I am a fan of WordPress, and I sometimes do recommend it for my clients to use. When their business goals and plans align with what WordPress can do, I find it a great tool to use. Surely, there is a learning curve involved… but yeah, you can do it. It’s a new skill you get, and it is comparable to learning to drive a car.
I recently noticed a client totally neglecting security issues with their website. I was contacted by someone who had a WordPress website in place that needed a re-design, and the website hadn’t been updated for two or three years. When I heard that, I was shocked. This client had not spent any thought ever about website security and was completely oblivious about this matter.
What’s the risk with neglecting security on your website?
A website that doesn’t get updated for three years is a huge security risk, because it reveals openings and vulnerabilities in the code that invites hackers.
Hackers know that small businesses are a bit more lax about security and this is one of the reasons why small businesses are being targeted more consistently nowadays. Even if a small business website is not targeted specifically, it’s still highly plausible that they could get swept up in a broad-reaching attack. Most attacks today are done by machines through software.
The goal of such an attack is usually to steal and exploit sensitive data.
For my client who hadn’t updated neither the WordPress software nor any of the plugins for almost three years, this could mean that there could have been a malicious code injected into the application, because it had loop holes wide open for a long time.
It would be very time consuming to run advanced security checks for such an unsecured website, and I would probably recommend to set up a fresh WordPress installation instead of running these checks. I personally would refuse to redesign a website without improving the site’s security beforehand.
I had recently set up a new website that had WordPress installed, but otherwise was complete empty. Upon visiting the URL, one would have only seen a white blank screen. It was literally untouched.
Much to my surprise, I began to notice that this new website recently got a lot of traffic. In only 3 days it got almost 140,000 hits with a peak of 70,000 hits in one single day. 70,000!
OK, let’s do the math here: one hour has 60 minutes, and there are 24 hours per day, which sums up to 1,440 minutes per day. 70,000 hits on one day equals about 50 hits per minute. That is almost one hit per second!
It is very unlikely that this has been accomplished by a human hacker. A human would have had to pull the trigger almost every second for 24 hours. I therefore think it’s correct to assume that there was some machine behind this attack.
The carefree security attitude of one of my clients re-ignited the spark to write a post about website security. It’s not the first time that I had the impression that many people (and shockingly many business owners!) don’t reveal much security awareness for their website.
I’ve done a bit of research and found some numbers that I personally find pretty alarming. We’ve all heard about the huge attacks that rocked the mainstream media already, and probably because these attacks happened to big corporations, many small business owners don’t think they have to worry much.
However, I really want you to have a look at these numbers:
SME’s often don’t believe they are at risk:
- 97% – of SME’s did not prioritize the improvement of their online security for future business growth
- 82% – believe they are not a target of attacks as they don’t have anything worth stealing
- 32% – believe they won’t suffer any lost revenue from a day’s worth of downtime from an attack
SME’s lack the resources or knowledge to defend against attacks:
- 31% – don’t have a plan of action
- 24% – think that cyber security is too expensive to implement
- 22% – admit they don’t know where to start
A survey taken by PwC in 2015 revealed that cyber criminals are switching their focus to medium-size firms, as large firms improve their data security. There’s a general assumption that smaller businesses are safe from cyber criminals because they think their data is not valuable, hence, they are not taking measures to protect against security risks.
A word about Hackers
Hackers are people like you and me. They are hunters. Sometimes they have a goal in mind, and other times, they just want to have fun.
They constantly move around in the cyberspace and check out where they can find something. The more capable ones are targeting the big corps, looking for sensitive data that can be captured and exploited in the grey market.? Others are just surfing around and test-hacking a site, looking to see if the website owner is lacking security basics and has the commonly known security holes open.
On my website, I see that at least once a week, someone is trying to access the core files of my application. They are testing whether I have left everything “at default”, which would make it easy for them to get in and leave a code snippet. Usually, they try it only once because “no, I have not left everything at default”.
Others try to get into my database by guessing different usernames and passwords. They don’t get very far either because they get their IP address blocked soon.
“Security is a process, not a product – and that process is a never-ending one.”
Here’s what you can do about it
For any business with any online presence, ensuring your systems are secure and remains so is critical to ensuring your stay in business. The threat of attacks is always present, but there is plenty you can do to insulate yourself against the risk. Remember, the most dangerous course of action would be to disregard the threat.
Here are some steps you can take:
- Back up your computer’s hard drive to an external hard drive and install a regular backup routine. (If you are on a Mac, it’s best to use TimeMachine to create backups.)
- Set up a backup plan for your website. If you have WordPress, there are a few very good plugins that you can use to regularly backup your entire website. The most valued plugins for this purpose are VaultPress and BackupBuddy.
- This step is targeted for WordPress sites again: Install a security plugin or two to help you close often used loop holes. I can highly recommend Wordfence, which comes as a free or a premium version, but it is pretty helpful even in its free version. Wordfence starts by checking if your site is already infected by hacks and malware, and secures it. Another helpful plugin is Acunetix WP Security, which scans your installation for security vulnerabilities.
- If you have an eCommerce store, apply an SSL certificate to your website. It helps to ensure that data is securely transmitted from your visitor’s browser session to its destination.
- Always keep your software up-to-date. Pay attention when these little notifications pop up in your WordPress application, telling you a new version is available. Educate yourself on what the update is about, and apply the new version asap (but do a backup beforehand).
- Update your WordPress theme.
And of course, it is important that you develop a habit of backing up your data. Particularly for a small business, this can make all the difference should the worst case scenario really happen to you. It is a way of managing your risks, and also a very healthy attitude for every entrepreneur.
As long as we have no effective cure for the attacks of ill-minded hackers, we need to come up with smart approaches to protect our businesses. There isn’t a miracle way to prevent an attack, but educating people and raising security awareness is vital.
If you are in the IT team, as well as the sales manager and delivery driver, you probably already work 25 hours a day, and may need to rely upon the pros going forward. Go with what makes sense for your business and your budget, but remember that a single security incident can put you out of business, so don’t leave this to chance!
Remember, when you are running WordPress on your website, you’ve got to do maintenance regularly. Updating and backing up your website is a must-do, not optional.