Protect your website

There are many ways a website can be hacked or attacked. Here are some actions website owners can take to protect their sites.

Unusual visitor numbers

In your hosting control panel, you can view log analysis tools that report on website visits; AWStats is one of the most popular. On some of our sites we have found a high number of visits from a single IP address: 6,000 in 15 days. That’s 400 a day, and it can only be automated.

Whoever is behind it is unlikely to be up to anything good. They could be using your address to send spam or trying to gain access. On Google you can find lists of IP addresses with their locations and, sometimes, their reputation. The hosting control panel has a function to deny specific IP addresses, which blocks that IP. You can also block a range of addresses, which is wise because a bad IP may be only one part of a range.
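The check described above can also be run directly against a raw access log. The following is an added example, not part of the original article: it assumes the Apache/Nginx common log format, uses the 400 visits a day figure from above as its threshold, and treats a "range" as a /24 block, which is an assumption. The sample log lines are constructed and use documentation-only IP addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Common/Combined Log Format: client IP first, timestamp in brackets.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def parse(lines):
    """Yield (ip, date) per valid IPv4 line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m.group(1))
            day = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").date()
        except ValueError:
            continue
        if ip.version == 4:
            yield str(ip), day

def heavy_hitters(lines, per_day=400):
    """Return {ip: average requests per day} for IPs at or above per_day."""
    hits, days = Counter(), set()
    for ip, day in parse(lines):
        hits[ip] += 1
        days.add(day)
    span = (max(days) - min(days)).days + 1 if days else 1
    return {ip: n / span for ip, n in hits.items() if n / span >= per_day}

def ranges_to_review(flagged_ips, min_ips=2):
    """Group flagged IPs by /24 (assumed range size); return shared ranges."""
    groups = defaultdict(list)
    for ip in flagged_ips:
        groups[str(ip_network(f"{ip}/24", strict=False))].append(ip)
    return {net: sorted(ips) for net, ips in groups.items() if len(ips) >= min_ips}

def sample_log():
    """Constructed sample data: two busy IPs in one /24, one normal visitor."""
    lines = ["not a log line"]
    for day in (1, 2):
        stamp = f"{day:02d}/Mar/2024:10:00:00 +0000"
        for ip, count in (("203.0.113.7", 450), ("203.0.113.9", 400), ("198.51.100.4", 12)):
            lines += [f'{ip} - - [{stamp}] "GET / HTTP/1.1" 200 512'] * count
    return lines

if __name__ == "__main__":
    print(ranges_to_review(heavy_hitters(sample_log())))
```

A range that holds several flagged addresses is a candidate for a range block in the control panel; check who owns it first so that you do not block legitimate visitors or search engine crawlers.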

Passwords

Years ago it was common to set passwords as memorable words. But words such as names, birthdays, places, and website keywords are easy to guess and must be replaced by more secure passwords. Please use at least 8 characters and include upper and lower case letters, numbers, and symbols (@#$%, etc.). Passwords can still be made memorable by taking a word and separating the letters with numbers and symbols, or by replacing the letters with numbers and symbols. For example, Alexander can be &A!3x@nd3r#, but it would be even safer if it were just a jumble of characters.

Latest software version

Always update any website building software (such as WordPress) to the latest version. These software updates can be frequent and will close any loopholes hackers have found. We have found that websites running on older versions are the ones that get hacked.

Files that are hacked

If your website is found to be spamming, some hacker may have gotten lucky, guessed your password, and tampered with one or more of the website’s files to automatically send spam. This can cause your host to suspend your website.

To fix this, you need to change your password and use an FTP program or File Manager to find which files have changed by listing them in date order. Alternatively, you can reload the entire website from the copy on your computer or from your web designer. Or you can reinstall WordPress and import the exported MySQL database.

Insecure forms

Protect your site from hackers trying to guess a password by validating the login name and password together. Make the response say something like “The name or password is invalid” so the hacker doesn’t know which one is wrong.

Add Captcha to your forms. This is a script that requires the visitor to type characters from an image into the form, something an automated spam program cannot do. It stops hundreds of spam emails from the form.

Forms that allow file upload

Limit file upload extensions to image types (JPG, JPEG, GIF, PNG, etc.) to prevent executable files from being uploaded to your website. Have any uploads go to a folder outside of the website.

SSL

To keep any visitor’s personal data entered into a form secure, have your host install an SSL certificate. This should cover any forms with sensitive information such as credit card details or date of birth, driver’s license and any details that would allow for identity theft. This will cost a few dollars a year, but it will make your visitors feel better about completing such a form.

ModSecurity

Many web hosts have installed this security plugin in their firewall. It blocks any IP address from which multiple invalid login attempts have been made in a short period. This slows down any nefarious hacker trying to guess your username and password to log into your control panel, FTP, or email account. Unfortunately, the odd website owner who has a memory lapse can, by using the wrong password too often, get locked out of their own website. Fortunately, they can ask their host to unblock them.

Conclusion

It’s not a perfect world and even NSSA and FBI websites have been hacked, but anything you can do to stop hackers will help keep your website more secure and encourage visitors.
