If you’ve been following this blog for a while, you know what happened to it in May: we were hacked. We had to take down the entire website, and because of a family emergency, internal personnel changes, and a very busy client schedule, it stayed down for weeks. Weeks. Fortunately, we don’t sell anything on our website, but we do market our services and use it as our online corporate brochure, so to speak, so having it unavailable for so long crippled our web marketing and promotional campaigns. I mean, this is what we do for a living. We develop, launch and manage digital marketing campaigns for clients, for cryin’ out loud. Having a website in perpetual Maintenance Mode didn’t exactly help our reputation.
It did teach me an invaluable lesson, however, and that is that online security and privacy should never be taken for granted. At least, not anymore.
When I first ventured into the Internet 19 years ago (!!), my username (assigned by the university) actually included the last four digits of my Social Security Number. That’s how naïve we were back then about the use of identification numbers, but at the time the Internet existed primarily as an academic network. The “web” as we know it now had yet to be created, and I knew exactly three people with email addresses, and two of them were computer science students.
Now, however, just about everyone I know has at least two email addresses, and sometimes more. We access the web at home as well as at work, at Starbucks, on the plane, in an airport, in a remote village in Africa, and even on our phones. We download pictures, share music, conduct research, shop, send flowers, pay bills, and of course, bank online.
All of these transactions and activities both large and small translate into terabytes of data flowing through millions of computers around the world — and all it takes is one vulnerable section of that network to reveal your data for all the world to see.
And the same applies to your website. Many of us take great pains to protect our financial privacy online, but as a small business owner, chances are you might not even do the bare minimum to protect your site from being hacked. Look at us: we’re Exhibit A. We actually traffic in the digital space, and yet our own site was hacked. And we’re a very small boutique firm.
Imagine if your company website were to go down for even just a day, let alone a month, as ours was. If you’ve ever attended a networking event and handed out your business card to someone, submitted a proposal to a prospective client, or even posted a job ad on Craigslist, chances are the folks you met, or who saw your ad or proposal, went online to check out your web presence.
If, instead of a website describing your services, history and management team, your visitors were to land on an error page, what do you think they’ll do next?
If you own or manage a small business, you can’t afford to have your site down for even just a few hours, especially on weekdays and during business hours when prospects and clients are most likely to check you out. Here are some hard-won lessons I’ll share with you on how to protect your website from being hacked and taken down.
- Keep your website code clean and/or your software updated. WordPress is one of the most popular website platforms in the world, and for this reason it’s a favorite hacker target. WordPress continually releases updates to patch security holes, upgrade features and stay one step ahead of hackers, but it’s your responsibility as the owner of a self-hosted WordPress site to ensure that you download and activate those upgrades. The same goes for any plugins that you’ve installed. Outdated software is one of the vulnerabilities that hackers look for when they trawl for sites to infiltrate.
- Keep your own computers and other electronic devices secure. I use Kaspersky and have for over 5 years to protect all of my computers, including my Mac, 2 laptops, desktop, and netbook. This Russian company’s antivirus, anti-malware, and anti-spam programs have been consistently well-reviewed, and it’s kept me and my computers well-protected. In fact, when I first logged into our website shortly after we were hacked in May, my PC was inundated with Trojan malware. Or at least, whatever program was installed on our site tried to install Trojan malware on my computer. Kaspersky caught every single one of them (hundreds of attempts in all, every single time I tried to log in) and made it possible for me to clean up the site without getting my own PC infected. (If you’re interested, you can buy now and save up to $25 on Kaspersky’s program and participate in their ‘ultimate Batman experience’ promotion.) Other excellent, solid programs include Bitdefender and Norton. Whatever program you select, make sure that you renew your license when it’s close to expiring – never let your protection lapse. The relatively low cost of these programs is a tiny price to pay for security.
- Ensure that your employees change their passwords periodically. If you’re on Google Apps, you can customize password management and require your users to, say, select a password with a minimum of x characters. It also allows you to monitor the relative strength of your users’ passwords so that you can see if you have any weak links in your security chain, so to speak. Whatever system you use to secure your website and email programs, make sure that you require your employees to change their passwords every 2-3 months, if not more often.
- Keep your browser updated. Whether you use Firefox, Safari, Chrome, Internet Explorer, or any other browser, make sure that you have the latest version. Some — like Google Chrome and Mozilla Firefox — update automatically by default, but others require that you manually check for updates. If that’s the case with your browser, check for updates at least once a week to ensure that you have the latest security patches and other critical fixes.
- Be selective with the users you allow access to your website. Your IT administrator obviously will have super-admin status, but does your administrative assistant need it, too, especially if he’s not a programmer? (By the way, the business owner should always have super-admin status, even if he or she doesn’t ever touch the source code itself. I’ve seen too many website developers disappear on their clients, leaving the latter without any access to their own websites, especially if they were hosted on the developers’ own ISPs.) Even consultants to whom you provide login credentials should have limited-time access only, after which their logins will automatically expire. Monitor your logs periodically to make sure that unauthorized users are not logging in and potentially doing damage to your site.
- Install a website protection and backup program. I swear by VaultPress.com, built by Automattic, the same folks who built WordPress. I love it even though it’s a premium service (basic plans start at $15/month per site) because I never have to worry about whether or not it’s compatible with the latest version of WP. I know a lot of folks who love Backup Buddy, too, and I’ll happily admit that Backup Buddy saved us when our site was hacked and I had to rebuild it from scratch. (I didn’t install VaultPress until after I had recreated the new site.) Whatever platform you’re using to manage your site, make sure that you have a backup program, and that it backs up daily, especially if you update your site content often.
- Avoid using open networks. That means the free wi-fi at Starbucks or any other public area such as libraries, airports, universities, restaurants, grocery stores, etc. You can minimize the risk by accessing sites only through their HTTPS URL, which encrypts data going in and out of your account. However, that doesn’t eliminate it altogether, and some sites have login pages that are HTTPS-enabled but internal pages that are not. To be on the safe side, minimize your browsing activities on insecure, open networks, or better yet, get a mobile broadband account, either on your smartphone or with a broadband device from one of the major cellular carriers.
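To make the access-review advice in the list above concrete, here is an added example (my own code, not from the original post or from any WordPress plugin) that runs over constructed login-audit lines and flags successful logins by accounts that are not on the authorized list, logins by consultant accounts past their expiry date, and repeated failures from one address. The log line format, the account names and the expiry dates are all assumptions.

```python
import re
from datetime import date

# Constructed account list: permanent accounts map to None; time-limited
# consultant logins map to the date (YYYY-MM-DD) on which access expires.
AUTHORIZED = {
    "owner": None,                # business owner keeps super-admin
    "itadmin": None,
    "consultant1": "2011-06-30",  # contractor access that should have lapsed
}

# Assumed audit-log line format, one login attempt per line:
# "<ISO-8601 UTC timestamp> user=<name> ip=<addr> result=success|failure"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"result=(?P<result>success|failure)$"
)

def review_logins(lines, authorized=AUTHORIZED, fail_threshold=3):
    """Return (reason, line) findings: successful logins by unknown or expired
    accounts, and addresses that reached fail_threshold failed attempts."""
    findings, failures = [], {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append(("unparseable line", line))
            continue
        day, user, ip = date.fromisoformat(m["ts"]), m["user"], m["ip"]
        if m["result"] == "failure":
            failures[ip] = failures.get(ip, 0) + 1
            if failures[ip] == fail_threshold:   # report once per address
                findings.append((f"{fail_threshold} failed logins from {ip}", line))
            continue
        if user not in authorized:
            findings.append((f"login by unknown account {user}", line))
        elif authorized[user] and day > date.fromisoformat(authorized[user]):
            findings.append((f"login by expired account {user}", line))
    return findings

# Constructed sample log for demonstration (not real traffic).
SAMPLE_LOG = """\
2011-07-01T09:12:44Z user=owner ip=198.51.100.10 result=success
2011-07-01T09:30:02Z user=consultant1 ip=203.0.113.7 result=success
2011-07-01T10:05:11Z user=admin ip=192.0.2.33 result=failure
2011-07-01T10:05:13Z user=admin ip=192.0.2.33 result=failure
2011-07-01T10:05:15Z user=admin ip=192.0.2.33 result=failure
2011-07-01T10:07:19Z user=webdev_old ip=192.0.2.33 result=success
""".splitlines()
```

Run `review_logins(SAMPLE_LOG)` and every finding is something to act on: expire the consultant login, remove the forgotten developer account, and look at the address that kept guessing.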