I am a fan of WordPress, and I sometimes do recommend it for my clients to use. When their business goals and plans align with what WordPress can do, I find it a great tool to use. Surely, there is a learning curve involved… but yeah, you can do it. It’s a new skill you get, and it is comparable to learning to drive a car.
I recently noticed a client totally neglecting security issues with their website. I was contacted by someone who had a WordPress website in place that needed a re-design, and the website hadn’t been updated for two or three years. When I heard that, I was shocked. This client had never given any thought to website security and was completely oblivious to the matter.
What’s the risk with neglecting security on your website?
A website that doesn’t get updated for three years is a huge security risk. Every vulnerability found and fixed in WordPress, its plugins and its theme over those years has been published along with the fix, and a site still running the old versions has all of them open to anyone who cares to look.
Hackers know that small businesses tend to be more lax about security, and this is one of the reasons why small businesses are being targeted more consistently nowadays. Even if a small business website is not targeted specifically, it is still highly plausible that it gets swept up in a broad-reaching attack. Most attacks today are automated: scripts that scan the whole internet for known weaknesses, rather than a person picking out your site.
The goal of such an attack is usually to steal and exploit sensitive data, or to take over the site itself for spam, malware distribution or as a foothold for further attacks.
For my client, who had updated neither WordPress itself nor any of the plugins for almost three years, this means that malicious code could well have been injected into the application, because the loopholes had been wide open for a long time.
It would be very time-consuming to run thorough security checks on such an unsecured website, and I would probably recommend setting up a fresh WordPress installation instead of running these checks. I personally would refuse to redesign a website without improving the site’s security beforehand.
To show that I am not just playing on fears, I want to show you two screenshots I made today from one of my websites. I have WordPress installed on this very new website, but besides that, it is completely empty. When visiting the URL, you would see a blank white screen. It is untouched.
Much to my surprise, I began to notice that this new website recently got a lot of traffic. In only 3 days it got almost 140,000 hits, with a peak of 70,000 hits in one single day. 70,000!
Ok, let’s do the math here: one hour has 60 minutes and a day has 24 hours, which adds up to 1,440 minutes per day. 70,000 hits in one day equals about 50 hits per minute. That is almost one hit per second!
It is very unlikely that this was done by a human hacker. A human would have had to pull the trigger almost every second for 24 hours. I therefore think it’s correct to assume that there was a machine behind this attack.
The carefree security attitude of one of my clients re-ignited the spark to write a post about website security. It’s not the first time I have had the impression that many people (and shockingly, many business owners!) don’t show much security awareness for their website.
I’ve done a bit of research and found some numbers that I personally find pretty alarming. We’ve all heard about the huge attacks that have rocked the mainstream media, and probably because these attacks happened to big corporations, many small business owners don’t think they have to worry much.
However, I really want you to have a look at these numbers:
- 60% of targeted attacks in 2014 struck small and midsized businesses
SMEs often don’t believe they are at risk:
- … of SMEs did not prioritize the improvement of their online security for future business growth
- … believe they are not a target of attacks as they don’t have anything worth stealing
- … believe they won’t suffer any lost revenue from a day’s worth of downtime after an attack
SMEs lack the resources or knowledge to defend against attacks:
- … don’t have a plan of action
- … think that cyber security is too expensive to implement
- … admit they don’t know where to start
A survey taken by PwC in 2015 revealed that cyber criminals are switching their focus to medium-sized firms as large firms improve their data security. There is a general assumption that smaller businesses are safe from cyber criminals because their data is not valuable, and hence they take no measures to protect against security risks.
A word about Hackers
Hackers are people like you and me. They are hunters. Sometimes they have a goal in mind, and other times, they just want to have fun.
They constantly move around in cyberspace and check where they can find something. The more capable ones target the big corporations, looking for sensitive data that can be captured and sold on the grey market. Others just surf around and test-hack a site, looking to see whether the website owner is missing the security basics and has the commonly known security holes open.
On my website, I see that at least once a week, someone tries to access the core files of my application. They are testing whether I have left everything “at default”, which would make it easy for them to get in and leave a code snippet. Usually they try only once, because no, I have not left everything at default.
Others try to get into my database by guessing different usernames and passwords. They don’t get very far either, because their IP address gets blocked soon.
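Both the hit-rate arithmetic above and the two probing patterns just described can be read straight out of the web server’s access log. The script below is an added example, not code from the original post or from any plugin: it parses Apache/nginx combined-format log lines, reports the busiest minute (the per-minute rate the post estimates by hand from a daily total), and lists client IPs that repeatedly POST to the login endpoints or request files a normal visitor never asks for. The log lines, IP addresses, probe paths and thresholds are all constructed for the example and would be tuned on a real site.

```python
"""Find automated probing in a WordPress access log.

Added example, not code from the original post or from any plugin. Parses
Apache/nginx "combined" log lines, reports the busiest minute, and lists
client IPs that hammer the login endpoints or request files that a real
visitor never asks for. Log lines, IPs and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: where password guessing lands on a stock WordPress site.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
# Assumption: a browser never requests these on a working site; scanners
# checking for an unfinished or leaky install do.
PROBE_PATHS = {"/wp-config.php", "/wp-config.php.bak", "/wp-admin/install.php",
               "/wp-admin/setup-config.php", "/readme.html"}
LOGIN_THRESHOLD = 5   # assumed: login POSTs from one IP before we call it brute force
PROBE_THRESHOLD = 2   # assumed: distinct probe files from one IP before we call it a scanner

# Constructed sample log (documentation IP ranges, not real visitors).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2016:10:00:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2016:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Mar/2016:10:00:30 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [02/Mar/2016:10:01:10 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.9.1"
198.51.100.7 - - [02/Mar/2016:10:01:11 +0000] "GET /wp-admin/install.php HTTP/1.1" 404 209 "-" "python-requests/2.9.1"
198.51.100.7 - - [02/Mar/2016:10:01:12 +0000] "GET /readme.html HTTP/1.1" 200 7402 "-" "python-requests/2.9.1"
192.0.2.9 - - [02/Mar/2016:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    return rec


def analyse(lines):
    """Hit rate per minute plus the IPs that look like bots, from an iterable of log lines."""
    per_minute = Counter()
    login_posts = Counter()
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # rotated-log noise, truncated lines, other formats
        per_minute[rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
        if rec["path"] in LOGIN_PATHS and rec["method"] == "POST":
            login_posts[rec["ip"]] += 1
        if rec["path"] in PROBE_PATHS:
            probes[rec["ip"]].add(rec["path"])
    busiest, peak = per_minute.most_common(1)[0] if per_minute else (None, 0)
    return {
        "total_hits": sum(per_minute.values()),
        "busiest_minute": busiest,
        "peak_hits_per_minute": peak,
        "brute_force_ips": {ip for ip, n in login_posts.items() if n >= LOGIN_THRESHOLD},
        "scanner_ips": {ip for ip, paths in probes.items() if len(paths) >= PROBE_THRESHOLD},
    }


def demo():
    """Run the analysis over the constructed sample."""
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real server you would call `analyse(open("/var/log/apache2/access.log"))` and feed the returned IP sets to a firewall rule or a deny list; this is, in simplified form, the decision a login-protection plugin makes for you automatically. The 403 and 404 statuses on the probe lines matter less than the fact that anyone asked for those files at all.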
“Security is a process, not a product – and that process is a never-ending one.”
Here’s what you can do about it
For any business with an online presence, ensuring that your systems are secure and remain so is critical to staying in business. The threat of attacks is always present, but there is plenty you can do to insulate yourself against the risk. Remember, the most dangerous course of action is to disregard the threat.
Here are some steps you can take:
1. Back up your computer’s hard drive to an external hard drive and set up a regular backup routine. (If you are on a Mac, Time Machine is the easiest way to do this.)
2. Set up a backup plan for your website. If you have WordPress, there are a few very good plugins that regularly back up your entire website, files and database alike. Two widely used ones are VaultPress and BackupBuddy. Feel free to read this article to learn from some pros how they back up their websites. Whatever you use, store the backups somewhere other than the web server itself, and test restoring one: a backup you have never restored is only a hope.
3. This step is for WordPress sites again: install a security plugin to close the commonly exploited holes. I can highly recommend Wordfence, which comes as a free or a premium version; even the free version is very helpful. Wordfence scans your installation for known malware and for core files that differ from the official WordPress release, and adds a web application firewall and rate limiting for login attempts. Another helpful plugin is Acunetix WP Security, which checks your installation for common security weaknesses.
4. Apply a TLS (SSL) certificate to your website and serve every page over HTTPS, not just the checkout. This is not only for eCommerce stores: the WordPress login form sends your password, and without HTTPS it crosses the network in the clear.
5. Always keep your software up to date. Pay attention when the little notifications in your WordPress dashboard tell you a new version is available. Read what the update is about, and apply it as soon as possible (but make a backup beforehand).
6. Update your WordPress theme, and delete any themes and plugins you are not using. A deactivated plugin is still code sitting on your server, and a vulnerability in it can still be exploited.
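The steps above come down to two mechanical habits: take a backup before you touch anything, and be able to tell afterwards which files have changed. The script below is an added example, not code from the original post, from VaultPress, BackupBuddy or Wordfence: it writes a timestamped tar.gz of a site directory together with a SHA-256 manifest of every file, and later compares the live tree against that manifest, which is the same basic idea a security plugin uses to spot a code snippet an intruder has planted. The sample site, paths and planted files in `demo()` are constructed; dumping the MySQL database, which a real backup also needs, is noted in a comment and not simulated.

```python
"""Back up a site tree and find files that changed since the backup.

Added example, not from the original post or from any backup or security
plugin. Produces a timestamped tar.gz plus a SHA-256 manifest, and later
reports files modified, added or removed relative to that manifest.
The sample site in demo() is constructed; the database dump is not simulated.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large uploads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file's path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup_site(root, dest_dir):
    """Write <dest_dir>/site-<UTC stamp>.tar.gz and the matching manifest.

    A real run also needs the database, e.g.
    mysqldump --single-transaction DBNAME > dest_dir/db-<stamp>.sql
    which needs a live MySQL server and is deliberately left out here.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"site-{stamp}.tar.gz"
    manifest = dest_dir / f"site-{stamp}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(root), arcname="site")
    manifest.write_text(json.dumps(build_manifest(root), indent=1, sort_keys=True))
    return archive, manifest


def verify_site(root, manifest_path):
    """Compare the live tree against the manifest; return what changed."""
    baseline = json.loads(Path(manifest_path).read_text())
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed site: back it up, then change it the way an intruder would."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        archive, manifest = backup_site(site, Path(tmp) / "backups")

        # After the backup: code appended to a core file, and a new PHP file
        # dropped into the uploads directory (harmless placeholders planted for the demo).
        with open(site / "index.php", "a") as f:
            f.write("<?php /* injected */ ?>\n")
        (site / "wp-content" / "uploads" / "cache.php").write_text("<?php /* dropped */ ?>\n")

        with tarfile.open(archive) as tar:
            archived = {m.name for m in tar.getmembers()}
        return {"changes": verify_site(site, manifest),
                "archive_has_index": "site/index.php" in archived}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the manifest with the backup, not on the web server, or an intruder who can edit `index.php` can edit the list of hashes too. Run `verify_site` from a cron job and treat any PHP file turning up under `wp-content/uploads` as an incident rather than a curiosity.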
And of course, it is important that you develop a habit of backing up your data. Particularly for a small business, this can make all the difference should the worst-case scenario really happen to you. It is a way of managing your risks, and also a very healthy attitude for every entrepreneur.
As long as there is no effective cure for the attacks of ill-minded hackers, we need to come up with smart approaches to protect our businesses. There is no miracle way to prevent an attack, but educating people and raising security awareness is vital.
If you are the IT team as well as the sales manager and the delivery driver, you probably already work 25 hours a day and may need to rely on the pros going forward. Go with what makes sense for your business and your budget, but remember that a single security incident can put you out of business, so don’t leave this to chance!
Remember, when you are running WordPress on your website, you’ve got to do maintenance regularly. Updating and backing up your website is a must-do, not optional.
I do have clients who consult me for setting up their technical systems. When installing WordPress on a client’s site, I implement security right at installation. I am well aware that there is no way to make anything foolproof, but there are ways to make it a little harder for anyone with bad intents. If you need some support with regards to website issues or some guidance in setting up business processes, I am here to help you. You can contact me for a Clarity Session to get your most burning questions answered, or request a system setup of your business processes in the contact form below.