Small Business Websites Falling Victim to Hackers
According to newly released Google Transparency Report Safe Browsing statistics, over 10 million internet users encounter unsafe websites delivering malware and spam every week. Google says many of the affected pages are small business websites and personal blogs. According to the search engine, many owners of compromised sites are unaware there is a problem; visitors are turned away by a ‘This site may be unsafe’ warning, which means lost traffic; and when the problem is detected, owners often lack the cyber security know-how to fix the issue and restore the site.
Security on the web is paramount, especially for webmasters striving to create a coordinated and enjoyable online experience for their visitors. But with statistics showing more than 10m users encountering harmful websites every week, just how deep does this security issue go – and how can webmasters make their sites more secure for their audience?
The figures are certainly worrying, both for those browsing the web and the webmasters attempting to keep their site free from hackers, malware or scams. Over the last year, Google says it has detected more than 800,000 compromised websites, with 16,500 new ones springing up every week, from all over the globe.
The unfortunate visitors to these sites find themselves looking at scam content and malware, often with downloads inserting themselves onto the computer. Many of the scams are fairly easy to spot, and many users have software installed which alerts them to these fake sites – but they are becoming ever more sophisticated, and the uninitiated can fall for the dirty tactics employed by the malware creators.
In order to help webmasters protect their websites and their businesses, Google teamed up with the University of California, Berkeley, to devise new methods of reaching out to compromised site owners quickly and to expedite recovery. It says, “When Google works directly with webmasters during critical moments like security breaches, we can help 75% of webmasters re-secure their content. The whole process takes a median of 3 days. This is a better experience for webmasters and their audience.”
The big question then is how can webmasters protect themselves against these kinds of hacks and ensure that their visitors aren’t exposed to potentially harmful content? How can compromised sites be repaired and measures put in place to stop it happening again?
If you’re a webmaster concerned about the figures above, try these strategies to protect your site and safeguard your online reputation.
Keep everything up-to-date
One of the most effective ways to protect your website is to ensure that all the platforms and scripts your website utilises are kept up-to-date. The downside of using open-source software is that the code is available to hackers, who can take their time to pinpoint security loopholes they can exploit. By keeping your scripts and platforms totally up to date, you can minimize the risk of hackers exploiting loopholes – but it’s important to remember that this method alone will not be enough to secure your site fully.
Encrypt login pages, and limit sharing of login data
Using encryption on your login pages is essential to ensure that hackers can’t get hold of your login credentials. SSL encryption is among the most popular options – this is the type that makes ‘https://’ appear at the beginning of the URL. With this type of encryption, the information entered on the page is meaningless to any third party who may come across it, and cannot be interpreted or translated in any way.
You should also ensure that you’re not handing out login details to those who don’t necessarily need them. Rather than allowing coworkers, third-party service providers or other associates to use your login information, create separate accounts for them and ensure that their permissions are kept up-to-date. Remove or downgrade permissions immediately if they leave the company or change their role, and remind all users to change their passwords regularly.
Utilise Google’s tools
Google offers a multitude of tools across a number of its properties that can help you remain vigilant when it comes to your website’s security. The site: search feature accessible from the search page allows you to check for suspicious URLs or directories associated with your website. The Search Queries page in Analytics lets you check the significant keywords that Google has found on your website. If you’re seeing unexpected keywords (terms like ‘casino’, ‘viagra’ and ‘loans’ are among the most common), it’s likely your site’s security has been breached.
Google plays a big part in helping to detect malware, which is why it is important to set up and verify your website in Google Search Console. If it picks up any suspicious activity on your site, it’ll send you a notification via your Message Centre. Not all webmasters check their Message Centre regularly, so you should have these notifications set up to forward to your email account, to ensure that you receive them quickly after they’re sent.
Change your CMS settings from the default
A lot of malicious website attacks are carried out by automated systems which depend entirely on sites using the default CMS settings. These are the most common attacks on websites, and the weakness can be rectified simply by changing your settings. Make sure you adjust things like comment controls, visibility of user information and file permissions to bolster your security and protect your site further.
Schedule in a regular scan of your website using one of the many scanning services out there – if you haven’t used one before, tools like Norton Safe Web, McAfee SiteAdvisor and Google Safe Browsing Diagnostics are all safe bets. These services will pick up on malware and suspicious pieces of code that may have latched onto your website, so that you can remove them as soon as you find them. If you neglect regular scans, your site could be vulnerable to hidden code or suspicious malware coming in under your radar and infecting potentially thousands of users’ devices.
Work from a safe computer
Try to avoid updating or maintaining your website from a public computer, if you can help it. Access it only from your own device, and ensure that your software is up to date, that the device is free of viruses and that you have carried out a malware / anti-virus check recently.
Subscribe to security updates
Many hosting companies and publishing platforms have their own RSS feed providing updates on security issues. Stay up-to-date on the latest happenings on your platform, as well as gaining useful insight into improving your security or closing known loopholes.
Keep your site clean
Attackers rely on hidden files, redirects and remote inclusions tucked away in the deep directories of your website to plant and deliver their malware. Ensure that your site is cleaned up regularly by deleting any content or files that your site isn’t using.
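Several of the checks above (unexpected spam keywords, file permissions, and hidden or unused files) can be scripted against a local copy of the site. The following is an added example, not part of the original article or any Google tool; the allowlist of hidden names, the file extensions scanned and the sample site are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Terms the article lists as common signs of injected spam content.
SPAM_TERMS = re.compile(r"\b(casino|viagra|loans)\b", re.IGNORECASE)
# Assumed allowlist of hidden names a site legitimately uses; adjust per site.
ALLOWED_HIDDEN = {".htaccess", ".well-known"}
TEXT_EXTENSIONS = {".html", ".htm", ".php", ".js", ".txt"}

def audit_webroot(root):
    """Walk a web root and return sorted (finding, relative_path) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith(".") and name not in ALLOWED_HIDDEN:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(("hidden", rel))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.stat(path).st_mode & 0o002:  # world-writable permission bit
                findings.append(("world-writable", rel))
            if os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if SPAM_TERMS.search(fh.read()):
                        findings.append(("spam-term", rel))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree: clean pages plus three planted problems."""
    pages = {
        "index.html": ("<h1>Welcome to our bakery</h1>", 0o644),
        ".htaccess": ("Options -Indexes\n", 0o644),
        "uploads/cache/.old.php": ("<?php /* leftover */ ?>", 0o644),
        "uploads/promo.html": ("<a href='#'>Best online CASINO</a>", 0o644),
        "config.php": ("<?php $debug = false; ?>", 0o666),
    }
    for rel, (body, mode) in pages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(*audit_webroot(site), sep="\n")
```

A site that legitimately uses one of the listed terms (a lender writing about loans, for example) will need the term list adjusted, so treat each hit as a prompt to review the file rather than as proof of compromise.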
These simple steps will help to enhance the security of your website significantly – and while there is no guarantee that you’ll never be hacked, you’ll be one step ahead if you continue to keep up with these tips and steps. Be prepared, be vigilant and be pro-active about your security, and you (and your users) should stay safe.
View the full Google study for more on this topic here: Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension.