Hackers want your business website data!

According to reports (see here & here), hackers are becoming a lot smarter in how they attack websites. Rather than attacking each website individually, they have recognised that standard frameworks are used to create and maintain most websites, which makes it much easier to attack a whole class of websites ‘en masse’, as it were.

Now, automated attacks are nothing new; what is new is the ‘nerve’ of the hackers. They are making increasing use of botnets (basically thousands of hacked computers under their control) to drastically increase both the sophistication and the breadth of their attacks. Basically they are becoming more effective at attacking websites and gaining control of them.

So, as a business owner, what can you do to ensure you don’t end up the victim of such attacks? We provide eight helpful tips below.

1) Find out what your website is running on

Yes, it may sound obvious, but if you do not know what software or framework your website runs on then you have no idea what risks you are running. At the very least you should know the following:

  • What Operating System is in use on the machine(s) hosting your website;
  • What Framework is being used and its version.

By the way, most web servers as configured ‘announce’ this sort of information in their responses to web requests – so the hackers will usually know exactly what your website is running on.
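To see for yourself what your server announces, capture the response headers (for a live site, `curl -sI https://www.example.com/` prints them) and look for the ones that name a product or version. The script below is an added example, not part of the original post: it filters a set of response headers for the common disclosure headers and flags any that include a version number. The two responses it checks are constructed samples, not captures from a real site.

```shell
#!/bin/sh
# Added example: report which HTTP response headers reveal the software behind a site.
# Reads raw response headers on stdin; prints those that commonly carry product/version strings.
disclosed_headers() {
    tr -d '\r' | grep -iE '^(Server|X-Powered-By|X-AspNet-Version|X-Generator):'
}

# Returns 0 (true) if any disclosed header contains a dotted version number, else 1.
has_version_leak() {
    disclosed_headers | grep -qE '[0-9]+\.[0-9]+'
}

# Constructed sample: a typical unhardened server response (not captured from a real site).
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=UTF-8
'

# Constructed sample: the same server after the version details were switched off.
HARDENED_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
'

echo "Headers that disclose software:"
printf '%s' "$SAMPLE_RESPONSE" | disclosed_headers
if printf '%s' "$SAMPLE_RESPONSE" | has_version_leak; then
    echo "Exact versions are being announced to every visitor"
fi
```

Knowing the exact version is what lets an automated script pick the matching exploit, so the Server and X-Powered-By headers are the first thing to trim when you harden the site (Apache's `ServerTokens Prod` and PHP's `expose_php = Off` are the usual settings).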

2) Software Security Patches

With this you can then ask the question: when was the Operating System or Framework last updated? As a rule of thumb both should have been updated within the last 6 months tops, as that is about the time it takes for a new ‘exploit’ to be discovered and then codified into a useful attack.

Ideally you want your software patched as soon as possible, given that hackers know what you are running on; but the patches themselves can contain bugs, so it’s sensible not to sit right at the bleeding edge.

3) Use hard to guess passwords!

Can’t emphasise this enough: using a simple password (like ‘password’) is just inviting your site to be hacked. You might as well put out a virtual red carpet with ‘Welcome Hacker, free drinks!’ written on it!

So what makes a strong password? A good, simple recipe is as follows:

  • Take two short words (say 4 to 5 letters each) and join them together. Ideally one of those words should be made up and NOT in the dictionary.
  • Take a 4 digit number that has some significance to you (wife/son/father/mother day and month of birth, middle 4 digits of a telephone number, first 4 digits of your tax file number, etc. – something you will remember).
  • Put one of $, #, *, +, = on the end of the 4 digits.
  • Put those four digits plus symbol either at the start or at the end of the two short words.

And you have a password that you should remember after a few tries and that is darn hard to crack (100 billion combinations at least – that should keep them busy).

Now, with this recipe you can change just the words and reuse the rest on other sites. At the very least you should have different passwords for the following groups of sites:

  • Personal email
  • Business email
  • Personal website admin
  • Business website admin
  • Personal Finance
  • Business Finance
  • Everything else

This drastically reduces the risk of having your personal email hacked and then finding out the next day that your business website has been compromised too. Remember, the odds are that at some point something of yours will get hacked; the trick is to minimise the damage.

4) Take regular deep backups of the website

What do I mean by deep backups? This is when a complete copy of everything to do with a website is made (i.e. all files and all data). These backups need to go into a backup system that cannot itself be ‘attacked’ if the website is compromised, i.e. there must be a separate mechanism for retrieving old backups.

This way if you do suffer an attack, you can easily go back to a known safe state and fix whatever mechanism they used to attack the site.
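As an added example of what a ‘deep’ backup looks like in practice (this script is not from the original post), the following bundles the web root and a database dump into a single archive, records its checksum so tampering or corruption is detectable, and writes it read-only into a destination directory. It assumes `$SITE_DIR` is the web root, `$DB_DUMP` is a fresh dump produced by your database's own tool (for example mysqldump), and that the destination is somewhere the web server account cannot write to, ideally a mount that is only attached while the backup runs. The demo data at the bottom is constructed, not a real site.

```shell
#!/bin/sh
# Added example: a "deep" backup = all site files + the matching database dump, in one
# archive with a checksum, stored where a compromised web server cannot reach it.
set -e

# Portable SHA-256: sha256sum on Linux, shasum on macOS/BSD.
checksum() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# deep_backup SITE_DIR DB_DUMP DEST_DIR -> prints the path of the archive it wrote.
deep_backup() {
    site_dir=$1; db_dump=$2; dest_dir=$3
    stamp=$(date -u +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    mkdir -p "$work/bundle/files" "$dest_dir"
    cp -R "$site_dir"/. "$work/bundle/files/"    # every file under the web root
    cp "$db_dump" "$work/bundle/database.sql"     # the data that goes with those files
    archive="$dest_dir/site-$stamp.tar.gz"
    tar -czf "$archive" -C "$work" bundle
    checksum "$archive" > "$archive.sha256"       # lets you detect tampering/corruption later
    chmod 0400 "$archive" "$archive.sha256"       # read-only once written
    rm -rf "$work"
    echo "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum still matches and both parts are present.
verify_backup() {
    archive=$1
    [ "$(checksum "$archive")" = "$(cat "$archive.sha256")" ] || return 1
    tar -tzf "$archive" | grep -q '^bundle/database.sql$' || return 1
    tar -tzf "$archive" | grep -q '^bundle/files/' || return 1
}

# --- Demo on constructed data (a made-up site, not a real one) ---
demo=$(mktemp -d)
mkdir -p "$demo/www/uploads"
echo '<?php echo "hello"; ?>' > "$demo/www/index.php"
echo 'binary-ish content' > "$demo/www/uploads/logo.png"
printf 'CREATE TABLE posts (id INT);\n' > "$demo/dump.sql"   # stands in for mysqldump output
BACKUP=$(deep_backup "$demo/www" "$demo/dump.sql" "$demo/offsite")
verify_backup "$BACKUP" && echo "backup ok: $BACKUP"
```

Run `verify_backup` on the copy you intend to restore from, not on the server that was attacked: a backup whose checksum no longer matches is exactly the ‘attacked’ backup the tip warns about.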

5) Change ALL default passwords!

Again, another obvious one, but there should be no guest or demo accounts and certainly no default passwords in use AT ALL anywhere on your website – go and check now!

6) Hide your sign in form

Basically, don’t go putting the sign in form on your homepage or in your menu. If it’s purely a sign in for employees, do not link to it from the main site at all – just get everybody to bookmark it.

7) Lock down website stats plugins

It’s amazing the number of people who do not password protect their site stats pages. These are an absolute gold mine to hackers, as they show:

  • How big (or not) your website is, which can be quite business sensitive;
  • Whether there are any hidden pages on your site, as the stats usually log everything;
  • Maybe a few passwords or hidden controls in the recorded URLs.

So get those stats pages locked down and stop the hackers dead.

8) Lock down ‘admin’ packages

You all know what these are: the plug-ins that make it easier to administer a website, such as:

  • PhpMyAdmin
  • File Managers
  • Web Email readers, etc

Again, leaving these open or weakly protected is an invitation to be hacked and should be locked down to be only accessible from certain locations.
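The kind of lock down tips 7 and 8 are asking for, shown as an added nginx configuration example (this is not configuration from the original post). The first block is the weak setting: the stats and admin tools are reachable by anyone who knows the path. The second restricts the same paths to listed source networks and additionally requires a password, with requests logged separately so they can be reviewed. The network ranges, paths and file names are placeholders to be replaced with your own; nginx's default of `satisfy all` means both the address check and the password must pass.

```nginx
# WEAK: anyone who finds /phpmyadmin/, /stats/ or /webmail/ can reach the login page
location ~ ^/(phpmyadmin|stats|webmail)/ {
    root  /var/www;
    index index.php index.html;
}

# RESTRICTED: only the listed networks, AND a valid password, AND a separate audit log
location ~ ^/(phpmyadmin|stats|webmail)/ {
    allow 203.0.113.0/24;                 # placeholder: your office network
    allow 10.8.0.0/24;                    # placeholder: your VPN range
    deny  all;                            # everyone else gets 403

    auth_basic           "Administration";
    auth_basic_user_file /etc/nginx/admin.htpasswd;   # created with htpasswd, not the CMS password

    access_log /var/log/nginx/admin-access.log;       # review this: it should be quiet

    root  /var/www;
    index index.php index.html;
}
```

If staff work from changing addresses, keep the `deny all` and reach the tools over a VPN that lands in an allowed range rather than widening the allow list; the point is that an automated scan from a botnet never gets as far as a login form.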

Conclusion

Hackers are really only playing a very large numbers game: with several billion websites out there, they cannot afford to hand craft an attack against every single site, so instead they look for weaknesses they can attack programmatically, using scripts en masse. The advice above will go a long way to ensuring such scripts do not succeed, but as always this is a never ending war and keeping safe requires constant attention.

If you have any questions on the above or want help, then please either write a comment below or drop us a line by our contact form.