Is it hard to really secure your website or is it really hard to do it?
Being a hacker is quite a romantical conception in the mind of a consumer of news and pop culture. It isn’t hard to fancy a dignified rebel against the society’s order who works a decent job in a corporate environment by day and breaks laws and restrictions by night. He may actually end up doing a great thing. She is admirable even if she is a villain who does a super bad thing such as starting a nuclear reaction.
However, we have to admit that not all hackers are Neo from “Matrix” or Will from “Algorithm”. Although very knowledgeable and certainly hard to catch, most of them are not masterminds, but common criminals who steal valuable information and use them to different ends.
We give you a few of the most common reasons why securing your website is harder than it seems.
1. It isn’t always easy to realize you’ve been hacked
Basically, the easier to notice some suspicious activity on your website, the less dangerous the attack is. The very fact that you know makes it easier to fix, either on your own, if you are tech savvy, or by hiring someone to do it for you.
Think about it: a smart thief will do his best to make his deed go unnoticed for as long period of time as possible. That way he’ll be able to continue doing what he does best – stealing and hiding. However, a clumsy thief (or one that really doesn’t care) will probably mess something up or make a mistake on his way out and thus ring the alarm.
2. It isn’t the “if”, but the “when”
What, me? Why the hack (sic!) would anyone waste their time for attacking me… After all, I don’t have so many valuable data on my website. OK, there are my clients’ confidential info. But I’m not that big of a company anyway. There are bigger ones that could make for a far tastier prey.
This is what people usually think when they get out to take a walk when it’s frosty and slippery outside. And yet, most of us actually slip many times in our lives and break a limb or two. Someone ends up having a good laugh, while someone gets really hurt. But it happens to each and every one of us, sooner or later. Or both sooner and later, if you’re really unlucky.
This doesn’t mean we should duck and cover and stay at home forever. It just means we should be aware of everything that can happen to us, take all the measures of precaution, and get out into the Whole Wide World, or World Wide Web.
3. Our credentials are a delicate little flower
This is true even when they’re not plain obvious, such as FirstName123 for a username, and Pass for… duh, password. If one chooses predictable credentials, he calls for trouble and deserves what’s coming. They are easy to guess for a brute-force attack.
The problem is that surprisingly many people find it hard to contemplate just a little bit and use something less obvious as a gatekeeper to their digital treasure.
Our advice #1 is not to use the same credentials for multiple websites.
The advice #2 would be to use nonsensical passwords that aren’t likely to exist in any dictionary. Just press random keys on your keyboard, so that you’ll get something that doesn’t really roll off the tongue and doesn’t exist in any dictionary. However, don’t save those credentials in your browser or computer, as they are not impenetrable for hackers. Pen them on a piece of paper, and put that piece of paper in a box that’s in a secret drawer in your basement… Kidding about that last part, but the rest is an honest advice. Or use a password manager, such as LastPass, to store all of your passwords.
Also, it wouldn’t hurt to change your credentials occasionally.
4. The safe protocol catch
Every time you try to visit a website, your computer communicates with a server. However, the communication isn’t direct, but goes through a bunch of channels that together create a huge network. The problem is, there is always a great number of evil interceptors trying to eavesdrop on the communication and pull out any sensitive information (e. g. your credit card number). These interceptors are in some cases humans, but most frequently they are bots or even botnets, programs made, operated and automated by hackers to crawl the web, find weak spots and do the damage.
That’s why there is the so-called SSL (Secure Sockets Layer), which encrypts the message so that only the browser and the web server could understand it.
This is why you, as a website owner, should acquire the SSL certificate, so your customers would know that their sensitive data are safe with you. Once you do it, they’ll see a padlock in the top left-hand corner of their address bar, along with the “Secure” inscription and an https protocol, such as this.
5. We’re often too lazy to update whenever needed
… which means whenever an update is available.
Without overexplaining, let’s just assume this is a necessity, rather than one of many choices that are given to us. Updates not only bring us new features, but also fix bugs and improve our website’s security.
The aforementioned bots are usually programmed to attack websites with older versions of softwares, as they are already familiar with their weaknesses. One more reason to regularly update.
6. We’re also too lazy to perform frequent backups
The value of your business data equals the value of your business itself. It should be well guarded, protected and kept at different places. Backing it up on a regular basis is the most important thing you could do, so don’t ever postpone this process.
To have your website breached may be a consequence of bad luck, even if you did all you could to prevent it. But losing your data altogether would be entirely your fault.
7. We’re using too many plugins
Plugins are the cause of even 52% of all WordPress vulnerabilities. This astounding information was recently acknowledged by the latest WPScan report.
As well as themes, plugins should be downloaded from trustworthy sources only.
8. The dangers of file upload forms
Having a form on a business website is almost mandatory these days. Forms often come with an option of uploading documents or images. However, it is quite risky, as someone might upload a malicious file that doesn’t even appear to be malicious. A file can appear to be just a regular image, so that nobody suspects anything, but it can have a hidden evil code inside which executes when you open the image.
How to avoid this problem? Have your developer determine a list of file types and file sizes. Anything that doesn’t fit will be rejected. Even more important is to store those files in a directory that is outside the website root.
9. We don’t always put robots.txt to a good use
Hide your admin pages! If you’re not using the robots.txt file, not only are you not protecting the admin pages, but you are also exposing them to search engines, so that anybody who would wish to have a little fun can find them on a plate. Although many evil digital spiders tend to ignore the robots.txt file, it’s good to use it as a measure of precaution.
10. Being a hacker is not a hobby
It isn’t just trolling. Over time it has evolved into a full-blown profession, according to the world’s #1 cybersecurity expert Evgeny Kasperski. An underground kind, but a profession nonetheless. It makes huge amounts of money, and the good hackers even get to be hired by governments as spies.
Of course, we shouldn’t be afraid of those high-level hackers. But there is always a risk of falling into a little trap that can cause us great trouble.