Cyber Security is something all SEO experts should keep in mind at all times. Those who have dozens, or even hundreds, of websites and online businesses know how important it is to keep each and every one of them as watertight as possible.
But is everyone in the SEO world taking care of their cyber hygiene? I'm afraid not.
Many imagine that cyber criminals are a bunch of cool people working from a dark basement full of awesome gadgets. They create code that looks like video games while wearing clothes taken straight out of a futuristic anime series.
The truth is, most of them are just regular guys sitting on their couch, eating crackers over their open laptops.
That being said, the majority of cyber attacks are not as elaborate as you imagine. In fact, you can prevent them just by following a few simple habits.
Most platforms nowadays claim to be continuously ramping up their safety measures and cyber security systems. Unfortunately, there are always ways around them. This is where individual responsibility plays a major role in protecting your most valuable assets: your websites.
So, let’s talk about some easy ways to make sure your sites are protected. Here are the 5 most common types of cyber attacks.
Cyber Security 101: Password Strength
In this day and age, this should be painfully obvious: "1234" or "password" are not strong passwords.
Passwords made of real words and plain numbers are relatively easy to guess, and they leave sites open to dictionary or brute force attacks.
A dictionary attack is when a hacker grabs a word database. Often, that database is just an old leaked password list. The hacker tries every entry in it (and combinations of entries) on your login page, hoping to one day hit the jackpot. It may sound impractical, but with the right bot a hacker can make millions of attempts per minute while sipping his favorite Starbucks latte and watching old torrented reruns.
The same goes for brute force attacks. They're a bit less elegant, but use the same principle: a bot tries every letter/number/symbol combination on your login page. Theoretically, anyone can eventually guess any password this way. However, the longer the password, the harder it gets. (Note: this is 2020, and it is no longer politically correct to use Michael Scott's jokes. But that's what she said.)
This is why most password generators recommend using a combination of letters, numbers and symbols, and passwords at least 12 characters long. Every additional character multiplies the number of combinations a bot has to try, so the difficulty of guessing your password grows exponentially with its length.
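To put numbers on the two points above (a dictionary lookup and the exponential growth of the search space with every extra character), here is a small added Python example. It is not code from the original post; the character-class sizes, the tiny stand-in wordlist, the one-million-guesses-per-minute rate and the 70-bit "weak" threshold are all assumptions made for the illustration.

```python
import math
import string

# Character-class sizes (assumed for this estimate): lowercase 26, uppercase 26,
# digits 10, printable ASCII symbols 32 (len(string.punctuation)).
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
}

# A constructed five-entry wordlist standing in for a leaked-password dump.
COMMON_PASSWORDS = {"1234", "password", "letmein", "qwerty", "football"}

WEAK_BITS = 70  # assumed cut-off below which we call a password weak


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    size = 0
    for chars, n in CLASS_SIZES.values():
        if any(c in chars for c in password):
            size += n
    return size


def search_space(password: str) -> int:
    """Candidates a brute-force bot must try in the worst case: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space, the usual 'bits of strength' figure."""
    return math.log2(search_space(password))


def worst_case_hours(password: str, attempts_per_minute: int = 1_000_000) -> float:
    """Hours needed to exhaust the search space at the given guess rate."""
    return search_space(password) / attempts_per_minute / 60


def assess(password: str) -> dict:
    """Dictionary check first (a wordlist hit is found in seconds), then the size estimate."""
    in_dictionary = password.lower() in COMMON_PASSWORDS
    bits = entropy_bits(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(bits, 1),
        "hours_at_1M_per_min": worst_case_hours(password),
        "in_dictionary": in_dictionary,
        "verdict": "weak" if in_dictionary or bits < WEAK_BITS else "ok",
    }


if __name__ == "__main__":
    for candidate in ("1234", "password", "Xk9#pL2!mQ4v"):
        print(candidate, assess(candidate))
```

Run it and compare "password" (26^8 candidates, and a wordlist hit anyway) with a 12-character mixed-class string (94^12 candidates, roughly 79 bits): adding one character to an all-lowercase password multiplies the work by 26, which is the "exponential" the post refers to.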
Keep an Eye Open for SQL Injection!
SQL injections are not as common as they were a few years back. Don't think it is because devs have gotten smarter, though. It has more to do with the fact that most platform updates come with built-in protections against SQL injection, and there are quite a few plugins for that.
Still, they remain among the most devastating cyber attacks a company can suffer. Online forms and login pages are like door locks or window cracks: no matter how tight you think they are, there is always a way to slip something inside, whether it is a valid key, a thin envelope with an invitation to your BFF's wedding, lockpicking tools or the flat end of a crowbar.
Hackers apply the same principle here. By filling out forms or login fields with pieces of SQL code, they can make your website's database run commands it was never meant to run. Some attacks scramble your databases just for giggles (or to "stick it to the system"). Others aim to gain access to your website, impersonate a user or administrator, or force your website to reveal all of its secrets.
These attacks are particularly nasty but, as we have said, they are not as prevalent today. Just keep all your plugins and themes up to date, and make sure your cyber security team and devs keep an ear to the ground in user forums, where vendors constantly post reports, patches and updates for their products.
A Word on Malware
The dangers of malicious code injected into your website can never be overstated. Malware is among the most common ways hackers attack unsuspecting website and business owners, and it is incredibly effective.
Companies like WordPress make us feel secure when they say their platform is totally secure against cyber crime, and that is TRUE: the core platform is not the problem. But when we create our website, we want it to look pretty and have certain functionalities, so we install great-looking themes and awesome plugins to make it feel like a million dollars. Unfortunately, these third-party pieces of code are not as safe as the platform, and sometimes come with malicious code that infects our website with malware.
A malware attack can let a hacker create a backdoor into your site and grant them permanent access. They can then edit your content or freely steal information from your databases.
If you notice that your website is running unusually slowly, there might be a script running in the background. These can be used for many different things: often hackers use them to add pop-up ads that redirect your visitors to other websites, or even to use your visitors' browsers for cryptocurrency mining. Your website might also have been recruited into a botnet, with part of your server's computing power now going into DDoS attacks on other websites (more on that later).
I hope you now feel the urge to go and check whether your plugins and themes are up to date. It is the best way to prevent these attacks. Make sure your cyber security team checks their mail for updates from your providers; they often send notifications when they discover vulnerabilities and release patches for them. Bear in mind that hackers ALSO get these timely notifications, and immediately launch their bots seeking out users who ignore them and never update their themes or plugins. If you haven't updated your website in a while, visit your provider's forums and check for updates. It is important to have the latest versions installed, and to remove all unused plugins and themes.
Do it now!
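The two housekeeping rules above (update what is active, remove what is unused) are easy to turn into a recurring audit. This added Python example is not from the original post and does not talk to WordPress; it takes a constructed inventory of plugins (names and version numbers are made up) and returns the two action lists. Versions are compared numerically, because a plain string comparison would wrongly rank "5.1.3" above "5.1.10".

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Plugin:
    name: str
    installed: str  # version currently on the site
    latest: str     # version the vendor currently ships
    active: bool    # is the plugin enabled on the site?


def parse_version(version: str) -> tuple:
    """'5.1.10' -> (5, 1, 10); a two-part version such as '1.9' simply yields (1, 9)."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(plugin: Plugin) -> bool:
    """Numeric, part-by-part comparison; tuples compare element-wise."""
    return parse_version(plugin.installed) < parse_version(plugin.latest)


def audit(plugins: List[Plugin]) -> dict:
    """Return the lists the post tells you to act on: update these, remove these."""
    update = [p.name for p in plugins if p.active and is_outdated(p)]
    remove = [p.name for p in plugins if not p.active]  # unused code is attack surface
    return {"update": update, "remove": remove}


# Constructed inventory for the example; none of these are real plugins.
INVENTORY = [
    Plugin("contact-form-x", "5.1.3", "5.1.10", active=True),   # behind, in use: update
    Plugin("seo-helper", "2.0.0", "2.0.0", active=True),        # current: nothing to do
    Plugin("old-gallery", "1.2", "1.9", active=False),          # disabled: remove it
    Plugin("cache-thing", "3.10.1", "3.9.9", active=True),      # ahead of listed latest
]


if __name__ == "__main__":
    print(audit(INVENTORY))
```

An inactive plugin that is also outdated only appears in the remove list: once it is gone there is nothing to update, and a disabled plugin's files can still be reachable on the web server, which is why the post says to remove rather than merely deactivate.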
Mind your XSS
I know we've been through code injection, but we have only seen how hackers manipulate SQL databases. What about when they get hold of your whole website and servers by injecting code?
This is what they call XSS (cross-site scripting) injection, and even though this type of attack is among the oldest in the cyber security books, it is still the most common website vulnerability.
The attacks have a wide range of effects, from defacing your website, to hijacking it, to redirecting all your traffic to an attack server that stores all your customers' information with nobody being the wiser.
XSS is so prevalent because it is extremely easy to test a website for this vulnerability. A hacker with enough time on his hands can just type a bunch of code into your website's forms or comment sections and see what happens. If a line gets through, they start poking holes into your website to their heart's content.
Hackers love doing this for a lot of reasons. Sometimes they just want to prove their worth by pulling a prank on a popular website, changing its content and making it unavailable for a while. This costs the owner a lot of money: he loses customers, people stop trusting the website, and he has to rebuild it from scratch and convince Google that it is trustworthy again. Not easy.
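The "see what happens" test is something your own developers should run before anyone else does. This added Python example (not from the original post) renders a constructed comment two ways: straight into the page, where the browser would execute the embedded script tag, and through HTML escaping, where the same text is shown verbatim. The comment markup, the page template and the header values are assumptions for the illustration; the Content-Security-Policy header is a real browser mechanism included as a second layer for the case the post describes, where one tiny unescaped spot is all it takes.

```python
import html

# Constructed comment as a tester would submit it: ordinary text plus a script tag.
COMMENT = 'Great post! <script>alert("xss")</script>'


def render_vulnerable(comment: str) -> str:
    # Interpolates the comment straight into the page: the browser runs the script.
    return f'<li class="comment">{comment}</li>'


def render_escaped(comment: str) -> str:
    # html.escape turns <, >, &, and both quote characters into entities, so the
    # browser displays the text instead of parsing it as markup.
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def contains_raw_script(rendered: str) -> bool:
    """Crude regression check to run over rendered pages: did a real <script tag survive?"""
    return "<script" in rendered.lower()


# Defence in depth for the page as a whole: even if one spot forgets to escape,
# a CSP that only allows scripts from your own origin blocks inline script execution.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(COMMENT))
    print("escaped:   ", render_escaped(COMMENT))
    print("raw script survives? vulnerable =", contains_raw_script(render_vulnerable(COMMENT)),
          "| escaped =", contains_raw_script(render_escaped(COMMENT)))
```

Escaping has to happen at output time, in the right context (HTML body here; attributes, URLs and JavaScript each need their own encoding), which is why a template engine that escapes by default beats remembering to call an escape function by hand.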
But other hackers are a lot more subtle, which makes them really dangerous.
The worst part is that it does not matter how secure your website is as a whole: one vulnerability in a tiny section is enough to bring the entire site down.
Are your Servers DDoS ready?
Alright. So far we have covered attacks that people might carry out for fun or out of boredom.
This one, however, is different. This is the manifestation of evil itself.
You might say that other attacks can cause more damage, or that there are evil people doing all kinds of stuff. Yes, all that is true. However, while individuals can perform all the other types of hacks for different purposes, only those who seek to cause targeted, premeditated harm will pursue the wicked ways of DDoS.
First, let's explain what a DDoS attack is.
Imagine a website is like a person. Here comes a user, who taps this person on the shoulder trying to get their attention and start a conversation. If it's the only user around, the conversation, and any exchange between them, happens quickly and everyone is happy.
But what would happen if suddenly a million users started tapping this person's shoulder at the same time? Well, I'll tell you: that person won't be able to start any meaningful conversation with anyone, and will eventually collapse from all the touching.
That's basically a DDoS attack: a Denial of Service caused by a sudden influx of communication requests. Best-case scenario: your website's response time becomes sluggish and bounce rates go through the roof. Worst-case scenario: your whole site crashes, making it impossible for your users and employees to access.
Today's servers have immense processing power and can handle thousands, or even millions, of these requests without a problem. And that's precisely how we know that only evil people can perform these attacks with the desired effect: they need a huge number of computers, all in sync, to be a real threat to any decent server.
So, only super rich hackers can do this?
Nope. Remember when we talked about malware or code injection used to hijack a website or a server? Well, the same techniques can be used to infect other devices: regular desktops and laptops, phones, and smart appliances such as fridges, microwaves, smart locks, sound systems... you name it. Their owners will never know their appliances are now literally zombies. That's why these attacks are called Distributed Denial of Service: they cannot be pinpointed to a single source.
Once a hacker (or group of hackers) has created a massive botnet (a network of infected appliances and computers), they can launch an attack on any website they want, slowing it down or crashing it for hours, days or even weeks. Some have reported that a DDoS attack can cost a business from $20,000 to $300k EVERY HOUR it stays down, as users are unable to purchase or get tired of waiting for the site to load.
Why would anyone do that?
Well, the saying goes: if you're good at something, never do it for free. These botnets can be rented by anyone with enough coin. Many of these attacks are performed by people who need their competitors out of business so customers buy from them instead.
Others use these attacks as leverage for ransom. If you're losing thousands of dollars every hour, you might as well give the hackers a portion of that if it means they will leave you alone. So it is kind of a racket.
There are some who use these attacks as a distraction. Other attacks can be hidden behind a DDoS, so while you're running around putting out fires, another hacker might be injecting code into your servers.
You might think the best solution is to have huge and powerful servers that can handle billions of requests. You can always test your server's strength and find weaknesses by conducting IP stresser or booter attacks against yourself. It is a cost-effective solution that will help your IT team find and fix any shortcomings they encounter.
However, the cost of an invulnerable server is prohibitive, and it will always feel like overkill every second you're not under attack. Another solution is to simply deny requests from everyone and everything. That is great for preserving your infrastructure, but then you won't have a business, as your users won't be able to access your website.
So, instead of brute force solutions, your IT team needs to be smart. Machine learning has provided us with tools to discriminate between a legitimate user and a bot, and they have become really good at blocking requests that are not typical for a website. It is not hard to single out bots, as they do not behave like your regular customer: they open pages in a weird order, or they cannot respond to challenges like CAPTCHAs. A good team will identify the kind of attack and put the right measures in place without disrupting your regular traffic.
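Long before machine learning comes into it, the simplest "not typical for a website" signal is the sudden influx of requests itself, measured per client. This added Python example (not from the original post) parses constructed web-server access log lines in the common combined format and flags any IP that exceeds a request budget inside a sliding time window; the window, the budget, the IP addresses (from the documentation ranges) and the log lines are all made up for the illustration. The output is the kind of list you would hand to a rate limiter or a fail2ban-style block rule, with legitimate traffic left untouched.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

# Combined log format, simplified: ip ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str) -> Optional[Tuple[str, datetime, str]]:
    """(ip, timestamp, request line) for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def flag_floods(lines: Iterable[str], window_seconds: int = 10, max_requests: int = 20) -> dict:
    """Sliding-window counter per IP over time-ordered lines.

    Returns {ip: peak requests seen inside one window} for every IP that
    exceeded max_requests within window_seconds; well-behaved clients are absent.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # ignore lines that do not parse
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def make_line(ip: str, seconds_offset: int, path: str) -> str:
    """Build one constructed log line at a fixed base time plus an offset."""
    ts = datetime(2020, 6, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds_offset)
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed sample: one visitor browsing five pages over a minute, and one
# client firing 30 requests at the front page within five seconds.
LOG_LINES = sorted(
    [make_line("203.0.113.5", 12 * i, f"/page{i}") for i in range(5)]
    + [make_line("198.51.100.7", i // 6, "/") for i in range(30)],
    key=lambda line: parse(line)[1],
)


if __name__ == "__main__":
    print(flag_floods(LOG_LINES))
```

In production the thresholds come from your own baseline traffic, and a single IP is only one dimension: distributed attacks spread the load across many sources, which is where the post's point about behaviour (page order, CAPTCHA responses) and proper DDoS-mitigation services take over from a per-IP counter.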
So, what do you propose?
I hear you asking that question.
As usual, I only recommend leaving website building and hosting to the experts. You need to run a business and take care of your customers, not learn how to code or become a cyber security expert. Right?
There are thousands of ways to deal with each of these problems, and they all come down to how good your developers are. Generally, the problem is not a lack of experienced and smart web developers. The problem is that many developers prioritize functionality over resilience: safe coding takes time, and sometimes they feel their websites or apps can't wait.
Partnering with a solid SEO company is the best way to make sure your IT department is run by people who care about your business, and not only about the infrastructure or the money you pay them.