Is Your Website Really Secure?

As a developer for over 24 years, I have studied and seen many types of attacks on websites and other infrastructure. Most of the attacks I have witnessed have had a specific agenda in mind. In which, the attacker was looking to gain access to high valued information, bank account info and other personal data. In some cases, the attacker is just trying to disrupt services to cause a company financial pain.

Lately, what is concerning to me has been the uptick in the number of alerts my company receives daily when it comes to monitoring the health of our clients websites. So much so, we decided to run additional scans, by having one of our staff do penetration testing on websites we have built as well as host. Though the results came back with a handful of adjustments needing to be made. What became clear, attackers did not care whether the site was high profile. They cared if there was any vulnerability. Comparing our traffic analyzer to sites with known vulnerabilities, we found that if a site had a known vulnerability, then it was getting more unwanted attention.

So what got our attention? Clients who reported a slower website, showed an increase in unwanted traffic. In most cases, these sites were getting hammered with inbound traffic. To be clear, this did not mean they were infected, it just ment there was something a hacker could see as an opportunity. In these cases we patched the issue and all was well. However, we took an additional step to investigate this further. With permission, we pen-tested a few websites that we did not build or host. To our amazement, these sites came back to be easy targets for multitude of attacks, one of which, was a PHP injection.

Why is it important to keep your website clean? First off, it is not a matter of if but a matter of when you get infected. Every attack or infection has an end game. For lower profile sites, an infection could mean malware is now able to be transferred to any device that touches that site. That includes cell phones, which is like having someone rooting around in your wallet. Every website needs to take security seriously. Attacks can lower your brand’s value, keep customers from returning, lower SEO value/rank, disrupt your business processes, and ruin your reputation.

How can I reduce risk?

• Make sure your hosting company is following all standards and keeping their equipment up to date.
• In your admin console for your website hosting, review your settings to make sure you have not left any back doors open.
• Keep your website software up to date. This includes your CMS (if you use one), plug-ins, supporting software, ECT.
• Use security software on your website to monitor for any changes and protect you from infection.
• Use a program like Cloudflare to protect you from outside attacks.
• Have a disaster recovery plan in place so that if something does happen, you can go back and do a restore.

If you are unclear on how to review these steps, contact an expert who has a background in development and cyber security.  As always, we are happy to assist you with reviewing the security of your website.