Today we are going to be talking a little bit about website security. Now this isn’t a topic that’s probably super interesting to everybody. In fact, me, myself, I don’t really get super interested in or excited about website security, but I do realize that it’s something really important, especially if you have a WordPress website.
Last week there was actually a vulnerability in some software that powers over a million websites, including almost every website that I’ve built. When this came about, I did some research, figured out what we needed to do to mitigate our risk.
It ended up that I had to go back and clean up a few websites that were hit before there was actually a patch out. But after doing that, I started going through some of the websites I have and looking at all the logs of things that have happened on the website.
So basically I have some software in there that keeps a log of all the ins and outs of the websites, people logging in, trying to log in, et cetera. And just for an example, one of the websites I was looking at had over 10,000 attempts to log onto the website in two months. And these were all unsuccessful attempts.
Something that comes up with customers pretty often is that people want to know why they have to have security on their website or why that’s important. What I usually do is explain to them that it’s not so much their particular website that hackers are after. They’re not really after your customer-specific information. If you’re doing e-commerce and there are transactions on there, or specific data related to your company, in most cases it really has nothing to do with that. What they’re after is the actual software on your website.
They want access to that software. And they do this by going through and finding vulnerabilities in software that’s used on many different websites.
So like the one I was mentioning from last week, it’s used on over a million websites. When they can find a vulnerability like that, they know they have a backdoor into a million websites, and they get to work pretty quickly.
Usually what they’re trying to do is they will try to get into your website and get what’s called administrator access. So this basically gives them access to everything on the backend of the website.
What they’ll do is things like forward your website traffic to another website. So they might have another website somewhere that has ads running on it. It might be getting money for traffic, or they’re trying to get people to click on things they shouldn’t be clicking on. They might just get in there and siphon all your traffic and send it somewhere else.
Another thing that’s pretty common is they will actually place ads on your website. Sometimes that’s a little bit harder for you to notice right away. I mean, if you go to your website and you get redirected somewhere else, it’s really easy to notice. But if there was a small ad running at the bottom of your website, you might not see that it’s there for days or even weeks and they’re actually collecting money off of those ads. Now that might seem like it’s not a huge deal, but typically the ads are not going to be something you want on your website. Usually they’re fairly inappropriate and you want those off of there pretty quickly.
The other thing they can do, and one of the more damaging things they can do, is try to get people to click on things on your website that actually install viruses onto visitors’ computers. So they’re basically using your website as a host to deliver viruses out to people, which is obviously not something you want.
So these kinds of attacks are happening to every website around the clock. And as I said, in the example I was looking at there were over 10,000 attacks in a two-month period, and that’s actually a really artificially low number because I have software on there mitigating those attacks. A quick version of what’s going on there is, there are protocols within the website to say if somebody from one IP address tries to log into the site five times and is unable to, then we lock them out. So they’re only trying five times and then getting locked out. If we didn’t have those things in place, that 10,000 number would probably be hundreds of thousands.
They’re going to keep attempting to attack the website over and over and over until they get in. And it’s usually not a person sitting there doing it. They’ve programmed some kind of software, what we call a bot, that will go through and try different versions of usernames and passwords over and over and over to get into your site. We usually refer to this as a brute force attack, and that’s where they’re just trying to force their way in through your login screen on your website.
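As an added example (this is not code from the episode, nor the implementation of any plugin mentioned on it), here is a small Python script that applies the lockout rule described above, five failed logins from one IP address and that address is locked out, to a handful of constructed login log lines. It reports, per IP, how many attempts actually reached the password check and how many were turned away during a lockout, which is the gap between the number you see in the logs and the number the bot really sent. The log line format, the IP addresses, the five-failure threshold and the 15-minute lockout duration are all assumptions made for the example.

```python
"""Per-IP login lockout applied to constructed login log lines.

Added example only: it is not the podcast's code and not any security
plugin's implementation. Log format, addresses, thresholds and the lockout
duration below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # failures allowed before lockout (assumption)
LOCKOUT = timedelta(minutes=15)  # how long the address stays locked (assumption)

# Constructed sample log lines: "<ISO timestamp> <client IP> <username> <OK|FAIL>".
# 203.0.113.9 behaves like a bot guessing common admin usernames;
# 198.51.100.4 is a legitimate user who mistypes a password once.
SAMPLE_LOG = """\
2023-04-01T02:00:01 203.0.113.9 admin FAIL
2023-04-01T02:00:02 203.0.113.9 admin FAIL
2023-04-01T02:00:03 203.0.113.9 administrator FAIL
2023-04-01T02:00:04 203.0.113.9 wpadmin FAIL
2023-04-01T02:00:05 203.0.113.9 admin FAIL
2023-04-01T02:00:06 203.0.113.9 admin FAIL
2023-04-01T02:00:07 203.0.113.9 test FAIL
2023-04-01T02:20:00 203.0.113.9 admin FAIL
2023-04-01T08:15:00 198.51.100.4 jane OK
2023-04-01T08:16:00 198.51.100.4 jane FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def apply_lockout(lines, max_failures=MAX_FAILURES, lockout=LOCKOUT):
    """Replay log lines in order and enforce the per-IP lockout rule.

    Returns {ip: {"evaluated": n, "blocked": n, "lockouts": n}} where
    "evaluated" counts attempts that reached the password check,
    "blocked" counts attempts rejected outright because the address was
    locked, and "lockouts" counts how many times the lock was triggered.
    """
    failures = defaultdict(int)      # consecutive failures per IP
    locked_until = {}                # IP -> time the lock expires
    stats = defaultdict(lambda: {"evaluated": 0, "blocked": 0, "lockouts": 0})

    for line in lines:
        if not line.strip():
            continue
        ts, ip, _user, ok = parse_line(line)
        s = stats[ip]

        # Locked addresses are refused before any password check happens.
        if ip in locked_until and ts < locked_until[ip]:
            s["blocked"] += 1
            continue

        s["evaluated"] += 1
        if ok:
            failures[ip] = 0         # a real login clears the failure count
            continue

        failures[ip] += 1
        if failures[ip] >= max_failures:
            locked_until[ip] = ts + lockout
            failures[ip] = 0         # the attacker gets a fresh count after the lock expires
            s["lockouts"] += 1

    return dict(stats)


if __name__ == "__main__":
    for ip, counts in apply_lockout(SAMPLE_LOG.splitlines()).items():
        print(ip, counts)
```

On the constructed input the bot address gets five attempts through, triggers a lockout, has its next two attempts refused, and only gets through again once the lock has expired; the legitimate user is never locked. A caveat worth keeping in mind when reading your own logs: bots commonly spread their guesses across many IP addresses, so a per-IP lockout slows them down rather than stopping them, which is why the strong, unique password the episode goes on to recommend still matters.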
There are a couple of things here that I think are really important to keep in mind if you have a website. The first one is, you know, don’t think of it so much as they’re trying to attack you or your information or your website in particular. They really don’t care necessarily about your website.
Any website will do, they just want to get into as many as possible.
One of the biggest ways you can keep this from happening is just by making sure that you have a unique username and password that’s difficult to guess. You know, sometimes when you have to generate a new password it will ask you to use uppercase and lowercase and numbers and symbols and all that. All of that is just extra measures for you to take to make sure your passwords aren’t easy to guess. And commonly used words or phrases that are straight out of the English language are going to be a whole lot easier to guess than more random things that use characters and numbers and all that. Making sure you use those kinds of passwords is extremely important. Now if you find that a pain, and a lot of people do, there are password managers that can help you out with all those kinds of things, like LastPass.
If you look up LastPass, there are ways you can store all those passwords more securely so you’re not having to remember 500 different passwords, because I know we all have way too many today.
I would also suggest making sure that you’re keeping really good backups of your website, and that’s really your best line of defense if someone is able to get into your website and put a virus in or redirect traffic or something like that. If you have good backups from every day of the week, you’re able to go and restore a backup from a time before they were in.
Of course, there’s all kinds of website security software out there. If you’re looking for a free one for WordPress, I like to recommend iThemes Security.
There’s a free plugin that you can use. It does a lot of the brute force protection, which is really useful. They do have a paid plan that gives you some more features.
If you just want to be hassle-free and never think about website security again, there’s a company called WebARX Security which creates a firewall that is really, really hard for hackers to get past. Of all the websites I have that installed on, I have rarely if ever had a problem. It’s a little bit more expensive, but you know it’s going to get the job done.
So hopefully this is helpful to you. If you have a website, it’s really important to make sure it’s secure. There are definitely some things you can do to help protect it, like installing some of those security plugins as well as making sure your passwords are hard to guess and keeping regular backups of your website.
So hopefully this gave you a little bit better overview of why security is so important on your website, and I didn’t bore you to tears.
If you have any questions, make sure you reach out to me. I’ll be glad to answer those questions. And if you have any other questions about your online presence that you’d like answered on the show, you can send me an email at [email protected] and I will be more than happy to include those on a future episode.
Make sure to hit the subscribe button on the podcast player and you’ll be notified when my next episode is out. We’ll catch you then.