzed, 52% involved hacking, 28% involved malware, and roughly a third (32–33%) involved phishing or social engineering.
- The most common malicious email attachment types are Microsoft Word files (.doc and .dot) at 37%, followed by .exe at 19.5%.
- On average, only 5% of companies’ folders are properly protected.
- In 2018, 62% of businesses experienced phishing and social engineering attacks.
So, what can you do as a business owner to make your website as secure as possible? Thankfully, there is a long list of actions you can take to keep your website from being hacked.
13 Tips for Preventing Hackers from Attacking Your Website
Know the Risks
To protect your website from attackers, first identify the areas, internal and external, that make it vulnerable. Some of the most common are:
- Weak passwords – Use long passwords (16 characters or more) that mix letters, numbers and special characters, and use a different one for every login, especially the hosting control panel, the CMS admin account, FTP/SFTP and the database. A password manager such as LastPass generates and stores a unique password for each login so you do not have to remember them.
- Malware – Malware reaches your computer through infected USB drives, malicious downloads and email attachments. Once running it can capture keystrokes, passwords and the sessions you use to administer your site. Run reputable anti-malware software (Norton is one example) and keep it updated.
- Social engineering – An attacker impersonates you, or someone you trust, to talk a person into doing something harmful: a hosting provider's support line into resetting your password, or an employee into handing over account details. Reduce the risk by never sharing financial or account information on request, by refusing password resets requested over the phone, and by auditing who has access to what.
- Ransomware – Malware that encrypts your computer, website or data and demands payment to release it, usually delivered through a malicious link or attachment. Do not click links or open attachments that look odd or unexpected, keep backups that are stored separately, and consider a dedicated tool such as the Trend Micro lock screen ransomware tool or the Avast anti-ransomware tool.
Follow the UPDATE Protocol
Marc Goodman's UPDATE acronym, spelled out by the six habits below, is a simple routine that keeps most opportunistic attackers away from your business's website.
- Update often – Turn on auto-updates so that apps, software and operating systems always have the latest security patches. For a website this includes the CMS, its themes and plugins, and the server software.
- Passwords – Change them periodically and never reuse them across sites.
- Download responsibly – Only download from sources you trust, and remove any bundled extras an installer tries to add.
- Administrator is NOT your default setting – Do not use an administrator account for day-to-day work. Malware runs with the rights of the user who launched it, so an admin account hands it everything.
- Turn it off – Do not leave your computer running when it is not in use; shut it down or disconnect from Wi-Fi.
- Encrypt your content – Protect your files, emails and other important material with an encryption program. When online, check that websites, your business site included, show a padlock next to the URL or an address that starts with https. Note that the padlock only tells you the connection is encrypted; it does not tell you the site is honest, so check the domain name as well.
Look out for SQL Injection Manipulation!
SQL injection happens when text an attacker controls, typically a URL parameter or a web form field, is pasted into a database query, letting the attacker change what the query does: bypass a login, read other users' data, or modify or delete tables. The fix is to use parameterized (prepared) queries, in which the query text and the user-supplied values are sent to the database separately, so a value can never be interpreted as SQL. Escaping input by hand is error-prone and is not a substitute.
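As an added illustration, not code from the original article, here is a login query built by string formatting next to the same query parameterized, in Python with the standard sqlite3 module. The users table, the account, the clear-text password (real sites hash them) and the payload are all constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration (not real data).
    The password is stored in clear only to keep the example short; real sites hash it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting: whatever the visitor typed becomes SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same query with placeholders: the driver sends the values separately from the
    SQL text, so a value can never change the shape of the statement."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    conn = make_db()
    # Classic payload: closes the quoted string and appends an always-true condition,
    # turning the WHERE clause into (username='alice' AND password='') OR '1'='1'.
    payload = "' OR '1'='1"
    print("vulnerable, wrong password:    ", login_vulnerable(conn, "alice", payload))      # True
    print("parameterized, wrong password: ", login_parameterized(conn, "alice", payload))   # False
    print("parameterized, right password: ",
          login_parameterized(conn, "alice", "correct horse battery staple"))              # True
```

The parameterized version still lets a legitimate password through; it simply refuses to let the password field rewrite the query.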
Keep Error Messages Generic
Nobody likes seeing error messages on their website, but they happen. When they do, make sure the message shown to the visitor is brief and generic so that nothing is leaked: no stack traces, database error text, file paths or software versions, all of which tell an attacker what you are running and how to go after it. Give visitors only what they need (that something went wrong and, if useful, a reference number) and write the details to your server logs.
Validate on the Server, Not Just in the Browser
Never settle for browser-side validation alone. Browser-side checks improve the user experience, but an attacker does not have to use your form at all: they can send the request directly with a tool and leave a required field empty or put text into a "numbers only" field. Every check must therefore be repeated on the server, which is the only place validation cannot be bypassed. Keep the browser-side checks for usability, but treat the server-side ones as the real control.
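The two points above, generic error messages and server-side validation, in one added Python example that is not from the original article. The order form, its fields, the `place_order` back end and the database host name it mentions are all hypothetical; quantity 9999 is a constructed trigger that simulates a back-end failure so the error path can be exercised offline.

```python
import logging
import re
import uuid

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("orders")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
QUANTITY_RE = re.compile(r"[0-9]{1,4}")


def validate_order(form):
    """Server-side validation of an order form.

    Returns {field: message}; an empty dict means the input is acceptable.
    Runs on every request regardless of what the browser-side checks did,
    because a request does not have to come from the browser form at all.
    """
    errors = {}

    email = (form.get("email") or "").strip()
    if not email:
        errors["email"] = "required"
    elif len(email) > 254 or not EMAIL_RE.match(email):
        errors["email"] = "not a valid address"

    # A 'numbers only' HTML input can still arrive as arbitrary text
    # (curl, a proxy, a hand-made POST), so it is checked again here.
    qty = (form.get("quantity") or "").strip()
    if not QUANTITY_RE.fullmatch(qty):
        errors["quantity"] = "must be a whole number from 1 to 9999"
    elif int(qty) < 1:
        errors["quantity"] = "must be at least 1"

    return errors


def place_order(form):
    """Hypothetical back end. Quantity 9999 simulates a database outage so the
    error path can be exercised offline (the host name below is made up)."""
    if form["quantity"].strip() == "9999":
        raise ConnectionError("connection refused: db-primary.internal:3306 (user app_rw)")
    return "ORD-" + uuid.uuid4().hex[:10]


def handle_order(form):
    """Returns (HTTP status, body shown to the visitor).

    Validation failures name the field so the visitor can fix it; an internal
    failure gets a generic message plus a reference number, while the real
    exception and the form contents go to the server log only.
    """
    errors = validate_order(form)
    if errors:
        return 400, {"error": "Please check the highlighted fields.", "fields": errors}
    try:
        order_id = place_order(form)
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("order failed ref=%s form=%r", ref, form)
        return 500, {"error": f"Something went wrong on our side. Reference: {ref}"}
    return 200, {"order": order_id}


if __name__ == "__main__":
    print(handle_order({"email": "buyer@example.com", "quantity": "3"}))
    print(handle_order({"email": "buyer@example.com", "quantity": "3 OR 1=1"}))
    print(handle_order({"email": "", "quantity": "2"}))
    print(handle_order({"email": "buyer@example.com", "quantity": "9999"}))
```

The reference number is what support uses to find the full entry in the log; the visitor never sees the host name, port or database user that the exception carried.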
Say No to Uploads
Letting visitors upload files opens your site to many risks: an innocent-looking image or Word document can carry a script that, if the server ever executes it, can take over the site or read data you thought was protected. If you can avoid uploads altogether, do so.
If your site needs uploads, reduce the risk by limiting which users may upload, verifying the file type (check the content, not just the extension), limiting the file size, storing uploads in a folder outside the web root, and making sure nothing in that folder can ever be executed. Rename each file on upload to a fresh name with a known-safe extension, keep a firewall in front of the server (most web hosts do this for you, but on a server you run yourself it is a must), set restrictive permissions on the stored files, and, most important, never serve uploaded files by direct URL: hand them out through a script that checks permissions and sends the file with a fixed content type.
Back Up Regularly
Back up your website and your computer on a regular schedule. Whether daily, weekly or monthly, you need that data at your fingertips and stored somewhere separate from the server (an external hard drive, a USB stick or a separate storage account), because a backup kept on the same server disappears with it. Test a restore occasionally; a backup you have never restored is only a hope. If you do nothing else on this list, back up your site content and records. Hosting providers often offer automatic backups for a nominal cost, a cost you will be glad you paid if your site is ever compromised.
Use a VPN
A VPN (Virtual Private Network) encrypts the traffic between your computer and the VPN provider's server and routes it through that server, so anyone on the local network (a coffee-shop Wi-Fi, for example) sees only an encrypted tunnel, and the sites you visit see the VPN's IP address rather than yours. Use one whenever you administer your website from an untrusted network. Be clear about what it does not do: a VPN protects your connection, not the website itself; it will not stop SQL injection, a weak admin password or an unpatched plugin.
Only Use Secure Web Hosts
Don't choose the cheapest web host out there! What looks budget-friendly up front may not be in the long run. A very cheap plan is usually a shared server that is home to many other websites, and if the host isolates those accounts poorly, a compromise of any one of them, or of the host itself, can put your site at risk. Look for a host that patches promptly, isolates customer accounts from each other, and offers backups and HTTPS.
Use CAPTCHAs on Forms
We have all been asked to type a series of letters and numbers or to confirm that we are not a robot. A CAPTCHA on your login, comment and contact forms makes automated abuse (spam, password guessing, fake sign-ups) far more expensive, because the bot has to solve a puzzle designed for humans on every attempt. It is not absolute, since CAPTCHAs can be farmed out to paid solving services, so pair it with rate limiting on logins, but it is an easy step that removes most of the automated noise.
Use Security Plugins
Whatever CMS (content management system) your site runs on, plugins are available to harden it. For WordPress, consider iThemes Security, BulletProof Security, Wordfence, Sucuri, or a Fail2Ban integration. These plugins look for weaknesses in your site's configuration, add protections such as login attempt limiting and file-change monitoring, and block known bad traffic. They do not replace keeping WordPress core, themes and plugins updated, and every plugin you add is itself code that must be kept patched.
Install an Anti-Phishing Toolbar
Phishing is defined as "the fraudulent practice of sending emails claiming to be from a reputable company to encourage a person to reveal personal information." One successful phish can cost you hundreds, if not thousands, of dollars. To protect yourself and your company, install an anti-phishing toolbar, or turn on the phishing protection built into your browser (Chrome and Firefox use Google Safe Browsing); either way it is free. The toolbar checks each site you visit against lists of known phishing sites and warns you immediately if you land on one.
A toolbar is not a guarantee that a site is safe: new phishing sites are created every day, and a brand-new one will not yet be on any list. Check the domain in the address bar carefully, since the https padlock only means the connection is encrypted (phishing sites have padlocks too), and never download files from a suspicious site or email.
Beware of Pop-Ups
Many companies use pop-up advertising legitimately to promote their services and wares. Plenty of unscrupulous ones use pop-ups as phishing bait. In the rare event that one slips through, click the small "x" in the corner, or better still close the tab with your browser's own controls, and never the "cancel" button, which will generally take you to a phishing site. Bear in mind that in a malicious pop-up even the "x" can be part of the ad.
Now What? Testing Your Security Measures
If you feel you have done everything you can to reduce the risk of being hacked, it is time to put your work to the test. There are many tools for checking a website's security. Most of those listed below are automated vulnerability scanners; a full penetration test (pen test) is a manual exercise by a skilled tester that uses tools like these as a starting point. Commercial options exist, and several reputable tools are free. Only scan sites you own or have written permission to test.
- Netsparker – A web vulnerability scanner, well suited to finding SQL injection and XSS.
- OpenVAS – A capable network vulnerability scanner. It can be challenging to set up and needs its own OpenVAS server.
- SecurityHeaders.io – A free online check that loads quickly and shows which HTTP security headers your site sends and whether they are configured correctly.
- Xenotix XSS Exploit Framework – An OWASP (Open Web Application Security Project) project with a large library of XSS payloads that you can run against your site's inputs to see whether they are vulnerable in Chrome, Firefox and Internet Explorer.
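The kind of check SecurityHeaders.io performs, done offline against a captured response, as an added Python example that is not from the original article or from that service. The set of headers examined, the rule for each (for instance a minimum HSTS max-age of six months) and the two sample responses are this example's own choices, not the tool's exact scoring.

```python
import re


def _hsts_ok(value):
    # Require a max-age of at least six months (15552000 s); includeSubDomains is not required here.
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 15552000


def _csp_ok(value):
    # Needs a default-src fallback and must not allow inline scripts.
    v = value.lower()
    return "default-src" in v and not re.search(r"script-src[^;]*'unsafe-inline'", v)


# Header name -> predicate that says whether its value is acceptable.
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: bool(v.strip()),
}
# Headers that commonly advertise the software version an attacker should target.
VERSION_LEAKS = ("server", "x-powered-by")


def parse_response_headers(raw):
    """Parse the status line and headers of a raw HTTP/1.1 response into a
    lower-cased dict (repeated headers are joined with ', ')."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return headers


def audit(headers):
    """Return {header: finding} for everything missing, weak or leaky; {} means no findings."""
    findings = {}
    for name, ok in CHECKS.items():
        if name not in headers:
            findings[name] = "missing"
        elif not ok(headers[name]):
            findings[name] = "present but weak: " + headers[name]
    for name in VERSION_LEAKS:
        if name in headers and re.search(r"\d", headers[name]):
            findings[name] = "reveals a version: " + headers[name]
    return findings


# Constructed responses: a typical out-of-the-box site, and the same site hardened.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n<html>...</html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label + ":", audit(parse_response_headers(raw)) or "no findings")
```

To use it on your own site, paste in the headers from a `curl -I https://yoursite` run; the weak sample produces findings for five missing headers, a too-short HSTS lifetime and two version-revealing headers, while the hardened sample produces none.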
There is no single approach to protecting your website and information from attackers, and it is not a one-and-done task. To protect your website, you need to put safety features in place, follow practices that minimize risk, and run security tests periodically. If you make a point of checking your website's security regularly, you can keep the risk low and reduce the chance of becoming one of the "hacked websites" statistics.
If you are uncertain as to the safety of your website or would like to discuss the security of your website, contact the Page Progressive team. We can assess your site and let you know of any precautions that should be taken to improve your existing security. Give us a call today.