We’ve seen so many cyber attacks on ‘big’ websites in recent years that we might be resigned to thinking that no site is safe. In the wake of the deadly strikes on the NHS, Lloyd’s of London warned that a serious orchestrated cyber attack could cost the global economy £92bn, comparable with disasters such as Hurricane Katrina.
While an attack on a smaller site might not wreak havoc on such a wide-ranging scale, it can still cause substantial damage. A hacker might gain access to bank accounts or resources, or simply render the site unusable. However, optimists will point to the fact that there are multiple measures that can be taken to at least offer some resistance, ranging from the obvious to the more technical. Here are some of the best:
Regularly changing passwords, and using a combination of numbers, symbols and upper- and lower-case letters, with eight characters as a minimum, are commonly known failsafes. Passwords should be protected as a matter of course by storing them as hashes, produced with a hashing algorithm. Creativebloq recommends salting the passwords, a cryptographic process that adds random data to a password every time the password is generated, using phpass, C# or other similar tools.
Think about it: allowing someone, potentially anyone, to upload files is almost certainly a dangerous practice. Even changing an avatar carries the risk of uploading a script that could be executed on the site to open it up to attack. Uploading a picture should be safe in an ideal world, but checking that a file is actually a JPEG is not a perfect defence when a hacker could simply change the file extension. It’s possible to rename uploaded files to ensure the correct file extension, but the safer bet is to prevent direct access to the files uploaded to your site.
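The upload handling described above, sketched in Python as an added example (not code from the original article): the file type is decided from the content rather than the extension, the file is renamed server-side, and it is written to a directory assumed to sit outside the web root. The function names, the allowed-type table and the sample uploads are constructed for illustration.

```python
import os
import secrets
import tempfile

# Leading "magic" bytes of the image formats this site accepts.
ALLOWED_MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
}

def sniff_extension(data):
    """Return the extension implied by the content, or None if not allowed."""
    for magic, ext in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def store_upload(client_name, data, upload_dir):
    """Validate an upload and save it under a server-chosen name.

    Assumption: upload_dir lives outside the web root, so the web server
    never serves or executes anything stored in it directly.
    """
    ext = sniff_extension(data)
    if ext is None:
        raise ValueError(f"rejected {client_name!r}: not an allowed image type")
    # The client-supplied name is used only in the error message. A random
    # name plus the content-derived extension means a renamed file cannot
    # keep a misleading extension or steer where it is written.
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    # O_EXCL refuses to overwrite an existing file; 0o600 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

if __name__ == "__main__":
    upload_dir = tempfile.mkdtemp()  # stand-in for a directory outside the web root
    # Constructed sample uploads: a JPEG header, and a script renamed to .jpg.
    samples = [
        ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("avatar.jpg", b"<?php echo 'hello'; ?>"),
    ]
    for name, body in samples:
        try:
            print(name, "->", store_upload(name, body, upload_dir))
        except ValueError as err:
            print(err)
```

The content check only looks at the leading bytes, so keeping the upload directory out of the web root remains the control that matters most.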
Keeping security measures up to date
Older systems can be vulnerable without regular patches and updates – we saw that when NHS systems still using Windows XP were held hostage by ransomware hackers earlier this year. Ideally both your operating system and any software used would be kept up-to-date, but of course this might come at a cost.
Platforms such as WordPress regularly send out update notifications to ensure your plug-ins, such as iThemes Security, are up to date. Another option, suggested by Hostgator, is SiteLock, which closes site security loopholes by monitoring everything from malware detection to vulnerability identification to active virus scanning.
One other way to ensure that you are vigilant is to use a managed host such as vps.net, which automatically has a security team in place to deal with updates. That also ensures that you have a 24/7 team that can assist you if you fear something untoward has occurred.
We look for the little green lock in the browser bar as a customer, so why do we not put one in place with our own sites? Any business that allows e-commerce through its site should buy an SSL certificate for a minimal outlay – to prevent maximum damage.