December was the month for Security stuff at Simply Web Works.

  • email accounts being hacked (not in our system thankfully)
  • websites being brute force attacked
  • customers getting spooked and wanting to beef up their security
  • plugin updates that gummed up our system

Security issues come in all sorts of flavours and you need to be aware of these. I will break this down for you to give you a better idea of what is involved in a successful security strategy.

Websites

The biggest problem with WordPress websites for Simply Web Works is that WordPress requires constant updating of plugins, themes and the WordPress installation itself. We tackle this for you every month as part of your hosting package, because hackers are able to use out-of-date plugins, themes and WordPress installations to access your website and create mayhem. Or they may use your website to gain access to other files on the server. Either way, hackers are not a welcome participant in our web world.

Usually we come up against a problem with plugins: the developer has gone off to do something else, and is no longer supporting the plugin. In plain English this means that…

‘The show is over: time to find another plugin’.

They are able to hack into your website by hijacking out-of-date plugins and accessing the website files on the server. This can be obvious to you, or it may go unnoticed for months. It depends on what sort of software you have in place to check for these hacks and alert you to the problem. What is certain is that you need to adopt a strategy of:

‘I know these hacks can happen, so I need to plan to prevent that possible outcome’

Sticking your head in the sand is not an option. Hackers have now gone one step further and have come up with the idea of hacking a plugin before you upload it to your website (or update it), gaining access to your website that way. They do this because it gives them easier access to your website, by abusing the trusted relationship that plugin developers have established with the WordPress community. Read more detail about these Supply Chain Attacks.

In most cases this will not affect you, but it is good to know what these attacks involve so that you can make sure that you are not putting yourself in harm’s way by uploading a plugin that you find somewhere in the WordPress plugins repository. The main plugins that we use are checked many times a month by security experts: there is safety in numbers if you stick to the most popular plugins.

We work on the idea that less is more… delete any plugins or themes that are not essential to your website, as they simply increase your risk of a hack. Keep it simple! By doing this, and regularly updating your website, you keep your website in good shape.
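The two checks above (update anything that is out of date, delete anything that is not needed) can be turned into a monthly script. The Python below is an added example for this post, not Simply Web Works’ own tooling; it assumes the JSON shape that WP-CLI prints for `wp plugin list --format=json` (fields name, status, update and version), and the plugin records in it are constructed for the example.

```python
"""Audit a WordPress plugin inventory for out-of-date and unnecessary plugins.

Added example, not Simply Web Works' own tooling. It assumes the JSON shape
produced by `wp plugin list --format=json` (WP-CLI), whose default fields are
name, status, update and version; the records below are constructed.
"""
import json
import sys

# Constructed sample, shaped like `wp plugin list --format=json` output.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.0.1"},
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "4.9"},
    {"name": "old-gallery", "status": "inactive", "update": "none", "version": "1.2"},
    {"name": "hello", "status": "inactive", "update": "available", "version": "1.6"},
])


def audit_plugins(inventory_json):
    """Return the two lists a monthly maintenance run acts on.

    needs_update: plugins WP-CLI reports an update for (out-of-date code is
    the usual way into a site).
    remove_candidates: inactive plugins; their code still sits on the server,
    so the "less is more" rule says delete them rather than leave them idle.
    """
    plugins = json.loads(inventory_json)
    needs_update = sorted(p["name"] for p in plugins if p.get("update") == "available")
    remove_candidates = sorted(p["name"] for p in plugins if p.get("status") == "inactive")
    return {"needs_update": needs_update, "remove_candidates": remove_candidates}


def report(findings):
    """Render the findings as a short checklist."""
    lines = []
    for name in findings["needs_update"]:
        lines.append(f"UPDATE  {name}: update available, apply it")
    for name in findings["remove_candidates"]:
        lines.append(f"REMOVE  {name}: inactive, delete unless it is needed")
    return "\n".join(lines) if lines else "OK      nothing to do"


if __name__ == "__main__":
    # Read real WP-CLI output from a pipe if there is one, else use the sample.
    data = sys.stdin.read().strip() if not sys.stdin.isatty() else ""
    print(report(audit_plugins(data or SAMPLE_INVENTORY)))
```

On a real site you would run it as `wp plugin list --format=json | python audit_plugins.py`; the same idea applies to `wp theme list --format=json`. A plugin that is inactive but still installed is still code a hacker can reach, which is why it is listed for removal rather than ignored.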

Use Tough Passwords

I cannot repeat this enough times for clients… Get serious about your passwords. They need to be more complicated than the name of your children and a date. If you have not worked this out, trust me, hackers have. They can use details that you leave on social media to gather information that they can string together into a guess at what your password might be. We are humans, and we tend to do similar things. For example:

  • the name of your dog
  • your children’s names
  • birthdays

That information alone is enough to give them access to a large range of your digital world. There are a host of ways to beef up your passwords: one of the most useful is by using patterns on the keyboard. For example you might have a simple password that you use. You then add shapes to the letters of this word. For example:

  • Simple word that you use: ‘ski’
  • use a ‘shape’ to type out the letters that surround ‘s’, such as a circle starting at 9 o’clock.
  • use a ‘shape’ to type out the letters that surround ‘k’
  • use a ‘shape’ to type out the letters that surround ‘i’

Just by using this simple pattern, you have created a very complex password that would seem to be random to a hacker. Want to make it harder? Press a shift key for the start of the letters or the last letter or… you get the idea. That has added another layer of complexity. It turns a simple password into a very complex one, and all you need to remember is the sequence of letters, numbers etc. that work with the ‘keyword’, and access to a keyboard to see the shapes that you make. Better still… use a password vault such as LastPass. We do, and it works a treat.
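To see how easily a password built from the details above is spotted, here is a small checker. It is an added example for this post, not a tool from Simply Web Works or LastPass; the names, birthday and passwords in it are constructed, and the 12-character minimum is an assumption for the example rather than a figure from the post.

```python
"""Flag passwords built from personal details (pet names, children's names,
birthdays). Added example for this post, not Simply Web Works' own tooling;
the names, dates and passwords used are constructed."""
from datetime import date

MIN_LENGTH = 12  # assumed minimum for this example; the post sets no figure

# Undo the usual digit-for-letter swaps so 'R3x' and 'Rex' compare equal.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def date_forms(d):
    """Ways a birthday is commonly typed into a password (day/month and month/day orders)."""
    yy = d.year % 100
    return {
        f"{d.year}",
        f"{d.day:02d}{d.month:02d}",
        f"{d.day:02d}{d.month:02d}{yy:02d}",
        f"{d.day:02d}{d.month:02d}{d.year}",
        f"{d.month:02d}{d.day:02d}{yy:02d}",
        f"{d.month:02d}{d.day:02d}{d.year}",
    }


def normalise(password):
    """Lower-case and reverse leet substitutions before looking for names."""
    return password.lower().translate(LEET)


def personal_info_hits(password, names, birthdays):
    """Return the personal details found inside the password.

    names: strings such as a dog's or child's name; birthdays: date objects.
    Names are compared after normalisation ('Rex2012!' and 'r3x' both contain
    'rex'); dates are compared against the raw digits.
    """
    hits = []
    norm = normalise(password)
    for name in names:
        if len(name) >= 3 and name.lower() in norm:
            hits.append(name)
    raw = password.lower()
    for bday in birthdays:
        if any(form in raw for form in date_forms(bday)):
            hits.append(bday.isoformat())
    return hits


def assess(password, names=(), birthdays=()):
    """Return a list of problems with the password; an empty list means none found.

    birthdays are ISO strings such as "2012-03-15".
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    dates = [date.fromisoformat(b) for b in birthdays]
    for hit in personal_info_hits(password, names, dates):
        problems.append(f"contains personal detail {hit!r}")
    return problems


if __name__ == "__main__":
    # Constructed details of the kind a social-media profile gives away.
    details = {"names": ["Rex", "Emily"], "birthdays": ["2012-03-15"]}
    for pw in ["Rex2012!", "3mily150312", "correct-horse-battery-staple"]:
        print(pw, "->", assess(pw, **details) or ["ok"])
```

Swapping a 3 for an E or adding an exclamation mark does not help: the checker undoes those tricks the same way a cracking tool does, which is why a password vault generating something unrelated to you is the easier option.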

Get serious about your emails

What most people don’t understand about emails is that these systems are not ‘hacked’ in the way that we think about websites. Most hacks of email systems are very simple:

‘You give them the details that allow them to hack into your email account: they just ask you for them!’

The process goes like this:

  • they send you a request, addressed to your email address, to change the password on your email system
  • the email looks like something that the organisation would send you: all of the text and images are copied from a real email
  • you change your password on their ‘login page’
  • they copy these details and log in to your real email system
  • they can send emails, read emails or change your email password as required: you no longer control this account

We had one client recently where this had devastating and expensive consequences. Emails, these days, are very important things.

What can you do to make emails more secure?

Use your domain name in your email. For example:

derek@simplywebworks.com.au

I own the domain. So hackers cannot get any details from my email address about ‘where’ my emails are hosted. That makes things a lot harder for them from the start. Compare this to another email address:

derek@gmail.com

They now know where my emails are hosted, so by sending me an email that looks pretty similar to something that Gmail might draft up, they have a chance to catch me out. When I respond to their email, then I have given them the keys to the door without them breaking into my system. Get it?

Work emails should always be on your domain for this reason. That way your emails are much more secure by virtue of being harder to access from the start. Using Hotmail, Yahoo or Gmail personal addresses for any business correspondence is just asking for trouble. While we are on the topic, the way to tell if you are being targeted by a hacker with this scam is to check the address that the email has come from. For example:

This is what a ‘real’ email from Google looks like:

payments-noreply@google.com

And this is what a hacker’s address would look like:

payments-noreply@google45-pit.com

They may not be able to get that far, as the domain registry company may have blocked that domain (as Google is in the name), but you get the idea. Keep your email hosting with a large provider and make sure that you keep your domain name hosting up to date: it is very important if you want to keep your emails secure, and you need to know when it is due to expire and how to access it. If your domain hosting details are held by your website builder or marketing company, take the time to get them transferred over to you, as essentially that company has the keys to your digital door. We see this quite a bit: businesses are not sure who has control of their domain. Scary stuff that can have major consequences for you and your business.
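The sender check described above (is the address really from google.com, or from something like google45-pit.com?) is easy to get wrong by eye, because the display name can say anything and the fake domain contains the real brand’s name. The Python below is an added example for this post, not a Simply Web Works tool; the table of known sender domains and the sample From headers are constructed, and it uses only the standard library’s address parser.

```python
"""Check the sender address of an email against the domain it claims to be from.
Added example, not part of the original post; the sender table and sample
From headers are constructed."""
from email.utils import parseaddr

# Brands and the exact domains (plus their subdomains) that legitimately send
# for them. Constructed table for the example; extend it with your providers.
KNOWN_SENDERS = {
    "google": {"google.com"},
    "simplywebworks": {"simplywebworks.com.au"},
}


def sender_domain(from_header):
    """Domain of the real address, ignoring the display name.

    '"Google Payments" <x@google45-pit.com>' -> 'google45-pit.com'
    """
    _display, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def domain_matches(domain, allowed):
    """True only for an allowed domain or a subdomain of one.

    'google45-pit.com' contains the word google but is neither, so it fails.
    """
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_sender(from_header, known=KNOWN_SENDERS):
    """Return (verdict, domain).

    'genuine'     the domain is one the brand really sends from
    'lookalike'   a brand name appears in the display name or domain, but the
                  domain is not one of that brand's real ones
    'unknown'     no brand we track is involved
    'unparseable' no address could be extracted
    """
    domain = sender_domain(from_header)
    display = parseaddr(from_header)[0].lower()
    if not domain:
        return "unparseable", domain
    for brand, allowed in known.items():
        if domain_matches(domain, allowed):
            return "genuine", domain
        if brand in domain or brand in display:
            return "lookalike", domain
    return "unknown", domain


if __name__ == "__main__":
    # Constructed From headers: the post's genuine and fake examples, plus a
    # display-name trick and an unrelated sender.
    samples = [
        "payments-noreply@google.com",
        "payments-noreply@google45-pit.com",
        '"Google Payments" <billing@example.net>',
        "derek@simplywebworks.com.au",
        "someone@example.org",
    ]
    for header in samples:
        verdict, domain = check_sender(header)
        print(f"{verdict:12} {domain:25} {header}")
```

The important design choice is that the comparison is exact or subdomain-only, never “does the domain contain the brand name”: that is precisely the trick the fake address relies on. A ‘lookalike’ verdict is the cue to ignore the email and go to the provider’s site directly rather than through any link in the message.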

As always, if you have any questions about any of this, let us know. And let’s have a safe and secure digital 2018.