Website Hacking & Malware – Is your site safe? Hacks and malware are on the rise. How serious is the problem? Extremely. As websites become an increasingly core part of business, not only are the potential damages from hacking, malware etc more serious, but they are becoming more likely. As the number of different types of attacks and the frequency of occurrence increases, we need to stay ever more alert to the danger. Downtime, loss of reputation, blacklisting (resulting in blocked website and emails), and Google Search penalties are common scenarios. Not only is your website at risk, but visitors are too, who are potentially your customers. Trust me, it doesn’t go down very well! Why would anyone attack your company? You don’t need to store classified information on your website in order to be targeted. In fact, the vast majority of attacks are not personal and so are not specifically targeted to your company website. There are thousands of different types of malware and as many different ways to infect your website, normally carried out by automated hacking tools, that will scan large blocks of IP addresses of known web servers and hosting companies, probing for various software or coding vulnerabilities. They normally target commonly used CMS platforms like WordPress, or specific versions of software like PHP or mySQL. While previously, hackers would generally either aim to deface a website or alter its content, these sorts of vulnerabilities are usually exploited in subtle ways, such as: injecting fake URLs into your website as a means of manipulating SEO for other interests through backlink generation or to generate revenue through misleading referral clicks; as a staging ground to distribute other forms of malware to visitors to site that may perform keylogging or other forms of password snatching; or to copy your visitors’ information such as email addresses and/or CMS passwords. Not only does this put your own website and brand reputation at risk, but also those of your visitors, customers and partners. What can you do? In the same way that your house can’t be 100% safe, neither is your website, but like your house, you can reduce the risk considerably by preventing easy access and by ongoing monitoring. The most obvious thing to consider is prevention, rather than cure. A broken website can take a long time to fix, whereas protection and close monitoring is likely to locate and prevent attacks before any damage is done, or at least minimise the damage and allow easy clean-up and lockdown should an attack occur. There are obviously “best practices” and guidelines for locking down your web server, but these are not always possible to implement, particularly on shared hosting platforms where you do not have the level of control necessary. Even when you do have this level of access, not all of the best practices suggested by security companies are possible or justifiable to implement on a smaller business website. A major factor in website security is ensuring up-to-date patching and upgrades of your CMS software. Security holes are found in packages like WordPress and Drupal regularly and quickly patched by the vendors. Keeping your CMS up-to-date is critical to ensuring security. However, this is not always an easy option as, like Windows or other software Updates, larger CMS updates can cause issues with existing code or plugins that need to be upgraded to the latest version. There may be cases where applying all relevant upgrades is not possible due to legacy code. Less sinister problems like spam being sent via your website’s forms can generally be mitigated through use of spam honeypot or CAPTCHA systems that stop automated use of your website’s email forms. Along with following sensible hosting security practices regarding password security, unnecessary services etc, there are a number of third-party options available for your website, much like your PC’s anti-virus software. There are services offering a virtual web application firewall, as well as malware clean-up service, that greatly minimises the impact of security breaches. A huge benefit of these systems is that they often “virtually patch” known vulnerabilities in commonly used software, meaning that even if your CMS isn’t fully patched, the firewall may be able to keep your website secure against unpatched exploits. Finally, patching and monitoring aren’t always 100% effective due to the rapid pace that hacking exploits are released. You should also consider advanced firewall protection, mirrored backups and secure CDN services to protect against DDOS and other attacks. What does The Bridge do? At The Bridge Digital we’ve noticed that incidence and complexity of attacks on our clients’ websites is increasing almost exponentially. In the past, we recommended certain security measures for websites we build and support. These days, we insist on it as part of our regular maintenance package. The days of being able to sign-up for a low-cost web hosting package, having a site developed and then largely forgetting about it after-launch until something needs to be changed are long gone. If you are serious about your business website, you will need the sort of protection outlined above and regular maintenance in the form of patching and upgrades, which in the case of more complex CMS software, are not easy or advised for non-technical website owners to conduct themselves. For an unprotected site we first run a scan for viruses, then initiate a clean-up if necessary. The next step is to place a web application firewall in front of the site to provide protection from attacks. It’s also crucial that CMS security updates are applied regularly. We will of course initiate ongoing monitoring, which will inform us promptly in the event that the site becomes compromised. These are the basics, but depending on the risks to your business, there are many other steps you can take, including implementing strict processes on user passwords, back-end access and content management permissions. Need help? If you are concerned about the security of your website in any way (or even if you aren’t), don’t leave it to chance, and please contact us on 02 9993 3300 or email firstname.lastname@example.org to discuss your options.