20 Actionable Security Tips To Keep Your Site Safe
The Target, Neiman Marcus and other retail hackings were the result of malicious malware created by a 17 year old Russian from St. Petersburg. To be clear, he didn’t actually hack the stores’ systems. He sold his software hacking kit for $2,000 a copy on the black market.
Over the weekend, the Actionable Marketing Guide website was hacked. Unlike major retailers where customers’ financial information was exposed, this site’s hacker(s) posted a racy ad under the header on each page.
We were lucky. My webmaster estimates that the break-in occurred less than 12 hours before we knew about it. He was able to locate and replace the compromised files quickly. We then proceeded to change usernames and passwords to prevent a reoccurrence.
This hacking wasn’t personal. Like Target and Neiman Marcus, it was about financial gain and experience. But it’s a warning for other bloggers and website owners. Hacking can happen to you.
20 Actionable security tips to keep your site safe from hackers
So what can you do to reduce your blog or website’s exposure to hacking attacks?
Administrators and other users
- Never call your admin user “Admin”. This is the first thing that a hacker will try.
- Don’t use real names for the people who have administrative privileges on your website. Nothing that can be found on your site, directory or other social media profile.
- Have a backup administrator in the event that your admin is on vacation or unable to act quickly to restore your site.
- Keep the number of users and respective privileges limited. Don’t give your guest bloggers admin or editor privileges.
- Make sure that you have a level of redundancy. As with your administrator, ensure that someone within your organization can handle the system in case of an emergency or if the people in charge aren’t available.
- Remove people from your systems once they leave your organization. For companies, this should be part of your HR notifications. This is particularly important if the parting isn’t amicable.
- Skip words that can be found in a dictionary. Skip birthdays and spouses’ and children’s names.
- Don’t use the same password across multiple sites. This is particularly important for people in your organization who work on more than one site.
- Don’t use a common password for everyone in a firm or department. The worst case is using something as universal or guessable such as “Password” or your firm’s street address (150Madison).
- Don’t make your passwords so complex that people can’t remember them. When I worked for a major international bank, this was a common problem—and where did employees store their passwords? On a posit under their blotter.
- Use at least 8 characters for your passwords. Include a combination of upper and lower case letters, numbers and symbols.
- Understand your risks. Realize that signing into sites or allowing a website to see information from your computer or login to a social media profile can comprise your information.
- Update/change passwords on a regular basis. Even if you think you’ve kept your passwords safe, you can’t be 100% certain that they’re not on some old backup disk or in an old email archive.
- Don’t send usernames and passwords via email. If you have no other option, send the username and passwords in separate emails. Especially don’t put the word “Password” in the subject line.
- Limit communications to one person at a time. For example, don’t send a list of people an email with the same password.
- Always change passwords sent by third parties. This includes a range of services such as your hosting company.
- Have a crisis plan. Be ready to respond quickly to any issue.
- Make sure that you regularly back up your files and database (if your website has one.) If you have a technology department that’s responsible for this, this is a good time to go over and talk with them. If you don’t have a technology department, call your technical support person and decide how you should handle backups and where they should be stored. (Note: This is important in case of other emergencies such as a fire.)
- Have the contact information for the person who can restore your files if necessary. Make sure that the appropriate people can get in touch with this person, especially if it’s at night or on a weekend.
- Upgrade important software whenever there’s a new release. To this end, make sure that any blogging or other marketing sites are part of your technology department’s checklist. The reason for this is that when new releases of software are made public, they announce the security holes that have been fixed. Therefore, hackers learn where to look to hack websites that are still using older software versions.
Realize as I did that hacking isn’t about you. There are people and bots out there that consider this a challenge and will try this just because they can.
Join me & Kevin Spacey at Content Marketing World 2014 Meet me in real life at CMW 2014 in Cleveland.
BTW – Don't fret if you missed my session last year: Get all the content of CMWorld 2013 OnDemand now!
Now there are two ways to get Heidi Cohen’s Actionable Marketing Content by Email:
Subscribe to receive the full text of each new actionable marketing post delivered free, five days a week to your inbox.
Signup for the weekly Actionable Marketing Newsletter and get a roundup of of the week’s posts, plus extra content you won’t find on the website, plus a free e-book: What Every Blogger Needs to Know – 101 Actionable Blog Tips
Photo Credit: http://www.flickr.com/photos/svenjajan/3128894157