Photo via Adam Mulligan
Waking up to find that your account or your customer’s account has been compromised by a malicious intruder or a spam bot can be a scary experience. It happens more often than you may think, and it isn’t relegated to people who don’t know much about computers. We deal with dozens of compromised customer accounts every week. Hopefully, after reading this, you’ll be just a little bit better equipped to not be one of them.
The most important point to be made here is that there’s no such thing as perfect security. Security is a process, not a goal. You can do everything right and a zero-day exploit in the web content software you’re running can allow an intruder to bring your site to its knees. It’s not a matter of aiming for perfection, but rather, if we are consistently vigilant and consider security, we’re a lot less likely to end up with problems. If you can devote one hour a week to security per website you maintain and share this with your customers as well, you’ll be vastly less likely to become a victim.
Technically speaking, the vast majority of hosting account compromises occur in one of three ways:
The account has a weak password associated with it, or with a service (like a blog or an email account) within it. This weak password can be guessed or brute-forced by a malicious intruder or even a malicious automated process.
The account may be running old, outdated, or insecure web content software. This can also include plugins, extensions, or themes for such software which contain exploitable vulnerabilities.
A computer used to access the account may have a virus or malware which either allowed a malicious intruder to steal the account’s password from that computer, or to perform hostile actions using that computer.
The strongest passwords are not simply random strings – these are easily forgotten, so people often write them down or store them somewhere, which oftentimes leaves them vulnerable to theft, either physically or by way of a virus on the computer on which they’re stored. The strongest password is one that’s stored only in your head. I recommend a long sentence with proper English grammar and punctuation which is easy to remember. I personally often use strange and whimsical sentences which don’t make much sense, but are silly enough that they’re easy to remember.
The addition of proper grammar and punctuation make it less susceptible to brute force and rainbow table attacks. Another good policy is to update them regularly. Making an update to your account and web content software related passwords a part of your weekly routine will improve security on your account.
The largest number of account compromises we see are due to old, outdated, and vulnerable web content software. Checking for updates and updating when necessary is usually pretty quick and easy to add to your weekly security routine. Keep in mind that any plugins, extensions, modules, or themes you’re using are a part of your web content software and should also be checked for updates on as regular a basis as possible. Many web content software vendors/developers maintain email lists for announcements of new releases or security bugs and their fixes. Subscribing to these can help save you some time and make sure that you’re always on top of your web content software.
When a user’s PC or other device which is used to access the account is compromised, this can result in the account subsequently being compromised as well. Viruses/malware can log your keyboard input or simply steal files from your hard drive which contain passwords. Running solid virus protection, regardless of your operating system choice, is crucial to maintaining overall security. A full scan of your computer and any other devices used to access your hosting account can be another component of your weekly security check-up.
Remember: 1 hour a week can save you a lot of hassle in the long run, and for our valued resellers, helping your customers to implement security measures can save you even more!