Web Dandy Web Design Articles

Size Doesn't Matter — Protect Your Website

Hackers Don't Just Target High Profile Businesses

When a hacked website grabs the headlines, it's usually the website of a large, well-known company and often involves a loss of customers' personal data. In a recent case, Dell suffered a data breach where a hacker gained access to a Dell portal with customers' names, addresses and order information.

Small business owners often mistakenly believe that hackers only focus on high-profile organisations. However, small business websites are frequently attacked and hacked too. In fact, according to Solid Academy (whose products include Solid Security), "small business websites receive the brunt of malicious activity". The potential consequences for a business with a hacked site can range from frustration and inconvenience to unauthorised access to sensitive information, identity theft, loss of search engine ranking, reputational damage, privacy breaches and financial loss.

How Many Websites Are Hacked Every Day?

Security company Astra states there are around 4,000 cyber-attacks worldwide every day, with retail being the second most targeted industry. Astra found that a company falls victim to a ransomware attack every 14 seconds and that 39% of UK businesses were affected by cyber-attacks in 2022.

The latest malware statistics show there are now over 1 billion malware programs out there. 58% of them are Trojans (malware disguised as a legitimate program).

These numbers highlight the need for businesses to be aware of the risks their websites face and to take effective preventive measures.

Why do Hackers Attack Websites?

A question we are often asked is "Why would a hacker want to hack my website?" Hackers attack websites for a variety of reasons and the size of your site doesn't matter. To understand the potential danger to your business, it's useful to understand a hacker's mindset.

Financial Gain

Taking over a website for financial gain is probably the most obvious motive. There are a few ways in which hackers do this.

  • Once access is gained to a website, hackers may add code which redirects site visitors to fake sites set up to look like legitimate companies, in an effort to deceive users into revealing sensitive personal or financial information.
  • Ransomware is one of the most common ways a hacker can gain financially. Ransomware attacks involve encrypting a website's data, so the website owner cannot access it. Hackers then demand money, usually in the form of cryptocurrency, to restore the website.
  • Cryptocurrency mining is another method whereby hackers use a website's resources for their own gain. Cryptocurrency miners need vast amounts of computing power. Hacking websites allows hackers to mine cryptocurrency without having to use any of their own computing resources.
  • Some hackers will exploit vulnerable websites to send out unsolicited emails to promote their products or services, or ones they're affiliated with, to avoid the cost of legitimate advertising.

Power and Influence

Compromising systems, manipulating data, and disrupting infrastructure can give a hacker a feeling of power and influence. One of the most common forms of disruption is a distributed denial of service (DDoS), where hackers overwhelm a website with a flood of traffic, making it inaccessible to genuine users.

It's also possible to use hacked websites to promote politically motivated messages or as part of a hacktivism (from 'Hack' and 'Activism') campaign.

The Challenge

For some, hacking is a challenge, which can provide a sense of personal satisfaction if they can break into secure systems and prove their technical prowess.

Keeping Your Site Secure

Hackers often rely on automated tools that scan the internet for vulnerabilities, such as outdated, vulnerable software or weak passwords. According to WordPress security experts Patchstack, plugins were responsible for 97% of all new security vulnerabilities, themes accounted for 3% and 0.2% were found in WordPress core itself. Poor maintenance and security measures on a site can also make it easier for hackers to exploit weaknesses.

To counteract these and other threats, businesses should ensure they're protecting their websites by following the guidelines outlined below.

Choose From Trusted Sources

Only choose themes and plugins from reputable and reliable sources. Avoid websites that are selling "nulled" themes or plugins.

Keep Your Website Up to Date

It's important to regularly update the WordPress core, installed theme(s) and plugins on your website, especially where security vulnerabilities are detected and updates are released. Failing to update themes and plugins can leave your website susceptible to potential threats.

It's important to check regularly for security announcements from software developers because they provide information about vulnerabilities discovered in their products and the corresponding updates to fix them, which should be implemented promptly.

Remove themes and plugins that are not being used or are no longer supported. Unsupported themes and plugins that are no longer maintained or updated are more likely to have security flaws.
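As an added example (not part of the original article), the following Python sketch turns a plugin inventory into the two actions described above: update what has a pending release and remove what is not in use. It assumes the inventory was exported with WP-CLI's `wp plugin list --format=json`; the sample data and plugin names are constructed.

```python
import json

# Constructed sample in the shape printed by `wp plugin list --format=json`.
# Plugin names and versions are made up for this example.
SAMPLE_PLUGINS = """[
  {"name": "contact-form-x", "status": "active",   "update": "available", "version": "2.1.0"},
  {"name": "old-slider",     "status": "inactive", "update": "available", "version": "1.0.3"},
  {"name": "seo-helper",     "status": "active",   "update": "none",      "version": "5.4.1"},
  {"name": "gallery-lite",   "status": "inactive", "update": "none",      "version": "0.9.0"}
]"""


def audit_plugins(raw_json):
    """Sort plugins into the actions the article recommends."""
    actions = {"update": [], "remove": [], "ok": []}
    for plugin in json.loads(raw_json):
        name = plugin.get("name", "<unnamed>")
        if plugin.get("status") == "inactive":
            # Deactivated plugin files stay on the server, so an unused
            # plugin is removed rather than merely kept up to date.
            actions["remove"].append(name)
        elif plugin.get("update") == "available":
            actions["update"].append(name)
        else:
            # "ok" only means no release is pending. An abandoned plugin
            # also reports no update, so check its support status by hand.
            actions["ok"].append(name)
    return actions


def report(actions):
    """Render the audit as one line per plugin, most urgent first."""
    lines = [f"UPDATE  {name}" for name in actions["update"]]
    lines += [f"REMOVE  {name}" for name in actions["remove"]]
    lines += [f"OK      {name}" for name in actions["ok"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_plugins(SAMPLE_PLUGINS))))
```
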

Use Security Software

Install reliable security tools that have a firewall and malware scanner such as WordFence.

A firewall acts as a barrier between the internal network and the external world, monitoring and filtering network traffic. It helps detect and block unauthorised access attempts, reducing the risk of malware infection and DDoS attacks.

Regularly scanning a website with a reliable malware scanner is vital and will allow you to identify and remove any malware present on the website, safeguarding its integrity and ensuring the protection of user information. It should also detect and block any suspicious traffic that might be part of a DDoS attack.

Install a Secure Sockets Layer (SSL) Certificate

Install an SSL certificate on your website. This provides authentication for the website and enables an encrypted connection. This makes it difficult for hackers to read and potentially change the data. A website that has an SSL certificate has https at the beginning of its URL and displays a padlock icon in the URL address bar.

Regularly Backup Your Website

One of the best ways to ensure that you will not lose any data is to create a backup of all the content and services on your website. Having recent backups will enable a quick recovery with minimal data loss if anything goes wrong. If a hacker locks the content of your data using ransomware, you will not have to meet their demands. You can delete the main database and re-upload the backed-up version, keeping your site's downtime to a minimum.

Use Strong Admin Usernames and Passwords

Users and admins want quick and easy access to files and so usually favour easy-to-remember usernames and passwords. However, this can leave your site and data vulnerable to brute force attacks. Ensure administrator credentials aren't predictable: don't use "admin" as your primary username. Use long and complex passwords. An effective password should have a minimum of eight characters and include upper- and lower-case letters, numbers and symbols.

Enable 2FA

Multi-factor authentication, also known as 2 Factor Authentication (2FA), can help prevent unauthorised access. A user must successfully present two or more pieces of evidence before being granted access to a website or application. The most commonly used authentication factors are something the user knows, like a password or PIN, and a text message or numerical code (a one-time password) sent to a smartphone or email address.

Follow the Principle of Least Privilege

The principle of least privilege (PoLP) is an information security concept where a user is granted the minimum levels of access or permissions. A site is more secure if a user or entity only has access to the specific data, resources and applications needed to complete a required task or set of tasks appropriate to their job or functions.
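As an added example (not part of the original article), this Python sketch audits WordPress accounts against two points made above: predictable administrator login names and roles that exceed what a person's job needs. It assumes a user export from WP-CLI's `wp user list --format=json`; the sample accounts and the `SAMPLE_NEEDS` mapping of required roles are hypothetical.

```python
import json

# WordPress built-in roles, lowest to highest privilege.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}
# The article names "admin"; "administrator" is added here as an assumption.
PREDICTABLE_LOGINS = {"admin", "administrator"}

# Constructed sample shaped like `wp user list --format=json` output
# (only the two fields used here; the logins are made up).
SAMPLE_USERS = """[
  {"user_login": "admin",       "roles": "administrator"},
  {"user_login": "j.carter",    "roles": "administrator"},
  {"user_login": "blog.writer", "roles": "editor"},
  {"user_login": "shop.intern", "roles": "author,subscriber"}
]"""

# Hypothetical record of the highest role each person's job requires.
SAMPLE_NEEDS = {"admin": "administrator", "j.carter": "editor",
                "blog.writer": "editor", "shop.intern": "contributor"}


def audit_users(raw_json, needs):
    """Return (login, finding) pairs for accounts that need attention."""
    findings = []
    for user in json.loads(raw_json):
        login = user["user_login"]
        # WP-CLI prints multiple roles as one comma-separated string.
        roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
        if login.lower() in PREDICTABLE_LOGINS:
            findings.append((login, "predictable login name"))
        for role in roles:
            if role not in ROLE_RANK:
                findings.append((login, f"custom role {role}: review manually"))
        known = [r for r in roles if r in ROLE_RANK]
        if not known:
            continue
        held = max(known, key=ROLE_RANK.get)  # most privileged role held
        needed = needs.get(login)
        if needed is None:
            findings.append((login, f"holds {held}, no documented need"))
        elif ROLE_RANK[held] > ROLE_RANK[needed]:
            findings.append((login, f"holds {held}, needs {needed}"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_USERS, SAMPLE_NEEDS):
        print(f"{login}: {finding}")
```
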

Educate Staff

Train employees on basic cybersecurity practices. This includes encouraging employees to use strong, unique passwords, being able to identify phishing attempts and suspicious downloads, and being cautious when sharing sensitive information.

Take Preventative Measures... Before It's Too Late

Small businesses should take the preventive measures above to protect themselves against the ever-evolving threats posed by hackers, to enhance their website security, and safeguard their financial assets and reputation.