Are Online Businesses Properly Locking Their Proverbial Shop Doors At Night?

Every day, several thousand websites are blacklisted, sent to Google’s very own version of solitary confinement due to them having been compromised by malware or malicious computer code.

Web hacking is on the up, and with higher and higher quantities of sensitive and potentially valuable information being stored by online businesses, the damage that can result can be extremely painful for both the business and its customers.

Malware can be injected into any website which isn’t properly protected and perform an unnerving variety of unwanted actions. These can range from enabling botnets to control a business’s computers, enabling information to be stolen through a Trojan kit, infecting customers with malware through the company website, or enabling web application flaws to be exploited in order to steal products. Whatever the nature of the infection, the results are commonly a termination in their ability to trade in the short term and potentially a significant cost and reputational impact in the long. 

How do sites get hacked?

There are unfortunately a number of ways that a committed hacker can find their way into a website. Common ways include;

• Weak passwords – In a vain effort to remember our increasing number of daily-required passwords, we as a nation of computer dwellers tend, unfortunately, to dumb them down, or ‘keep them simple’. Whether it be PASSWORD, REX, or the nation’s favourite, 123456, this is commonly an oversight and presents an easy way in.
• Vulnerabilities in Web-Applications - A large number of websites now implement interactive functionality in order to create a rich experience for users. These can be in the form of user blogs and forums, sign up for newsletters, online form submission etc. Unfortunately, while being necessarily engaging for users, these can present portals for hackers to inject malicious code onto the site.
• Insecure FTP connections - A host of infections are injected into websites after the password and username used to connect to a site using FTP is sniffed by a silent trojan/rootkit that has been embedded on a computer of a website administrator. Once passwords and username are obtained, access the website and subsequent infection with web-malware are relatively simple.
• Third party software - Another current trend in website development is the use of third party add-ons into websites in order to provide more interesting features to a user. These add-ons may provide geolocation, or image resizing but they also can, on occasion, harbour malicious code which will then be passed up through the chain.

Making sure your proverbial business door stays locked

In an effort to stay secure in the long term, for any online business it’s essential to adopt a level of consistent vigilance over any common areas of weakness.

• With more advanced password cracking software being used by hackers, there is greater need than ever for whoever’s coming up with the passwords to get a little more imaginative. A seemingly random selection of number & letters is by far the most secure option.
• For businesses using FTP, consider moving to a more secure solution like ssh/SCP/SFTP
• Only install reputable third party plugins and update them regularly and individually
• Make sure you regularly scan your business PC (s) with more than one Antivirus package
• Use SSL to send emails
• Choose your webhost carefully and make sure they’re providing round-the-clock active server monitoring, or even suPHP (see above)
• If you’re currently on a shared hosting package, consider changing to a VPS (Virtual Private Server) which offers a whole different level of security. These days a VPS is a cost effective solution for small businesses and inherently more secure due to its separation from other sites.  Users can create custom firewalls and install other security measures that most hosts won’t allow on shared accounts.

In conclusion, vigilance and awareness of any potential areas of weakness within your online set up are your best weapons against having your website compromised. By ensuring your systems are secure, based on taking best practice advice such as that offered above, and implementing a brief but regular schedule of checks, antivirus scans and updates, chances are that for any hacker, the time and effort required to search out any way of infiltrating your system will ensure they move along in search of an easier target.