Blog

5 Ways to Keep Your Site from Getting Hacked

Posted in Privacy and Security, Web Development


Your website is a safe haven for your content and marketing efforts . . . until it isn’t. In this post, we discuss why keeping your web software up-to-date can reduce the risk of website hacks and data breaches.

Website hacks have been consistently on the rise for years now. Here’s just one example:

In March 2015, security vulnerabilities were identified in two WordPress plugins by Yoast. One of them, WordPress SEO by Yoast, is one of the most popular plugins for WordPress, so the flaw put a large number of websites at risk of attack from black-hat hackers. By mid-April a second, broader problem surfaced: misuse of several helper functions commonly used by WordPress plugin developers had left many plugins vulnerable to Cross-Site Scripting (XSS), a common web application attack in which the attacker injects a client-side script into site pages. Script running in an administrator's browser can hijack that session, add users, or alter the site, and on sites that handle sensitive data such as credit card numbers, personal information, social security numbers, or medical records, it can expose that data.

Millions of Websites Potentially Affected

Website security company Sucuri noted that dozens of WordPress plugins were affected by this vulnerability. It is hard to give exact figures, but considering that WordPress powers nearly 30% of all websites, the number of sites potentially affected by this single class of vulnerability is huge.

Unfortunately, these sorts of website hacks happen all the time. Hackers regularly exploit website security vulnerabilities, leak data, and, in some cases, hold your website or important documents hostage for real money. If you’re not paying regular attention to these issues as they arise, your site could be next.

How Website Hacks Happen

Hackers often use search engines to identify common website security vulnerabilities. They then exploit these vulnerabilities by injecting malicious code into your site using the newly discovered security gap. According to IT Portal: 

Once these weaknesses are identified, hackers use a search engine to easily fingerprint websites based on a CMS [Content Management System] that harbor the known vulnerability and exploit it in multiple CMSs in many companies, fast.

In other words, before you realize what has happened, your site may be serving malware to visitors' devices, redirecting to a porn site, bloated with spammy, SEO-killing content, or, in extreme cases, the victim of ransomware, where a website or its documents are held hostage until the victim pays a price (usually in Bitcoin, which is real money) for their release.

While hackers can target any part of an organization connected to the internet, as in past incidents at Sony, Home Depot, and others, website content management systems and their associated plugins are particularly popular targets. Large companies like those typically have many layers of IT and firewall security protecting their websites, but many smaller companies or nonprofits do not have that luxury, often relying instead on the default security options that came with their web hosting account. Sites built on widely used platforms like WordPress or Drupal are especially attractive targets, not because the software is open source but because a single flaw in a popular plugin can be exploited across many installations at once, and unmaintained installations are easy to find. If your content is especially sensitive or inflammatory in nature, you can be an even bigger target (but that's for another post).

DIY Websites

Part of the problem is that we are living in the age of DIY websites. 'Free' website building tools, Soup Kitchen Servers, and inexpensive web hosting have broken down barriers to entry for many aspiring website builders while also multiplying the number of sites that nobody is maintaining.

According to Sucuri:

Every day we fight malware, Monday to Sunday, midnight to midnight, and the trend is getting stronger. End-users are sloppy, everyone is anxiously jumping at the opportunity to use an application like WordPress for their blogging and website needs, with little regard to the dangers of the interwebs. When a hack occurs, as is human nature, the first thing is to look at everything but…yourself…

Empowering people with easy access to web tools is a great thing (just look at the Arab Spring), but it also leads to an inevitable increase in security vulnerabilities. What makes many of these tools so useful is also what makes them so vulnerable. Lack of knowledge about web servers, software security, CMS and plugin updates, or poor system administration practices commonly lead to hacked websites.

The Hack-Free Website: What Can I Do?

At Mightybytes, we offer monthly website maintenance and support services to address security, data backups, and other issues that commonly plague websites. This service includes twice monthly software and plugin updates as well as regular website and database backups. We include green web hosting that is secure and powered by renewable energy as part of these contracts as well. 

There are, however, several things you can do on your own to keep your site safe and secure. Here’s a list.

Five simple things you can do to prevent website hacks:

  1. Keep your content management system up to date with the latest software.
  2. Use vetted themes and plugins, whether premium, custom, or free, that are actively maintained and have a record of timely security fixes. Premium software often includes support and updates, but a price tag on its own is no guarantee of quality, and plenty of free plugins are well maintained.
  3. Always run the latest version of every plugin and theme you have installed.
  4. Make sure all users have strong, unique passwords, give each account only the role it needs, and remove accounts that are no longer used.
  5. Delete unused or obsolete themes and plugins rather than leaving them installed but inactive. Inactive code is still on disk and its files can still be reached by an attacker.
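Here is the checklist turned into something you can run, as an added example that is not part of the original post: a small POSIX shell script that reads the CSV WP-CLI prints for `wp plugin list`, `wp theme list` and `wp user list` and reports pending updates (items 1 and 3), inactive components to remove (item 5), and administrator or long-idle accounts to review (item 4). The CSV embedded in the script is constructed sample data so it runs offline; on a real site you pipe the live WP-CLI output into the same functions. It assumes one role per user (WP-CLI quotes multi-role users, which the simple comma split here does not handle) and uses the registration date as a rough proxy for account age, since stock WordPress does not record a last-login time.

```shell
#!/bin/sh
# wp_audit.sh: added example for the five-point checklist (not from the post).
# Input is the CSV that WP-CLI prints for:
#   wp plugin list --fields=name,status,update,version --format=csv
#   wp theme  list --fields=name,status,update,version --format=csv
#   wp user   list --fields=user_login,roles,user_registered --format=csv
# The sample data below is constructed so the script runs without a WordPress install.

# Items 1, 3 and 5: report components with a pending update (the "update" column
# is "available") and components that are installed but inactive.
# $1 = "plugin" or "theme"; CSV on stdin, first line is the header.
audit_components() {
  awk -F',' -v kind="$1" 'NR > 1 {
      name = $1; status = $2; update = $3; version = $4
      if (update == "available") printf "UPDATE %s %s (installed %s)\n", kind, name, version
      if (status == "inactive")  printf "REMOVE %s %s (inactive)\n", kind, name
  }'
}

# Item 4: every administrator gets a REVIEW line (that list should be short), and
# so does any account registered before the cutoff date in $1 (YYYY-MM-DD), since
# core WordPress does not record last login. Assumes one role per user.
audit_users() {
  awk -F',' -v cutoff="$1" 'NR > 1 {
      login = $1; roles = $2; registered = substr($3, 1, 10)
      if (roles ~ /administrator/) printf "REVIEW admin %s\n", login
      if (registered < cutoff)     printf "REVIEW old-account %s (registered %s)\n", login, registered
  }'
}

# Constructed sample WP-CLI output (not from a real site).
PLUGINS='name,status,update,version
akismet,active,available,4.1.12
hello,inactive,none,1.7.2
example-gallery,active,none,2.0.3'

THEMES='name,status,update,version
twentytwentyone,active,none,1.4
twentytwenty,inactive,available,1.8'

USERS='user_login,roles,user_registered
admin,administrator,2014-02-11 09:30:00
editor_jane,editor,2019-06-01 12:00:00
old_contractor,administrator,2015-08-20 08:00:00'

# Run the audit on the sample data. On a live site replace each printf with the
# matching WP-CLI command, for example:
#   wp plugin list --fields=name,status,update,version --format=csv | audit_components plugin
printf '%s\n' "$PLUGINS" | audit_components plugin
printf '%s\n' "$THEMES"  | audit_components theme
printf '%s\n' "$USERS"   | audit_users 2016-01-01
```

Run it from a cron job or before each maintenance window and treat every UPDATE, REMOVE and REVIEW line as a task; the cutoff date is whatever you consider "legacy" for your site.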

There are of course many, many other things you can do to make your website more secure, but keeping web software up to date and passwords strong are at the top of the list. It is also worth noting that while no system is flawless or impenetrable, WordPress core is actively maintained and patched quickly. The overwhelming majority of vulnerabilities are introduced by plugins and themes.

If you are the least bit unfamiliar with any of the above terms or how to accomplish these tasks, call a web developer. It may cost you extra money, but the expenditure will be far greater if you wait until after your site has been hacked. Your peace-of-mind is worth the expense in the long run.

Want to learn more about website security? Check out our post on WordPress Security and how to choose a WordPress plugin that is secure, reliable, and supported by its creators. Need help keeping your website safe and secure? Check out our website maintenance and support services and drop us a line.

Tim Frick is the author of four books including, most recently, Designing for Sustainability: A Guide to Building Greener Digital Products and Services, from O'Reilly Media. He is @timfrick on Twitter. Mightybytes is a full-service creative firm for conscious companies and a certified B Corporation. Connect with us on Twitter or fill out our contact form.