I was just talking with a friend this week who “almost” had her identity stolen and had credit cards opened up in her name. After spending countless hours of her time ridding her credit report of fraudulent data, she is finally back in the clear.
We have also had more client sites hacked this year than in the previous five years combined. Granted, we also have more ongoing clients than before, but the number of security breaches is unprecedented.
This month is the 10th anniversary of National Cyber Security Awareness Month, a shared corporate and government initiative to promote awareness and provide resources that help keep us all safer and more secure online. One thing we have really taken note of this year is how much we all contribute to the security of those around us. In at least two of the hacks we dealt with, the initial break-in was through a neighboring site on the same shared server, not the site that reported the problem to us: once one account on a shared host is compromised, the others are only as safe as the host's isolation between accounts. During one of those instances, our own site went down because of a less secure site that was sharing our server.
In the spirit of doing our part to keep things safe, we recommend conducting a security audit on your website:
1. Backup everything
You should back up your website as often as you update it. This includes core website files, website assets (images, videos and other files) and the database. Three details make the difference between a backup and a false sense of security: keep copies somewhere other than the web server itself (if the server is compromised, so is anything stored on it); keep several generations, so you can restore from a point before the break-in instead of re-importing the attacker's changes; and actually test a restore once in a while. Together these ensure you can quickly get the site back in the event it gets hacked.
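The procedure above, as an added example (not code from the original post): a small Python backup script that archives the site tree, optionally includes a database dump from whatever dump command you pass in (an assumption; a mysqldump argv is shown in the docstring), records a SHA-256 digest, verifies that the archive actually restores, and prunes old generations. EXCLUDE_DIRS is a placeholder for whatever directories your CMS regenerates.

```python
"""Versioned website backup with restore verification.

Added example, not code from the original post. Assumes a Unix-like host
where the whole site lives under one directory; the database dump command
is an assumption you pass in (e.g. a mysqldump invocation), and the
EXCLUDE_DIRS names are placeholders for whatever your CMS regenerates.
"""
import hashlib
import os
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path

EXCLUDE_DIRS = {"cache", "tmp"}   # assumption: regenerated by the app, not worth keeping


def _skip_excluded(tarinfo):
    """tarfile filter: drop any member living under an excluded directory."""
    return None if any(p in EXCLUDE_DIRS for p in Path(tarinfo.name).parts) else tarinfo


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _digest_path(archive):
    return archive.parent / (archive.name[: -len(".tar.gz")] + ".sha256")


def backup_site(site_root, dest_dir, dump_cmd=None, stamp=None):
    """Write dest_dir/site-<stamp>.tar.gz holding the site files and, if
    dump_cmd (a subprocess argv list, e.g. ["mysqldump", "--single-transaction",
    "shop"]) is given, a db.sql produced by it. A .sha256 file records the
    archive digest. Returns (archive_path, digest)."""
    site_root, dest_dir = Path(site_root), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname="files", filter=_skip_excluded)
        if dump_cmd:
            with tempfile.NamedTemporaryFile(suffix=".sql", delete=False) as dump:
                subprocess.run(dump_cmd, stdout=dump, check=True)
            tar.add(dump.name, arcname="db.sql")
            os.unlink(dump.name)
    digest = sha256_of(archive)
    _digest_path(archive).write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_backup(archive, site_root):
    """A backup you have never restored is a hope, not a backup: check the
    recorded digest, extract into a scratch directory and compare every
    live file with its restored copy. Returns True only if all match."""
    archive, site_root = Path(archive), Path(site_root)
    if sha256_of(archive) != _digest_path(archive).read_text().split()[0]:
        return False                       # archive corrupted or tampered with
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            try:
                tar.extractall(scratch, filter="data")   # safe extraction (newer Python)
            except TypeError:                            # older Python without filter=
                tar.extractall(scratch)
        restored = Path(scratch) / "files"
        for live in site_root.rglob("*"):
            rel = live.relative_to(site_root)
            if not live.is_file() or any(p in EXCLUDE_DIRS for p in rel.parts):
                continue
            copy = restored / rel
            if not copy.is_file() or sha256_of(copy) != sha256_of(live):
                return False
    return True


def prune_backups(dest_dir, keep=7):
    """Delete all but the newest `keep` archives (names sort by stamp), so a
    copy taken before a compromise survives. Returns the names removed."""
    archives = sorted(Path(dest_dir).glob("site-*.tar.gz"))
    removed = []
    for old in archives[:-keep] if keep else archives:
        _digest_path(old).unlink(missing_ok=True)
        old.unlink()
        removed.append(old.name)
    return removed
```

Run it from cron after each deploy or content change, then copy the archive and its .sha256 file to storage the web server cannot write to; a backup that lives only on the compromised server is part of the compromise.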
2. Change your passwords
You should change your passwords regularly; every 3 months is a common rule of thumb, and a suspected compromise or a breach notice from any service you use should trigger an immediate change regardless of the schedule. This goes not only for passwords related to your website (admin dashboard, hosting account, domain registrar, database), but for your personal accounts as well (email, banking, utility accounts, credit card accounts). Many corporations now require employees to change their password on a regular basis and prevent a previously used password from being reused. There is a reason they do this. One caution: a rotated password must be a genuinely new strong one, not last quarter's with the final digit bumped, because those variants are exactly what guessing tools try first. We agree it is annoying to change your password all the time, but not nearly as annoying as clearing up a breached credit report or dealing with a hacked website or stolen credit card.
3. Use strong(er) passwords
SplashData releases a list of the “worst” (meaning most popular) passwords every year. Their “Worst Passwords of 2012” included the same top five as the year before:

Rank  Password   Change from 2011
1     password   unchanged
2     123456     unchanged
3     12345678   unchanged
4     abc123     up 1
5     qwerty     down 1
If you are using any of the passwords on the list, it is only a matter of time before an attacker gets in. Most attacks on login pages are automated. A “dictionary attack” tries every entry in a huge list of leaked and commonly used passwords, plus simple variants of them (a year appended, letters swapped for look-alike digits), and a “brute force attack” tries every possible combination up to some length, so a short password falls quickly no matter how random it looks. A good password is therefore long (12 characters or more) and contains a combination of letters (both capital and lowercase), numbers and special characters. It should not contain dictionary words, sequences (abcd, 1234) or repeated characters, adjacent keyboard characters (qwerty, asdf), or personal information (such as your kid’s name, phone number, birthday, anniversary).
Many applications, like WordPress, now have password strength checkers to help you create a strong, secure password. Microsoft also offers a free password checking tool on its website.
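The rules above, as an added example (not code from the original post, and not the WordPress or Microsoft checker): a Python function that reports which rules a candidate password breaks. COMMON_PASSWORDS is a short constructed sample standing in for the SplashData list, and the 12-character minimum is this example's choice.

```python
"""Password-quality check implementing the rules described above.

Added example, not code from the original post and not the WordPress or
Microsoft checker. COMMON_PASSWORDS is a short constructed sample; in
practice load a breach-derived list with millions of entries.
"""
import re
import string

COMMON_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty",
                    "monkey", "letmein", "dragon", "111111", "baseball"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQUENCES = [string.ascii_lowercase, string.digits] + KEYBOARD_ROWS
LEET = str.maketrans("@$013", "asoie")       # undo the usual letter-for-symbol swaps


def _has_walk(pw, run_len=4):
    """True if run_len consecutive characters of pw walk along the alphabet,
    the digits or a keyboard row, in either direction (abcd, 4321, qwer)."""
    low = pw.lower()
    for seq in SEQUENCES:
        for direction in (seq, seq[::-1]):
            if any(direction[i:i + run_len] in low
                   for i in range(len(direction) - run_len + 1)):
                return True
    return False


def check_password(pw, personal_info=()):
    """Return the list of rules the password breaks (empty means it passes).
    personal_info is an iterable of strings the password must not contain
    (names, phone numbers, dates)."""
    problems = []
    low = pw.lower()
    normalized = low.translate(LEET)              # "P@ssw0rd1" -> "passwordi"
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    # Exact hits plus anything built around a common password ("P@ssw0rd2013!").
    if low in COMMON_PASSWORDS or any(w in normalized
                                      for w in COMMON_PASSWORDS if len(w) >= 5):
        problems.append("based on a common password")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.append("missing one of: lowercase, uppercase, digit, symbol")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats a character 3+ times in a row")
    if _has_walk(pw):
        problems.append("contains a sequence or keyboard walk")
    for item in personal_info:
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    return problems
```

Note what the leet normalization buys you: “P@ssw0rd2013!” satisfies every character-class rule and is 13 characters long, yet it is flagged, because guessing tools try exactly those substitutions.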
4. Vary your passwords
Don’t use the same password on multiple sites. If you do, and one of those sites is breached, the attacker already has the key to all the others; there are automated tools whose whole job is to take leaked email/password pairs and replay them against hundreds of other sites.
5. Don’t write your passwords down
This should be a no-brainer, but with dozens upon dozens of accounts these days, it can be next to impossible to remember them all. The trick is to use a password manager, like Dashlane, protected by one long master password that you use nowhere else. Although most modern browsers will remember passwords for you, as will Mac Keychain, a program like Dashlane can securely sync across all your devices AND log you in automatically.
(5b. Never, ever email or fax your passwords)
If you have to give one out, do it over the phone. If it must be split into pieces, send the pieces over different channels (say, half by phone and half by text message); two emails in the same inbox are no harder to read than one. I had one clever client tell me a website password in an email by creating a riddle out of descriptive phrases that only I would understand.
6. Regularly review your website logs
Your raw access logs show who is visiting, what they request, and whether password-guessing tools are hitting your login page (a burst of POST requests to the login URL from one address in a short time). Repeated 404s for paths that do not exist on your site (/phpmyadmin/, backup copies of wp-config.php, old admin panels) are a vulnerability scanner looking for something to exploit. On dynamic sites, requests whose query strings contain SQL fragments (UNION SELECT, ' OR 1=1) are SQL injection attempts; these usually come back as 200 or 500 responses rather than 404s, so you have to look at the request itself, not just the status code. If this is Greek to you, do yourself a huge favor and invest in managed website maintenance. We offer this service as part of our website maintenance plans. Contact us today to learn more.
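The log review described above, as an added example (not code from the original post): a Python script that reads lines in the standard Apache/nginx combined format and reports failed-login bursts, scanner probes and injection attempts. The log lines are constructed for this example, and the assumption that a failed login is a POST to /wp-login.php answered with 200 (a success redirects with 302) is WordPress-specific; change login_path and the status test for other applications.

```python
"""Access-log review: failed logins, scanner probes and SQL injection attempts.

Added example, not code from the original post. Assumes Apache/nginx
"combined" log format and a WordPress-style login page where a failed POST
re-renders the form with a 200 while a successful one redirects with a 302
(both of those are assumptions; adjust for your application). The sample
lines are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')
# Things a vulnerability scanner asks for that a healthy site never serves.
PROBE_RE = re.compile(r"(?i)(phpmyadmin|xmlrpc\.php|wp-config|\.bak$|\.sql$|\.env$|\.git/|shell\.php)")
# Classic injection fragments, matched against the URL-decoded query string.
SQLI_RE = re.compile(r"(?i)(union\s+select|\bor\s+\d+\s*=\s*\d+|\bor\s+'[^']*'\s*=|"
                     r"sleep\s*\(|benchmark\s*\(|information_schema|'\s*--)")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_log(lines, login_path="/wp-login.php", threshold=5):
    """Summarise suspicious activity. Returns a dict with per-IP failed login
    counts, the IPs at or over `threshold` (probable password guessing),
    per-IP probe paths, and (ip, decoded url) pairs that look like SQLi."""
    failures = Counter()
    probes = defaultdict(list)
    sqli = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, do not crash
        ip, url, status = rec["ip"], rec["url"], rec["status"]
        path, _, query = url.partition("?")
        if rec["method"] == "POST" and path == login_path and status == "200":
            failures[ip] += 1             # assumption: 200 = form re-shown = failure
        if status == "404" and PROBE_RE.search(path):
            probes[ip].append(path)
        if query and SQLI_RE.search(unquote_plus(query)):
            sqli.append((ip, unquote_plus(url)))
    return {
        "login_failures": dict(failures),
        "brute_force_suspects": sorted(ip for ip, n in failures.items() if n >= threshold),
        "probes": dict(probes),
        "sqli": sqli,
    }


# Constructed sample log (RFC 5737 documentation addresses, not real visitors).
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Oct/2013:03:14:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"'
    for s in range(1, 7)
] + [
    '203.0.113.7 - - [12/Oct/2013:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Oct/2013:03:15:09 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.23 - - [12/Oct/2013:03:15:10 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.44 - - [12/Oct/2013:03:16:22 +0000] "GET /products.php?id=1%27+OR+1%3D1-- HTTP/1.1" 200 5120 "-" "sqlmap/1.0"',
    '192.0.2.44 - - [12/Oct/2013:03:16:23 +0000] "GET /products.php?id=1+UNION+SELECT+user,pass+FROM+users HTTP/1.1" 500 0 "-" "sqlmap/1.0"',
    '192.0.2.10 - - [12/Oct/2013:03:17:00 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for key, value in review_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the sample, 203.0.113.7 fails six times and then gets a 302 on the seventh try, which is the pattern of a guessing tool that eventually succeeded; that address deserves attention even though the final request looks like a normal login.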
7. Install a lockout system
If someone enters the wrong password for your site more than 3-5 times in a row, they should be locked out from trying again for a period of time. Five minutes is usually enough: most automated guessing tools give up on a site that starts rejecting attempts and move on to one that does not. Two caveats. Apply the lock to the client address plus the account (or throttle by address) rather than to the account alone, or an attacker can lock you out of your own site just by deliberately failing to log in as you. And an attacker with many addresses can spread attempts across them, so a lockout raises the cost of guessing rather than eliminating it.
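The lockout rule above, as an added example (not code from the original post and not any particular plugin): a Python class a login handler could call with the client address and account name. It locks the address/account pair after 5 failures within 5 minutes, doubles the lockout each time it recurs, and separately locks an address that fails across many different accounts (password spraying). Keying on the pair rather than the account alone is what stops an attacker from locking you out of your own site.

```python
"""Login lockout with a sliding failure window.

Added example; not the original post's code and not any particular CMS
plugin. Assumes the login handler can call record_failure / is_locked /
record_success with the client IP and the account name. `now` is passed
explicitly so the policy can be exercised without waiting real minutes.
"""
import time
from collections import defaultdict, deque


class LoginLockout:
    """Locks an (ip, account) pair after max_failures failed attempts within
    window_seconds; each further lockout of the same pair lasts twice as
    long. An IP that fails across many accounts is locked for every account.
    Keying on the pair rather than the account alone keeps an attacker from
    locking the real owner out of their own site."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=300,
                 spray_multiplier=3):
        self.max_failures = max_failures
        self.window = window_seconds
        self.base_lockout = lockout_seconds
        self.spray_limit = max_failures * spray_multiplier   # per-IP, any account
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> expiry time
        self._lock_count = defaultdict(int)   # key -> lockouts so far (for doubling)

    @staticmethod
    def _keys(ip, username):
        return ("pair", ip, username.lower()), ("ip", ip)

    def _recent(self, key, now):
        """Drop failures older than the window and return how many remain."""
        q = self._failures[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def is_locked(self, ip, username, now=None):
        now = time.time() if now is None else now
        for key in self._keys(ip, username):
            until = self._locked_until.get(key)
            if until is not None:
                if now < until:
                    return True
                del self._locked_until[key]           # lock expired: forget it
        return False

    def record_failure(self, ip, username, now=None):
        """Register one failed attempt; return True if the client is now locked."""
        now = time.time() if now is None else now
        pair_key, ip_key = self._keys(ip, username)
        for key, limit in ((pair_key, self.max_failures), (ip_key, self.spray_limit)):
            self._failures[key].append(now)
            if self._recent(key, now) >= limit:
                self._lock_count[key] += 1
                duration = self.base_lockout * 2 ** (self._lock_count[key] - 1)
                self._locked_until[key] = now + duration
                self._failures[key].clear()
        return self.is_locked(ip, username, now)

    def record_success(self, ip, username):
        """A successful login resets the pair's failure history (not an active lock)."""
        self._failures.pop(self._keys(ip, username)[0], None)
```

Wire is_locked() in before the password check so a locked client never even triggers a database lookup, and log every lockout: those entries are the same failed-login bursts the log review in the previous step is looking for.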
Bonus: remember Darwin
It’s survival of the fittest. If a good thief ever really wants in, they will find a way in. But the idea is to make it as annoying and time consuming as possible to break into your website. A thief won’t want to waste precious time disabling your alarm, cutting off your steering wheel lock and worrying about whether you have LoJack when the next car is just sitting there unlocked with a set of keys “hidden” in the visor. The more you protect your site, the stronger it will be, and the less likely you are to be the easy prey.
Security Audit and Maintenance Plans
Contact us for a security audit and to sign up for an ongoing maintenance plan. You wouldn’t drive without insurance, so don’t leave your website investment to chance. We’ll review your site for security holes, review your logs and conduct regular checkups and backups.