Website security, especially for websites that accept financial transactions, is of utmost importance to businesses and organizations. If hackers gain access to your website they can do anything from low-impact defacement to serious damage: stealing customer data, or hosting phishing pages and malware under your domain. Whatever the attacker's motive, no webmaster wants to see their site hacked. It takes time and money to resolve the situation, can damage the organization’s credibility and reputation, and can put site users at risk. This article outlines proactive steps to keep your website safe, how to determine if your site has been hacked, and what to do if it is.
How to Secure Your Website from Hackers
Choose a Secure Web Host
Server security (where your website is hosted) is one of the most critical elements in keeping your website safe. You should always host your website with a reputable host that provides good customer service and is committed to maintaining their servers. This includes installing all necessary security patches and upgrades, and performing regular server maintenance. When selecting a host, ask the following questions:
- How regularly do they take full backups, and can you restore a backup yourself if the site is hacked and you need to roll back to an earlier version?
- Is 24/7 support provided? What channels is support available through? (phone, live chat, ticketing system) How do I access advanced technical support?
- What percentage of uptime do they guarantee?
- How long has the hosting company been in business?
- What kind of technology do they use for security? What is their security infrastructure?
- Do they perform daily malware scans or other security monitoring?
- What kind of firewalls do they have in place?
- How do they handle security breaches? How will they inform you of a breach?
- In the event a site is compromised, will they assist with cleanup and restoration of the site?
- Are they responsible for updating server software (MySQL, PHP, Perl, Java, etc.), or are you?
Remember: the cheapest hosting is rarely the best or the safest.
Keep Your Website Platform Up-to-Date
Ensure the platform your website is built on is up-to-date and has all security patches installed. This is especially important if you are running eCommerce on the site or otherwise accepting payments or donations. Whether you’re using a proprietary or an open source content management system, review the release notes for each new release and install security releases promptly; publicly disclosed vulnerabilities in popular platforms and plugins are scanned for and exploited within days of disclosure, so an unpatched site is an easy target. Plugins, themes and extensions need the same treatment as the core platform. If you’re working with a website developer or hosting company, be sure that everyone involved knows who is responsible for performing these updates. If the site was a custom build (not built on a content management system or application framework), work with the developer to ensure it continues to meet current security standards.
Use Secure FTP
File Transfer Protocol (FTP) is an easy way to upload files to your website, but it sends your username, password and file contents across the network in cleartext, so anyone who can observe the traffic can capture your credentials and then upload or delete files just as easily as you can. Use SFTP (file transfer over SSH) or FTPS (FTP over TLS) instead, and if your host supports SSH keys, use key-based authentication rather than a password. Ask your host to disable plain FTP on the account entirely; a secure option is of little use if the insecure one is still open.
Use Strong Passwords
Short and simple passwords may be easy to remember, but they’re also easy to guess or crack. Get in the habit of generating strong, unique passwords for every account, and change a password immediately if you suspect it has been exposed (current guidance such as NIST SP 800-63B no longer recommends routine scheduled rotation, which tends to produce weaker, predictable passwords). Strong passwords include:
- At least 12 characters (longer is better; the old 8-character minimum is no longer adequate against modern cracking hardware)
- Uppercase and lowercase letters
- Numbers and special characters
Consider using a “passphrase” instead of a password, for example: 4Score&7YearsAgo. A phrase like this is easy to remember, but note that well-known quotations, song lyrics and other famous phrases appear in cracking dictionaries, so a random or unusual combination of words is far safer than a famous one. Too many passwords to remember? Consider using a professional password management tool, which lets you unlock all of your stored passwords with a single master password and generates random ones for you. A few options include:
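To make the rules above concrete, here is a small password helper written for this article (it is not code from the original page): a check for the length-and-character-class policy, an entropy estimate that shows why length beats complexity, and random generators built on the standard library's `secrets` module. The `WORDLIST` is a constructed 16-word list for the demo only; a real passphrase generator should draw from a large list such as the EFF long list.

```python
"""Password policy check, entropy estimate and random generation.
Added example for this article; not code from the original page."""
import math
import secrets
import string

SPECIAL = set(string.punctuation)

# Constructed mini wordlist for the demo only. A real generator should draw from
# a large list such as the EFF long list (7,776 words, ~12.9 bits per word).
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "velvet", "mango",
            "lantern", "quartz", "ember", "fjord", "tundra", "saffron", "glacier",
            "pixel", "harbor"]


def meets_policy(password, min_len=12):
    """True if the password has at least min_len characters and contains
    upper case, lower case, a digit and a special character."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIAL for c in password))


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols chosen uniformly at random from an alphabet
    of alphabet_size choices. This is the guessing cost for a RANDOM string;
    it badly overstates the strength of a human-chosen string such as a
    famous quotation, which a cracking dictionary will try early."""
    return length * math.log2(alphabet_size)


def generate_password(length=16):
    """Random password over letters, digits and punctuation (94 symbols)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # re-draw until all four character classes are present
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, min_len=length):
            return pw


def generate_passphrase(n_words=5, words=WORDLIST, sep="-"):
    """Random passphrase. Its strength comes from the words being chosen at
    random from the list, not from the words being unusual."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ("password1", "4Score&7YearsAgo", generate_password(), generate_passphrase()):
        print(f"{pw!r:40} policy ok: {meets_policy(pw)}")
    print("8 random chars, 62-symbol alphabet:", round(entropy_bits(8, 62), 1), "bits")
    print("16 random chars, 94-symbol alphabet:", round(entropy_bits(16, 94), 1), "bits")
    print("5 random words from a 7,776-word list:", round(entropy_bits(5, 7776), 1), "bits")
```

Running it shows the point of the passphrase advice: 8 random alphanumerics give under 48 bits, while 5 words drawn at random from a 7,776-word list give about 65 bits and are far easier to remember. The entropy figure only applies when the choice is genuinely random, which is why the generators use `secrets` rather than `random`.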
Maintain Access Logs
Keep a log on your website showing who has made updates to the site and where they logged in from (most content management systems can record this, and your hosting control panel and SFTP/SSH logins should be logged as well). This helps you identify a breach and, afterwards, work out how the attacker got in so you can prevent a repeat. The server’s own access and error logs also help here; work with your host to find out which logs are available, how long they’re stored for, and whether you can download them. A retention period of only a few days is often shorter than the time an intrusion goes unnoticed.
Keep Your Computer Software Up-to-Date
Keep the operating system, browser and other software on the computers you use to administer the site up-to-date, and run a single reputable anti-virus product with regularly scheduled scans (two real-time scanners installed together tend to conflict rather than add protection). A compromised administrator workstation is one of the most common ways site credentials are stolen. Consider programs like:
How to Tell If Your Website Has Been Compromised
What is Phishing?
Phishing is the use of a fake page, typically a copy of a bank, email or shopping login form, to trick visitors into entering passwords, card numbers or other personal information. A hacked website is a convenient place to host such pages: the hacker gains control of the site and adds pages to it, changes its content, or adds malware or spyware that collects this information from visitors’ computers. Because the phishing pages live under your domain, it is your reputation that suffers when they are discovered.
Many times the web host will catch security breaches and notify clients, but sometimes the website owner is the first to know, either by discovering it themselves or by being told by a site visitor. Use the following tactics to monitor your site’s health on your own.
Use Google Webmaster Tools
The free Google Webmaster Tools program (since renamed Google Search Console) is a good option: Google uses automatic scanners to constantly look for sites that host or distribute badware. When your site is flagged for malware, the warning is shown on the Webmaster Tools home page when you log in, and email notifications are sent to the addresses you have registered for the site. Verify your site there before you need it, since you cannot receive the alerts otherwise.
Check Your Site in the Search Engines
Periodically conduct a Google search for your site and check that the site title and description are showing up correctly. If you see a spammy title or description that doesn’t look familiar or doesn’t match the content of your site, it’s possible your site has been hacked and the hacker is inserting spammy content into your title tag and meta description fields. A site:yourdomain.com search lists every indexed page; unfamiliar URLs (pharmacy, casino or loan pages, for example) are a classic sign of spam injection. Some injections are served only to search engine crawlers, so the indexed copy can differ from what you see in your own browser.
Use Google’s Safe Browsing Checker
Type http://www.google.com/safebrowsing/diagnostic?site=yourdomain.com into your browser and replace "yourdomain.com" with your actual domain (Google has since moved this report into its Transparency Report as the Safe Browsing site status check). The page will display a report showing how many pages have been tested in the past 90 days, and whether any of those pages were found to be downloading and installing malicious software without user consent.
Sucuri SiteCheck is a free remote website malware and security scanner, with paid cleanup and monitoring options. Note that any remote scanner only sees what the site serves to it: a site that serves malicious content only to certain visitors, or only on certain pages, can pass a scan and still be compromised.
Monitor your Web Traffic
Using Google Analytics or another web analytics program, monitor the daily volume of visits and where those visits are originating. A large spike in traffic that doesn’t correlate with a marketing promotion or have another reasonable explanation may be an indication of an attack; so may a sudden drop, or traffic arriving from countries or referrers that make no sense for your audience, which can mean visitors are being redirected elsewhere or your pages are being used in a spam campaign.
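The two previous sections (Maintain Access Logs, and Monitor your Web Traffic) both come down to reading the server’s access log. The script below is an added example written for this article, not code from the original page: it parses lines in the Apache/nginx "combined" format, lists successful administrator logins from addresses that are not on your allow-list (and the failed-attempt bursts that usually precede them), and flags days whose request count is far above the median. The log lines are constructed for the demo, and the `/admin/login` path and the 302-on-success, 200-on-failure convention are assumptions you would adjust for your own application.

```python
"""Scan a web server access log (Apache/nginx "combined" format) for two of
the signals this article mentions: administrator logins from unexpected
addresses (plus the brute-force attempts that usually precede them) and
daily traffic spikes. Added example for this article, not code from the
original page; the log lines are constructed for the demo."""
import re
import statistics
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption for the demo: the admin login form posts to /admin/login and
# answers 302 (redirect to the dashboard) on success and 200 (form shown
# again) on failure, as WordPress' wp-login.php does. Adjust for your app.
LOGIN_PATH = "/admin/login"


def parse(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def parse_lines(lines):
    return [e for e in map(parse, lines) if e]


def _login_posts(entries, status):
    return [e for e in entries
            if e["method"] == "POST" and e["path"] == LOGIN_PATH and e["status"] == status]


def admin_logins(entries):
    """Successful logins as (ip, timestamp) pairs."""
    return [(e["ip"], e["ts"]) for e in _login_posts(entries, 302)]


def unexpected_admin_logins(entries, allowed_ips):
    """Successful logins from addresses not on your allow-list (office, VPN)."""
    return [(ip, ts) for ip, ts in admin_logins(entries) if ip not in allowed_ips]


def failed_login_bursts(entries, threshold=5):
    """Addresses with at least `threshold` failed login attempts."""
    fails = Counter(e["ip"] for e in _login_posts(entries, 200))
    return {ip: n for ip, n in fails.items() if n >= threshold}


def daily_counts(entries):
    """Requests per day, oldest first."""
    return dict(sorted(Counter(e["ts"].date().isoformat() for e in entries).items()))


def traffic_spikes(counts, factor=3.0):
    """Days whose request count exceeds `factor` times the median of the other days."""
    spikes = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        if others and n > factor * statistics.median(others):
            spikes.append(day)
    return spikes


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def sample_log():
    """Constructed three-day log: an office login on day 1, a brute-force run
    from 198.51.100.7 that succeeds on its 7th try on day 2, and a ten-fold
    traffic spike on day 3."""
    lines = []
    for day, n in (("01", 20), ("02", 20), ("03", 200)):
        for i in range(n):
            lines.append(_line(f"192.0.2.{i % 50 + 1}",
                               f"{day}/Mar/2024:10:{i // 60:02d}:{i % 60:02d} +0000",
                               "GET", "/", 200))
    lines.append(_line("203.0.113.5", "01/Mar/2024:09:00:00 +0000", "POST", LOGIN_PATH, 302))
    for s in range(6):
        lines.append(_line("198.51.100.7", f"02/Mar/2024:03:14:{s:02d} +0000", "POST", LOGIN_PATH, 200))
    lines.append(_line("198.51.100.7", "02/Mar/2024:03:14:06 +0000", "POST", LOGIN_PATH, 302))
    return lines


if __name__ == "__main__":
    entries = parse_lines(sample_log())
    print("logins from unexpected IPs:", unexpected_admin_logins(entries, {"203.0.113.5"}))
    print("brute-force sources:", failed_login_bursts(entries))
    counts = daily_counts(entries)
    print("daily requests:", counts, "spikes:", traffic_spikes(counts))
```

On the sample data the script reports the 3 a.m. login from 198.51.100.7, the six failures that preceded it, and day 3 as a spike. Against a real log, feed it `open("access.log")` instead of `sample_log()`; the allow-list should be the addresses your administrators actually use, and a login that does not come from one of them deserves a phone call before anything else.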
Inspect your Website Files
Periodically review your web files for files or directories that look suspicious or out of place: recently modified files you did not change, script files (such as .php) inside upload or image directories, and files whose names mimic legitimate ones. Comparing the site against a known-good copy, or against a list of file checksums recorded when the site was clean, is far more reliable than eyeballing a directory listing.
Your Website Has Been Hacked: Now What?
Contact Your Web Host
Contact your web host to ensure they’re aware of the problem. It’s possible the hackers gained entry through the server, and in that event, the host needs to secure the servers before you can take much action.
Contain the Problem
Avoid using a browser to view infected pages on your site. Because malware often spreads by exploiting browser vulnerabilities, opening an infected page in a browser may infect your own computer; if you need to inspect a page, download its source with a command-line tool from an isolated machine instead. Run an anti-virus scan on your computer and on the computers of every other website administrator, since a password stolen from an infected workstation is a common way sites are broken into in the first place.
Consider Restoring to a Backup
Once you know when and how the website was compromised, you can determine whether you can attempt to manually “clean up” the site or whether it will be better to restore to a clean backup. If you choose to restore, pick a backup taken before the compromise (an attacker may have been present for weeks before anything visible happened), and make sure that you re-apply newer security patches and upgrades that you may have lost by going back to an earlier version of the site. If the hackers gained access through the site (as opposed to the server), fix the vulnerability that let them in before the restored site goes live; otherwise it will simply be hacked again in the same manner.
Update Your Passwords
After the servers are secure and any security vulnerabilities have been mitigated, change the following passwords (changing them while the attacker still has access only gives them the chance to capture the new ones):
- The account you use to login to your web host
- Your FTP usernames and passwords
- Your database username and password (if possible, create a new username and password and delete the original)
- All administrator logins for the website, if applicable, along with any API keys or secrets stored in the site’s configuration files
Check Site Files
Check your site files for suspicious-looking new files, or changes to existing files. Hackers often insert malicious code or new files (backdoors) that let them regain access after the original hole is closed, so a clean-up that misses even one of these is no clean-up at all. Compare against a clean copy of your platform, plugins and themes downloaded from the vendor rather than relying on memory of what should be there, and delete these files or remove the malicious code.
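Both the Inspect your Website Files section above and this one rely on knowing what the site looked like when it was clean. The following script is an added example written for this article, not code from the original page: it records a SHA-256 manifest of the document root, reports files added, removed or changed since that baseline, and applies two cheap heuristics for what attackers typically leave behind (scripts inside upload directories, and obfuscated `eval(base64_decode(...))` payloads). The demo builds a throwaway site tree in a temporary directory with constructed contents, so it runs stand-alone; the PHP focus, the list of upload directories and the backdoor pattern are assumptions to adapt for your stack.

```python
"""Baseline-and-compare integrity check for a site's document root, plus two
cheap heuristics for files attackers commonly leave behind. Added example for
this article, not code from the original page; the demo builds a throwaway
site tree in a temporary directory so it runs stand-alone."""
import hashlib
import json
import os
import re
import tempfile

# Obfuscated-eval pattern common in PHP backdoors. Assumption: PHP site.
BACKDOOR_RE = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")
UPLOAD_DIRS = {"uploads", "media", "files"}  # assumption: should hold static assets only


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    """Store the baseline OFF the web server: an attacker with write access to
    the site could otherwise simply edit the manifest to match."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Files added, removed and changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def suspicious_files(root, manifest):
    """Scripts inside upload directories, and obfuscated eval() payloads anywhere."""
    hits = []
    for rel in manifest:
        dirs = rel.split("/")[:-1]
        if rel.lower().endswith(SCRIPT_EXT) and UPLOAD_DIRS.intersection(dirs):
            hits.append((rel, "script in upload directory"))
        with open(os.path.join(root, rel), "rb") as f:  # fine for a site tree; stream for huge files
            if BACKDOOR_RE.search(f.read()):
                hits.append((rel, "obfuscated eval()"))
    return sorted(hits)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: snapshot a clean site, then simulate a compromise
    (index.php injected, a script dropped in uploads/, config.php deleted)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", b"<?php echo 'hello'; ?>")
        _write(root, "config.php", b"<?php $db_host = 'localhost'; ?>")
        _write(root, "uploads/photo.jpg", b"\xff\xd8\xff\xe0 fake jpeg bytes")
        baseline = build_manifest(root)
        _write(root, "index.php", b"<?php eval(base64_decode('ZWNobyAxOw==')); echo 'hello'; ?>")
        _write(root, "uploads/shell.php", b"<?php /* dropped by attacker */ ?>")
        os.remove(os.path.join(root, "config.php"))
        current = build_manifest(root)
        return compare(baseline, current), suspicious_files(root, current)


if __name__ == "__main__":
    diff, hits = demo()
    print("diff:", diff)
    print("suspicious:", hits)
```

In practice you would run `build_manifest` on the freshly deployed site and `save_manifest` the result somewhere the web server cannot write, then re-run the comparison on a schedule; the diff tells you exactly which files to examine, and the heuristics give you a starting point when there is no trustworthy baseline at all. Manifests for the platform and plugins can also be generated from the vendor’s clean download, which is how most CMS integrity checkers work.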
Review User Accounts
Review the user accounts on your website and disable any that appear suspicious; also check whether existing accounts have been given elevated privileges. It’s common for hackers to create one or more new administrator accounts so they can get back in later.
Report the Incident
Report the incident to the appropriate organizations:
Resubmit Your Site to Google
If Google flagged your site as hosting malware or phishing pages, once the site is clean you can request a review through your Google Webmaster Tools account to have the warning removed. Make sure every trace of the malicious content is gone before you do: a failed review only lengthens the time your site carries the warning.
Google Webmaster Tools
Google Online Security Blog
United States Computer Emergency Readiness Team
Stop. Think. Connect.
Editor’s note: This article is not meant as a comprehensive guide to website security, but rather as an educational tool. If you are concerned your website has been hacked, contact your web host and consult a professional web developer or web security company.