Website security should be at the top of everyone's to-do list with the recent ransomware attack. Been hiding under a rock? Then please, read about it.
Ransomware is a form of extortion. Digital extortion. Your website is essentially hacked and after a ransom (in bitcoin) is paid, your site will be restored.
The digital age is awesome. But nothing is perfect. And unfortunately dealing with illegal access to your business through your website is a reality. A reality that impacts thousands each day.
Website security is analogous to whack-a-mole. As soon as one vulnerability is "patched," another is exposed. A constant cat-and-mouse game.
But there is hope. You can take a stand now. And reduce the chance of becoming a victim.
There are some basic steps we all can take to reduce the chance of getting hacked, or of ransomware or malware (malicious software) being injected into your files, rendering your website useless.
So What To Do
Vulnerabilities in software are constant. Once these "open doors" are discovered, patches are issued. Patches are updates to software that close these doors.
They are also constant. In the case of WordPress plugins, it is common to see multiple updates each week. Especially when it comes to e-commerce plugins like ECWID.
As soon as they are released, you need to install them. It's not difficult. Rarely if ever does it cause any downstream problems, such as something breaking in your site. All it really involves is constantly (i.e. daily) checking your plugin page for updates.
Login vulnerabilities have three essential components: the address a user goes to, the username and the password.
Again using WordPress as an example (30% of websites are WP), the address to log in, also known as the admin page, is standard. And I would speculate 95% of all WP sites have the same address, absent the domain name. To change that, try a nice tool like WPS Hide Login for example.
Knowing the address makes it a lot easier to access a site. Next comes the username. Prior to a few years ago everyone used "admin." So much so it is now restricted with many hosts. So people have become smart. They likely use "admin1." True in the new username, sarcastic in the smart comment.
And lastly the password. I'm amazed at how many use something rather simple to figure out. Rather than some more complex, randomly generated, alphanumeric entry, they use their name and birthdate for example.
Are You Prepared
Do you have a plan in place? Not only should you do all you can to reduce the chance of someone gaining entry or injecting malware. You should also have a recovery plan in place.
Thirty days of rolling backups to restore files before they were corrupted, for example. Reducing the time between when an attack begins and when you identify it is happening. Or having resources to turn to in case you need files restored, cleaned up, malware removed.
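An added example (not part of the original post) of the thirty-day rolling backup described above: it archives the site, prunes archives that fall outside the window, and picks the newest archive taken before a suspected compromise. The archive naming scheme site-YYYY-MM-DD.tar.gz, the directory layout and the function names are assumptions made for illustration.

```python
import datetime as dt
import tarfile
from pathlib import Path

RETENTION_DAYS = 30  # the rolling window suggested in the text
PREFIX = "site-"     # assumed archive naming: site-YYYY-MM-DD.tar.gz


def backup_date(archive: Path):
    """Return the date encoded in an archive name, or None if it is not ours."""
    name = archive.name
    if not (name.startswith(PREFIX) and name.endswith(".tar.gz")):
        return None
    try:
        return dt.date.fromisoformat(name[len(PREFIX):-len(".tar.gz")])
    except ValueError:
        return None


def rolling_backup(site_dir: Path, backup_dir: Path, today: dt.date):
    """Archive site_dir as today's backup, then prune archives outside the window."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    target = backup_dir / f"{PREFIX}{today.isoformat()}.tar.gz"
    with tarfile.open(target, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    cutoff = today - dt.timedelta(days=RETENTION_DAYS)
    removed = []
    for archive in sorted(backup_dir.iterdir()):
        stamp = backup_date(archive)
        if stamp is not None and stamp <= cutoff:  # unrelated files are never touched
            archive.unlink()
            removed.append(archive.name)
    return target, removed


def latest_backup_before(backup_dir: Path, compromised_on: dt.date):
    """Pick the newest archive taken strictly before the suspected compromise date."""
    dated = [(backup_date(p), p) for p in backup_dir.iterdir()]
    clean = [(d, p) for d, p in dated if d is not None and d < compromised_on]
    return max(clean)[1] if clean else None


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample site
        site = Path(tmp, "site")
        site.mkdir()
        (site / "index.php").write_text("<?php // constructed sample file")
        print(rolling_backup(site, Path(tmp, "backups"), dt.date.today()))
```

Keep the backup directory somewhere the web server account cannot write to, so that whatever corrupts the site files cannot also overwrite the archives.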
Like a good boy scout, be prepared. The time for preparation is before, not after an attack. Unfortunately for many it's not a question of if. But rather when. But it does not have to be.