Blogging: I Got Hacked And So Can You

20 Actionable Security Tips To Keep Your Site Safe

It’s not just large, high-profile retailers like Target and Neiman Marcus that get hacked. You can too.

The Target, Neiman Marcus and other retail breaches were the result of malware written by a 17-year-old Russian from St. Petersburg. To be clear, he didn’t hack the stores’ systems himself. He sold his malware kit for $2,000 a copy on the black market.

Over the weekend, the Actionable Marketing Guide website was hacked. Unlike major retailers where customers’ financial information was exposed, this site’s hacker(s) posted a racy ad under the header on each page.

We were lucky. My webmaster estimates that the break-in occurred less than 12 hours before we knew about it. He was able to locate and replace the compromised files quickly. We then changed usernames and passwords to prevent a recurrence.

This hacking wasn’t personal. Like Target and Neiman Marcus, it was about financial gain and experience. But it’s a warning for other bloggers and website owners. Hacking can happen to you.


20 Actionable security tips to keep your site safe from hackers

So what can you do to reduce your blog or website’s exposure to hacking attacks?

Administrators and other users

  1. Never call your admin user “Admin”. This is the first username an attacker will try.
  2. Don’t use real names for the people who have administrative privileges on your website. Don’t use anything that can be found on your site, in a directory or on a social media profile.
  3. Have a backup administrator in the event that your admin is on vacation or unable to act quickly to restore your site.
  4. Keep the number of users and respective privileges limited. Don’t give your guest bloggers admin or editor privileges.
  5. Make sure that you have a level of redundancy. As with your administrator, ensure that someone within your organization can handle the system in case of an emergency or if the people in charge aren’t available.
  6. Remove people from your systems once they leave your organization. For companies, this should be part of your HR notifications. This is particularly important if the parting isn’t amicable.

Passwords

  1. Skip words that can be found in a dictionary. Skip birthdays and spouses’ and children’s names.
  2. Don’t use the same password across multiple sites. This is particularly important for people in your organization who work on more than one site.
  3. Don’t use a common password for everyone in a firm or department. The worst case is using something as universal or guessable as “Password” or your firm’s street address (150Madison).
  4. Don’t make your passwords so complex that people can’t remember them. When I worked for a major international bank, this was a common problem, and where did employees store their passwords? On a Post-it under their blotter.
  5. Use at least 8 characters for your passwords. Include a combination of upper and lower case letters, numbers and symbols.
  6. Understand your risks. Realize that signing into sites with a social media profile, or allowing a website to read information from your computer or your social media login, can compromise your information.
  7. Update/change passwords on a regular basis. Even if you think you’ve kept your passwords safe, you can’t be 100% certain that they’re not on some old backup disk or in an old email archive.
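As an added illustration of the rules in this section (not part of the original post), here is a small Python checker that enforces the length and character-class rules and also rejects a password built on a dictionary word or on a word that could be harvested from the site itself, even when it is padded with digits and symbols. The word lists are constructed sample data; a real deployment would use a full dictionary and words harvested from the site.

```python
import re
import string

MIN_LENGTH = 8

# Constructed sample word lists for this example. On a real site SITE_WORDS would be
# harvested from the site itself (author names, firm name, street address) and
# COMMON_WORDS would come from a full dictionary or breached-password list.
SITE_WORDS = {"heidi", "cohen", "riverside", "madison", "rockwell"}
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}


def strip_padding(password):
    """Lower-case the password and drop leading/trailing digits and symbols,
    so that 'Rockwell123!!!' reduces to the guessable core 'rockwell'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def check_password(password, site_words=SITE_WORDS, common_words=COMMON_WORDS):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")

    # Tip 5: upper and lower case letters, numbers and symbols.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Tip 1: a dictionary word does not become safe by adding "1!" on the end.
    if strip_padding(password) in common_words:
        problems.append("dictionary word plus padding")

    # Tip 3: anything findable on the site (names, street address) is guessable,
    # wherever it sits inside the password.
    lowered = password.lower()
    hits = sorted(w for w in site_words if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains site-related word(s): " + ", ".join(hits))
    return problems


def is_acceptable(password, **word_lists):
    """True when the password meets every rule above."""
    return not check_password(password, **word_lists)
```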

Communications

  1. Don’t send usernames and passwords via email. If you have no other option, send the username and passwords in separate emails. Especially don’t put the word “Password” in the subject line.
  2. Limit communications to one person at a time. For example, don’t send a list of people an email with the same password.
  3. Always change passwords sent by third parties. This includes a range of services such as your hosting company.
  4. Have a crisis plan. Be ready to respond quickly to any issue.

Backup

  1. Make sure that you regularly back up your files and database (if your website has one). If you have a technology department that’s responsible for this, this is a good time to go over and talk with them. If you don’t have a technology department, call your technical support person and decide how you should handle backups and where they should be stored. (Note: This is important in case of other emergencies such as a fire.)
  2. Have the contact information for the person who can restore your files if necessary. Make sure that the appropriate people can get in touch with this person, especially if it’s at night or on a weekend.

Software

  1. Upgrade important software whenever there’s a new release. To this end, make sure that any blogging or other marketing sites are part of your technology department’s checklist. The reason for this is that when a new release is made public, its release notes announce the security holes that have been fixed, so attackers learn exactly where to look on websites that are still running older versions.

Realize as I did that hacking isn’t about you. There are people and bots out there that consider this a challenge and will try this just because they can.

Happy Marketing,
Heidi Cohen


Heidi Cohen is the President of Riverside Marketing Strategies. You can find Heidi on Facebook.

For those of you in Raleigh, NC, please join me for Internet Summit November 11th through 13th. Use the code HEIDI50 to save $50 off any pass level.


Photo Credit: http://www.flickr.com/photos/svenjajan/3128894157

  • FromPushToPull

    Thanks for sharing your experience, Heidi. This is valuable to know and this is a good list of safeguards to implement. I have found that blocking spammers’ IP addresses is also helpful to prevent the same spammer from repeat abuse.

  • http://www.shannonhutcheson.ca/ Shannon

    I just don’t understand why people *still* use easily guessed passwords. Not to suggest that’s what happened to your site. But people tend to use the same password everywhere they go online. All that does is ensure that the hacker gets to log in to ALL of your accounts.

    I use Roboform. It’s a safe and secure no-brainer way to generate and remember very strong passwords. No keylogger will benefit from my browsing habits. One click and I’m logged in to whatever site I belong to. No typing, or remembering, passwords.

  • http://www.monicawomble.com/ Monica Womble

    I just wish that hackers and people who do similar activities would channel that energy and time into something useful and productive. This world would be such a better place. Glad you got everything worked out!

  • Rob Newman

    My customer’s site was hacked even though he used a complex password. He’s a painter whose style reflects Norman Rockwell. His password was “Rockwell123!!!” He was shocked that his password was discovered.

    I explained that a “person” didn’t sit there and guess his password. Instead, a malicious computer program tried logical password possibilities. A website with a strong Norman Rockwell influence could probably contain a password that was also influenced by the same famous painter. Adding a sequence of numbers and special characters to the end of a password is a very common practice.

    My advice: Think of a combination of letters, numbers and special characters, mix ‘em all up, and then use that jumbled mess as your password.

  • http://pvariel.blogspot.in/ Philip Verghese Ariel

    GREAT TIPS HERE
    PASSWORD THING
    IS REALLY GREAT
    BEST
    REGARDS
    SAVING IT