A word that has been very much in the news of late is “hacking”. Away from the seedy world of unscrupulous journalists breaking into celebrity voicemail accounts, hacking is an everyday occurrence on the web. Some big names have been hit over the last year. Adobe recently had to inform no fewer than 38 million of its active users that account usernames and passwords had been stolen from their systems. Others who have been infiltrated include Facebook, Microsoft, Apple, the New York Times, and the US broadcaster NBC.
You’d think that, with the amount of money these guys have to throw at their security, they’d be pretty much impenetrable. An important lesson to learn here is that no website is 100% secure against being hacked. What you can do, though, is try to make it as difficult as possible for hackers to gain access in the first place.
Why do sites get hacked? It used to be mainly low-life programmers showing off how clever they were. They would usually leave a calling card by changing content on web pages. This still goes on, but nowadays it’s more likely to be criminals wanting access to internet servers from which they can set up unlawful activities.
Hackers will look for holes in security either on the software that you use for running your website, or on the server that your website is actually run from. From time to time, vulnerabilities are discovered in server systems and fixes (or patches) are issued to close them. You should check with your hosting provider that they keep an eye on patches being made available and that they are applied as quickly as possible.
You can’t just rely on your host, though. Millions of websites are built using popular content management systems (CMS) like WordPress and Joomla! They are superb systems which I use myself, but their popularity does make them prime targets for hackers, who can be sure to find lots of them around. As well as applying security patches for them when available, it’s very important to run additional security. There are numerous packages available which give varying degrees of cover. The best ones will block a multitude of attacks, monitor your site at all times and email you when they detect something suspicious going on.
These can help give you more peace of mind, but they won’t be any use if you use simple, easy-to-remember usernames and passwords for your administration areas. Hackers have robots that scour the internet for CMS admin areas. When one finds an admin area it will start trying usernames and passwords like ‘admin’ and ‘admin123’. Don’t make it easy for them. I know it can be a pain, but try to come up with combinations that are easy for you to remember but difficult for robots to find. They can guess billions of combinations very quickly, so it’s good security to block entry to anyone who has made, say, five unsuccessful attempts to log in. They can always be granted access again later if it’s a legitimate user who simply forgot their details. Ideally, though, you will have additional username/password protection to even gain access to the administrator login area – belt and braces! I make no apologies to my clients about what they must do to get administrator access. Better to be as safe as possible than sorry.
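The five-attempt block described above can be sketched as follows. This is an added example, not code from WordPress, Joomla! or any security package; the class name, keying the counter on the client's IP address, the 15-minute counting window and the 30-minute block are all assumptions.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # threshold suggested in the article
WINDOW_SECONDS = 15 * 60    # assumption: failures are counted over 15 minutes
LOCKOUT_SECONDS = 30 * 60   # assumption: a block lasts 30 minutes


class LoginThrottle:
    """Hypothetical helper: blocks a client after MAX_FAILURES failed logins."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = defaultdict(deque)  # client -> times of recent failures
        self._locked_until = {}              # client -> time the block expires

    def is_blocked(self, client):
        until = self._locked_until.get(client)
        if until is None:
            return False
        if self._clock() >= until:
            # Block expired: a legitimate user who forgot their details
            # is granted access again with a clean slate.
            del self._locked_until[client]
            self._failures.pop(client, None)
            return False
        return True

    def record_failure(self, client):
        """Register a failed attempt; return True if the client is now blocked."""
        if self.is_blocked(client):
            return True
        now = self._clock()
        recent = self._failures[client]
        recent.append(now)
        # Forget failures that have fallen out of the counting window.
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._locked_until[client] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, client):
        # A correct login clears that client's failure history.
        self._failures.pop(client, None)
```

The login handler would call `is_blocked()` before checking any credentials, so a blocked robot gets no further guesses until the block expires.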