This is the first post in a four-post series about security risks related to website hosting.
Imagine owning a store where people are constantly throwing bricks through your windows, stealing your cash, flipping over your displays, and spray-painting vile messages on your door.
Sounds like a scene straight out of A Clockwork Orange. It's apocalyptic and nightmarish. And it’s happening to business owners across the US right now.
“This doesn’t apply to me. I don’t own a bricks-and-mortar store.”
But do you have a website? That’s your store.
The droogs? They’re international hackers working to infect your site 24/7/365.
Who’s Hacking Your Website?
Check your Analytics data and your Web server's logs right now. See any strange requests coming from far outside your service area?
If you've ever wondered why your local business is getting activity from Ukraine, Russia, and China, it's because they're trying to hack your website.
Hackers are a proud bunch. They boast about their deviance on Twitter. And they even create websites that teach other people how to hack websites. The scariest part is that hackers and hacking how-to sites are exponentially increasing in number.
How Do Hacks Occur?
Hackers can enter websites in several ways:
(1) They guess the password to your server’s file system. This is like sitting at the computer with all the files and folders in front of you.
(2) They test servers for outdated and obsolete tools, such old versions of FTP (File Transfer Protocol). When exploited with the right signals, these tools crash and open the door to the server’s file system, leading the hacker to all of your website’s files.
(3) They gain access to your files and alter them. Just by using a browser, many hackers can find weaknesses in your website, either through a form or a back-end entry point in Wordpress, Joomla, or Drupal.
Still Think it Hasn’t Happened to You?
If the SEC, FBI, and CIA can get hacked, anyone can.
In fact, most hacks you can't even see.
Often, hackers insert malicious software into your website to attack the device being used to browse your website. When a user’s computer gets infected after loading your website, who do you think she blames? You.
The hacks you CAN see are equally disturbing.
GoDaddy was recently infested with a hack that affected thousands of websites across the US. When the hacked sites were viewed on a desktop or laptop, they looked normal, but when they were viewed on a mobile device, they redirected to porn sites!
Whose Job is it to Protect Your Site?
Website hacks can’t be blamed on your senior management team, your programmer, your marketing company, or even you. But in many cases, they CAN be attributed to negligence on the part of your hosting services provider.
Nevertheless, it is up to YOU to make sure your hosting services provider is proactive about keeping hackers at bay. Here’s the questionnaire I use:
(1) Is a firewall in place? If so, what is blocked?
(2) Can anyone with the right username and password access the system by FTP or SSH?
(3) How often are websites backed up/cataloged, and what is the restore procedure?
Send this list to your hosting provider right now and ask her if she’s doing these things to prevent your website from being hacked.
(Of course, this is not something that you should have to ask about. Preventing hacks is not going above and beyond—it should be the standard for all website hosts. But if it can help prevent your website from being hacked, it’s worth doing.)
If you find out that your host has weak standards, get ready to find a Molotov cocktail soaring through your window in the next 30 seconds, if not sooner. And start looking for a new hosting provider ASAP!
Stay tuned for next week’s blog post, which will cover the irreversible effects hacking can have on your business (and why you need to take action NOW).
-- Randy Goldstein, Web Programmer and Hosting Services Provider