For many small to medium sized businesses, website security is an afterthought. Given the perceived complexity and cost associated with protecting themselves against hypothetical attacks, it’s not surprising that companies choose to focus their resources on “more important” activities. A security breach is something that only happens to “other” people, right?
The sad truth is that if you’ve got a website, whether it’s a personal blog or an online storefront, then it’s going to be a target of malicious hackers and other miscreants sooner or later. Every day, millions of websites are scanned for security vulnerabilities using automated software executed by people known as “script kiddies,” who like to cripple websites for sport and bragging rights. They’re typically wayward teens or maladapted adults who crave attention, are angry at the world, or are just bored with their lives. Taking their frustrations out on innocent people (and some not-so-innocent people, to be fair) fills a void or makes them feel as if they’re “making a difference” in the world.
WordPress and other content management system (CMS) platforms are the most popular targets for attack. Common attacks include, but are not limited to, website defacement, cross-site scripting (XSS), SQL injection, sending spam email from the victim’s account, and distributed denial-of-service (DDoS). According to website security company Sucuri, DDoS threats combined with extortion schemes are becoming more prevalent outside the realm of big corporations:
Even though the media and security companies were already talking about this DDoS extortion threat, for most webmasters it felt like a foreign threat only affecting very large institutions and financial websites.
However, over the course of the last couple of months, we started to see an increasing number of extortion attempts against more average-sized sites. Everything from forums, small e-commerce and even some online gaming properties started receiving the threats and being DDoS’ed.
In a DDoS extortion campaign, the attacker sends a threatening email to the target, claiming that if the ransom (usually requested as Bitcoins) is not paid by a certain date, then the victim’s server will be DDoS’ed. To prove that it’s “not a joke,” the attacker will perform a minor DDoS that won’t crash the server but will hopefully send a message, so to speak.
The result of a major DDoS attack is that the website will be unavailable to its users until the attack subsides. Potentially thousands of requests hit the server simultaneously, and most websites are ill-equipped to deal with that load. If you’re running a business, such an event will likely damage your company’s reputation and cause lost revenue.
Ignoring the necessity of website security may also negatively affect your search engine rankings. If Google discovers that your site is a victim of a successful hacking attempt, it may drop your rankings, remove your site from its index, or place a notice to Google users next to your listing that says, “This site may harm your computer.”
To avoid being vulnerable to certain kinds of attacks, it’s important to keep your CMS (and any plugins or add-ons that you may be using) up to date, installing the latest versions as they become available. In addition, avoid usernames and passwords that are easy to guess or that can be discovered through a so-called “dictionary attack.” Also make sure that your web developer understands the importance of “server-side input validation,” and of keeping user input separate from query text, to guard against SQL injection (if your site is running a database on the back end).
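To make the SQL injection point concrete, here is an added example (not code from this site or from any CMS) that puts a string-concatenated lookup next to a parameterized one over a small constructed in-memory table, with an allow-list check on the username in front of the query. The table contents, the `validate_username` rule and the function names are assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for a CMS user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is pasted into the SQL text, so a quote inside it
    can change the query's structure instead of being compared as data."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the driver sends the value separately from
    the SQL text, so it is only ever treated as a value to compare."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def validate_username(username: str) -> bool:
    """Server-side allow-list check run before any query. The rule
    (3-32 characters of lowercase letters, digits or underscore) is an
    assumed policy for this example, not a CMS default."""
    return re.fullmatch(r"[a-z0-9_]{3,32}", username) is not None


if __name__ == "__main__":
    db = make_db()
    textbook_input = "x' OR '1'='1"  # the classic tautology seen in scanner logs
    print("vulnerable, normal input:", find_user_vulnerable(db, "bob"))
    print("vulnerable, bad input:   ", find_user_vulnerable(db, textbook_input))
    print("safe, bad input:         ", find_user_safe(db, textbook_input))
    print("validation rejects it:   ", not validate_username(textbook_input))
```

The vulnerable lookup returns every row for the tautology input, while the parameterized lookup returns nothing and the allow-list check rejects the input before a query is ever built.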
DDoS prevention and mitigation are best handled by professionals in the security industry who provide such services. Another option is to use a web hosting provider or content delivery network (CDN) that is capable of absorbing DDoS traffic, so that your website experiences little or no downtime if such an event were to occur.
Contact us to learn how we can design and develop a beautiful, functional, and secure website for your business.