# Common Website Security Mistakes

Wednesday, 08 December 2010 03:37

Can you remember your website's password? Then you should be reading this article. Most hacking attempts are not personally targeted, meaning that your site or server's IP(s) fell into a range the attacker was scanning, or certain search terms brought up your website, such as the version number of an obsolete script install. The digital 'wild west' is wilder than you think, but most attempts can be thwarted with these tips.

## Never Store Credit Card Data

Let the merchant (or a 3rd-party solution such as Paypal) handle storing credit card details if you need this option and if they provide it. Never store this sensitive information yourself. Some people do because they want it to be convenient for the customer; however, it would be most inconvenient to have to explain to your customers why this information has been stolen and to end up doing damage control for your company. Your site becomes a hacking target when you store this data, and doing so requires expensive and difficult security measures to be in place to prevent details from being stolen. So unless you have the funds in place, a good server security manager and a lawyer: allow the merchant to handle credit card details.

## All Passwords Should Be Difficult

Can you remember your site password? That is the first warning sign that you need to change it immediately! Passwords should be difficult to guess and remember. More specifically, they should be about 5 characters or more, contain uppercase and lowercase letters and have a few numbers/symbols in them. (Use the password strength tool by Microsoft.) Hackers use what's called a dictionary attack to scan your site for easily guessed passwords. Even with my own server 'hardened' for security, I see people attempt access via this method on a daily basis.

## Change Passwords Often

Especially if you are working with different freelance developers. Always change your passwords after a developer has finished your project (or you can provide them with a temporary username/password).
This should also take place in the event of a company/site structure change, such as an employee or sub-contractor no longer working with your company or for your website. Some experts advise changing all passwords (including email) every 30 days, but this is completely up to you.

## Harden Your Server's Security

Another common security pitfall is on the server itself. Poor server settings can open dangerous doors. If you have a dedicated server then you should hire a professional to harden your server's security at least once. (Personally I recommend Platinum Server Management, who I've been a customer of for years.) Unfortunately, if you are on a shared hosting plan then you are at the mercy of that particular hosting company, but you can email them to ask what security measures are in place.

## Backup! Backup! Backup!

Having a backup handy (or several from different points in time) has saved my bum on more than one occasion, and every time I work on a site I always back up the files and database first. (Those with dedicated servers or large websites might want to look into an automated solution.) In the event of a server hardware failure, a successful hack attempt, a software or script upgrade failure, etc., these are wise to have. There could be hundreds of scenarios where you would need a backup (I accidentally overwrote the wrong file in the wrong folder once, but luckily I had a backup!).

## Keep Your Software Up-To-Date

In addition to the actual server software, your site scripts (Wordpress, Joomla, etc.) should be kept up-to-date as well. This includes any plugins, extensions and themes that accompany these scripts. Most developers release different kinds of improvements to their scripts: security releases and core incremental releases. The security releases are the ones you want to pay attention to, and most developers have a newsletter you can join to get these alerts.
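The dictionary attacks mentioned under All Passwords Should Be Difficult leave a recognisable trail in a login log: many usernames tried from one source in a short time. The detector below is an added example, not code from the original post; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a site's login audit log; the line format itself
# (<date> <time> <result> user=<name> ip=<address>) is hypothetical.
SAMPLE_LOG = """\
2010-12-08 03:10:01 FAIL user=admin ip=203.0.113.7
2010-12-08 03:10:02 FAIL user=administrator ip=203.0.113.7
2010-12-08 03:10:02 FAIL user=root ip=203.0.113.7
2010-12-08 03:10:03 FAIL user=test ip=203.0.113.7
2010-12-08 03:10:04 FAIL user=admin ip=203.0.113.7
2010-12-08 03:10:05 FAIL user=guest ip=203.0.113.7
2010-12-08 03:12:40 FAIL user=jane ip=198.51.100.9
2010-12-08 03:12:55 OK   user=jane ip=198.51.100.9
2010-12-08 04:30:00 FAIL user=admin ip=203.0.113.7
"""
LINE_RE = re.compile(r"(\S+ \S+) (FAIL|OK)\s+user=(\S+) ip=(\S+)")

def parse_log(text):
    """Yield (timestamp, result, user, ip); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_dictionary_attacks(text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed logins inside any
    `window`. Returns {ip: sorted usernames tried}: many accounts from one
    source is the dictionary-attack signature worth blocking or rate-limiting."""
    fails = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, result, user, ip in parse_log(text):
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged
```

A single failed login from a legitimate user (198.51.100.9 above) is never flagged, while the burst from 203.0.113.7 is; feed the flagged IPs to your firewall or rate limiter.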
## Audit Access in Other Programs/Websites

Periodically do an audit of what programs or websites have access to your site information or email addresses. For instance, you might have online billing software attached to an email address of a domain you don't own anymore, or this could be an old email address in the whois of an active domain.

## Turn Frontpage Extensions OFF

Not only is Frontpage itself obsolete, but Frontpage extensions are a huge hazard. Frontpage extensions blast site access information all over the internet and yes, Google does spider these files. More information here. The best solution is to simply uninstall them, especially since Microsoft themselves are ditching the program in favor of Expression Web.

## Secure All Forms

All form input and output data should be filtered by the script handling your form. What this means is the script should be checking that an email address is in fact an email address, a phone number is in fact numbers, etc., and reject everything else. Otherwise, if this data is not filtered in some fashion, scripting code can be entered into these forms, designed to break your script and execute whatever was entered into the form. Furthermore, unfiltered forms can be used to spam mass quantities of others, leaving your server, site and/or email in the details.
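The form filtering described above, as an added example that is not part of the original post: each field is checked against an allow-list, values that end up in a mail header are refused if they contain line breaks (the spam-relay problem), and free text is escaped before it is ever echoed back. The field names, patterns and limits are assumptions for a typical contact form.

```python
import html
import re

# Allow-list patterns per field (constructed for this example).
RULES = {
    "name": re.compile(r"[A-Za-z][A-Za-z' .-]{0,79}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+?[0-9][0-9 ().-]{6,19}"),
}
# Values copied into mail headers (From/Reply-To) must never contain line
# breaks, otherwise extra headers can be injected and the form becomes a
# relay for spamming others.
HEADER_FIELDS = {"name", "email"}
MAX_MESSAGE_LEN = 2000

def validate_contact_form(fields):
    """Check each field against its allow-list.
    Returns (errors, cleaned); cleaned is empty unless every field passed."""
    errors, cleaned = {}, {}
    for field, pattern in RULES.items():
        value = fields.get(field, "").strip()
        if field in HEADER_FIELDS and re.search(r"[\r\n\0]", value):
            errors[field] = "line breaks are not allowed"
        elif not pattern.fullmatch(value):
            errors[field] = "does not match the expected format"
        else:
            cleaned[field] = value
    message = fields.get("message", "")
    if not 1 <= len(message) <= MAX_MESSAGE_LEN:
        errors["message"] = "message missing or too long"
    else:
        # Output filtering: neutralise markup before the message is ever
        # echoed back in a confirmation page or an HTML email.
        cleaned["message"] = html.escape(message.replace("\0", ""))
    return (errors, {}) if errors else ({}, cleaned)

if __name__ == "__main__":
    good = {"name": "Jane Doe", "email": "jane@example.com",
            "phone": "+1 555 0100", "message": "Hello <b>there</b>"}
    bad = {"name": "Jane", "email": "jane@example.com\r\nBcc: someone@example.net",
           "phone": "call me", "message": "<script>alert(1)</script>"}
    print(validate_contact_form(good))
    print(validate_contact_form(bad))
```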
If you find yourself falling under any of the above and need help, feel free to contact me for direction.
Last Updated on Wednesday, 08 December 2010 04:00