If you are a website owner and you haven’t had your website hacked or defaced by some nefarious “bad actors,” it is just a matter of time. But just because it hasn’t happened (yet), it doesn’t mean someone out there isn’t trying.
After a couple of close calls last fall where some of my own websites and those of some of my clients experienced “an incident,” I began to pay a lot more attention to this issue and learn as much as I could about what I can do as a website owner to “harden” my sites and prevent future exploitation. Here is some of what I learned:
- Websites built with WordPress are increasingly the focus of attention of the bad actors. I am not sure why. Perhaps it is the fact that, according to some marketing reports, WordPress installations currently make up about 40% of all content management systems on the web. When you are popular, you are…popular.
- Many of these attacks take the form of what is called a “brute force” attack: repeated attempts to get past your website’s login by guessing the password. The attacker uses automated programs (known as “bots”) to submit username and password guesses many times per minute, in the hope that you are using a common, easy-to-guess password. There are a number of things you can do (see below), but at the very least you need a strong password on every one of your website logins – more about this later.
- If you are using plain old FTP to log in to your website you are treading in dangerous waters: plain FTP sends your username, password and files across the internet unencrypted, where anyone on the path can read them. If you must use FTP-style access, use an encrypted alternative (either SFTP, which runs over SSH, or FTPS, which is FTP over TLS) and work with your hosting company to make sure it is using current security protocols. Note: All hosted plans through jebswebs and Maine Hosting Solutions utilize FTPS as well as other security features.
- Many of the “hackers” these days are politically motivated – so called “hacktivists” (see Wikipedia’s article about this). Recently, several of my clients’ sites, including my own, were attacked and “defaced” (the homepage replaced) by some group supporting Syrian independence. The damage was repaired easily enough, but it does give you that same sense of vulnerability that comes when someone breaks into your house.
What you can do
Let’s begin by talking about passwords. You have probably heard it before, but on the chance that you have been living under a mushroom for the past 10 years – against the brute force attacks described above, the strongest defense is a strong password. If you are like many and have been using the four-letter name of your pooch as the password, you are at risk!
A recent security article about the hacking of Adobe.com last year revealed that nearly two million of the accounts used the password “123456” – talk about easy pickings! The best passwords are long, do not resemble any known word or phrase, and use a mix of symbols, numbers, and upper- and lower-case letters. That generally makes them almost impossible to remember, which is why they are not very popular; a password manager that generates and stores them for you removes that obstacle.
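To put numbers on “long, not a known word, mixed characters”, here is an added example (not from the original post) that estimates how many guesses a bot would need for a given password and how long that takes at an assumed online rate of 20 login attempts per second. The common-password list and the dictionary in it are small constructed stand-ins for the real leaked-password lists and word lists an attacker would use; the names `guess_space`, `entropy_bits` and `verdict` are this example’s own.

```python
"""Estimate how quickly an online brute-force bot would guess a password.

Added example (not from the original post). COMMON_PASSWORDS and DICTIONARY are
constructed stand-ins for a real leaked-password list and word list, and the
guess rate is an assumption.
"""
import math
import re

# Constructed sample: a few entries that top every leaked-password list. A real
# check would load a full breach list with hundreds of millions of entries.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "adobe123", "12345678",
    "qwerty", "1234567", "111111", "photoshop", "123123",
}

# Constructed sample word list for the "resembles a known word" check.
DICTIONARY = {
    "fido", "rover", "buddy", "maine", "portland",
    "wordpress", "summer", "password",
}


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover for a random-looking password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def guess_space(pw: str) -> float:
    """Worst-case number of candidates an attacker has to try.

    A password on the common list falls in a handful of guesses; a dictionary
    word with trailing digits costs the word list times 10 per digit; anything
    else is treated as a random string over its character classes.
    """
    if pw in COMMON_PASSWORDS:
        return float(len(COMMON_PASSWORDS))
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)
    if m and m.group(1).lower() in DICTIONARY:
        return float(len(DICTIONARY) * 10 ** len(m.group(2)))
    return float(charset_size(pw)) ** len(pw)


def entropy_bits(pw: str) -> float:
    """Guess space expressed in bits, the usual way to compare passwords."""
    return math.log2(guess_space(pw))


def seconds_to_crack(pw: str, guesses_per_second: float) -> float:
    """Expected time: on average the right guess turns up halfway through."""
    return guess_space(pw) / 2 / guesses_per_second


def verdict(pw: str, guesses_per_second: float = 20.0) -> str:
    """Assumed attacker: a botnet sending 20 login attempts per second at one site."""
    secs = seconds_to_crack(pw, guesses_per_second)
    if secs < 86400:                 # guessed within a day
        return "weak"
    if secs < 86400 * 365 * 100:     # guessed within a century
        return "fair"
    return "strong"


if __name__ == "__main__":
    for pw in ["123456", "fido", "Fido2013", "Password1", "Hello1", "g7#Lp!q2Wz@9vXr&"]:
        print(f"{pw:20} {entropy_bits(pw):6.1f} bits  "
              f"{seconds_to_crack(pw, 20.0):14.0f} s  {verdict(pw)}")
```

The point the numbers make: “123456” and a pet’s name fall in seconds, a word with a year tacked on falls in minutes, and only a long random string holds up. The model is deliberately simple; it only covers online guessing against the login form, and an attacker who steals the password database and cracks the hashes offline can run billions of guesses per second, which is one more reason length matters.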
Some other thoughts about passwords:
- Change them often – at least twice per year, more frequently if you have any indication that you may have been compromised. Put it on your to-do list. Maybe schedule it for when you change your clocks in the fall and spring, at the same time you replace the batteries in your smoke detector.
- Don’t use the same password on every site. Once one password is compromised, the bad guys will try it on all of your other accounts.
- Your most important password is the one for your primary e-mail address. If someone gets hold of your e-mail account, they can use the “forgot my password” reset on just about every other account you own, because the reset links are sent to that address.
- Read some ideas about Secure Passwords from Google.
At a recent Maine WordPress Meetup in Portland, Sam Hotchkiss of Hotchkiss Computing, and the developer of a new brute force security plugin for WordPress called BruteProtect, presented on website security. Here is just a small sample of some of what Sam told us:
- There are several free plugins available for WordPress installations that can impede brute force bots. The first is Sam’s aforementioned BruteProtect, which sends every login attempt through an API running on another server that tracks the IP address the attempt comes from. If the pattern of behavior looks like a brute force attack, the API blocks that IP address from going any further, neutralizing the attack. Blocking by IP address only works for as long as the attacker stays on one address, so it complements a strong password rather than replacing it.
- Another fine WordPress security plugin is WordFence, which in addition to brute force protection offers a number of additional features and services that monitor your site for signs of nefarious activity and alert you by e-mail when it finds something of concern.
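For readers who want to see what “the pattern of behavior looks like a brute force attack” means in practice, both for the bots described earlier and for the per-IP blocking BruteProtect does, here is an added example that is not from the post and is not BruteProtect or WordFence code. It runs a sliding-window failed-login count over constructed Apache-style access-log lines. It relies on one real WordPress behaviour: a failed POST to `wp-login.php` gets an HTTP 200 (the form is re-rendered with an error), while a successful one gets a 302 redirect into the dashboard. The IP addresses are from the documentation ranges and the threshold (5 failures in 5 minutes) is an assumption.

```python
"""Flag brute-force login attempts in a web server access log.

Added example (not from the original post, and not BruteProtect or WordFence
code). It shows the per-IP rate check such plugins rely on, run over
constructed common-log-format lines. WordPress answers a failed wp-login.php
POST with HTTP 200 (the form re-rendered with an error message) and a
successful one with a 302 redirect, which is what lets a log watcher tell the
two apart. The 5-failures-in-5-minutes threshold is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, in time order):
#   203.0.113.7   - a bot hammering the login form
#   198.51.100.20 - a real user who mistypes twice, then gets in
#   203.0.113.99  - a "slow" bot that spaces its guesses ten minutes apart
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2014:10:15:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '198.51.100.20 - - [12/Mar/2014:10:15:02 -0400] "GET /wp-login.php HTTP/1.1" 200 3902',
    '203.0.113.7 - - [12/Mar/2014:10:15:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '203.0.113.99 - - [12/Mar/2014:10:15:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '203.0.113.7 - - [12/Mar/2014:10:15:07 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '198.51.100.20 - - [12/Mar/2014:10:15:09 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '203.0.113.7 - - [12/Mar/2014:10:15:10 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    'this line is garbage and should be skipped',
    '203.0.113.7 - - [12/Mar/2014:10:15:13 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '198.51.100.20 - - [12/Mar/2014:10:15:15 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '203.0.113.7 - - [12/Mar/2014:10:15:16 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '198.51.100.20 - - [12/Mar/2014:10:15:20 -0400] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.99 - - [12/Mar/2014:10:25:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '203.0.113.99 - - [12/Mar/2014:10:35:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '203.0.113.99 - - [12/Mar/2014:10:45:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
    '203.0.113.99 - - [12/Mar/2014:10:55:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3985',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the fields we need from one common-log-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore any query string
        "status": int(m["status"]),
    }


def find_brute_forcers(lines, max_failures=5, window=timedelta(minutes=5)):
    """Map each offending IP to the moment it reached max_failures failed login
    POSTs inside one sliding window. Lines must be in time order, as logs are."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        if rec["status"] != 200:  # 302 means the login succeeded; not a failure
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"block {ip}: reached the failure threshold at {when:%H:%M:%S}")
```

On the sample, only 203.0.113.7 is flagged, at its fifth failure (10:15:13). The real user never gets near the threshold, and the slow bot never does either, which is the limitation of any per-IP rate rule: an attacker who spreads guesses over time or over many addresses slips under it, and a strong password is what stops that attacker.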
BTW, brute force attacks are not limited to WordPress installations. Recent attacks on Joomla sites have prompted us to utilize some additional security methods. Contact jebswebs if you have questions about your website.
If you are experiencing security issues with your website, or have just noticed that things appear to be running slower than usual, you should contact your website developer and/or your hosting company for advice and help.
And after you finish reading this, get busy and change those passwords!
Special thanks to Sam Hotchkiss for his insights into web site security. Read and download Sam’s PowerPoint presentation on website security.