Think your website is secure?
Google has been cracking down on security, and the numbers aren’t pretty:
- 32% increase in the number of hacked sites in 2016 compared to 2015
- 61% of webmasters who were hacked didn’t even know about it because their sites weren’t verified in Google’s Search Console.
And if this isn’t worrisome enough, consider these stats from Symantec’s 2016 Internet Security Threat report:
- More than 75% of legitimate sites have unpatched vulnerabilities
- 15% of legitimate sites have vulnerabilities deemed “critical”, which means a cybercriminal can attack those sites with minimum effort
- 1 in 3,172 websites were found with malware in 2015, almost triple the 2014 figure.
So any webmaster who fails to secure their website should be aware that hackers will take any vulnerability as an open invitation to gain access and manipulate a site.
Now, would it surprise you to know that the number one reason why websites get hacked is not to steal customer data?
Believe it or not, SEO spam is one of the main reasons why hackers target vulnerable websites. Why? Because they can just hijack a vulnerable site and redirect visitors to malicious sites, causing you to lose customers.
While losing customers at the time of the hacking is painful, the long-term impact is even worse.
Imagine a potential customer runs a search for your site on Google and what they see is this:
If that happens, this can not only affect your reputation but also your SEO efforts because:
- Google can penalise your website as an “attacked” site or site hosting malware. When that happens, that costs you money because your rankings will drop, which means your site traffic and sales will drop as well. Also, Google will continue to show the above message in search for 30 days for repeat offenders.
- Customers will lose trust in your site. If your website security is compromised, people will no longer feel safe on your site, knowing that all activity and confidential data they share with you may no longer be as secure as they thought. Regaining that trust is not easy.
So, no matter how much work you put into optimising your site for users and search engines, if security is not a priority all that hard work will be gone in an instant the moment a hacker gets into your site and compromises everything.
How hackers get in
To protect your site and prevent cybercriminals from attacking it, you must first understand how they act.
So, how do hackers get into a site?
The three most commons ways are through:
1. Access control
2. Software vulnerabilities
3. Third-party services
1. Access Control
Access control doesn’t just refer to how you log into your website but into other areas as well such as:
• Hosting panel
• Server (i.e., FTP, SFTP, SSH)
• Your computer
• Your social media networks
It’s like that host that holds a guest list at the door, taking responsibility for checking who is allowed entry, but leaves their post to enjoy the party. Why even bother if anyone can stroll straight through?
With this kind of attack, hackers simply guess username and password combinations: brute-forcing the login form, or replaying credentials leaked in another site's breach (credential stuffing) in the hope that a user reused the same password.
There are also social engineering attempts such as phishing pages built to capture a user's login details, and Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks. With XSS the attacker runs their own script in the user's browser to steal a session cookie or harvest what the user types; with CSRF the attacker tricks the user's already logged-in browser into sending a request (for example, one that creates a new admin user) that the site accepts as the user's own.
And, of course, there's the well-known Man in the Middle (MITM) attack: if the login happens over plain HTTP, anyone on the same insecure network can read your username and password in transit, because they travel as plain text from one point to the other.
2. Software vulnerabilities
Most site owners, no matter how skilled, are unable to address today’s software vulnerabilities. That’s because most of us use things as they are designed. That includes web servers, infrastructure, even your browser. So, anywhere there’s a system, there’s a potential software vulnerability that attackers can exploit.
The two most common channels through which hackers reach a software vulnerability are:
- the Uniform Resource Locator (URL), i.e. the path and the query-string parameters, or
- the body and headers of POST requests
Any input that reaches the application through these channels can carry an attack such as Remote Code Execution (RCE), Remote / Local File Inclusion (R/LFI), or SQL Injection (SQLi). Of course, there are many others, but these are the most common ones affecting today's websites.
Once a hacker finds such a flaw, they can read or alter your SQL database, inject malicious HTML or JavaScript into your pages, drop a backdoor file, and change your website at will.
3. Third-party services
Third-party integrations and services are extremely popular and widely used, especially in CMSs like WordPress, Joomla! and Drupal.
Now, the problem with third-party services is that they’re beyond a site owner’s control. When you integrate third-party providers you usually assume that they’re safe, but that may not always be the case.
Ways to prevent an attack
But enough of this scare fest. There are things you can do to protect your website against these attacks.
Here’s a roundup of the easiest steps to take:
1. Make sure your passwords are secure
This one seems obvious, but it’s extremely important.
It may be tempting to use a password you know will always be easy for you to remember, and to use it for almost everything – from gaining access to your website to logging into your social media accounts. You can and have to do better than that if you want to keep your site secure.
So come up with a strong, secure password. Make it long and use a combination of special characters, numbers, and letters. And definitely steer clear of easy-to-guess keywords like your birthday or your dog’s name. If a hacker is trying to gain access to your site, you can be sure they’ll have no trouble finding this information about you so don’t make their job easier.
If you’re working with a team, have them do the same. It only takes one weak password to make your entire website vulnerable.
2. Toughen up access control
Apart from enforcing strong passwords, you should also limit the number of login attempts allowed within a given time window, and apply the same limit to password-reset requests, so that guessing becomes impractical. Also, avoid sending login details via email: anyone who gets into that mailbox gets into your site.
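As an added illustration (not code from the original article), here is a minimal login throttle in Python. It counts failed attempts per account inside a sliding window and refuses further attempts for a lockout period, which is the check the paragraph above asks for. The limits, the `check_password` callable and the injectable clock are assumptions made for the example.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Lock an account after too many failed logins inside a sliding window.

    Added example, not code from the original article. The defaults (5 failures
    in 15 minutes, then a 15-minute lockout) and the injectable clock are assumptions.
    """

    def __init__(self, max_failures=5, window=900, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(list)  # key -> timestamps of recent failures
        self._locked_until = {}             # key -> time at which the lock expires

    def is_locked(self, key):
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lock expired: forget it, and the failures that caused it.
        del self._locked_until[key]
        self._failures.pop(key, None)
        return False

    def record_failure(self, key):
        """Note one failed attempt; returns True if this attempt triggered a lockout."""
        now = self.clock()
        recent = [t for t in self._failures[key] if t > now - self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(throttle, username, password, check_password):
    """One login attempt under the throttle. Returns "locked", "ok" or "bad".

    The same throttle, with a different key prefix, can guard password-reset
    requests, which the article says should be limited too. Production code
    usually throttles per client IP as well, so that an attacker hammering one
    username does not simply lock the real user out.
    """
    key = "login:" + username
    if throttle.is_locked(key):
        return "locked"
    if check_password(username, password):
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "bad"
```

Note that the throttle answers "locked" before the password is even checked, so a locked-out attacker learns nothing about whether their latest guess was right.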
3. Keep everything up-to-date
Delaying an update can expose you to an attack so if there’s one simple thing you can do to protect your website that’s to make sure that every piece of software you run is up-to-date.
Why is this important? Because many of the tools and plugins we use are open source, which means the code is available to everyone, and, more to the point, every fixed security bug is publicly disclosed in the project's changelog or an advisory. Attackers read those disclosures and scan the web for sites still running the old version, so an update you haven't applied is a known, documented way in.
So make sure you always have the latest versions of your platform and scripts to minimise the risk of an attack.
At the same time, you should clean out your website of any old, unused plugins because these are like sitting ducks for hackers. They’ll not hesitate to use them as a gateway to gain access to your site and wreak havoc on it.
4. Use SSL
For both SEO and user-security reasons, set your site up over HTTPS with an SSL/TLS certificate. TLS encrypts the connection between the visitor's browser and your server, so login details, form contents and session cookies can't be read or altered in transit by someone on the same network (the MITM scenario above). It doesn't protect the data once it's on your server or in your database; that's what the other measures on this list are for.
The cost to you is minimal, but the extra level of encryption it offers to your customers goes a long way to making your website more trustworthy and secure.
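Added example, not from the article: a WSGI middleware in Python that redirects any plain-HTTP request to the same URL over HTTPS and adds a Strict-Transport-Security header to every HTTPS response, so browsers stop using HTTP for the site at all. The `hello_app` application, the one-year HSTS value, and the choice to trust `X-Forwarded-Proto` only when the caller says so are assumptions for the example; the certificate itself is installed on the web server or proxy that sits in front of this code.

```python
from urllib.parse import quote
from wsgiref.simple_server import make_server

HSTS = "max-age=31536000; includeSubDomains"   # one year; add "preload" only once you are sure


def request_is_https(environ, trust_forwarded_proto=False):
    """True if the client spoke HTTPS, either to us directly or to a trusted proxy in front."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # A client can send X-Forwarded-Proto too, so honour it only when a proxy
    # you control is known to overwrite it on every request.
    if trust_forwarded_proto:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_only(app, trust_forwarded_proto=False):
    """WSGI middleware: redirect plain-HTTP requests to HTTPS, add HSTS to HTTPS responses."""

    def wrapped(environ, start_response):
        if not request_is_https(environ, trust_forwarded_proto):
            # In production, check HTTP_HOST against your own hostnames first, so an
            # attacker-supplied Host header cannot turn this into an open redirect.
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = quote(environ.get("PATH_INFO") or "/")
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            # 301 so browsers and crawlers remember; nothing sent over HTTP is processed.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS))
            return start_response(status, headers, exc_info)

        return app(environ, with_hsts)

    return wrapped


def hello_app(environ, start_response):
    """Placeholder application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"hello over TLS\n"]


app = https_only(hello_app)

if __name__ == "__main__":
    # This serves plain HTTP only, so every request redirects; TLS terminates on the proxy.
    make_server("", 8080, app).serve_forever()
```

Two things the middleware does not do for you: session cookies still need the `Secure` flag so the browser never sends them over HTTP, and the redirect should be done before any request body is read, which is why the middleware returns immediately.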
5. Use parameterized queries
One of the most common ways for hackers to attack a site is through SQL injection. It can occur wherever a web form or URL parameter lets outside users supply data that ends up inside a SQL statement. If you paste that data straight into the query text, a hacker can include quotes and SQL of their own and read, change or delete anything in your database.
There are steps you can take to protect your website from SQL injection, and one of the most important and easiest to implement is the use of parameterized queries. With a parameterized query the SQL statement is sent to the database with placeholders, and the user-supplied values are passed separately, so the database never interprets them as SQL no matter what characters they contain. This guide explains how and why to use parameterized queries to avoid SQL injection attacks.
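Added example, not from the article or the guide it links to: the same login lookup written twice in Python against an in-memory SQLite database, once by splicing user input into the SQL text (the vulnerable pattern) and once with placeholders. The `users` table, the sample account and the placeholder "hash" value are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed sample account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    # Placeholder value; a real site stores the output of a password hashing
    # function (bcrypt, scrypt, argon2) and verifies it in application code.
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 ("alice", "hash-of-alice-secret"))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """DELIBERATELY VULNERABLE: user input is spliced into the SQL text."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password_hash):
    """Parameterized: the statement carries placeholders, the values travel separately."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def demo():
    """Run one classic payload through both variants. Returns (vulnerable_result, safe_result)."""
    conn = make_db()
    payload = "alice' --"   # closes the string, then comments out the password check
    return login_vulnerable(conn, payload, "wrong"), login_safe(conn, payload, "wrong")
```

The vulnerable function lets `alice' --` log in as alice with any password because the resulting statement reads `... username = 'alice' --' AND password_hash = 'wrong'`, and everything after `--` is a comment. In the parameterized version the same string is just a username that does not exist. Placeholders work for values only; table and column names cannot be parameterized, so if those must vary, pick them from a fixed allow-list in code. The placeholder syntax (`?` here, `%s` in some other drivers) depends on the database driver.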
6. Install security plugins, whenever possible
There are plugins you can use to enhance your website security and protect it against hacking attempts. If you’re working with WordPress, you can use free plugins like BulletProof Security or iThemes Security. If you’re using a different CMS, it might be worth investing in a website security monitoring tool that can scan your site on a daily basis for malware, viruses and vulnerabilities.
7. Hide your admin pages
You really don't need your admin pages to show up in search engines. One thing you can do is to add the URLs to your robots.txt file, which stops well-behaved crawlers from fetching them; a page can still be indexed without being crawled if other sites link to it, so on its own this isn't reliable.
If you want to reliably block a page from the search results, use a robots meta tag set to "noindex" (and don't also block that page in robots.txt, or the crawler never gets to see the tag). Bear in mind that neither method is access control: robots.txt is public, so listing /admin there tells an attacker exactly where to look. Keep admin pages out of search engines, but protect them with authentication, and where possible restrict them to known IP addresses.
8. Limit file uploads
File uploads are a major concern because they're one of the ways hackers get their own code onto your server: an uploaded file that the web server will execute, such as a PHP script with a harmless-looking extension, is a backdoor. So the easiest solution is to never let the web server serve uploaded files directly. Store them outside the document root under a random name you generate, check the file type by its content rather than trusting the extension, and use a script to read them back whenever necessary.
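Added example, not code from the article: a Python upload handler that applies the rules above. The allow-list of types, the size limit and the `upload_root` directory are assumptions for the example; the web server must be configured so that `upload_root` is outside anything it serves directly, which is the whole point.

```python
import os
import secrets
from pathlib import Path

# Allowed extensions and the leading bytes a file of that type must start with.
# Assumed for the example; extend per site, but keep it an allow-list.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def store_upload(data, original_name, upload_root):
    """Validate an upload and write it under upload_root (outside the web root).

    Returns an opaque token the application later maps back to the file.
    The client never chooses the stored name or path.
    """
    upload_root = Path(upload_root)
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    ext = Path(original_name).suffix.lower()      # only the last suffix counts
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise ValueError(f"file type {ext!r} not allowed")
    if not data.startswith(magic):
        raise ValueError("content does not match extension")
    token = secrets.token_urlsafe(16) + ext        # random; no user-controlled characters
    dest = upload_root / token
    # O_EXCL: never overwrite an existing file. 0o600: not readable by other users on a shared host.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return token


def read_upload(token, upload_root):
    """Return the bytes of a stored upload for the serving script to stream out.

    The script sends them with a fixed Content-Type and a Content-Disposition
    header; there is deliberately no URL that maps straight onto the file.
    """
    upload_root = Path(upload_root).resolve()
    dest = (upload_root / token).resolve()
    # Refuse anything that resolves outside upload_root (e.g. "../../etc/passwd")
    # or that is not one of the stored types.
    if dest.parent != upload_root or dest.suffix not in ALLOWED_TYPES:
        raise FileNotFoundError(token)
    return dest.read_bytes()
```

Because the stored name is random and comes from the server, tricks such as `shell.php.png` or `../../index.php` in the original filename never reach the filesystem, and because the file is only ever read by a script, the web server has no opportunity to execute it even if the content check were fooled.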
What to do if your site has been compromised
In the event your site gets hacked, there are things you can do to fix it. Just make sure you act fast.
Google’s in-depth guide explains the steps to follow to assess the damage, identify the vulnerability and clean up your site.
Here’s an overview:
Step 1: Verify ownership of your site
The road to recovery starts with verifying ownership of your website in Search Console. So sign into Search Console using your Google account (or create a new one). Click add a site, enter in your site’s URL, and click continue. Then choose the verification method that works for you. Once you’ve clicked Verify, you’ll see a screen mentioning you’re the verified owner.
This step is very important because with a verified website you can get notified of any security issues.
Next, go to your Search Console account, click Manage Site, then Add or Remove Users. This allows you to check and see whether the hacker already claimed ownership of your site. If there is a user you are unaware of, delete them immediately.
Step 2: Inform your host
The second thing you should do is to let your host know that your site has been attacked. This allows them to take measures to ensure their other customers on the same server won’t be compromised. They may also help you find out how your site was compromised and how to recover.
Step 3: Take your site offline
You should do this for two reasons:
- Prevent the hacker from causing further damage to your site
- Prevent visitors from landing on your site only to see a scary malware alert
So stop your web server, or point your site's DNS entries to a static page on an entirely different server that answers with a 503 HTTP response code. This code tells search engines the site is temporarily unavailable rather than gone. According to Google, taking your site offline briefly is unlikely to affect your site's future rankings in the search results.
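Added example, not from the article: a small Python WSGI wrapper for the "offline" period. Every visitor and crawler gets a 503 with a Retry-After header, while requests from an allow-listed address range (assumed here to be the 203.0.113.0/24 documentation range) still reach the real site so the cleanup can be done and checked. The `real_site` placeholder and the retry interval are assumptions.

```python
import ipaddress
from wsgiref.simple_server import make_server

RETRY_AFTER_SECONDS = 3600   # assumed; tells crawlers when to come back

MAINTENANCE_PAGE = b"""<!doctype html>
<title>Temporarily unavailable</title>
<p>This site is offline for maintenance. Please check back shortly.</p>
"""


def maintenance_gate(app, allowed_ips=()):
    """Wrap `app` so that only clients in `allowed_ips` reach it; everyone else gets 503.

    REMOTE_ADDR is only trustworthy when this process is reached directly or the
    proxy in front of it overwrites the client address on every request.
    """
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_ips]

    def wrapped(environ, start_response):
        try:
            client = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            client = None
        if client is not None and any(client in net for net in allowed):
            return app(environ, start_response)   # the cleanup crew still gets in

        headers = [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(MAINTENANCE_PAGE))),
            ("Retry-After", str(RETRY_AFTER_SECONDS)),   # 503 + Retry-After means "temporary", not "gone"
            ("Cache-Control", "no-store"),
        ]
        start_response("503 Service Unavailable", headers)
        return [b""] if environ.get("REQUEST_METHOD") == "HEAD" else [MAINTENANCE_PAGE]

    return wrapped


def real_site(environ, start_response):
    """Stand-in for the CMS being cleaned up (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"admin can work here\n"]


app = maintenance_gate(real_site, allowed_ips=["203.0.113.0/24"])

if __name__ == "__main__":
    make_server("", 8080, app).serve_forever()
```

Serving the maintenance page with 200, or with 404 or 410, would be the wrong signal: the first lets search engines index the placeholder text, the other two tell them the pages are gone.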
At the same time, you should review your user accounts, especially the newest ones as one of them could be the hacker’s. Look into these accounts and delete the ones that look suspicious. Also change the passwords for all site users and accounts, including logins for FTP, database access, system administrators, and content management system (CMS) accounts.
Step 4: Determine how you were hacked
Once verified, check the messages in your Search Console to see whether you received any information from Google regarding whether your site was used for 1) serving spammy pages, text or links, 2) phishing, 3) distributing malware. You can also go to the Security Issues tab to get more information on the type of attack on your site.
Was your site hacked with spam? This Google video highlights spam techniques, how to investigate your site for spam, and how to find all the affected files.
Was your site infected with malware? Then the hacker may be using your site to push malware onto visitors: software designed to take over, or steal information from, their computers. Watch this video to learn how to investigate the malware and find out which files were affected.
Step 5: Clean up
Here are a few things you should do to clean up your site:
• Remove anything that was added by the hacker (i.e. content, links), then restore your latest backup, making sure it's one taken from before the compromise; a backup made afterwards contains the hacker's files too. Install all software and program updates.
• Eliminate third party widgets you rarely use.
• Perform a clean installation on your server.
• Transfer good content from the backup file copy to the recently installed server. Only upload the files you know are clean.
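Finding "all the affected files" (Step 4) and knowing which files are safe to carry over (Step 5) both come down to comparing the live site against a known-good copy. As an added example, not from the article or Google's guide, here is a Python script that hashes every file in the live tree and in a pre-compromise backup, reports what was added, modified or removed, and then flags changed files containing a few strings typical of injected PHP and HTML. The marker list is a minimal assumed starting point, not a malware signature database.

```python
import hashlib
import os
from pathlib import Path

# Strings that commonly appear in injected PHP/HTML. Assumed for the example,
# not exhaustive, and to be extended per site.
SUSPICIOUS_MARKERS = (
    b"eval(base64_decode(",
    b"gzinflate(",
    b"<iframe",
    b"document.write(unescape(",
)


def hash_tree(root):
    """Map every regular file under root (relative POSIX path -> SHA-256 hex)."""
    root = Path(root)
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue   # skipped, so a planted link to /etc/passwd is not hashed; review links by hand
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(live, backup):
    """Classify files in the live site against a pre-compromise backup."""
    live_d, back_d = hash_tree(live), hash_tree(backup)
    return {
        "added": sorted(p for p in live_d if p not in back_d),
        "modified": sorted(p for p in live_d if p in back_d and live_d[p] != back_d[p]),
        "removed": sorted(p for p in back_d if p not in live_d),
    }


def scan_markers(live, paths):
    """Return the sorted subset of paths (relative to live) containing a suspicious marker."""
    hits = []
    for rel in paths:
        data = (Path(live) / rel).read_bytes()
        if any(m in data for m in SUSPICIOUS_MARKERS):
            hits.append(rel)
    return sorted(hits)


def triage(live, backup):
    """Diff the live tree against the backup and flag which changed files look injected."""
    diff = compare_trees(live, backup)
    diff["flagged"] = scan_markers(live, diff["added"] + diff["modified"])
    return diff
```

Files in "added" and "modified" are the ones to inspect before the clean install; anything that is unchanged against the backup, plus your own reviewed content, is what gets transferred. Run the comparison from a machine you trust, on a copy of the live tree, since a compromised server can lie about its own files.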
Step 6: Ask Google for a review
Have you verified your site’s ownership in Google’s Search Console? Is your site clean with no trace of the hacker? Have you brought your clean site back online?
If you answered YES to all these questions, it’s time for a Google review. This is a necessary step to have the warnings associated with your website lifted as it lets Google know that you’ve taken the steps to fix all the issues with your site. If Google determines your site is clean, they will approve the review and at the same time remove the “this website is not safe” messages that show up in the search results.
Website security isn’t just about keeping your site secure and making your visitors feel safe. It’s also about protecting confidential user information, thus protecting your reputation and search engine rankings as well. These are things you definitely don’t want to risk losing.