In this episode David explores why you should and how you can improve your non-profit’s website security.
Some quick highlights:
In this episode, I’m going to discuss with you what you can do to help secure your non-profit’s website so that you can sleep at night. I’m talking about website hacking, it’s around us every day we hear about it in the news, but quite often it’s something we take for granted.
Welcome, you are listening to the Non-Profit Digital Success Podcast. I’m your host David, from Wow Digital.
I’m going to start off this episode with a story of something that happened to me on December 24th, 2014, around 9 – 9:30 p.m. I’m sitting at home enjoying a relaxing evening and all the sudden I get an alert that there’s a problem with the website for the hospital that I was working at. It was offline, it wasn’t responding, I got on my computer, I started trying to figure out what was happening, and I had a hard time even accessing it, it was super, super slow. I was able to log into the back end and manage the firewall in the security system, and the settings, and eventually, as I was reading through the server logs I realize there was a lot of traffic coming from China. I’m talking tens of thousands of visits a minute to our site, this was extremely out of the ordinary. At the time, I was working at a geriatric hospital and there was absolutely no reason for this amount of traffic to come from China.
Within 10 minutes I was able to get the website back up and operational the way that it was supposed to be. I did a bunch of research in the coming days and realized what was going on. This type of “attack” was just a denial-of-service, meaning the server couldn’t handle the amount of traffic that was coming to it. It was out of the ordinary and way different than any amount of traffic a hospital would receive. There is no reason for us to have a more powerful server than we actually had at the time.
Over the coming weeks, I did more research and found out what really happened. China’s firewall, what I call the Great Firewall of China, which is what controls the traffic, the internet information coming in and out of the country, and what citizens inside of China can see, and what people outside of China can access without any nefarious means. For some reason the people in charge, maybe it was a mistake, they started directing traffic meant for gambling and pornography websites to random places on the internet. Happened to be that the hospital I was working at was one of the random places. They didn’t specifically target the hospital but what they did do was just send traffic to random IP addresses across the internet and took down hundreds if not thousands of websites.
This action caused me to implant more secure methods and more secure firewall settings on the server which ended up in a much better product and a more stable environment for the website to be on. Everything that I’ve learned from this experience has made me a better professional and it’s made my clients have better, more secure websites.
In today’s episode, like I mentioned, I’m going to be talking about different security methods that you should take as you redesign your website, as well you can Implement changes that I mention in your existing website.
I think my example is actually a little bit extreme, it’s probably out of the ordinary from anything that would happen to your organization. It’s still important to know that there are several security measures that should be put in place as you set up a server or your IT people set up a server while you work on your website, whether it’s your existing one or a new one.
“David, why would anybody want to attack my little non-profit website when we’re just here trying to do some good in the world?” There’s lots of reasons why hackers and computer programs, called bots, would try to attack your site, and really it’s just, you know, some people like to destroy things but for the most part, it’s about making money and profit. All the power behind what a server has gives hackers the ability to send millions of emails quickly and easily. If they’re able to get onto your site, this is just one of the things that they can do without you knowing that it’s happened.
Another thing is that the website can be used to spread viruses to your website visitors. If a visitor’s computer or device, like an Android or I mean to lesser extent iOS or Apple devices, doesn’t have up to date security they can get infected and use the same purpose to send out viruses in spam and use even computer power to do Bitcoin mining.
Sometimes websites and servers are encrypted, this is called ransomware, you’d have to go and buy some kind of currency or wire transfer to get the password to unlock your files and your web server.
Let’s get into it, I’m going to talk about what you can do starting today to help secure and make your website less vulnerable. If you’re starting with a brand new website you want to make sure that you’re installing and changing the default database table names. For example: with WordPress, the database tables typically start with wp_, you want to change that to something else that you wouldn’t think anybody else would know. It could be a random set of 6 or 8 characters or letters and that’s what I would recommend going with.
The second thing you want to check is that there’s no admin user on the website, you never want to have a user account with the name admin or administrator or root, you never want any accounts with that, those are the ones that are most often tested against password hacking.
Next, you want to make sure that the site is set up with strong passwords, so passwords that are anywhere over I would say 10 or 12 characters that use letters, numbers, uppercase, and even some random characters like an ampersand, or hash, dollar sign, or percent, and those kinds of other characters.
In addition to strong passwords, I highly recommend also setting up something called 2FA, which is two-factor authentication, some people also call it two-step verification. Basically, what this does is it adds another step in the logging-in process. The most common method hackers use to gain access to your online accounts is by discovering your password, either by guessing it or nefarious means such as fishing or even database dumps from larger websites that are hacked.
As Google describes it, think of this as withdrawing money from your bank account, you need your ATM card as well as your PIN number. There are countless apps that provide two-step verification, and I’ll include some links in the show notes. With all the passwords that are out there and all the things that you need to remember, it’s hard to keep track of all the passwords that you have. If you’re going to use a password manager such as Bitwarden, or LastPass, or even Google’s browser to synchronize your passwords, you want to make sure that the password for the account that you’re using for storing your passwords is unique, that you’re not using that password for any other system. If somebody can get access to that platform that you’re using to store your passwords then they have access to everything stored within.
