I am a fan of WordPress and sometimes recommend it to my clients. When your goals and business plans align with what WordPress can do, I find it a great tool to use. Sure, there is a learning curve involved, but yes, you can learn it. It is a new skill you acquire, comparable to learning to drive a car.

I recently noticed a customer completely neglecting security issues with their website. I was contacted by someone who had a working WordPress website that needed a redesign, and the website had not been updated for two to three years. When I heard that, I was surprised. This customer had never thought about website security and was completely oblivious to this matter.

What is the risk of neglecting security on your website?

A website that has not been updated for three years is a huge security risk: every vulnerability fixed in the code since then is still wide open there, and these publicly known holes are exactly what attackers look for.

Hackers know that small businesses are a bit more lax when it comes to security, and this is one of the reasons small businesses are being attacked more frequently these days. Even if a small business website is not specifically targeted, it is still highly plausible that it could be caught up in a wide-ranging attack. Most of today’s attacks are carried out by machines running software, not by people.

The objective of such an attack is usually to steal and exploit confidential data.

For my client who had not updated either the WordPress software or any of the plugins for almost three years, this could mean that malicious code had already been injected into the application, because its loopholes had been open for a long time.

It would be very time-consuming to run thorough security checks on such an insecure website, and I would probably recommend setting up a fresh WordPress installation instead. Personally, I would refuse to redesign a website without improving its security first.

An example

I had recently set up a new website with WordPress installed but otherwise completely empty. Anyone visiting the URL would have seen only a blank white screen. It was literally untouched.

To my surprise, I began to notice that this new website recently received a lot of traffic. In just 3 days it got almost 140,000 visits with a peak of 70,000 visits in a single day. 70,000!

Okay, let’s do the math here: an hour has 60 minutes and there are 24 hours a day, which adds up to 1,440 minutes a day. 70,000 visits in a day are equivalent to about 50 visits per minute. That’s almost one hit per second!

It is highly unlikely that this was accomplished by a human hacker. A human would have had to pull the trigger almost every second for 24 hours. Therefore, I think it is correct to assume that there was some machine behind this attack.

Stats

The carefree security attitude of one of my clients reignited the spark to write a post about website security. It is not the first time I have had the impression that many people (and surprisingly many business owners!) show very little security awareness for their websites.

I did some research and found some figures that I personally find quite alarming. We’ve all heard of the big attacks that have already hit the mainstream media, and probably because these attacks happened to large corporations, many small business owners don’t think they need to worry much.

However, I really want you to take a look at these numbers:

SMEs often do not believe they are at risk:

  • 97% did not prioritize improving their online security for future business growth
  • 82% believe they are not targeted as they have nothing worth stealing
  • 32% believe they will not suffer any loss of revenue from a day’s downtime due to an attack

SMEs lack the resources or knowledge to defend themselves against attacks:

  • 31% do not have an action plan
  • 24% think cyber security is too expensive to implement
  • 22% admit they don’t know where to start

A survey conducted by PwC in 2015 revealed that cybercriminals are shifting their focus to midsize companies, as large companies improve their data security. There is a general assumption that smaller businesses are safe from cybercriminals because they think their data is not valuable, so they are not taking steps to protect themselves against security risks.

A word about hackers

Hackers are people like you and me. They are hunters. Sometimes they have a goal in mind and sometimes they just want to have fun.

They are constantly moving in cyberspace and looking for where they can find something. The most capable are targeting large corporations, looking for sensitive data that can be captured and exploited in the gray market. Others are just browsing and testing a site, looking to see if the website owner lacks security basics and has commonly known security holes open.

On my website, I see that at least once a week someone is trying to access the main files of my application. They are testing whether I left everything at the defaults, which would make it easier for them to get in and leave a snippet of code behind. They usually try only once, because no, I have not left everything at the defaults.

Others try to get into my database by guessing different usernames and passwords. They don’t get very far either, because their IP address is blocked after a few attempts.
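The two observations above (the flood of roughly one request per second on an empty site in the example section, and the login guessers who get blocked after a few attempts) are both things you can read straight out of a web server access log. The script below is an added example, not code from the original post or from any plugin it mentions: it parses Apache/Nginx "combined" log lines, finds each client's peak requests per minute, counts POSTs to `wp-login.php`, and reports the addresses that cross a threshold. All log lines, IP addresses and thresholds are constructed for the example.

```python
"""Spot automated traffic in a web server access log (added example).

Parses combined-format lines, computes each client's peak requests per minute
and its number of login POSTs, and flags clients that look like tools rather
than people. Sample data below is constructed; thresholds are illustrative.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one human visitor, one password guesser, one scanner burst.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2016:08:15:02 +0000] "GET / HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2016:08:15:40 +0000] "GET /about/ HTTP/1.1" 200 3811 "-" "Mozilla/5.0"',
]
# A failed WordPress login re-renders the form with status 200; a success redirects with 302.
SAMPLE_LOG += [
    f'203.0.113.9 - - [10/Mar/2016:08:20:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2611 "-" "python-requests/2.9"'
    for sec in range(0, 12, 2)
]
# 45 requests inside a single minute, all to pages that do not exist.
SAMPLE_LOG += [
    f'198.51.100.77 - - [10/Mar/2016:08:31:{sec:02d} +0000] "GET /?p={sec} HTTP/1.1" 404 0 "-" "-"'
    for sec in range(45)
]


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def summarize(lines):
    """Per-IP totals: request count, requests per minute bucket, login POSTs."""
    stats = defaultdict(lambda: {"requests": 0, "per_minute": Counter(), "login_posts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines instead of aborting the whole run
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["per_minute"][rec["ts"].replace(second=0)] += 1
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            s["login_posts"] += 1
    return stats


def peak_requests_per_minute(s):
    """Busiest single minute for one client; 0 if it made no requests."""
    return max(s["per_minute"].values(), default=0)


def flag_ips(stats, max_rpm=30, max_login_posts=5):
    """Return {ip: reason} for clients that behave like automated tools."""
    flagged = {}
    for ip, s in stats.items():
        rpm = peak_requests_per_minute(s)
        if s["login_posts"] >= max_login_posts:
            flagged[ip] = f"{s['login_posts']} POSTs to wp-login.php"
        elif rpm > max_rpm:
            flagged[ip] = f"peak of {rpm} requests in one minute"
    return flagged


if __name__ == "__main__":
    for ip, reason in flag_ips(summarize(SAMPLE_LOG)).items():
        print(f"{ip}: {reason}")
```

Run against a real log, the flagged list is what a rate-limiting or login-protection plugin such as Wordfence acts on automatically; the thresholds here are only a starting point and should be tuned to the site's normal traffic.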

“Security is a process, not a product, and that process is endless.”

Here’s what you can do about it

For any company with an online presence, ensuring their systems are secure and remain secure is critical to ensuring they remain in business. The threat of attack is always there, but there are many things you can do to protect yourself from risk. Remember, the most dangerous course of action would be to ignore the threat.

Here are some steps you can take:

  1. Back up your computer’s hard drive to an external hard drive and set up a regular backup routine. (If you’re on a Mac, it’s best to use Time Machine to create backups.)
  2. Set up a backup plan for your website. If you have WordPress, there are some very good plugins that you can use to back up your entire website on a regular basis. The top rated plugins for this purpose are VaultPress and BackupBuddy.
  3. This step is again aimed at WordPress sites: Install a security plugin or two to help you close frequently exploited loopholes. I can recommend Wordfence, which comes in a free and a premium version and is quite useful even in its free version. Wordfence starts by checking whether your site is already infected with malware, and then keeps protecting it. Another useful plugin is Acunetix WP Security, which scans your installation for security vulnerabilities.
  4. If you have an ecommerce store, apply an SSL certificate to your website. It ensures that data travels encrypted from your visitor’s browser to your server.
  5. Always keep your software up to date. Pay attention when these little pop-up notifications in your WordPress application tell you that a new version is available. Find out what the update is about and apply the new version as soon as possible (but make a backup beforehand).
  6. Keep your WordPress theme up to date as well.
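Step 2 above asks for a regular backup of the whole website. To show what such a routine actually has to do, here is an added example, not code from the original post and not how VaultPress or BackupBuddy work internally: it archives `wp-content/` and `wp-config.php` under a timestamped label, writes a SHA-256 manifest so a later restore can be checked for corruption or tampering, and keeps only the newest N archives. The site tree that `demo()` works on is constructed in a temporary directory. A real routine would also dump the database (for example with `mysqldump`); that part is left out because it needs a live server.

```python
"""File backup with integrity manifest and retention for a WordPress site (added example).

Covers files only; the database dump a real backup also needs is omitted.
The sample site built by build_sample_site() is a constructed placeholder.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

BACKED_UP_PATHS = ("wp-config.php", "wp-content")  # the parts a WordPress reinstall does not restore


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name.replace(".tar.gz", ".manifest.json"))


def make_backup(site_root: Path, backup_dir: Path, label: str) -> Path:
    """Write backup_dir/site-<label>.tar.gz plus a SHA-256 manifest of every file in it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"site-{label}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in BACKED_UP_PATHS:
            target = site_root / rel
            if not target.exists():
                continue
            tar.add(target, arcname=rel)
            files = [target] if target.is_file() else [p for p in target.rglob("*") if p.is_file()]
            for p in files:
                manifest[p.relative_to(site_root).as_posix()] = sha256_file(p)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive


def verify_backup(archive: Path) -> bool:
    """Re-hash every file inside the archive and compare against its manifest."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tarfile.open(archive, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        if set(members) != set(manifest):
            return False  # a file was added to or went missing from the archive
        for name, member in members.items():
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if digest != manifest[name]:
                return False
    return True


def prune_backups(backup_dir: Path, keep: int) -> list:
    """Delete all but the newest `keep` archives; timestamp labels sort chronologically."""
    archives = sorted(backup_dir.glob("site-*.tar.gz"))
    removed = archives[:-keep] if keep > 0 else archives
    for a in removed:
        a.unlink()
        if manifest_path(a).exists():
            manifest_path(a).unlink()
    return removed


def build_sample_site(site: Path) -> None:
    """Constructed stand-in for a WordPress install; file contents are placeholders."""
    (site / "wp-content" / "themes" / "demo").mkdir(parents=True)
    (site / "wp-content" / "uploads" / "2016").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'placeholder');\n")
    (site / "wp-content" / "themes" / "demo" / "style.css").write_text("body { margin: 0 }\n")
    (site / "wp-content" / "uploads" / "2016" / "logo.txt").write_text("constructed upload\n")


def demo() -> dict:
    """Four nightly backups, one tampered manifest, retention of three."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site, backups = root / "public_html", root / "backups"
        build_sample_site(site)
        labels = ["20160301-0200", "20160302-0200", "20160303-0200", "20160304-0200"]
        archives = [make_backup(site, backups, lbl) for lbl in labels]
        all_ok = all(verify_backup(a) for a in archives)
        # Corrupt one hash in the oldest manifest; verification must now fail.
        m = json.loads(manifest_path(archives[0]).read_text())
        m["wp-config.php"] = "0" * 64
        manifest_path(archives[0]).write_text(json.dumps(m))
        tamper_detected = not verify_backup(archives[0])
        removed = [p.name for p in prune_backups(backups, keep=3)]
        remaining = sorted(p.name for p in backups.glob("site-*.tar.gz"))
        return {"all_ok": all_ok, "tamper_detected": tamper_detected,
                "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the manifest is that a backup you have never verified is only a hope; checking the hashes before you need a restore is what turns it into a plan. Keep the archives off the web server itself, otherwise whoever compromises the site also gets the backups.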

And of course it is important that you develop the habit of backing up your data. Particularly for a small business, this can make all the difference should the worst-case scenario actually happen to you. It is a way of managing risks and also a very healthy attitude for every entrepreneur.

As long as we don’t have an effective cure for malicious hacker attacks, we must come up with smart approaches to protect our businesses. There is no miraculous way to prevent an attack, but educating people and increasing safety awareness is vital.

If you are on the IT team, as well as the sales manager and delivery driver, you probably already work 25 hours a day and may need to rely on professionals in the future. Go with what makes sense for your business and your budget, but remember that a single security incident can bankrupt you, so don’t leave this to chance!

Remember, when you are running WordPress on your website, you need to do regular maintenance. Updating and backing up your website is mandatory, not optional.
