Why You Should Secure Your Small Website

Date aired: August 14, 2018

Have you ever thought that your website might not be so important, and just too small to need website protection of any kind? Time to think again! We will discuss some of the reasons why every website, big or small, needs security.

Joshua Hammer

Sales Operations Manager

Josh manages the sales chat team for Sucuri. When he is not reading about the newest hacks or delving into website security, he is at home playing board games with his family or video games with friends.

Questions & Answers

Question #1: Does the web host matter when it comes to who gets hacked?

Answer: Not really. Any host will work; however, some managed services will include security and make things harder for hackers.

Question #2: Are hackers out there just looking for the easy stuff, then combing the web hours a day just so they can pick a site?

Answer: It's all automated. A script is written that combs the web for any site using this version of WordPress or that version of Joomla; then you walk away, go to your day job, and let the scripts do the rest.

Question #3: Are all attacks random then?

Answer: Not all. Some are targeted but the vast majority of them are random.

Question #4: Is my website a target if a particular CMS or service runs on it and should I stay away from specific scenarios?

Answer: No. Like the PC vs Mac thing. It's not that Mac is immune to hacks, it's that it is a less used system. If I have a pool of 800 people vs a pool of 400 people, I will go after the 800. More opportunity, right? So the higher the market share, the more of a target. That being said, an updated WordPress install is still more secure than many homemade sites.

Question #5: If hackers run a script to find my backups folder, will it help if I rename it, even if it is stored in my public_html container?

Answer: Security through obfuscation is a failed concept – "if they can't see me they can't attack me" :-P It's a folder and a file. It does not matter what the file is; it can still be infected. Offsite is much safer. When scripts upload or attack, they upload to all files or types of files... the name means very little :-(


Transcript

Name: Joshua Hammer - Title: Sales Operations Manager

Hey everybody. Once again this is Joshua Hammer. I'm a sales operations manager here at Sucuri. A little bit about me if you haven't seen the other webinars, I've been here for about four years. Once again, the sales operation manager, married to a beautiful wife with two little girls. And I love games, video games, board games, even security is a game. So let's have some fun and learn a little something.

So today, we're going to go over hacker motivation, the age-old question of "Why me?", why your single-page site is important to secure, and easy and cheap prevention tips. So that brings the question, "Why me?" Why were you targeted? Well, why are hackers targeting you? Why are hackers hacking? Well, money. There's a lot of money out there. Redirects can give them money. There are some black hat SEO companies out there that boost your SEO ranking by hacking other sites. Not saying it's common, but they are out there. Pharmaceutical hacks, of course you know, the ever-popular Viagra hacks.

Crypto mining is a big one right now. So they can use your server's resources to mine for Bitcoin. Or there's data theft out there. Why else do they hack? Well, they do it for credibility. Of course they can hack the sites and show their friends, "Hey, look what I did." Or show the different hackers in the community, "Hey, look. My name's on that site." Maybe they do it just for the lulz. They do it because it's fun. They find a little secret or a tip and they can go in there and just hack it.

So one of the big questions and one of the big thought processes out there is that the hackers are out there looking for you. They target the sites individually.

So, "My site's not important. They're not going to target my site, so I don't have to worry about it." But that's just a myth. The truth is that it's bots. I mean if you look, 21.8% of the traffic out there are bad bots. 20.4% are good bots. Just taking a look at that, that means that 42% of the traffic out there is bots. It's almost half of the traffic on the internet is just computers. So these hackers, do they target sites? I'm sure some of them do, but for the most part it's just bots that are sent out there looking for vulnerabilities. When they find one, that's when the hackers come in and attack.

So who gets targeted? Well, the low-hanging fruit. Humans like order. We like to pick the path of least resistance, right? So the hackers are the same way. They're going to go after whatever's easiest to obtain. If we take a look at some sites, I mean you've got your mom and pop website. These are the ones built at home or by a small developer. They're left alone. They're not managed. There's no security. Maybe if there is security, it's a small, free plugin.

On the other side of that, you've got the big business website. They're built by a large team. They're managed. They have a plan for updates. They have a test site, a live site. The security is there. It's always up to date. They pay for protection. They've got an in-house team protecting the site.

So if you had these two sites and both of them could make you money, which site would you attack? I don't know about you, but it's going to take me a heck of a lot less time to probably target that mom and pop site than it would be to target Walmart's site. It's going to be easier for me to get that vulnerability on the mom and pop site. So the path of least resistance? Mom and pop websites. The small websites. So that brings us to, "Come on. I'm not made of money. What am I supposed to do here? I've got to protect my sites. I've got to do something. But I can't throw tons of money at it. I don't make the money that Walmart makes." So there's different things. You've got backups. You've got plugins. You've got the web application firewalls, updates, all of this stuff. But let's look at them a little bit more closely.

So backups. Big key here for the backups is rolling off-site backups. I'm going to say it again. Off site. So I can't tell you how many times when we go to clean a site, we see a backup folder right on the host. Horrible idea. If I'm in there and I'm playing around and I'm hacking your site, and your backups are sitting right there in the same folder, yeah, I'm just going to upload some malware into the backups too. When you restore, you're restoring my malware. Fantastic. Thank you. You've got to get them off site.

The nice part is, there's tons of plugins out there for WordPress, Joomla, Drupal, all those. They all have backup plugins. Some of them are free. You could download it right to your own computer, to a different server. You can pay companies to do it. Of course I'm going to say, "Hey. Come to Sucuri. We'll do it for you." We offer backups for $5 a month. It's a 90-day rolling backup. So if you need to go back 15 days, we got it for you. If you need to go back 19 days, we got it. You need to go back three months, we got it for you. Now, it's an add-on. It's not something that we do by itself. You've got to have one of our other products, but it is an option out there.

What else can we do? We can get some security plugins. The plugins out there, there's tons of security plugins. Our plugin, which of course I know the most about, is a free plugin for WordPress. It monitors simple changes. If you update WordPress, is it going to alert you? Absolutely. The files have changed, so it's going to tell you, "Hey. The files changed." If you go, "Well, I just updated WordPress. Makes sense. Files changed." But if you haven't touched it in like two months, haven't done anything, and all of a sudden you're getting alerts that files changed, that may be a key. I may want to restore to a backup or I may want to take a look and see what's going on there. Once again, knowledge is power here.

What else can we do? Well, firewall. A web application firewall. So there are tons of firewalls out there. Everybody's got a firewall. Your host has a firewall. Heck, if you're watching this video, I guarantee you there's a firewall on your computer and you probably even have a second firewall that's your router, your modem in the other room. They're both firewalls, but they're both designed for different things. Your host's firewall is designed to protect the server. Your site is not the server. It's completely different. So a firewall on your computer won't protect your website because it's designed differently; different things attack computers and websites. A web application firewall's designed to protect your website. Most of them, they're inexpensive. Our plans start at $10 a month, go up from there. But any kind of web application firewall's going to help you out. It'll protect your site if it's a good firewall, even if your site's out of date, it'll virtually patch your site for you. That way you can take your time for your updates. They're relatively easy to install. At $10 a month, they're pretty inexpensive.

I'm going to flash back to one of our other webinars that we did not too long ago about cross-site contamination. Guys, if you're just protecting one site on your host with a web application firewall, all those other sites are just back doors. So you want to make sure you protect every site on your host.

So what else? Update. Updates are fantastic. You'll hear us say this over and over again in our blog posts, online in tweets, and on all of our webinars. Keep your stuff up to date. However, you've got to have an update plan. How often are you checking for updates? Just saying that my site's up to date, how often do you check that? Do you have a system in place for it? Do you have somebody whose job is to check it every 10 days? Or maybe it's your job. Do you have a calendar reminder to make sure you check for updates? Do you just hit a button to update it or do you have a test site that you update first, see if it breaks anything, and if it doesn't break anything, then you update your main site?

If you're using a test site, do you have a web application firewall that is in place that protects your site for those 10, 15 days until you update your main site? Because during that time, basically when a security update comes out, what it's doing is saying, "Hey guys, we have a vulnerability on our stuff. Hey, everybody out there. Vulnerability." If you're not updating it right away, they just announced that these are the vulnerabilities we patch, so anybody who's out of date, guess what, these are the vulnerabilities you can use.

In there with the update plan, I threw in a password manager because ... You know, it's funny to me. I'm still seeing passwords out there that are still ABC123 or password. I think there's an old hacker movie that said the most common passwords are like love, god, sex, they're still being used. Heck knows why.

I put in this old password, this is one that a company I used to work for a long time ago said, you know what, we're going to make everybody's password their last name, their first initial, and a number. Hammerj1. Hey, it's easy to remember, right? Well, guys out there, there's password managers out there. 1Password is one of them. The one that a lot of us here at Sucuri use is LastPass. They're easy. LastPass is the one I use, so I know more about it. $12 a year and you can sync it with your phone, keep all of your passwords on your phone. I don't even know what my passwords are. They're this weird combination of letters, numbers, symbols, all that, that are like 20 to 30 digits long that are impossible to crack. But impossible to remember, so LastPass is my key for all of those.

So hopefully this gives you an idea here that the "Why me?" question, it wasn't you. It was the path of least resistance. Once again, since this'll be my last webinar for a little while, I want to give out some more prizes. So I picked at random five people from today. I'm going to go ahead and shoot you out a website firewall trial. Jose Colito, Julie Vargo, Kuno Gupta, Paul Fiello, Adrena Baduna, not only did I botch your names, but I will get an email to you and shoot out that firewall trial.

So if you guys have any questions, comments, concerns, wise cracks, send them to me. I'm happy to answer all of them for you.
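The file-change monitoring the transcript describes (take a baseline, then treat changed files as a signal when no update was run) together with its point about keeping anything restorable off the host, as an added example that is not Sucuri's plugin or any code from the webinar: a small Python monitor that hashes every file under a site root, stores the baseline outside the web root, and classifies files as added, removed or modified since the baseline. The site layout, file names and the temporary directories it builds are constructed for the demo; the `exclude` parameter is an assumption for sites with a cache directory that churns on every request.

```python
"""File-change monitor for a small site (added example; not Sucuri's plugin).

Build a baseline of file hashes, then report anything added, removed or
modified since that baseline. Run it from cron; if it reports changes on a
day when nobody updated anything, look at the site or restore a backup."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, exclude=()):
    """Map every file under root (relative POSIX path -> hash).

    `exclude` (assumed parameter) lists relative directory prefixes to skip,
    e.g. a cache directory. Nothing is excluded by default: uploads and theme
    folders are exactly where unexpected files tend to appear."""
    root = Path(root)
    files = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == ex or rel.startswith(ex.rstrip("/") + "/") for ex in exclude):
            continue
        files[rel] = hash_file(path)
    return files


def save_baseline(baseline, baseline_path):
    """Write the baseline as JSON. Keep this file outside the web root, ideally
    off the host like the backups: a baseline stored next to the site can be
    rewritten by whoever modified the site."""
    Path(baseline_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(baseline_path):
    return json.loads(Path(baseline_path).read_text())


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def has_changes(changes):
    return any(changes.values())


def run_demo():
    """Constructed scenario: a tiny fake site, a baseline, then three changes
    made without any update. Returns the compare() result and prints a report."""
    site = Path(tempfile.mkdtemp(prefix="demo-site-"))
    state = Path(tempfile.mkdtemp(prefix="demo-state-"))  # outside the web root
    (site / "wp-includes").mkdir()
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (site / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y';\n")
    (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed jpeg")

    baseline_file = state / "baseline.json"
    save_baseline(snapshot(site), baseline_file)

    # No update was run, yet three things change: one core file edited, one
    # unexpected PHP file in uploads, one core file gone.
    (site / "index.php").write_text("<?php /* altered */ require 'wp-blog-header.php';\n")
    (site / "wp-content" / "uploads" / "unexpected.php").write_text("<?php /* constructed */\n")
    (site / "wp-includes" / "version.php").unlink()

    changes = compare(load_baseline(baseline_file), snapshot(site))
    for kind, paths in changes.items():
        for rel in paths:
            print(f"{kind.upper():9} {rel}")
    return changes


if __name__ == "__main__":
    run_demo()
```

The report is only as trustworthy as the baseline: refresh it right after a deliberate update (so the next run does not alert on your own changes), and keep the JSON somewhere the site's own web user cannot write to.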

