QUINTEVATION: Safety first, online like everywhere else


This is the first in a series of Guest Posts by Quintevation Community members willing to share their business expertise in order to support and advance Entrepreneurship in the Bay of Quinte region. If you are interested in learning more or becoming a contributing writer, please contact mary@quintevation.ca.

Earlier this year the University of Calgary paid $20,000 to get its data back after being hacked by cyberattackers. The attackers found a way into the university’s network and encrypted some of its data.

This points out two key problems the university had:

  • They were vulnerable to a cyber attack; and
  • They didn’t have a backup of data so critical that they were willing to pay $20,000 to get it back.

These attacks are more common than you might think.

I can tell you from my own experience of managing websites that every single one of them has been attacked and it happens on a regular basis.

How do I know this? Because I see the logs from my protection software, which tell me what the hacker is trying to do.

Many of these hackers try to log into the website using the user ID ‘Admin’.

Why? Because that is the default login for WordPress, which is the underlying infrastructure for about 25% of all websites.

These hackers also probe various addresses associated with your domain name (that’s the name you type in your browser address bar, e.g. http://YourWebsite.com) in an effort to find a ‘hole’, a way into your website.

When they go to an address that doesn’t exist, that creates what is called a ‘404 error’: page not found.

On my websites, if someone does that too many times, I automatically block them from the site. After that, it doesn’t matter what they do, I say ‘sayonara, amigo!’

Hackers also try to log in to websites using the address http://YourWebsite.com/wp-admin (replace ‘YourWebsite.com’ with any real domain name, of course). They do this because wp-admin is the default login address for WordPress.

So if a hacker knows the login address, and if the default user name ‘Admin’ exists, and if the site doesn’t limit login attempts, I can tell you right now, THE HACKER IS AS GOOD AS IN.

But how can he guess my complicated password? Good question. He can’t. Instead he just runs a script which is basically a ‘dictionary’ of sorts (containing all symbols, numbers and alphabetic characters; the more sophisticated ones are structured with the ‘most likely passwords’ presented first).

And that script runs until it gets in... unless, of course, the website limits login attempts.

Another rule then: employ strong passwords.

The worst passwords are:

  • 123456 and other combinations and sequences like this one
  • password
  • qwerty
  • football
  • baseball
  • welcome
  • abc123 and abcd1234
  • 1qaz2wsx
  • dragon
  • master
  • letmein
  • login
  • princess
  • qwertyuiop
  • solo
  • passw0rd
  • starwars
  • monkey

Use long and complicated passwords that have numbers, symbols and both upper and lower case letters, e.g. a sentence such as ‘This is a very long and complicated password’ with numbers and symbols like 4, 89$ and !@# mixed in.

According to Stopthehacker.com, “It takes only 10 minutes to crack a lowercase password that is six characters long.”
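The advice above can be turned into a concrete check. The following Python is an added example, not code from the original post: it rejects anything on the worst-passwords list above, rejects trivial sequences such as 123456, requires length and all four character classes, and estimates how many guesses an exhaustive attack would need. The 12-character minimum and the character-class sizes are my assumptions; the post only says “long and complicated”.

```python
import math

# Denylist built from the worst-passwords list in the post above
# (a real deployment would use a much larger breached-password list).
WORST_PASSWORDS = {
    "123456", "password", "qwerty", "football", "baseball", "welcome",
    "abc123", "abcd1234", "1qaz2wsx", "dragon", "master", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
    "monkey",
}

# Size of each character class an attacker must cover; "symbol" is any
# other printable ASCII character: 32 punctuation marks plus the space.
# Assumed sizes, not taken from the post.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def keyspace_size(password):
    """Number of guesses that exhaust every password of this length built
    from the same character classes (the attacker's worst case)."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return alphabet ** len(password)


def keyspace_bits(password):
    """The same keyspace expressed in bits."""
    return math.log2(keyspace_size(password))


def is_simple_sequence(password):
    """True for runs of consecutive characters such as 123456 or abcdef."""
    if len(password) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def check_password(password, min_length=12):
    """Return a list of policy violations; an empty list means accepted.
    The 12-character minimum is an assumption; the post only says 'long'."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if password.lower() in WORST_PASSWORDS:
        problems.append("common")
    if is_simple_sequence(password):
        problems.append("sequence")
    present = char_classes(password)
    for cls in CLASS_SIZES:
        if cls not in present:
            problems.append(f"missing_{cls}")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Passw0rd", "abcdef",
                      "This is a very long and complicated password 4!@#89$"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)} "
              f"({keyspace_bits(candidate):.1f} bits of keyspace)")
```

For the six-character lowercase case quoted above, keyspace_size("abcdef") is 26^6, about 309 million guesses; finishing that in 10 minutes only needs roughly 515,000 guesses per second, which is why length and extra character classes matter far more than any single clever substitution.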

Three other things you must do if you have a website:

  • Do NOT use wp-admin as your login address. How do you know if your website provider is still doing this? Simple! Type in your domain name followed by /wp-admin in a web browser (Safari, Firefox, Chrome, etc.). If a login window comes up, then wp-admin is still the login address.
  • Don’t use the user ID ‘Admin’.
  • Limit the number of login attempts before locking out that particular IP address (the address that is being used to hack the website).

There are many more things that should also be done such as:

  • Add a captcha to the login.
  • Your website provider can also limit the time of day that a website’s backend can be accessed. I block out websites from being accessed a full 8 hours in a 24 hour period.
  • The aforementioned 404 limits: if someone tries to access pages on your website that don’t exist too many times, lock them out.
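The two lockout rules described in this post (too many failed logins from one address, and too many requests for pages that don’t exist) can both be checked against an ordinary web server access log. The Python below is an added example, not the author’s protection software or any WordPress plugin. It parses a few constructed log lines in the Apache/nginx “combined” format, counts login failures and 404s per client IP, and renders the Apache 2.4 “Require not ip” lines that would block the offenders. The thresholds, the sample addresses (reserved documentation ranges) and the assumption that a failed WordPress login answers a POST to /wp-login.php with a 200 page rather than a 302 redirect are mine.

```python
import re
from collections import defaultdict

# Regex for the Apache/nginx "combined" log format: the client IP,
# timestamp, request line and status code are all this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def _line(ip, method, path, status, secs):
    """Build one constructed combined-format log line (sample data only)."""
    return (f'{ip} - - [10/Oct/2016:13:55:{secs:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 209 "-" "Mozilla/5.0"')


# Constructed sample log: 203.0.113.7 hammers the login form, 198.51.100.9
# walks through pages that do not exist, and 192.0.2.44 is an ordinary
# visitor who mistyped one URL. All three are documentation addresses.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", "/wp-admin", 302, 0)]
    + [_line("203.0.113.7", "POST", "/wp-login.php", 200, s) for s in range(1, 6)]
    + [_line("198.51.100.9", "GET", p, 404, 10 + i)
       for i, p in enumerate(["/old", "/test", "/backup", "/dev", "/staging",
                              "/site2", "/admin", "/portal", "/archive", "/shop"])]
    + [_line("192.0.2.44", "GET", "/about", 200, 30),
       _line("192.0.2.44", "GET", "/contactt", 404, 31)]
)


def find_ips_to_block(log_text, max_login_failures=5, max_not_found=10):
    """Return {ip: (reason, count)} for clients that crossed either limit.

    Assumption: a failed WordPress login re-renders the form with HTTP 200,
    while a successful one redirects (302), so every non-302 POST to
    /wp-login.php is counted as a failure.
    """
    login_failures = defaultdict(int)
    not_found = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse rather than guess
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == "/wp-login.php" and status != 302:
            login_failures[ip] += 1
        elif status == 404:
            not_found[ip] += 1

    blocked = {}
    for ip, n in login_failures.items():
        if n >= max_login_failures:
            blocked[ip] = ("login_failures", n)
    for ip, n in not_found.items():
        if n >= max_not_found and ip not in blocked:
            blocked[ip] = ("not_found", n)
    return blocked


def htaccess_deny_rules(blocked):
    """Render an Apache 2.4 access-control block that rejects the offenders.
    Apache only allows comments on their own line, so the reason goes above
    each directive rather than after it."""
    lines = ["<RequireAll>", "    Require all granted"]
    for ip in sorted(blocked):
        reason, n = blocked[ip]
        lines.append(f"    # {reason}={n}")
        lines.append(f"    Require not ip {ip}")
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    offenders = find_ips_to_block(SAMPLE_LOG)
    for ip, (reason, n) in offenders.items():
        print(f"{ip}: {reason} x{n}")
    print(htaccess_deny_rules(offenders))
```

In practice the counts would be kept per time window (so a legitimate visitor who mistypes a few URLs over a month is not locked out) and the deny list pushed into the firewall or the web server’s configuration; the point of the example is that both rules need nothing more than the log the server already writes.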

There are numerous other security prevention mechanisms that a website should have. But here’s the thing: if your provider isn’t doing the basic ones above, chances are he’s not doing the more advanced mechanisms either. In that case, it’s time to get a new website provider.

Let’s backtrack for a second because I have the feeling you don’t believe me that every website is being hacked. I often have customers say to me “Why would anyone want into my little local business website?” and “Who has the time to do this?”

As for time, they have all the time in the world because this hacking is done with computers that are running scripts, and they never sleep.

Furthermore, it’s estimated that there are something like 100 million computers being used worldwide to cyber attack. Remember that an attack on your computer (or website) can come from anywhere in the world. In my logs that’s exactly what I see: IP addresses from Russia, Estonia and a variety of other places.

And regarding your ‘Why me?’ question, here’s something that should raise the hairs on the back of your neck: if a hacker can get into your website, he can then use your website as a launch point for other cyber attacks.

Then this series of attacks will look like they are being initiated by you, and trust me, that is not a good thing for your website. 

Hackers hack websites for a variety of other reasons too, including:

  • Stealing user information: user names, emails, passwords, financial and other information can be sold. And by the way, if this is traced back to your website, you can be sued for damages.
  • To host objectionable content.
  • To boost another website’s ranking: a hacked website can be used to add ‘commercials’, affiliate links or something called ‘backlinks’. Essentially this is piggybacking on a legitimate site to promote another site or product.
  • To act as a spam email server: you’ve probably gotten a Viagra or Rolex watch email? This is one place they come from!
  • Spreading viruses: obviously hackers don’t want their viruses traced back to them. Far better to use your website!

If all this doesn’t get you worried, here are a few interesting stats for you:

  • 20% of ALL small businesses will be hacked within ONE YEAR (by ‘hacked’ I mean “the hacker got in!”). Source: National Cyber Security Alliance;
  • It is estimated that 30,000 websites are infected with some type of malware every single day;
  • 31% of targeted attacks focus on businesses with fewer than 250 employees. (Source: Symantec)

The moral of the story, of course, is to make sure, make absolutely sure, that your website is secure. The more you know, the more you realize that Andy Grove (Founder of Intel) was correct when he astutely said “Only the paranoid survive.”

Glenn Lidstone is president of StoneHouseMarketing Solutions, Inc.
