Hackers are always out there, searching day and night for sites they can easily exploit. Well, to be more accurate, their scripts are always searching for potential targets.
If your site is compromised, the fallout can be devastating. It could damage your website, your reputation and your ability to do business.
Here are some tips to help keep you safe out there.
How to reduce your chances of being hacked?
The most effective approach to reducing your chances of getting hacked is to make sure your website and email accounts are secure. Start by following these simple best practices, which apply to all web platforms.
Strengthen all passwords
This is the best way to stop hackers. The days of using “password” for your email or site password (don’t laugh, I’ve seen it) are long gone.
A strong password:
- is 8 characters or longer
- does not contain any dictionary words
- has upper and lowercase letters
- includes at least one number and one special character
Random passwords are best. You can use one of the many random password generators available online. cPanel has a password generator built in, as do most password managers.
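As an added example (not from the original post), here is a Python checker that applies the four rules listed above, plus a generator that draws from the operating system's CSPRNG until the result passes every rule; the short word list is a constructed stand-in for a real dictionary.

```python
import re
import secrets
import string

# Constructed stand-in for a real dictionary (assumption: a production
# checker would load a full word list such as the system dictionary).
DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein", "admin", "secret"}

SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"


def password_problems(password: str) -> list:
    """Return the rules from the post that the password fails; an empty list means strong."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("missing upper or lowercase letters")
    if not re.search(r"[0-9]", password):
        problems.append("missing a number")
    if not any(ch in SPECIALS for ch in password):
        problems.append("missing a special character")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw characters with the OS CSPRNG (secrets module) until the result passes every rule."""
    if length < 8:
        raise ValueError("length must be at least 8")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ["password", "Welcome2024!", generate_password()]:
        print(f"{sample!r}: {password_problems(sample) or 'strong'}")
```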
Don’t worry if it’s difficult to remember. Most browsers, email clients and other programs will store your passwords for you. There are also a number of password manager options available.
You can even go a step further and use two-factor authentication (2FA) for your applications. While not all services support 2FA, the list of those that don’t gets smaller every day.
Never reuse passwords
It seems that everything needs a password these days. Emails, bank accounts, social media… It can be difficult to remember all of these passwords. To make things easier, you can use the same password for all of your accounts, right?
This can be disastrous. Most accounts use your email address and password for authentication. If you use the same email and password for all of your accounts, then when even one account is compromised (maybe an account with lower security, like a newsletter), all of your accounts are compromised. Your bank will have several layers of security to protect your information from being stolen. That bird watching blog that you visit most likely does not.
Hackers are aware that most people use the same password for all of their accounts. So, if your Facebook account gets compromised, the next thing the hackers do is try to log into your email account. If successful, they now have access to all your accounts that use that email as a username. Even if your other accounts use a different password, they can potentially use the password reset on the login page to gain access.
As mentioned above, the best method for protecting your accounts is to use a different, randomly generated password for each account, and then manage them with a secure password manager. But if you do decide to use the same password for all accounts, at least use a different password for your email account. While this is still not very secure, it will lessen your exposure.
Add an email filter
Most account “hacks” are caused by phishing emails and spam. While your email account has a spam filter installed by default, you can also use an external email filter to help filter out unwanted spam and phishing emails.
One of the most effective and affordable solutions is Email Defense, found in your Client Area, which provides an advanced spam filter plus virus protection. It helps keep your accounts secure by blocking spam and placing potentially dangerous emails in quarantine.
You can purchase an SSL certificate from your Client Area, to help protect sensitive customer data on your site. When you purchase and install an SSL certificate, your site will change from HTTP to HTTPS (the “S” is for “Secure”). Your customers will instantly recognize that their information is protected, which can lead to more people visiting your site. In addition, Google is placing growing emphasis on whether a site has an SSL certificate installed, so strengthening security with SSL encryption will also boost your search rankings.
One of the largest and most common security issues is what is known as a phishing email attack. With so many people now working from home and relying on email more than ever, phishing email attacks have escalated significantly.
Phishing is named as such because of its resemblance to actual fishing: the phisher throws out a hook (the email) and hopes someone takes the bait.
One of the most common phishing email attacks takes the form of a fake email from a legit business. You will receive an email that appears to be from your bank, for example. The email will “inform” you that there is some sort of issue with your account that requires that you log into your account, and will provide you with a link.
However, the link does not take you to your bank’s website; it takes you to a hacked website that is made to mimic your bank’s website. When you enter your account information, instead of logging you into your account, the site records your account information and sends it to the hacker. The hacker now has access to your real account.
And not just bank accounts. We have seen phishing emails mimicking several different kinds of accounts, from streaming sites to online stores, to email providers and service providers. If you get any unexpected email from a business that you have an account with, you should approach it with caution.
So how do I know if an email is legit or not? Well, there are a few telltale signs. The biggest red flag is spelling and grammar errors in the email. Also, look for missing or odd-looking images in the email formatting. Most legit businesses spend a lot of money on branding, and would never send out automated emails with spelling mistakes (well, maybe not never). A poorly formatted email with missing images, bad grammar and typos is a sure sign that the email is not legit.
Another thing to check is the actual target of the link. If you are using a web based email client (webmail), you can hover your mouse over the link. You should now see a box in the lower left of your screen that will show the actual target of the link.
If the address in this box does not start with https://, or is anything other than the domain that the email is from, then you should not trust it.
If you are using a mail client, such as MacMail or Outlook, you will typically see the target of the link in the tooltip that pops up when you hover over the link. You can also right-click the link and see the target.
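The two link checks described above (the target must start with https:// and must stay on the sender's domain), as an added Python example that is not part of the original post; the sender address and links are constructed samples, and the two-label domain rule is a simplifying assumption (a real checker would consult the Public Suffix List).

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, e.g. 'login.bank.example' -> 'bank.example'.
    Assumption: a two-label rule; real code would use the Public Suffix List for .co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_matches_sender(sender_address: str, link_target: str) -> tuple:
    """Apply the post's two checks to a link target. Returns (trusted, reason)."""
    sender_domain = registrable_domain(sender_address.rsplit("@", 1)[-1])
    parts = urlsplit(link_target.strip())
    if parts.scheme.lower() != "https":
        return False, f"does not start with https:// (scheme is {parts.scheme or 'none'!r})"
    if parts.username is not None:
        # 'https://bank.example@evil.test/' shows the bank's name but goes to evil.test
        return False, "hides its real host behind an '@' sign"
    host = parts.hostname or ""
    if registrable_domain(host) != sender_domain:
        # catches 'bank.example.evil.test', whose real domain is evil.test
        return False, f"goes to {host!r}, not to the sender's domain {sender_domain!r}"
    return True, f"stays on {sender_domain!r}"


# Constructed sample: an alert claiming to come from the bank, with four links to test.
SENDER = "alerts@bank.example"
LINKS = [
    "https://login.bank.example/reset",
    "http://bank.example/reset",
    "https://bank.example.evil.test/reset",
    "https://bank.example@evil.test/reset",
]

if __name__ == "__main__":
    for link in LINKS:
        trusted, reason = link_matches_sender(SENDER, link)
        print(f"{'OK ' if trusted else 'BAD'} {link}: {reason}")
```

Lookalike domains such as bank-example.test still pass the domain test, so this automates only the two checks in the post rather than replacing the judgement calls above.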
While we do not recommend this method, you can try logging into your account using the actual website, making sure that it is secure by looking for the “lock” in the address bar, and then clicking on the link in the email. If the link is legit, the site should recognize that you are already logged in and should take you directly to the target of the link. If it still takes you to the log in page again, it is most likely a phishing email.
Do you have a WordPress site?
WordPress is easily the most popular website platform today, mostly because of its user-friendly design with numerous plugins and themes. In fact, this very site was built with WordPress. However, because of its popularity, it is also a huge target for hacker attacks. Fortunately, there are a number of simple things you can do to better protect your site.
- Keep WordPress and all plugins and themes updated with the latest version. This is the single, most effective defense against hackers.
- Limit login attempts to prevent hackers from gaining access to your site through brute force attacks. The Loginizer plugin is great for this.
- Only install and use plugins and themes that you have researched to ensure that they are safe. The wordpress.org blogs can help with this.
- Install all-in-one security plugins to handle many security tasks for you. We recommend Wordfence as it is one of the best. You can install and use it for free, but there are optional paid advanced features.
The main thing to remember with WordPress is that it is not a “once and done” platform. If you do not stay up to date with your WordPress install, plugins and themes, it will get compromised eventually.
Most WordPress hacks are caused by vulnerabilities exploited in plugins and themes, so keeping those updated is vital. You also want to watch for any news regarding your current plugins or themes, as there have been incidents where an older plugin was purchased by a new developer and the new developer inserted scripts that introduced vulnerabilities into the site.
The main takeaway here is that if you are using WordPress for your website, you will need to monitor it frequently for updates and potential threats.