A while back, we began a discussion about website security by breaking down the importance of protecting personal information on your website with an SSL certificate. While securing personal information like credit cards, contact information, and logins is something that any business website should treat with critical importance, there is other information that should be guarded just as jealously – the code that operates your company’s website itself.
Now if you are one of the many people who use a WYSIWYG (What You See Is What You Get) environment like the Website Builder in our store or the many others we have reviewed from 3rd parties, this article isn’t going to be as important for you. These types of environments restrict your access to the point that most common website threats struggle as much to change your code as you do.
Conversely, if your hosting plan gives you access to your website files and/or databases, this is going to be one of those posts we feel you should consider required reading for your business. Whether your website is among the near 30% running WordPress or the other millions using Dreamweaver, Muse, iWeb, Joomla, Drupal, Zen Cart, Magento, or basically anything else that isn’t a WYSIWYG, you are a potential target for what is called malware.
If you haven’t heard of this before, consider malware a catch-all term for content designed to hijack, interfere with, access, or destroy your website data. It is typically distributed to websites by bots and malicious scripts by exploiting vulnerabilities in web hosting servers or your website content (though the occasional hacker can be behind this too).
“But my website isn’t that big or important.” You wouldn’t believe the number of times I’ve heard this when discussing website security with clients, so I’m going to lead off with something you need to understand before we go any further.
Bots and malicious scripts are usually indiscriminate in their targeting, and no website is considered to be too big or too small for them.
Full stop. Read that sentence 2 or 3 more times for good measure. Whether you’re a new company or a larger, established business, your content will almost certainly be crawled by something unpleasant at some point with one of two outcomes:
Our goal is to help you avoid the first outcome today, but if your website has been around (and especially neglected) for a while, it is possible your content may already be infected. Some of the signs and harmful effects you or your visitors may experience when your website is compromised include:
We’re going to cover what each of these symptoms might look like and why they represent serious threats to your daily operations if they come to pass. Afterward, we’ll talk about options you can pursue to help prevent these problems from occurring and reduce their impact. Without further ado, let’s get started.
Jump ahead to:
Browsers like Firefox and Chrome automatically issue these for any website that they find with compromised data that represents a threat to you, and will do everything they can to keep you from proceeding. Doing so has a high risk of infecting the computer you are using with a virus or initiating the download of unwanted programs.
Nobody wants that to happen, so most of us are going to react the same way every time something like this bright red warning screen comes up – by clicking the back button to get as far away from this malicious content as possible.
If your site winds up being flagged by a warning like this, your regular customers might take the time to inform you so you can resolve the matter quickly and restore access. But what if they don’t? Suddenly you’re losing traffic, revenue, and growth opportunity for every day your website is down – and we know you’re busy enough that checking your website every day isn’t always a high priority.
While some malware seeks to access data on personal computers, other types are designed specifically to turn your hard work into someone else’s gain. A process as simple as rewriting one file in your website can direct all traffic going to your company over to a different website for porn, casinos, pyramid schemes, diet pills, pharmaceuticals – the list goes on.
Naturally, this is going to be as off-putting to your customers as the bright red warning screen above because most of us have outgrown the phase where we listen to the pleas of Nigerian princes and wealthy individuals who have been stranded overseas with no way to get home. You’ll get tarred with the same brush, which in turn will cost you business.
Some of this redirection is especially sneaky – it is designed only to reroute search engine traffic. Many business owners find this very difficult to detect until they learn to look out for it, but this type of infection carries the same consequences as the more obvious hacks.
Malicious content comes in a lot of flavors. While we’ve covered some with clear motives (promoting illicit companies, selling their products, or using your website for fraud), other types are simply designed to be as harmful as possible.
Both scenarios significantly slow down the load time for your website, as your server will be dedicating more resources to processes that should not be present. Think along the lines of what happens if you open 20 or 30 windows on your home computer at the same time, but often exponentially worse.
People browsing online simply aren’t going to have the patience to wait through that, and will take off for greener pastures if you aren’t capturing their attention in seconds. As if this wasn’t bad enough, load time has been a SEO ranking signal for many years, meaning your search results will suffer on another metric to boot.