SSL secure certificates, this is what changes the little lock icon up in the top of your web browser for the website address is. It shows people that your website is secure, it encrypts the data that is sent back and forth between the server and the end user’s web browser, meaning that hackers can’t get in between there to grab any of the data. If you’re doing any kind of transfer of information or credit card processing this is 100% a must. This typically costs anywhere from $50 to $100 for a basic SSL certificate and some web hosts actually provide this for free.
A little plug for Wow Digital, we provide free SSL certificates for clients that are hosting on our web server. Alright, back to the episode.
Something else you should think about doing any kind of credit card transaction is making sure that you have a PCI compliance. This is another level of security and data confirmation to ensure the safety of any information being transferred back and forth between the server, your website, the end user’s browser, and the merchant system that’s doing the actual credit card transactions.
As for server settings, you want to make sure that you are preventing something called “directory browsing” which allows people to see the files within folders on your server as well as prevent image hotlinking, which is allowing people to use images and files that are stored on your website on their website. You can do this by password protecting private folders and files on the server, on Apache servers this would be an HT access file, which is your typical kind of web server that you would find, or if you’re using a Windows server it would be a web.config file.
There are two great plugins that you can use to help you with some of the security settings, don’t use them together, pick one over the other and go with that one. One of them is called Wordfence and the other is called Sucuri, they both have some really amazing free options as well as paid plans that give you a little bit more control and more details and information about settings, and different permissions that you can enable.
You also want to make sure that you have backups that are happening, I always highly recommend to my clients that we have on server backups, as well as off-server backups, and what that means is that we keep local files copied in a secure area on the webserver, as well as having them copied to a third-party platform off the server.
If the website ever gets hacked and somebody decides to delete the entire website, if they have access to where your backups are stored they’re going to delete those as well, so having the backups off the server helps just as an extra layer of precaution.
The next thing I want to talk about is WordPress specifically, as well as Drupal, any of the open-source platforms that have a big following with lots of people that manage, and update, and create plugins, and modules, and website themes, and all that great stuff that helped build the internet as we know it today. The problem is that there’s a lot of people that build all of these functions, and programs, and plugins, and themes that make the internet what we know today, and that’s the real problem. We need to make sure that people are not injecting malicious code into your web server, into your code for your plugins and themes. Sometimes it happens, sometimes there’s a little hole that the developers didn’t notice or forgot to fix while they were creating the plug-in module or theme.
Just today with regards to the operating system of PHP, which is a back end that runs a large number of web servers, there’s a glaring call that hackers had put into the development code, it never made it through the production and it was removed relatively quickly, but this is the type of thing that does happen regularly, it happened to be that it was in the news. Further to that, you want to make sure that you always have up-to-date plugins and themes, and the core system that runs your websites such as WordPress or Drupal up-to-date and running on the most recent public version available.
With regards to plugins and modules, any ones that you’re looking at using you want to make sure that they have been updated somewhat recently, so we’re talking the last few weeks or months. Any plug-in module that was last updated around a year or so older you really want to avoid using, because it’s typically that the developers are no longer supporting it and that there probably won’t be any future updates for it.
And lastly, just a circle back to my story that I had at the beginning of the episode. It’s ideal to use a third-party platform to monitor the uptime of your website, ensuring that your website is running smoothly outside of your organization and outside of your so-called bubble that you’re part of. This will make sure that your website is working perfectly and as expected for any website visitors that are coming to it.
So what do you do from here? Now that you understand the why, the what, and the how of WordPress and your website security, there are some options that you have. Number one, you can – and please don’t take this – you can ignore all the advice that I just mentioned, bury your head in the sand, and hope and pray that your website just stays great and is working fine. Like I said, please don’t go with this, it’s only a matter of time before something happens, there are some really easy quick wins that you can do with some of the items that I mentioned in this episode.
Number two, you can take the do-it-yourself approach, the DIY, and secure your site yourself. While this might be a great option for some on a tight budget or if you feel that you’ve got the skill set to be able to implement these changes, go for it, but ask yourself this: do you have the time and energy to keep up-to-date with all the changes and requirements that happen all the time with new vulnerabilities that come out almost on a daily basis, securing your website and WordPress all in one, and making that happen in a continuous way that keeps you protected?
Option three is to work with pros to ensure that your website remains secure and worry-free. The team at Wow Digital manages non-profit websites from security, firewall, malware, automated monthly, daily, hourly backups to keep you running smoothly and showcasing your organization in the light that it was meant to be. We also provide services for keeping your website up-to-date with the core, plugins, modules, and themes. These types of updates are really important because these are the ones that are typically the most vulnerable.
Are you interested in a website security checklist? Head over to wowdigital.com/008, which is for this episode, and you’ll have a link there to be able to download a one-page security checklist for your nonprofit.
So I hope you’ve enjoyed this episode and I’m looking forward to having you listen to the next ones that we’ve got coming up. If you’ve enjoyed this episode please leave feedback on iTunes or wherever you listen to this podcast, I’d love to hear your feedback and it would also help others find the show.
Be sure to check out the show notes for the episode, head over to wowdigital.com, click on podcast, and search for this episode number and you’ll find all the links, details, and other information that has been discussed in this episode.
Are there any other topics that you would like to hear about? Just send an email to firstname.lastname@example.org. Thanks for listening to the Non-profit Digital Success Podcast!