Even if you run a small website that doesn’t contain or collect any personal data you are still at risk from hackers, even if you think there’s nothing worth hacking on there. Why would a hacker want to access a website that they couldn’t obtain any particularly useful information from?
The answer to that, is because it may well not be the information they are after. Many attackers will attempt to compromise your website not because of what is included on it, but because of what they can use it to do. An attacker who gains access to your site and server may then be able to manipulate it to use as an email relay for spam or, worse still, to store and distribute illegal content and files. Something else attackers may use your server for, is as part of a botnet in order to carry out a larger scale ransomware attack on another individual or company. When you think of hacking, you may still think of an individual, sitting at a desk, moving from site to site, server to server, attempting to break in to them “by hand”, one by one.
The reality these days is much different, and much of the hacking that goes on across the globe is actually done through automated scripts which scour the web for sites that include vulnerabilities and utilise software and add ons with known security flaws. Obviously this is much faster and more threatening than an individual trying to access your site manually, and so the risk of not having the right level of site security is great.
Thankfully, there are a number of actions you can take in order to keep your site safe.
Firstly, you need to keep all your server and site software up to date. This may seem like really obvious advice, but you would be shocked at the amount of security breach attempts we have encountered over the years that could have been avoided had that customer been keeping their software up to date. It’s not enough to rely on your hosting provider to do this for you, because depending on the level of management you have or how many third party apps and pieces of software you run, they may not be able to. Your hosting provider should of course keep on top of everything that falls within their remit, but don’t assume that everything you’ve ever installed on your server falls in to this category. Some of it may well be your responsibility and you must ensure you know what is and what isn’t. Speak to your host if you’re not sure, and make sure you are keeping on top of those things that you should be taking responsibility for.
Make sure you understand what a SQL injection attack is and how you can prevent one. In the simplest terms a SQL injection attack is when an attacker uses a controllable part of your site code, for example, a form field, to “inject” SQL code in order to gain access to or manipulate your database. If your website is built with any SQL databases, you need to make sure you are skilled in the best practises needed to avoid an attack like this and that you are implementing this effectively.
Make sure your site admin pages are protected by strong passwords. It is so crucial to use complex passwords for your server, and also to require your users to adopt robust passwords to in turn protect the security of their accounts. You should, without exception, always store customer passwords as encrypted values, so that even when you’re authenticating them you’re only ever comparing the encrypted values. Finally, get the website security tools that are relevant to your site and business. If you would like to speak to a specialist at CWCS Managed Hosting about the add ons that we can offer to help you with this, please don’t hesitate to get in touch today.