Fortunately, you can often identify this type of compromise by looking for strangely named files or files that were updated more recently than your last website update. Cleaning up the resulting mess can be a nightmare, however. If you miss even one infected file, all the content you removed will be back in as little as a few hours (and often with interest).
They don’t call today the Information Age for nothing. Knowledge is power and those that can exercise it to its full potential stand to reap big rewards when it comes to online presence for their ventures. Marketing firms, search engines, and social media have made entire industries out of gathering and employing information.
If malware removes your website or harms your links in a way that prevents visitors from finding or using them, your customer base loses a primary method for finding out who you are, what you do, and how they can pay you to solve their problems.
While this is a less common form of compromise, it is also the simplest and most dangerous to you.
If your customers can’t find you or your content because of malicious code, Google probably can’t either. While you do have a bit of a grace period to clean a hacked website up, prolonged malware exposure over days and weeks is going to tell search engines you aren’t paying attention to your website. You’re also telling them you probably aren’t worth the ranking you’ve spent months and years achieving.
Furthermore, some search engines will warn potential visitors when your website is hacked before they can even click your link. This message will persist in turning them away until your website is confirmed to be clean, so it is important that you both erase any trace of malware and submit a request to have your site reviewed when you are done.
In today’s day and age, you no longer have the liberty of wondering what you will do if you are hacked – you need to be prepared for when it happens. Fortunately, you have a few preventative measures you can employ to help protect yourself and your content.
The first is to take a backup of your website files and database(s). Whether you handle this through a plugin, FTP, SSH, or a third party company, it is imperative you store these backups on a separate server or hard drive. Using something like cPanel’s Installatron or backup wizard places these backups on the same server as your website, meaning they will be infected if the original is.
Think of it like copying the deed to your car and throwing the copy in the glove compartment with your original. It simply isn’t going to do you any good there if the car gets stolen. If you aren’t sure of how to perform an external backup, swing by our backup guide, hit up our store, or check out our instructional video.
Your second option is to set up a malware scanner. These are designed to look over your site on a regular basis, check for any suspicious coding changes or files that have been added, and then report it to you and/or remove it for you. These act very similarly to antivirus programs on your local computer, but are tailored specifically to websites.
The final step you can take is to set up a web application firewall (WAF). If a malware scanner provides reactive protection and/or cleanup, this is the proactive counterpart. WAFs serve as gatekeepers to your website, deciding who can come in to see it and who cannot. Regular visitors won’t even know it’s there, while bots and scripts are shown the door.
There are also a couple different WAFs you can consider for your website – cloud and endpoint. Each has their pros and cons, but both can provide some solid protection for your website.
Cloud based firewalls route your domain’s DNS through a third party before sending a visitor to your website. While this is great for filtering out bad traffic to your domain (or web address) before it ever reaches your server, if someone decides they want to dig up your IP address, it will provide zero protection against those types of attacks. These are paired with malware scanners in our store so if someone decides to get clever, you can still get your site cleaned up in a timely manner. This pairing is sufficient for most sites.
Endpoint firewalls provide an additional layer of protection at the server level (a popular example is Wordfence, who has a thorough guide comparing firewalls as well). These firewalls check any request to review a file on your server and assess whether it is safe before it is allowed to proceed. While you do get IP address coverage this way, if a new malware strain hoodwinks your firewall, your firewall becomes compromised along with your website. For additional information on how Wordfence works, you can watch the video below.
None of these methods are 100% foolproof on their own. Hardware fails, viruses evolve, and sometimes something just slips in through the cracks. If you employ these methods together though, you’ll be prepared to weather 99% of any issues that are thrown your way with ease.
That’s why we include a backup and a 1-year malware scanner subscription with every website we design for businesses. Firewalls are a little more expensive, so we leave the decision of whether to invest in them up to you, but we’ll always recommend them since preventative protection is worth every penny during and after the time your business is established.
We’re glad you asked. You can browse our selection of website security plans in our store, or give us a call at 319-229-5225 for help setting up an account or discussing our services.
Braden is one of the founders of Midwest Websites, and has been professionally writing and developing websites for over 7 years. His blog posts often take an experience from his life and showcase lessons from it to help you maximize online presence for your business.