The three things you can be sure of in this world are death, taxes, and being hacked. Were he alive today, Benjamin Franklin would add the third, I feel fairly certain.
This latest of life’s certainties comes with being connected to the internet in any way at all. Every time you’re online, you’re a potential victim. And if you own a website for a small- or medium-sized business, your vulnerability is far greater.
By taking your business online, a necessary move if you want to be competitive, you become a target to a variety of attacks. Yet if you’re like most small business owners, you believe you’re safe.
Here’s why you’re wrong.
Fallacy #1: Small businesses aren’t worth a hacker’s time of day (or night).
Why would anyone want to bother with a small- or medium-sized business like yours? Because you’re far more likely to lack security, that’s why. Hackers know you’re less likely to take all the necessary measures to protect yourself, making you the low hanging fruit that offers itself as an easy target.
The fun they can have with your site is no different than what they can do with big business sites. Their three main reasons for hacking a website is to send out spam email, gain access to your mailing list, credit card information, and other private data, and to install malicious software onto your site or your end user’s computers.
Fallacy #2: You’re doing everything right to stay off Google’s blacklist.
As long as your site is free from malware, you’re safe, right? Except for when you do something wrong, and then Google punishes you for your mistake. When you make a mistake that lands you on its blacklist, your site will be shut down from all traffic. No more business as usual.
These mistakes often involve methods to improve your SEO, but the end result is the opposite. Using clever SEO tactics that turn into the wrath of Google can happen to anyone.
Fallacy #3: Your SHA-1 site is alright with you.
SHA-what, you ask? Because if you knew what SHA-1 was, you wouldn’t be all right with it. Basically, it’s old and decrepit and if it’s not replaced, collision attacks could lead to “catastrophic effects on the security of the internet.”
Here’s an example of what SHA (Secure Hash Algorithm) does. Let’s say you sign in to a website’s login page using your password. SHA-1 might be used to verify that your username and password are authentic. Behind the scenes your password is turned into a secret checksum and compared to the checksum that’s stored on the website. You’re granted access only when the two match.
All sites are being required to update to SHA-2 by the end of 2016 due to the weakness found in its predecessor. Chances are, your site has been changed to SHA-2. Check on shaaaaaaaaaaaaa.com just to be sure.
Fallacy #4: Your site is safe because it’s WordPress.
WordPress is the largest content management system in the world, with thousands of plugins and widgets written by the community that enhance user experience. Hundreds of people all over the world are working on it, making it as safe and reliable as possible.
The problem is, they can’t make site owners take responsibility and keep their sites’ WordPress version up to date. At any given time, there are tens of thousands of WordPress sites with outdated versions, ripe for the picking by hackers.
It takes these attackers only a few minutes at most, using free automated tools, to find your site’s outdated version and exploit it. WordPress issues updates regularly for good reason. Don’t delay in making the upgrade.
Fallacy #5: I need to download all these plugins and themes because they’re so cool.
The single biggest source of vulnerability to your WordPress site is that nifty plugin you had to have. With over a thousand plugin vulnerabilities at any given time, keeping your plugins updated to their most current version is critical.
Not only that, don’t download plugins that you don’t need. Unnecessary plugins are like storing potatoes and forgetting about them until the smell of decay infests your home. Either use them and keep them updated, or throw them out.
Fallacy #6: My password is safe and known only to me.
New bruteforce cracking software is available, making 8 million guesses per second in its attempt to crack passwords. Yet the use of common passwords persists, despite the growing threat of cybercrime.
Based on the annual list of worst passwords released in 2015, people are still using passwords that don’t follow the simple formula of CLU: Complex. Long. Unique. Notice #25 on the list: Star Wars. When you think you’re being unique, think again.
Try this password checker to get an idea of how fast some of your old passwords can be cracked. As a precaution, don’t type in anything you’re currently using. You never know who’s watching even the online checkers.
Fallacy #7: I’m the administrator of the site, so that should be my username.
Remember those brute force attacks used for cracking passwords? They are also used for getting past your username, since a hacker will need to have both to break in. Making your username “administrator” gives them exactly half of the information they need.
Making your username your actual name is another mistake. If your name is on the site anywhere as a site administrator or contributor, it’s a no-brainer to attempt hacking in using those names as hopeful admin roles.
Last year saw the largest number of cyberattacks recorded around the world, with 230,000 new malware samples produced daily, according to PandaLabs. Website security is never going to be a process of eliminating risk. It’s about reducing risk when full-proof security is unattainable.
Stop making these common mistakes and ditch the fallacies about site security. Take proactive security measures and watch for the next post on what you can do now to fix your site’s security weaknesses.