The CW Corner – Best practices for mitigating website hacks

We at CharlesWorks are often asked by our web clients if their site is protected from malware and getting hacked. They also want to know, if their site IS hacked, whether there will be a charge to fix it.

The totally hack-proof website

The totally hack-proof website has no access to it. So it’s not connected to the Internet. No one can view it. Such a website doesn’t sound like it’s of much use if no one can see it.

So, let’s agree that it is unrealistic to believe that a publicly accessible website can be totally hack-proof. Any website that is accessible via the public Internet is consistently subjected to attempts to break into it. Believe it or not, that’s the norm as opposed to the anomaly.

That being said, however, there ARE things you can do to mitigate website hacks. I have to stress the word mitigate here. Mitigation is defined as the action of reducing the severity, seriousness, or painfulness of something.

Site hacks are based on odds

My goal here is simply to remind you of what you most likely already know: that we can reduce the probability – the odds – of your site being hacked. We at CharlesWorks want that probability to be so low that it hopefully never happens to you.

The major hacking causes

I have been operating CharlesWorks since 1998. In my experience, there appear to be two major reasons why sites get hacked:

    • The access credentials/passwords have been compromised.
    • The software that operates them wasn’t kept up to date.

Let’s take a look at each of these below.

Compromised Access Credentials

Compromised passwords and bad actors gaining access to website login credentials are the major reason we see sites hacked. Think about this in terms of your car. You could have alarms on it. But if you make a copy of your car key and give it to someone, they can do whatever they like with the car. Whether it’s a drive along the beach or to rob a bank, your car is theirs to use with the key you gave them. Credentials – logins and passwords – work pretty much the same way.

CharlesWorks has many clients who want to be able to do things themselves. We are strong proponents of doing it yourself when it’s feasible and convenient. This is especially true for adding posts or page materials. It also makes sense when making other changes or modifications to your site. It is, after all, YOUR website.

However, many people fall prey to phishing schemes. Directly or indirectly, they usually end up tricked into giving out their website access credentials (as well as credentials to everything else they own). This is especially true if your email account is hacked and the hackers are able to access emails containing your website’s (and other) login credentials.

This problem is exacerbated if you have shared your website’s administrative or other access with others. Think of your emails containing various authorizations or login information as a potential weak link in a chain. If you have shared that information with others you have now created more weak links. This increases the odds of a potential compromise.

One of the best ways to mitigate these situations is to change your site’s access passwords so they are different from those possibly stored in your emails. And to hope that anyone you may have shared your website access with has done the same.

Obviously, should site access be gained in such a manner, it would be your burden to have the site restored. I’ll expound upon this a little more at the end of this article.

Out of Date Security/Software Updates

Malware and virus protection on home computers operates a little differently than the same types of protection on servers. Website servers operate in the publicly accessible Internet. This results in many more entry points for potential issues. There are a number of very standard server protections available (which we utilize here at CharlesWorks).

After bad actors obtaining (or guessing) your passwords, the next major reason sites get hacked involves unapplied security updates and other software update issues. At CharlesWorks we mitigate such issues by running anti-malware software on our servers. Also, WordPress sites hosted on our servers are kept up to date automatically via automatic updating of the WordPress core as well as automatic updating of the website’s plugins and themes.
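As an added illustration (not CharlesWorks’s own configuration), the following must-use plugin keeps a WordPress site on the automatic updates the paragraph describes: core, plugins, themes and translations. It relies on WordPress’s standard update filters and constants; the `cw_example_should_auto_update` function and its hold list are hypothetical names introduced here.

```php
<?php
/**
 * Plugin Name: Force Automatic Updates (example)
 * Description: Keeps WordPress core, plugins, themes and translations on automatic updates.
 * Place this file in wp-content/mu-plugins/ so it loads on every request and
 * cannot be deactivated from the dashboard by a compromised administrator account.
 */

// Fail loudly if the updater has been switched off globally in wp-config.php,
// otherwise none of the filters below will have any effect.
if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
    error_log( 'force-auto-updates: AUTOMATIC_UPDATER_DISABLED is set; automatic updates will not run.' );
}

// Core: allow both minor (security/maintenance) and major releases.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins and themes: update everything not on the hold list.
add_filter( 'auto_update_plugin', 'cw_example_should_auto_update', 10, 2 );
add_filter( 'auto_update_theme', 'cw_example_should_auto_update', 10, 2 );

// Translation files are low risk; always take them.
add_filter( 'auto_update_translation', '__return_true' );

/**
 * Hypothetical helper: decide whether one plugin or theme may auto-update.
 * $update is WordPress's current decision; $item is the update object,
 * whose ->slug identifies the plugin or theme.
 */
function cw_example_should_auto_update( $update, $item ) {
    // Placeholder list of slugs to hold back (for example a plugin that is
    // known to break the site on update and must be updated by hand).
    $hold = array();
    if ( isset( $item->slug ) && in_array( $item->slug, $hold, true ) ) {
        return false;
    }
    return true;
}

// Make sure the result of every core update is emailed, so a failed update is noticed.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

Anything placed on the hold list should be reviewed regularly, since a held-back component is exactly the kind of out-of-date software the article warns about.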

There are literally thousands of individual pieces of software that must work in unison to operate most websites. These are developed by many more thousands of developers around the world. Unfortunately, no company can guarantee that a website will never get hacked. They can only mitigate security compromises and hope against the worst.

Restoring your Website

Regardless of which of the two situations above may have led to your website’s issues, your website will most likely need to be restored. That’s because after a hack, back doors into the site will most likely have been installed so the bad actors can gain access again.

Many Internet companies claim to have automatic backups. In most cases, those backups are accessible to the user from within their account. If the account is hacked, how safe do you suppose that is?

Some Internet companies delete an account when a website is hacked. In those cases I have seen many people left with no website or backup as a result.

What I believe is most important regarding this topic is the manner in which our WordPress sites are backed up every day for 30 days. Our backups are made to separate servers – external to those the site operates on. For security reasons, the site administrators do not have access to these backups. So even with a site administrator’s compromised passwords there is no access to the backups. With these backups we can usually restore an average site in about 10-30 minutes if it needs restoring. And we can go back as far as 30 days. We would only bill our web client for the 10-30 minutes (again – for an average website), which results in only a minor charge to restore it. Note that some websites are extremely large and require much more time to restore, but these are very rare.

In my experience running CharlesWorks since 1998, we’ve built and handled more than 5,000 websites. At this point in time, I do not recall the last time a website we built and totally maintained was hacked (unfortunately I recall several instances of sites maintained by others that failed to ensure the site was updated and/or had their passwords compromised).

Sites getting hacked due to out-of-date software happens far less frequently (if at all) when security updates are kept up to date and bad actors are kept out.

I hope this helps you understand a little more about this topic.

The CW Corner – Persistent Scammers

I’ve written several articles about specific scams that are occurring on a regular basis on the Internet. They seem to subside for a short time – a very short time – and then a wave of them happens again.

One of the worst – as far as I am concerned – is the one where the email recipient is told they must verify their email. These have some common traits with most Internet scams:

1) A sense of urgency – they want you to take care of this immediately.
2) A time limit – they give you 24 hours to act.
3) A threat – they tell you your email will be locked.

The first thing you have to understand is that nearly everyone gets these on occasion. I have received them myself in which they are made to look like they are from CharlesWorks. So when our clients get these they tend to become very worried very quickly.

I can’t stress enough that most legitimate companies will not send out messages like these. To fall prey to these can be a real nightmare. With access to one’s email these days the bad guys can wreak havoc in one’s life. The worst cases are called identity theft!

Don’t be the unfortunate one who falls prey to these scammers. If you have been “notified” of something serious – call your provider up and speak with a representative. Just like at my company – it’s a lot easier for us to allay your fears than to have to try to clean up the mess that can happen with compromised accounts.

The CW Corner – Web Developer Checklist

It’s increasingly difficult sorting the good companies from the bad ones on the Internet. There are still ways to find the best, reliable web development companies. We’ve compiled this recommended checklist as a starting point. The order these are in isn’t necessarily important since ALL the points are very important!

Check to see if your web development company:

    • will ensure that YOU own your website when it’s paid for
    • is legitimately registered to do business within its State: NH MA ME VT
    • has been in business for at least 10 years
    • has several or more people
    • carries Workers Compensation on its employees
    • carries liability insurance
    • maintains a committed presence in networking groups
    • is accredited and has a good rating with the Better Business Bureau (https://BBB.org)
    • understands your community and reciprocates by referring business to you
    • has a phone contact where one can at least leave messages
    • has an email contact where one can send information
    • provides automatic site updates at no additional ongoing charge
    • backs up websites every night for at least a month
    • provides website encryption (SSL) at no additional ongoing charge
    • does not require hosting or domain contracts
    • does not overcharge you by selling you inflated monthly maintenance plans
    • provides partial hour web work billing (9 minutes work charged 9/60 of hourly rate)
    • can respond to most maintenance requests in 3-4 days
    • has general familiarity with trademark and copyright issues
    • is proficient with WordPress through experience and training

Over upcoming weeks check here for details about each. Contact us with any questions, we exist to serve you!

The CW Corner – Email Security

Compromised email can be an important component of identity theft. People take much of today’s electronic communications for granted.

Think about what’s connected to your email accounts – activities like shopping and even online banking to name a couple. Hackers getting into your email can give them an open doorway into many aspects of your financial and personal life. The losses incurred through compromised email can be enormous.

Good security practices are great deterrents. Start by using strong passwords to mitigate such losses.

Wireless connections can be “sniffed”, meaning hackers can wait nearby and record the information being sent and received over the connection.

Always access your email using encryption. Encryption makes it close to impossible to decode the wireless traffic. With email clients like Outlook, Thunderbird, Apple Mail or even mail apps on phones, make sure encryption is turned on. With webmail through web browsers, be careful to access it using https:// to ensure an encrypted connection to the email server.

Free wireless hotspots are a haven for hackers. You are pretty safe as long as you are using encrypted connections.

If you don’t understand how to set up and use encryption, call your web hosting, email or device provider for help. Don’t risk potential losses.

The CW Corner – Passwords

In keeping with the basics, a common issue we see at CharlesWorks involving our web clients in general has to do with passwords.

A trick to remember with passwords is to keep them simple yet complex and different enough so they aren’t easily guessed. A very good way to have a secure password is to use words or combinations of words that mean something to you but not to anyone else. It’s also more secure if you use a capital letter where one would not normally be expected. Here’s an example of making a typical word into a secure word just by changing which letters within the word are capitalized:
PeteRborOugh

Or you could go a step further by using numbers in place of some of the letters so you have both numbers and capital letters:
Pet8Rbor0ugh

To really beef up security, in this example we’ll make it 2 words separated by a hyphen or a number:
hEll064bYe

Using a couple of words in this manner will pass the security requirements for many systems. You can use a couple of words that you can remember and therefore don’t have to write down anywhere.

Needless to say, post-its on your monitor should be avoided. Hopefully this CharlesWorks tip will help get you away from that habit!

The CW Corner – Introduction

Charles Oropallo, CharlesWorks founder, Peterborough NH

Welcome to The CW Corner!

Charles Oropallo from CharlesWorks in Peterborough, NH will be bringing you articles on popular web topics with helpful hints. Most are expected to be simple and some are for the more experienced. All should be useful and educational to many readers. We will address:

    • Passwords with our focus on making them secure – yet easy to remember.
    • Common Internet scam information about domain name renewals to perhaps save you a lot of grief going forward.
    • More Internet scam information about Directory Listing scams to again save you a lot of grief.
    • SEO (Search Engine Optimization) in layman’s language and how it works.
    • Current web design products like WordPress – a free content management system for building websites.
    • Some information about spam and how you get onto those spammer’s lists.
    • Common myths and misconceptions about domain names aimed at helping you protect your online brand.
    • The ease (or not) of website self-maintenance for do-it-yourselfers.
    • The importance of shopping local and supporting your own community.
    • Things to know about email security on your phone or on your computer or on your tablet.
    • Website hosting and the advantages to local servers vs cloud storage.
    • The occasional pitfalls of having your friends help you with your web needs.
    • Reviewing your website now and then.
    • A little about email etiquette and things to avoid.
    • A common email extortion to ignore.
    • Secure Sockets Layer (SSL) and the surrounding hype.
    • Some tips and thoughts about choosing domain names.
    • Free counters and issues surrounding most “free” web stuff.
    • Info about a common “you need to update your email” scam.
    • A brief explanation of “the cloud” as applied to the Internet.
    • Social media – Facebook in particular – and how it relates to your web presence.
    • How long you have to get site visitors’ attention.
    • Who owns your domain and info about domain ownership.
    • Checking up on your web content and the minimum needed.
    • Checklist to help you find the best web developer.

And more! We’ll try to keep this page updated over time with the topics we cover each week!

There is a lot to share!

Feel free to email Charles with questions/suggestions. Check out The CW Corner each week here to see our new articles!

Charles Oropallo (Charles@CharlesWorks.com) started CharlesWorks in Peterborough NH in 1998. His team has provided website design, hosting and related web services for thousands of web clients on four continents.