How to Make Your Website Hacker-Proof
Hackers are constantly breaking into innocent websites and using them to infect visitors with malware, lure them to dodgy sites and infiltrate databases to grab sensitive customer information. But you can avoid trouble -- or eliminate it quickly -- by taking some relatively simple steps.
Each day, Google identifies 9,500 malware-infected websites, about 4,000 of which are legitimate sites compromised by hackers. About half of these victims learn they've been hacked when they see the same browser and search-engine danger warnings their customers see, a sign they've been blacklisted, according to a survey by StopBadware, a nonprofit anti-malware organization in Cambridge, Mass. Some 45 percent are notified of the problem by one of their technology providers -- a much better scenario.
Small businesses are especially vulnerable to hacking because they usually lack the technology expertise and site security that larger companies have. They also suffer more if their lack of expertise slows repairs and their ability to get back to work. Business owners can lose significant online traffic and sales if their site lands on blacklists operated by Google and other search engines.
Take MetroSeeker.com, an Austin, Texas-based startup that offers online guides to cities' "personalities," for instance. The site was down for a week in early June after hackers broke in and pointed all its links to sites selling Viagra. Exactly how hackers got in wasn't clear, so CEO Ysmay Gray tackled every entry point. In addition to cleaning all links, MetroSeeker erased and rebuilt its server, upgraded its content management software, and revamped how employees log in and change site content. "I'm a little paranoid now," Gray says.
MetroSeeker.com's recovery required the full-time work of three people and significant help from the company's hosting service, DreamHost, Gray says. While it achieved a clean bill of health from Google's Webmaster Tools service more quickly, Web searches triggered a scary warning that "This site may be compromised" for more than three weeks, casting a shadow over the new business, she says. When contacted about the issue, Google said residual "spammy content" in search results caused the warning, but that it would remove it because the spam itself was gone.
"A lot of people will have to tangle with [a hack] at some point in time," laments Maxim Weinstein, executive director of StopBadware. His advice for small companies? "Secure everything." Here's how to get started:
Keep your software up to date.
Hackers aggressively target security flaws in popular Web software such as content management systems and blogging programs so they can attack websites en masse. Stay out of the line of fire by using the latest versions of software and applying security patches promptly.
"Sites that get infected and clean up, but don't fix the vulnerability in their software, just get re-infected," says Lucas Ballard, a software engineer with Google's Safe Browsing team. He urges webmasters to address the underlying weakness that enabled the hack, as well as remove hackers' malicious code from site pages.
Related: Keeping Passwords Out of the Hands of Hackers
Use strong passwords and keep them safe.
Using strong passwords is crucial because hackers frequently attempt to crack or steal passwords for web software and FTP servers, which are computers that use the File Transfer Protocol to move web pages and other files to another computer, such as a Web-hosting server. Default, common or predicable passwords can be easily broken.
Also make sure to protect your PCs from a virus infection since that can lead to the theft of site passwords. A February 2010 infection in a computer belonging to freelance writer and editor David Congreave allowed hackers to steal his FTP password and plant malware that tried to infect visitors to his sites. Luckily, the malware was buggy, and he noticed the problem immediately. His hosting service, Hostgator, removed the malicious code in hours. Congreave changed his password and began using CuteFTP for more secure file management.
Register with Google's Webmaster Tools.
Getting on Google's blacklist, which is used by the search site and the Chrome, Firefox and Safari browsers, can reduce traffic to your site. By registering with Webmaster Tools, you can receive notifications of malware infections immediately, sometimes before blacklisting occurs, so you can get rid of them faster. The service also provides details about the precise problem Google is seeing. That can speed your clean up and your return to Google's good graces.
Get expert help.
Companies that are heavily dependent on their websites may want to hire a firm that provides alerts if they get on a blacklist, monitoring for malicious activity, scanning for security vulnerabilities or help with repairs after a hack. Firms that serve smaller companies include Stop the Hacker, SiteLock, Sucuri and Qualys. Prices start at about $90 a year. Businesses that have databases with sensitive customer information connected to their sites should get help building security into their sites and scouring software code for bugs.