
How to keep your website secure

Email spam, form spam and hacking attempts are an annoying reality of doing business on-line.

Around 2012, we noticed a significant increase in the number of hacking attempts and spam enquiries received by our clients' websites.

We see this as a case of New Zealand catching up with what the rest of the world has been experiencing for some years.

These attacks can come in the form of:

  • 'Bogus' contact enquiries – trying to sell something unrelated to your business, such as pharmaceuticals. These enquiries frequently contain links to external sites; if they do, please don't click on them, and don't reply to them!
  • Access attempts – people trying to access the back-end administrative part of your site.
  • Visits from unusual referral sites – called referral spam.

For the most part, these attempts aren't individuals sitting patiently trying to hack your site. They run special programs and scripts that automate the process across hundreds, even thousands, of sites simultaneously.

Why are they doing this?

For the most part they are attempting to place malicious code on your site.

In some cases they just want to prove they can do it. Occasionally they want to disable a site by overloading it with requests (called a denial-of-service attack, or DDoS when it is distributed across many machines).

One of the most common reasons is they want to hijack your site and use it to send out spam email or deliver malicious code to others.

The strange enquiries that include a link are designed to get you to visit their website. At best they want to inflate their website visitor numbers to drive advertising revenue, but they could also be attempting to download malicious code to your computer.

What about CAPTCHA on forms?

CAPTCHA and image-based 'tests' on forms help, but they don't stop attempts that bypass the enquiry form altogether and submit the bogus enquiry directly to your website's CMS database.

Can you stop it?

Not completely.

We have a number of processes and systems in place to protect our servers and our client sites, but it is impossible to stop this nuisance.

What you want to do is make sure that every precaution that can be taken is taken, and DON'T ASSUME YOUR WEBSITE DEVELOPER HAS DONE IT.

With the advent of free and open source CMS solutions like WordPress and Joomla!, many people are building websites without fully understanding how to harden them against intrusion.

Hackers and spammers spend all their time finding new and inventive ways to exploit sites and site owners. It is a continuous process that at best can only be managed, but doing nothing guarantees that something will happen at some point.

We could block visitors from certain parts of the world, or only allow form submissions from 'proper' email addresses, excluding Hotmail or Yahoo type addresses. These tactics can help, but they will still not stop a determined hacker and may inconvenience legitimate visitors. Blocking specific users (or computers) does not work either: the sender may be an innocent user whose machine has been compromised.

What do business website owners need to do?

In the past, small business websites could go years without a security update and not fall victim to an attack. Those days are over.

As a business owner, it is in your best interests to make sure your site is kept as secure as possible. Yes, there is a cost, but this is often lower and less disruptive to your business than trying to fix a compromised website (which may not even be possible).

We recommend site owners:

  • Keep administrative passwords safe and hard to guess. Passwords should be a mix of upper and lower case letters and numbers.
  • Only provide administrative access to people who need it – typically this will be your web developer. If you are just updating content, you don't need full admin access.
  • Moderate blog submissions and comments to avoid spam, and don't allow anyone to submit a blog or community post without registering first.
  • Only install plug-ins and components from trusted sources, and audit their security practices.
  • Avoid get-traffic-quick and similar schemes that use illegal spam tactics.
  • Secure your email lists – if your website stores email addresses, make sure they are stored securely.
  • Install the latest security patches and component versions.
  • If you are running a CMS (such as Joomla! or WordPress), make sure you have the latest version of the 'core' system.
  • Monitor use of your site.
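"Monitor use of your site" and the access attempts and referral spam described earlier can be spotted in the web server's own access log. The following is an added example, not code from the original article or from Essentee: it parses a few constructed Apache combined-format log lines and flags bursts of POSTs to the Joomla! back-end (an automated login attempt) and referring hosts you do not recognise. The admin path, the allowed-referrer set and the sample addresses are all assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2014:10:01:02 +1300] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "python-requests/2.2"
203.0.113.5 - - [12/Mar/2014:10:01:03 +1300] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "python-requests/2.2"
203.0.113.5 - - [12/Mar/2014:10:01:05 +1300] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "python-requests/2.2"
198.51.100.7 - - [12/Mar/2014:10:02:00 +1300] "GET / HTTP/1.1" 200 8192 "http://spam-referrer.example/" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2014:10:03:00 +1300] "GET /contact HTTP/1.1" 200 4096 "https://www.google.co.nz/" "Mozilla/5.0"
"""
ADMIN_PATH = "/administrator/"   # Joomla! back-end (assumed; WordPress would be /wp-login.php)
EXPECTED_REFERRERS = {"www.google.co.nz"}  # assumed legitimate referrer hosts for this site
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries

def admin_login_bursts(entries, threshold=3, window=timedelta(seconds=60)):
    """{ip: total admin POSTs} for IPs that POST to the admin area `threshold` times within `window`."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].startswith(ADMIN_PATH):
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # A burst this tight is a script, not a person who mistyped a password
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged[ip] = len(times)
    return flagged

def unusual_referrers(entries):
    """Hits per referring host, ignoring empty referrers and hosts you already expect."""
    hosts = Counter()
    for e in entries:
        host = urlparse(e["referer"]).hostname
        if host and host not in EXPECTED_REFERRERS:
            hosts[host] += 1
    return hosts
```

Run `admin_login_bursts(parse_log(SAMPLE_LOG))` and `unusual_referrers(parse_log(SAMPLE_LOG))` against your real access log text to get a short list of addresses and referrers worth reviewing, rather than reading the whole log by hand.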

What services do we offer?

We apply appropriate security measures to our clients' sites when we build them. After that, the level of on-going management depends on the level of service we are asked to provide:

Hosting only.

Security patches will be applied to the web server only.

You should have a plan in place to update your website security. If you haven't, talk to us about doing this, as it is not included in standard hosting fees.

If your site is running a version of Joomla! that is lower than 3, you should contact us about upgrading your site to the latest secure version of Joomla!

Technical Support

This means we look after security and general technical performance of our client sites – applying security updates, monitoring the web server and the website. We tailor a package depending on the type, size and complexity of the site.

If your site is running a version of Joomla! that is lower than 3, you should talk to us about upgrading to the latest secure version of Joomla!

Management

Includes technical support along with optimisation and other marketing services as requested.

We look after your site including security and general technical performance – applying security and core component updates (dependent on your version of Joomla!). We also monitor your web server and your website for suspicious use. We take backups of your site so if it is compromised, we have a recent version that can be used to restore it.

Management does not mean you are running the latest version of Joomla! if the site was built by another developer. If your site is running a version of Joomla! that is lower than 3.0, we recommend you plan to upgrade to the latest secure version of Joomla! Talk to us about this if we haven't done so already.

Ad-hoc updates

Like many web developers, we will do ad-hoc content updates when requested. However, this does not include technical or security updates unless we are specifically asked to do them. If your site is running a version of Joomla! that is lower than 3.0, talk to us about upgrading your site.

Sandra