Blogging: I Got Hacked And So Can You

20 Actionable Security Tips To Keep Your Site Safe

It’s not just large, high-profile retailers like Target and Neiman Marcus that get hacked. You can too.

The Target, Neiman Marcus and other retail hackings were the result of malware created by a 17-year-old Russian from St. Petersburg. To be clear, he didn’t actually hack the stores’ systems. He sold his hacking kit for $2,000 a copy on the black market.

Over the weekend, the Actionable Marketing Guide website was hacked. Unlike major retailers where customers’ financial information was exposed, this site’s hacker(s) posted a racy ad under the header on each page.

We were lucky. My webmaster estimates that the break-in occurred less than 12 hours before we knew about it. He was able to locate and replace the compromised files quickly. We then proceeded to change usernames and passwords to prevent a recurrence.

This hacking wasn’t personal. Like Target and Neiman Marcus, it was about financial gain and experience. But it’s a warning for other bloggers and website owners. Hacking can happen to you.

20 Actionable security tips to keep your site safe from hackers

So what can you do to reduce your blog or website’s exposure to hacking attacks?

Administrators and other users

  1. Never call your admin user “Admin”. This is the first thing that a hacker will try.
  2. Don’t use real names for the people who have administrative privileges on your website. Use nothing that can be found on your site, in a directory or on a social media profile.
  3. Have a backup administrator in the event that your admin is on vacation or unable to act quickly to restore your site.
  4. Keep the number of users and respective privileges limited. Don’t give your guest bloggers admin or editor privileges.
  5. Make sure that you have a level of redundancy. As with your administrator, ensure that someone within your organization can handle the system in case of an emergency or if the people in charge aren’t available.
  6. Remove people from your systems once they leave your organization. For companies, this should be part of your HR notifications. This is particularly important if the parting isn’t amicable.

Passwords

  1. Skip words that can be found in a dictionary. Skip birthdays and spouses’ and children’s names.
  2. Don’t use the same password across multiple sites. This is particularly important for people in your organization who work on more than one site.
  3. Don’t use a common password for everyone in a firm or department. The worst case is using something as universal or guessable as “Password” or your firm’s street address (150Madison).
  4. Don’t make your passwords so complex that people can’t remember them. When I worked for a major international bank, this was a common problem—and where did employees store their passwords? On a Post-it under their blotter.
  5. Use at least 8 characters for your passwords. Include a combination of upper and lower case letters, numbers and symbols.
  6. Understand your risks. Realize that signing into sites, or allowing a website to see information from your computer or to log in to a social media profile, can compromise your information.
  7. Update/change passwords on a regular basis. Even if you think you’ve kept your passwords safe, you can’t be 100% certain that they’re not on some old backup disk or in an old email archive.
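As an added illustration (not code from the original post), here is a small Python audit that checks one account against tip 1 under Administrators and tips 1, 3 and 5 under Passwords; it also flags the “word plus digits and symbols” padding that passes a character-class rule but is still an easy guess. The word list and the rule names are constructed assumptions, not a real dictionary or an existing tool.

```python
import re
import string

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words);
# a real audit should load the full list instead of these few entries.
COMMON_WORDS = {"password", "welcome", "rockwell", "madison", "summer", "letmein"}

# Default account names that automated login-guessing tools try first (tip 1).
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root", "test"}

MIN_LENGTH = 8  # tip 5


def base_word(password: str) -> str:
    """Strip leading/trailing digits and symbols to expose the underlying word.

    'Rockwell123!!!' -> 'rockwell': the padding satisfies a character-class
    rule, but guessing tools try word-plus-suffix combinations anyway.
    """
    return password.strip(string.digits + string.punctuation).lower()


def audit_credential(username: str, password: str) -> list[str]:
    """Return policy findings for one account; an empty list means none found."""
    findings = []
    if username.lower() in DEFAULT_ADMIN_NAMES:
        findings.append("username is a default admin name")
    if len(password) < MIN_LENGTH:
        findings.append(f"password is shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if not all(classes):
        findings.append("password does not mix upper, lower, digits and symbols")
    word = base_word(password)
    if word in COMMON_WORDS or (word and word == username.lower()):
        findings.append(f"password is '{word}' padded with digits/symbols")
    if re.search(r"(?:19|20)\d\d", password):
        findings.append("password contains a year (birthday-style pattern)")
    return findings


if __name__ == "__main__":
    # Constructed sample accounts; "150Madison" is the example from the post.
    for user, pw in [("admin", "Password1!"), ("heidi", "Rockwell123!!!"),
                     ("editor", "150Madison"), ("hcohen", "tr0ub4dor&3Xq")]:
        print(user, pw, audit_credential(user, pw) or "OK")
```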

Communications

  1. Don’t send usernames and passwords via email. If you have no other option, send the username and the password in separate emails. Especially don’t put the word “Password” in the subject line.
  2. Limit communications to one person at a time. For example, don’t send a list of people an email with the same password.
  3. Always change passwords sent by third parties. This includes a range of services such as your hosting company.
  4. Have a crisis plan. Be ready to respond quickly to any issue.

Backup

  1. Make sure that you regularly back up your files and database (if your website has one). If you have a technology department that’s responsible for this, this is a good time to go over and talk with them. If you don’t have a technology department, call your technical support person and decide how you should handle backups and where they should be stored. (Note: This is important in case of other emergencies such as a fire.)
  2. Have the contact information for the person who can restore your files if necessary. Make sure that the appropriate people can get in touch with this person, especially if it’s at night or on a weekend.

Software

  1. Upgrade important software whenever there’s a new release. To this end, make sure that any blogging or other marketing sites are part of your technology department’s checklist. The reason for this is that when new releases of software are made public, the release notes announce the security holes that have been fixed. Therefore, hackers learn where to look to hack websites that are still using older software versions.

Realize as I did that hacking isn’t about you. There are people and bots out there that consider this a challenge and will try this just because they can.

Happy Marketing,
Heidi Cohen


Heidi Cohen is the President of Riverside Marketing Strategies.


Photo Credit: http://www.flickr.com/photos/svenjajan/3128894157

  • FromPushToPull

    Thanks for sharing your experience, Heidi. This is valuable to know and this is a good list of safeguards to implement. I have found that blocking spammers’ IP addresses is also helpful to prevent the same spammer from repeat abuse.

  • http://www.shannonhutcheson.ca/ Shannon

    I just don’t understand why people *still* use easily guessed passwords. Not to suggest that’s what happened to your site. But people tend to use the same password everywhere they go online. All that does is ensure that the hacker gets to log in to ALL of your accounts.

    I use Roboform. It’s a safe and secure no-brainer way to generate and remember very strong passwords. No keylogger will benefit from my browsing habits. One click and I’m logged in to whatever site I belong to. No typing, or remembering, passwords.

  • http://www.monicawomble.com/ Monica Womble

    I just wish that hackers and people who do similar activities would channel that energy and time into something useful and productive. This world would be such a better place. Glad you got everything worked out!

  • Rob Newman

    My customer’s site was hacked even though he used a complex password. He’s a painter whose style reflects Norman Rockwell. His password was “Rockwell123!!!” He was shocked that his password was discovered.

    I explained that a “person” didn’t sit there and guess his password. Instead, a malicious computer program tried logical password possibilities. A website with a strong Norman Rockwell influence could probably contain a password that was also influenced by the same famous painter. Adding a sequence of numbers and special characters to the end of a password is a very common practice by people.

    My advice: Think of a combination of letters, numbers and special characters, mix ‘em all up, and then use that jumbled mess as your password.

  • http://pvariel.blogspot.in/ Philip Verghese Ariel

    GREAT TIPS HERE
    PASSWORD THING
    IS REALLY GREAT
    BEST
    REGARDS
    SAVING IT