Website Security Explained for Beginners
For the last year or so the amount of my time that has been spent on security issues has significantly increased. I spend time updating and malware scanning sites. I spend time explaining to authors measures they need to take to ensure that their sites are safe. I spend a lot of time explaining to authors why they need to take these measures!
If I had a dollar for every time an author told me that they don’t think they need to be overly concerned about their site’s safety, I’d be a millionaire…well, not really…but you get the picture.
Hacking into a website is largely a crime of opportunity. Most break-in attempts are automated scans that neither know nor care whose site they are hitting, so everyone is potentially at risk – you don’t need to be famous to be a target – everyone is a target to one extent or another.
In today’s post we’re going to talk about two different security issues.
Brute Force Attacks
Theme or Plugin weaknesses
1) Brute Force Attacks
We’re going to start with an explanation of Brute Force Attacks. I read a lot of technical stuff each week and one blog that I follow quite closely is Wordfence. Wordfence is a company that provides the free plugin that I use on many of the sites that I monitor. It has a number of security features that I like to take advantage of. I like the blog as they regularly post about security issues in somewhat understandable language. In a recent article, they posted a definition that I’ll share below:
What’s a Brute Force Attack?
Fundamentally, a brute force attack is exactly what it sounds like: a means of breaking into the back end of a website with relentless successive attempts. With a brute force attack on WordPress websites, a hacker attempting to compromise your website will attempt to break into your site’s admin area by trial and error, using thousands of possible username/password combinations. This is usually accomplished with automated software specifically designed to generate and then try countless combinations one after the other, over and over, with the aim of finding a needle-in-a-haystack combination that will let them into your WordPress admin area. From there, they can wreak havoc on your site to their hearts’ desire.
Quote from Wordfence
The article goes on to explain that the automated software that they talk about is something that a very basic programmer could create – this isn’t fancy coding.
Why would someone do this? The article goes on to outline some of the reasons:
Defacement or destruction of your site (malicious)
Malware distribution (your site could be taken over to distribute malware elsewhere)
Spamvertising (your site could display spam or be used to link to other sites)
Redirection (visitors to your site could be redirected to an affiliate site to make money for the hacker)
Stealing system resources (hacker could use your hosting resources for their own)
Fun or a test of skill (bored kid)
The protection against this type of attack is fairly simple. For your login credentials, use something other than “Admin” or “Administrator” as the username, and use a long, complex password that you don’t use anywhere else (a password manager makes this painless). Two caveats are worth knowing. First, a non-default username only helps a little, because WordPress usernames can often be discovered (for example from author archive links), so the password is what really carries the load. Second, a plugin that limits failed login attempts and locks out the source (the Wordfence plugin mentioned above does this) stops the guessing long before thousands of combinations can be tried.
[Two graphics from the daily stats for one of the author’s sites: countries with blocked users (top) and the blocked IP addresses (bottom).]
I’ve posted the above two graphics to indicate the severity of these attacks. These two graphics are taken from the daily stats for one of my sites. The top graphic shows the countries that have had users blocked by my site and the bottom graphic shows the specific IP addresses that have been blocked. These graphics were taken on different dates and I chose them to illustrate a few things.
a) not all hackers live in Russia or Ukraine
b) certain computers/people try over and over again to get into sites
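The two observations above (repeated attempts from the same address, coming from many countries) are exactly what a login-failure detector looks for. The script below is an added example written for this post; it is not code from the original article and not Wordfence’s code. It assumes the common Apache/Nginx “combined” access-log format and relies on a real WordPress behaviour: a failed login POST to wp-login.php returns HTTP 200 (the form is redrawn with an error), while a successful one answers 302 (a redirect into wp-admin). The log lines, IP addresses (RFC 5737 documentation ranges) and the 5-failures-in-10-minutes threshold are constructed for the demonstration.

```python
"""Spot brute-force login attempts against wp-login.php in a web server access log.

Added example; not code from the original post and not Wordfence's code. Assumes the
Apache/Nginx "combined" log format and the WordPress behaviour that a failed login POST
to wp-login.php returns 200 (form redrawn) while a successful one returns 302.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One "combined" log line: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """A POST to wp-login.php answered with 200 means the form came back: wrong credentials."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failed_logins} for every IP that produced at least `threshold`
    failed logins inside any `window`-long period (sliding window per IP).
    Lines are assumed to be in chronological order, as a log file is."""
    recent = defaultdict(deque)    # ip -> timestamps of failures still inside the window
    total = defaultdict(int)       # ip -> all failures seen, for the report
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ip, ts = rec["ip"], rec["ts"]
        total[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: total[ip] for ip in sorted(flagged)}


# Constructed sample log: one address hammering the login form, one legitimate login
# (302 after a single POST), and one slow trickle that never reaches the threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2017:13:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2187 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2017:13:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2017:13:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2017:13:02:14 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2017:13:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2017:13:02:16 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2017:13:02:17 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2017:13:05:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2187 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2017:13:05:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2017:13:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2017:13:41:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2017:14:12:57 +0000] "POST /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, n in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins in a short burst - block this address")
```

Two things to keep in mind when running something like this on a real site. If the site sits behind a CDN or reverse proxy, the first field of the log is the proxy’s address, and the real client address has to be taken from the X-Forwarded-For header the proxy adds, or every visitor ends up sharing one count. And a per-IP threshold is blind to an attack spread thinly across many addresses, which is what the “countries blocked” graphic shows; for that case the same sliding window should also be kept per targeted username, which is what a lockout plugin does on the server side where the username is visible.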
2) Theme or Plugin weaknesses
A theme is something that is added to your website to determine the overall look and feel. It determines where information will be placed, the font used, the colors, etc. Plugins are extra bits of code that can be added to a website to provide a specific piece of functionality. Plugin is the name that WordPress uses, but this type of functionality exists with most types of websites. Plugins can be free or they can be purchased.
Both themes and plugins need to be kept up to date, for a variety of reasons. Most importantly, as time goes on, vulnerabilities are found in their code that need to be fixed.
Just like what happened with the WannaCry incident a short time ago, hackers can take advantage of identified weaknesses and gain access to a website. WannaCry took advantage of a weakness in the Windows operating system for which Microsoft had already released a fix; the machines that were hit were the ones that hadn’t installed it. The principle is the same with themes and plugins: the fix is usually available, and the sites that get hurt are the ones that didn’t apply it.
Just because you aren’t aware of a weakness doesn’t mean it isn’t widely known online. A quick search produced lists of plugins with known weaknesses, along with the number of times each was attacked in May of this year. If I can find these lists, hackers can as well.
[Graphic: A selection of themes with known weaknesses and the number of times they were attacked in May of this year.]
As users of technology, we don’t need to understand why these are weaknesses; we just need to understand that they have issues and that we need to actively keep our sites up to date, so that a weakness that has already been fixed can’t be used against us.
Developers of themes and plugins who are actively maintaining their product become aware of weaknesses discovered in it, and most actively work to remove the weak point and issue a new version. A sad fact is that many plugins and themes are abandoned by their developers, and at that point there is no one to repair the weakness for you; an update will never arrive, so the plugin has to be removed or replaced.
More on what to do if you have a theme or plugin that has been abandoned in a future post.
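The check a practitioner would automate for the two problems above (a plugin running a version below the fixed one, and a plugin nobody has updated in a long time) looks like the script below. It is an added example written for this post, not code from the original article or from WordPress. The header block it parses is the real format WordPress reads from a plugin’s main PHP file (“Plugin Name:” and “Version:” lines inside a comment); everything else, the plugin names, versions, last-update dates, the advisory list and the one-year “stale” cut-off, is constructed for the demonstration. A real audit would feed in the contents of the plugins directory and a vulnerability feed such as the lists described above.

```python
"""Audit installed WordPress plugins for known-vulnerable versions and signs of abandonment.

Added example; not code from the original post or from WordPress. The header format is the
real one WordPress reads; plugins, versions, dates and advisories below are constructed.
"""
import re
from datetime import date

# Matches "Plugin Name: X" or "Version: X" lines, with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def parse_plugin_header(php_source):
    """Pull 'Plugin Name' and 'Version' out of the header comment of a plugin's main file."""
    fields = dict(HEADER_RE.findall(php_source))
    return fields.get("Plugin Name"), fields.get("Version")


def version_tuple(version):
    """'1.10.2' -> (1, 10, 2). Needed because plain string comparison says '1.10.2' < '1.9.0'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def audit(installed, advisories, today, stale_after_days=365):
    """Return [(slug, status, detail)] for plugins that are known-vulnerable or look abandoned.

    installed:  {slug: (main_file_source, last_update_date)}
    advisories: {slug: fixed_in_version or None}. Versions below fixed_in are vulnerable;
                None means no fixed release exists, so every version is vulnerable.
    """
    findings = []
    for slug, (source, last_update) in installed.items():
        name, version = parse_plugin_header(source)
        if version is None:
            findings.append((slug, "UNKNOWN-VERSION", "header has no Version line"))
            continue
        if slug in advisories:
            fixed_in = advisories[slug]
            if fixed_in is None:
                findings.append((slug, "VULNERABLE-NO-FIX",
                                 f"{name} {version}: no patched release exists; remove or replace it"))
            elif version_tuple(version) < version_tuple(fixed_in):
                findings.append((slug, "VULNERABLE",
                                 f"{name} {version}: update to {fixed_in} or later"))
        if (today - last_update).days > stale_after_days:
            findings.append((slug, "STALE",
                             f"{name}: last updated {last_update}, may be abandoned"))
    return findings


def plugin_main_file(name, version):
    """Build a minimal plugin main file with the real WordPress header layout (constructed data)."""
    return f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n"


# Constructed inventory and advisory list; none of these plugins or advisories are real.
INSTALLED = {
    "acme-gallery": (plugin_main_file("Acme Gallery", "2.3.0"), date(2017, 4, 20)),
    "fast-forms": (plugin_main_file("Fast Forms", "1.10.0"), date(2017, 5, 2)),
    "oldschool-seo": (plugin_main_file("Oldschool SEO", "3.2"), date(2014, 1, 15)),
    "tidy-widgets": (plugin_main_file("Tidy Widgets", "4.0.1"), date(2017, 5, 28)),
}
ADVISORIES = {
    "acme-gallery": "2.4.1",   # versions before 2.4.1 are vulnerable; a fix is available
    "fast-forms": "1.9.0",     # 1.10.0 is newer than 1.9.0, so it is already fixed
    "oldschool-seo": None,     # vulnerable and never fixed
}
TODAY = date(2017, 6, 1)       # fixed "today" so the run is reproducible


def run_audit():
    """Run the audit over the constructed inventory."""
    return audit(INSTALLED, ADVISORIES, TODAY)


if __name__ == "__main__":
    for slug, status, detail in run_audit():
        print(f"{status:18} {slug}: {detail}")
```

The version comparison is the part people get wrong by hand: “1.10.0” looks older than “1.9.0” if you compare the strings, which would send you off updating a plugin that is already fixed. The “STALE” result is only a hint, not proof of abandonment, but a plugin that hasn’t seen a release in over a year and also appears on a vulnerability list is the combination that leaves you with no update to install.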
*****
Thanks for reading today’s post. Feel free to send me a contact note or subscribe to my blog using the widget over there on the right >>>.
As I wind down the school year and make plans for work to accomplish this summer – my eyes are on updating my current books and perhaps work on putting together more YouTube videos and a new course. To keep up to date, subscribe to this blog or subscribe to my newsletter.
The book that was highlighted to my newsletter subscribers this week was my latest:
The Complete Mailing List Toolkit
Is a broken mailing list holding back your author career? Discover how to transform your marketing and attract dedicated readers.
Does emailing your subscribers feel like shouting into the void? Are you struggling to come up with newsletter ideas that resonate with readers? Author consultant Barb Drozdowich has spent decades teaching writers how to navigate the technological pitfalls of publishing. Now, she’s here to help you master your mailing list.
The Complete Mailing List Toolkit provides a holistic approach to reader engagement through the power of direct communication. This bundle of four essential books provides strategies for list building and step-by-step guidelines for creating content that turns readers into lifelong fans. Through a series of easy-to-follow explanations, you’ll finally discover how to optimize your use of MailChimp and revolutionize your author platform.
In The Complete Mailing List Toolkit, you’ll discover:
How to create attractive newsletters your readers will eagerly anticipate
How to troubleshoot deliverability issues so you can reach more readers
How to understand and measure open and click rates to gauge your success
How to tailor your message to meet the needs of your unique audience
Why quality engagement matters more than subscriber quantity, and much, much more!
The Complete Mailing List Toolkit is your how-to guide for mastering email outreach and connecting with more fans. If you like practical solutions, down-to-earth explanations, and empowering guidance from an industry expert, then you’ll love Barb Drozdowich’s career-changing box set.
Buy the box set today to jumpstart a new phase of your author career!
Available on Amazon
The post Website Security Explained for Beginners appeared first on Bakerview Consulting.