When you wake up one fine day, go to your website and find adult content, your website has been hacked! (Assuming you are not in the adult industry to begin with!) If you check your website and it is carrying banners of anti-Semitic or anti-American radical slander, yes, your website has been hacked. It happened to a client of ours recently, which is what prompted this article.
I should start by prefacing that this is not a cheat sheet for any wannabe hackers. Then again, if you are looking for a cheat sheet to start your hacking career, you should look at an alternate line of work. Here are some very basic ways your website gets attacked and the steps you can take to safeguard against them -
- Compromised Password - I cannot begin to tell you how many times, in this day and age, you ask someone for their password and they say it is 'password123', or better yet 'password'. Really? You are so devoid of creativity that you cannot jumble some characters into an alphanumeric password? I have asked my clients to create a password that mixes capital letters, numbers and other characters. If you are worried about forgetting it, write it down rather than fall back on something weak, but be aware that a plain text file on your laptop can be read by the same malware that steals everything else on the machine; a password manager stores the same list encrypted. What I have used in the past are combinations of my previous street addresses, i.e. 333michiganAve, or phone numbers, 7026475553. Granted, purely numerical passwords are crackable as well: a ten-digit number has only ten billion possibilities, a small space for any cracking tool. Still, making it harder discourages most hackers. Some hackers are thrill seekers who will give up easily and/or lack the sophistication of password guessing tools. Always stay away from dictionary words; Spacecraft12 is at best a moderate security password, because the word is still in every cracking wordlist and the digits are just a suffix. Some think substituting numbers is a good idea, i.e. numb3r5 instead of 'numbers'. Believe me, a dictionary word plus a simple script to replace A with 4, E with 3 and O with 0 is an old trick and therefore predictable; the cracking tools undo the substitution just as easily. While on this topic, if your bank ATM PIN is your year of birth, change that as well!
- CMS Leakage - Having a secure password and a poorly configured CMS is like having a dead bolt on the front door of your home and leaving the back door ajar. When you install a CMS, delete the files its documentation tells you to delete after setup. Leftover install files can greatly compromise your security: a hacker can run those install scripts and reset your website to its out-of-the-box, vulnerable state, then work from the inside out and plaster it with hateful spew. Also remember that hackers look for outdated versions of a CMS. Some versions are so well known for identified holes that hackers flock to them like bees to honey. If you installed your CMS a while ago, update it or seek professional help to do so.
- Hosting Vulnerabilities - If you are hosting on a server with less than decent support behind it, you should think twice. A well managed server detects such hacking attempts before the site owner finds out. My server admins have emailed me that a particular website's security had been challenged, and that they had changed the admin password for the CMS and run several scripts to identify and remove malware, all before I found out myself and/or the site owner knew. Now that is worth the money twice over!
- Trojan Horses - Sometimes the hack is orchestrated via uploaded files. Say you get an email attachment, or a file somehow ends up on your machine, and you then upload that file to your server. If you unzip and execute it without screening it for malware, adware and/or viruses, yes, you risk being infected. Some servers automatically scan all incoming file transfers, but not all do.
- Cross contamination - I had a client once who used one hosting account to host multiple domains. Bear in mind that if the security of that one account is compromised, your other domains are at risk as well. You are essentially offering the hacker a 'Hack one, get three free!' deal. So beware!
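As an added illustration of the password point (my own example code, not from the original article), here is a small Python script that does what the cracking tools described above do: it undoes the number-for-letter substitutions, strips numeric prefixes and suffixes, checks the result against a wordlist, and sizes the keyspace of an all-digit password or PIN. The wordlist and the guess rate are constructed for the demonstration and are assumptions, not measurements.

```python
import re
from typing import Optional

# Constructed, deliberately tiny word list for the demonstration (assumption:
# a real cracking wordlist has millions of entries and is loaded from disk).
WORDLIST = {"password", "numbers", "spacecraft", "michigan", "welcome",
            "letmein", "qwerty", "dragon"}

# The substitutions the article warns about, reversed: map each stand-in
# character back to the letter it usually replaces so the word reappears.
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "0": "o", "1": "i",
                        "!": "i", "5": "s", "$": "s", "7": "t"})


def dictionary_hit(password: str) -> Optional[str]:
    """Return the wordlist entry hidden in the password, or None.

    Tries the password as typed, with leet substitutions undone, and with
    leading/trailing digits and symbols stripped first, so 'Spacecraft12',
    'Sp4c3cr4ft12' and '333michiganAve' all give up their base word.
    """
    low = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    forms = {low, low.translate(UNLEET), core, core.translate(UNLEET)}
    # Longest words first so 'numbers' is reported rather than a shorter
    # substring; very short words are skipped to avoid noise.
    for word in sorted(WORDLIST, key=len, reverse=True):
        if len(word) < 5:
            continue
        if any(word in form for form in forms):
            return word
    return None


def numeric_keyspace_seconds(password: str,
                             guesses_per_second: float = 1e9) -> Optional[float]:
    """Seconds to exhaust an all-digit password's keyspace.

    Returns None if the password is not purely numeric. The default guess
    rate is an assumed figure standing in for an offline attack on a fast
    hash; the lesson is the size of the space, not the exact number.
    """
    if not password.isdigit():
        return None
    return 10 ** len(password) / guesses_per_second


def assess(password: str) -> str:
    """Classify a password the way a cracking tool would find it."""
    word = dictionary_hit(password)
    if word:
        return f"weak: built on dictionary word '{word}'"
    seconds = numeric_keyspace_seconds(password)
    if seconds is not None:
        return (f"weak: all digits, {10 ** len(password):,} possibilities, "
                f"about {seconds:.0f}s to exhaust")
    if len(password) < 12:
        return "moderate: no dictionary word found, but short"
    return "ok: no dictionary word found and reasonably long"


if __name__ == "__main__":
    # Constructed sample passwords, including the ones the article mentions.
    for pw in ["password123", "numb3r5", "Spacecraft12", "Sp4c3cr4ft12",
               "333michiganAve", "7026475553", "1987", "xkq9!Lm2vR-wz"]:
        print(f"{pw:16} {assess(pw)}")
```

Running it shows every example from the text above landing in the weak bucket for the reason the text gives: the dictionary word survives both the digit suffix and the 3-for-E substitution, and the phone number is only ten billion guesses.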
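To make the CMS leakage and cross contamination points concrete, here is an added Python audit script (my own example, not from the original article or any CMS vendor) that checks a document root for three of the issues above: leftover installer files, a configuration file that other accounts on a shared server can read, and an outdated core version. The file names, the minimum version and the demo document root are constructed assumptions; substitute the list your CMS's own documentation gives you.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Constructed list of post-install artifacts. The real list depends on the
# CMS and its documentation; these names are illustrative (assumption).
LEFTOVER_INSTALL_PATHS = ["installation", "install.php", "setup.php", "upgrade.php"]

# Constructed: the configuration file holding the database credentials (assumption).
CONFIG_FILES = ["configuration.php", "config.php"]


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.1.2' -> (3, 1, 2), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_docroot(docroot: str, installed_version: str,
                  minimum_version: str) -> List[str]:
    """Return a list of findings for a CMS document root; an empty list is clean."""
    root = Path(docroot)
    findings = []

    # 1. Leftover installer: anyone on the internet could re-run setup and
    #    reset the site to its out-of-the-box state.
    for rel in LEFTOVER_INSTALL_PATHS:
        if (root / rel).exists():
            findings.append(f"leftover installer {rel}: remove it")

    # 2. Config file readable or writable by other accounts on the server:
    #    on shared hosting that hands the database password to every
    #    neighbouring account (the 'hack one, get three free' problem).
    for rel in CONFIG_FILES:
        path = root / rel
        if path.is_file():
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append(
                    f"{rel} is world-accessible (mode {mode:o}): chmod 640 or 600")

    # 3. Outdated core: known holes in old versions are what attackers scan for.
    if version_tuple(installed_version) < version_tuple(minimum_version):
        findings.append(
            f"outdated CMS {installed_version}, minimum supported {minimum_version}: update")

    return findings


def build_demo_docroot() -> str:
    """Construct a throwaway document root that trips every check (demo input)."""
    root = Path(tempfile.mkdtemp(prefix="cms-audit-"))
    (root / "installation").mkdir()
    cfg = root / "configuration.php"
    cfg.write_text("<?php $db_password = 'constructed-demo';\n")
    os.chmod(cfg, 0o644)  # a typical default: readable by every user on the box
    return str(root)


def build_clean_docroot() -> str:
    """Construct a throwaway document root with the installer removed and the
    config locked down, to show what a clean audit looks like (demo input)."""
    root = Path(tempfile.mkdtemp(prefix="cms-audit-clean-"))
    cfg = root / "configuration.php"
    cfg.write_text("<?php $db_password = 'constructed-demo';\n")
    os.chmod(cfg, 0o600)
    return str(root)


if __name__ == "__main__":
    for finding in audit_docroot(build_demo_docroot(), "3.1.2", "3.4.0"):
        print("FINDING:", finding)
    print("clean root:", audit_docroot(build_clean_docroot(), "3.4.0", "3.4.0"))
```

The version comparison is done on integer tuples on purpose: comparing "3.10.0" and "3.9.1" as strings would call the newer one older, which is exactly the kind of mistake that leaves a site unpatched while the check reports it as fine.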
Some ways to reduce and counter hacker attacks -
- Always invest in quality, trusted anti-virus software. If you ask around, you will find half the people swearing by a particular brand while the others swear it is the worst product. If you own a slower machine, the latest AV software can slow it down further. Consult a professional IT person about your system's specifications prior to your purchase, or bring your PC specs to a sales agent at the store.
- Be smart about your computer. If you get emails asking you to install, download or simply click on a dubious file, stay away! If you are not sure, again, consult a colleague at work or a family member at home, or simply do nothing.
- When you feel that your server security has been compromised, let your server admin know ASAP. The sooner you act, the faster your admin can act. Time is of the essence: waiting a full 72 hours after the infection can mean it is too late and the damage is permanent.
- Backup, backup, backup. I cannot stress enough how many business owners run their business day to day without a backup of their office computers, let alone a server backup. Backup your machine. Backup your server. Backup your website. Backup anything and everything that would cost you time and money to reproduce, lose you face with a client, or hold your memories of family members.
- Seek professional help. We all have friends, and we count on them in times of need. If your friend is a qualified IT person, yes, call him/her. But knowing more than you does not make someone qualified. A partially qualified person supporting you can do more damage than they came in to sort out in the first place, accidentally deleting data or causing irreversible damage to the machine. Seek professional help from techies who do this day in, day out.
At the end of the day, even the best of us get taken for a ride. I almost fell for the UPS package virus, which shows up as an attachment in a hard-to-tell email saying you have a package. The email looks identical to the real email one would get from UPS. Heck, I got one from PayPal asking me to log in to check fake transactions. And I almost did. In the nick of time, I realized that something did not add up.
On my servers, I have always performed security audits. There are several websites that provide checklists based on the version and type of CMS you have installed. Some will perform the audit for a nominal fee. If your web host offers such a service for free, it doesn't hurt to ask. And if they charge a small fee, it is better to be safe than sorry.
I have said it once and I will say it again: hackers are opportunists looking for unsuspecting users. Be smart. Be aware of your technical handicaps. Always double check. Check twice, click once.