Website security: part 1 of 2
Why your site might be at risk
Having an online presence is crucial for your business to attract new customers and keep up with your competitors. Your website isn’t just an outlet for your company, though; it’s also a potential security risk.
Why do people hack websites?
There are various reasons that people might want to hack your site:
- Customer data
One of the main reasons your site might be targeted by a hacker is that your customers’ information is stored online. If you run an online store that lets users create accounts or save their payment details, a hacker stands to gain if they can take that information from you.
Even if you don’t hold any payment information, it can still be worthwhile for a hacker to break in and take passwords and email addresses, as many people use the same password across multiple websites.
- Using your server for other attacks
Just because you don’t store any customer information on your site doesn’t mean your site is secure. Hackers might try to hijack your server’s processing power so they can use it for attacks on bigger companies or for other, more complex attacks.
This type of hack is one of the most insidious, as you might have no idea that it’s happening until your host shuts down the server because of the attacks coming from it, taking your website offline with it.
- Planting malware
On the subject of hijacking, hackers might simply want to use your site to spread a virus to all of your visitors. To spread malware, an attacker needs a website (or several) on which to store the malicious scripts and files.
Obviously, they could buy and use their own servers, but it’s far less risky (and far cheaper) for a hacker to simply hijack your server for their own needs.
How do people infiltrate your website?
Some of the most common ways for people to break into your site involve taking advantage of vulnerabilities in its code.
- Form validation
It’s important to make sure contact forms are properly validated. This means that anything a visitor puts into the form is matched against a pattern or a rule for each field (e.g. making sure that a valid email address is entered into the ‘email’ field). Proper validation not only makes sure that you receive usable data, but also weeds out any malicious code that might have been put into your form before your site processes it.
Forms without validation are very common, and they are a serious security flaw. Anybody visiting a website with an unvalidated form can ‘inject’ code into it simply by typing their code in and pressing ‘submit’.
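The kind of server-side check described above, as an added example that is not part of the original article: each contact-form field is matched against an allow-list rule and anything that does not fit is rejected, with a separate HTML-escaping step for when accepted text is shown back to a visitor. The field names, rules and sample submissions are constructed for illustration.

```javascript
// Added example (not from the original article): server-side validation for a
// contact form, along the lines the text describes. Each field is checked
// against an allow-list rule; anything that does not match is rejected outright.
const RULES = {
  name: { required: true, maxLen: 100, pattern: /^[\p{L}\p{M}' .-]+$/u },
  // Pragmatic e-mail shape: one '@', a dotted domain, no whitespace at all.
  // Excluding line breaks matters when the form is relayed by e-mail, because a
  // newline in a field could otherwise be read as the start of a new mail header.
  email: { required: true, maxLen: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  // Free text, but no angle brackets, so nothing submitted can form an HTML tag.
  message: { required: true, maxLen: 2000, pattern: /^[^<>]*$/ },
};

// Returns { ok, errors, clean }: errors maps field -> reason, clean holds only
// the values that passed, so downstream code never touches rejected input.
function validateContactForm(fields) {
  const errors = {};
  const clean = {};
  for (const [field, rule] of Object.entries(RULES)) {
    const raw = fields[field];
    const value = typeof raw === 'string' ? raw.trim() : '';
    if (value === '') {
      if (rule.required) errors[field] = 'required';
      continue;
    }
    if (value.length > rule.maxLen) { errors[field] = 'too long'; continue; }
    if (!rule.pattern.test(value)) { errors[field] = 'invalid characters'; continue; }
    clean[field] = value;
  }
  return { ok: Object.keys(errors).length === 0, errors, clean };
}

// Validation decides what is accepted; escaping decides how accepted text is
// shown. Use this whenever a submitted value is echoed back into a page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample submissions: one legitimate, one carrying a line break in
// the e-mail field and markup in the message.
const goodSubmission = { name: 'Ada Lovelace', email: 'ada@example.com',
  message: 'Hello, I would like a quote for a new site.' };
const badSubmission = { name: 'Mallory', email: 'm@example.com\nsecond line',
  message: 'Nice site <b>indeed</b>' };

console.log(validateContactForm(goodSubmission));  // ok: true
console.log(validateContactForm(badSubmission));   // ok: false, email and message flagged
```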
- Content management systems
If your website runs on a CMS like WordPress or Perch (our personal favourite), a hacker might be able to interfere with your pages as they are put together. When you browse a website running a CMS, the system goes through a process to fetch the page you requested:
1. You visit the page in your browser, which asks the website for the page
2. The CMS responds, and provides the page without content
3. The CMS then asks its database for the content that belongs on the page, and fills it in
4. The page is supplied to you, complete
In older or custom-built CMSs, this process can be manipulated to fetch content from another page, or from another site entirely. By doing this, a hacker can make your website run code that they have stored on another server. They can send themselves the contents of your database, or use this method to create malicious pages on your site that direct your users to download malware.
Installing lesser-known or poorly supported plugins opens you up to more danger. Not only might you be installing a malicious plugin, but you might be installing plugins that aren’t well coded and unintentionally make your site unsafe.
One of the reasons we favour Perch is that, unlike WordPress, it has official plugins and add-ons. These are developed by the people who built Perch itself, and as such are well built, properly secured and integrate with Perch without issue. On top of this, they are also maintained and updated regularly, meaning that security flaws are ironed out quickly, which is one of the main issues with WordPress plugins.
If you have a webmaster or agency that works with you on your site, we strongly recommend discussing security with them and asking them to review your current website. It’s always good to keep your forms secure, your CMS up to date and to make sure you only have legitimate plugins on your website, as there could be sensitive information (not to mention your online reputation) at stake.
Are we your agency? Get in touch!
In part 2, we discuss methods to keep your site safe.