While recovering your site from a hack or spam attack may be necessary sometimes, it’s better to avoid having to in the first place. So how do you keep hackers out of your site?
Last week we touched on some basics of passwords, user IDs and other simple preventative measures after recovering a hacked website. Now let’s go into these things and more in greater detail, and how you can set your site up to be more trouble to hack than it’s worth. That’s really your best defence against getting hacked – make it a lost profit scenario for the hackers!
Your Account Logins
Your website will have several logins associated with it. This will include your hosting account, domain registration account, FTP account, and at least one email account that you used when you registered your domain/hosting accounts. You may also have other logins for a CMS system (for example WordPress, Drupal, etc.), and so on. We’ll go through each of these in more detail below.
First off, what does a login consist of? Well, it has 2 main parts, the User ID (or Username) and the Password. To log in to an account, you need to know both your User ID and your Password. Anyone who knows both therefore has full access. In other words, protect them and make them as hard to guess as possible.
Now let’s go through the main logins you’ll likely have, and what the main risks are for each.
Domain Registration Account
A domain is a website address, or URL. It basically tells the computer what website to deliver. This account then, is the account you used to register your website address with. It may also be combined with your Webhosting account (or host account) as well, but we’ll get into what that part is later.
This account will need to have your personal information stored in it, as this is required by law to register a domain. You will probably also have billing information stored here as well. This means it holds all the information needed for credit card fraud or identity theft. All your domain records are also stored and controlled from here, meaning a hacker could redirect all your traffic to a site of their own choosing.
Web Hosting Account
A host is a powerful computer that stores a large amount of data for a network, and is also called a “server” because it serves files and apps to other computers. In the case of a web server (or web host), it serves websites.
This account then, is your access to your space on your host’s servers. This means you can control a lot of things about your website and your hosting account from here.
This account is typically where you access any online databases you use for your website. Your FTP accounts (we’ll explain this later) are also controlled from here. You can also activate/deactivate apps or features your host provides for you. You may even be able to directly manipulate files from here, as most hosts now offer a file manager app. Again, you may have billing and personal info stored here as well.
File Transfer Protocol (FTP) Account
FTP is the set of instructions computers use to move files around between computers. This means anyone who has access to one of these accounts can directly upload, download, copy, move, create, delete and edit files on your host. In other words, with this account, a hacker could do almost anything to your website.
Email Accounts
This includes both the email account you registered your website under, as well as any emails you have provided as part of your hosting plan, such as company branded emails.
The risk here is that if a hacker gains access to the email you registered your site under, they can use it to reset your password, effectively locking you out of your own account, and can then log in to your account normally at will.
Gaining access to managing any email services you get with your hosting account means a hacker could create a branded email for their own use under your brand, to spread malware, spam or other cyber attacks, while your company takes the blame. They can also gain access to existing company email accounts and access valuable data, trade secrets and again, use your accounts to send spam.
Content Management System (CMS) Accounts
A CMS is a program designed to help in building or editing website contents in a convenient text or word processor style editor, and converts your edits into web code automatically.
While these tools are very convenient in that you don’t need to know any web programming to maintain your website, they also create more ways a hacker can get at your website. This is because these systems run off of having user accounts with a login to gain some level of access to modifying site contents. This can include being able to add programming code onto pages, upload files, and much more, depending on the exact system used and how much access that user is allowed.
In other words, if a hacker can manage to somehow gain the highest level of access to one of these accounts, such as an administrator (admin) account, then they can do a great deal of damage.
The Best Defense Against a Hacker Just Logging In
The best way to guard yourself against a hacker being able to just log in is to have a strong username and password, and don’t give either out. Keep them safe where they can’t be easily stolen. Generally, the most attention is given to the password being strong, but a weak username that the hacker can easily get means the hacker is already halfway there to hacking your login. So both must be strong and kept as secret as possible.
Sadly, it isn’t always possible to have a strong username or to keep it 100% secret, as some sites automatically assign your username based on some info you were required to provide them, such as your email address or real name. Although this is unfortunate and does make the hacker’s job a little easier where it exists, do try to choose a strong username whenever you have the choice, and do ask those that don’t give you a choice to change their system so you can choose.
Remember, it takes both the right username AND password to access your account. If a hacker gets your password right, but doesn’t know your username, they still won’t get in. So having both be strong and hard to guess will make the hacker’s job exponentially harder as they’ll have to guess both your username and your password to get in. Even with unlimited attempts and the most powerful computers in the world, it could still take months or years to go through all the possible combinations in sequential order this way.
What Is a Good Username?
First of all, it should be something you will remember, but that anyone else would be unlikely to guess by knowing or researching you. It should also not be something common.
For example, some poor choices of CMS (eg WordPress) logins would be:
- <your company name>
- <your personal name>
- <your website address>
Most hacking attempts on your website will be a fully automated attack that’s programmed to use some combinations or variations on these 5 things as the username, then go through the most common passwords, followed by systematically going through words in the dictionary and then all possible character combinations. As you can imagine, there are a lot of possible user IDs and passwords, so the less likely they are to get lucky and hit the right combo early on, the less likely you are to get hacked this way.
What Makes a Strong Password?
Generally, what holds true for a strong username also holds true for a password. In addition, you will want to make extra sure you aren’t using only words out of a dictionary, proper names, or worse yet, words someone who knows you or researches you would be likely to guess that you would use. Some examples of bad passwords include:
- <your username>
- <your own name>
- <the name of someone you know (eg: spouse, parent, child, sibling, friend, etc)>
- <a word from the dictionary that’s meaningful to you>
- <your pet’s name (especially if you post about your pet online a lot)>
- <your favorite sports team/player>
- <your favorite hobby>
- <a place you’ve been/want to go to>
Basically, anything anyone could easily guess or research to find out is a likely candidate. While the above list isn’t in any particular order, generally the closer to the top it is, the faster a hacker may be able to guess it. In general, the more random both the user ID and password are, the harder they will be to guess by researching you or just brute forcing all possibilities.
To make a password strong, even against attempting to guess all possibilities, it’s best to have a mixture of uppercase letters, lowercase letters, numbers, and punctuation/special characters.
Many sites actually have password complexity requirements that force you to use at least 1 of each of these in your password. A common thing many people will do though to “defeat” these complexity requirements is to add a token capital letter at the beginning and a token number and special character at the end. This really defeats the purpose of these requirements, however, and in the end, the only thing you’re defeating is yourself. Most hackers are wise to these “cheats” and include them in their common password guesses before they get into the guessing all possible key combinations attacks.
So to be truly strong in your login, place your capital and lowercase letters in no particular pattern, place your numbers anywhere in your password, and again, place your special/punctuation characters anywhere in your password.
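As an added example (not code from the original post), here is a small Python checker that applies the rules above: it requires all four character classes, flags the “token” cheat shape the post describes (one capital at the front, a lowercase word in the middle, digits and specials only at the end), and rejects passwords built on a researchable word. The word list and the 12-character minimum are assumptions made for the example.

```python
import re
import string

# Constructed stand-in for the "common password" guesses and the words a
# hacker could research about you (company, pet, username, etc.).
GUESSABLE_WORDS = {"password", "welcome", "fluffy", "acme", "jsmith"}

# Assumed minimum length for the example; the post itself gives no number.
MIN_LENGTH = 12

# The "cheat" shape: optional single capital, lowercase word, then only
# digits/punctuation tacked on the end (e.g. Fluffy1! or Password2024!).
_SPECIAL = re.escape(string.punctuation)
TOKEN_PATTERN = re.compile(rf"[A-Z]?[a-z]+[0-9{_SPECIAL}]{{1,6}}")


def has_all_classes(pw: str) -> bool:
    """Upper, lower, digit and punctuation must all be present."""
    return (any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def is_token_complexity(pw: str) -> bool:
    """True when the classes are only present as a bolt-on at the ends."""
    return TOKEN_PATTERN.fullmatch(pw) is not None


def contains_guessable_word(pw: str) -> bool:
    """Strip digits/symbols and look for a researchable word inside."""
    letters_only = re.sub(r"[^a-z]", "", pw.lower())
    return any(w in letters_only for w in GUESSABLE_WORDS)


def assess_password(pw: str) -> list[str]:
    """Return the list of problems found; an empty list means it passed."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not has_all_classes(pw):
        problems.append("missing a character class")
    if is_token_complexity(pw):
        problems.append("token capital/number/special pattern")
    if contains_guessable_word(pw):
        problems.append("contains a guessable word")
    return problems
```

Note that "Password2024!" satisfies a typical site’s complexity rule yet fails here, which is exactly the point the post makes.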
Website Firewalls
By now, most people have a firewall protecting their computer, their office network and so on, so why not your website? This does not replace strong logins, but adds to them. A weak login will still defeat a firewall, as it would have to let a registered user who is properly logged in through.
What a firewall does do is protect against suspicious activities that are characteristic of a hacker. Since hackers are generally after similar goals, that being to gain unauthorized access to your site, they will have to follow certain patterns to gain that access.
An example of such a pattern is repeated failed login attempts. This is a likely sign of someone trying to brute force a login by guessing through trial and error. A good firewall, properly configured, will detect this activity and either lock out the account being accessed or, better still, lock out the IP address(es) the failed logins are coming from.
These features are usually set to trigger after a certain number of failed logins within a certain amount of time, such as after 5 failed logins in 10 minutes, for example. You don’t want such lockouts set too strict as it can block legitimate users who merely mis-typed their password, but you also don’t want it set too lenient either, as that just allows hackers more attempts to guess a login before getting shut down.
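To show how the threshold in the previous paragraph (5 failed logins in 10 minutes, per source IP) actually behaves, here is an added Python example that is not part of the original post. It runs the rule over a constructed sample of login audit lines; the log format, the decision to reset the counter on a successful login, and the IP addresses are all assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5        # lock out after this many failures ...
WINDOW_MINUTES = 10     # ... inside this sliding window

# Constructed sample audit log: "<date> <time> <client ip> <result> <username>".
# 203.0.113.5 hammers five names in six seconds; 198.51.100.7 is a user who
# mistyped once; 192.0.2.9 spaces its guesses out to stay under the threshold.
SAMPLE_LOG = """\
2024-05-01 09:00:01 203.0.113.5 FAILED admin
2024-05-01 09:00:03 203.0.113.5 FAILED admin
2024-05-01 09:00:04 203.0.113.5 FAILED administrator
2024-05-01 09:00:06 203.0.113.5 FAILED acme
2024-05-01 09:00:07 203.0.113.5 FAILED acme
2024-05-01 09:01:00 198.51.100.7 FAILED jdoe
2024-05-01 09:01:30 198.51.100.7 OK jdoe
2024-05-01 09:20:00 192.0.2.9 FAILED jdoe
2024-05-01 09:25:00 192.0.2.9 FAILED jdoe
2024-05-01 09:31:00 192.0.2.9 FAILED jdoe
2024-05-01 09:36:00 192.0.2.9 FAILED jdoe
2024-05-01 09:41:00 192.0.2.9 FAILED jdoe
"""


def parse_line(line: str):
    date, time, ip, result, user = line.split()
    return datetime.fromisoformat(f"{date} {time}"), ip, result, user


def find_lockouts(log_text: str, max_failures: int = MAX_FAILURES,
                  window_minutes: int = WINDOW_MINUTES) -> dict:
    """Return {ip: time_of_lockout} for every IP that trips the rule."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    lockouts = {}
    for line in log_text.splitlines():
        ts, ip, result, _user = parse_line(line)
        if ip in lockouts:
            continue                # already blocked; later lines are moot
        if result != "FAILED":
            recent[ip].clear()      # assumption: a good login resets the count
            continue
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()      # drop failures older than the window
        if len(failures) >= max_failures:
            lockouts[ip] = ts
    return lockouts
```

Widening the window to 30 minutes also catches the slow guesser at 192.0.2.9, which illustrates the strict-versus-lenient trade-off the paragraph describes.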
Firewalls also offer many other types of protection against many other types of attacks, but the exact features and threats they protect you from will vary from firewall to firewall, and even based on what service level you choose. In general, the more expensive the plan, the more complete and thorough the protection.
Once again, if you’ve had any experiences with getting hacked, have any questions or feedback, feel free to leave a comment below.