In part 1 of this short series we provided some background information about why hackers hack and why websites are susceptible to hacks. If you haven’t read that, go back and read here. If you have, let’s dig into what you need to know before you work with a website developer to decide the best course of action for building your website.
Client Managed Websites – The Crux of the Matter
Depending on the technical abilities and time availability of a company’s internal staff, many clients want to be able to manage the content on their website themselves. This is really the main reason why small business website security has become an entire industry. Let me explain. In order to allow a non-developer to manage their own website, the website needs some sort of Content Management System (CMS). A CMS is the software platform that the new website is built on; it is literally the foundation of the site. It can be coded by your developer to meet your specific needs, but there are pre-existing CMSs out there that already do a lot of what you need. Some of the more popular ones are WordPress, Joomla! and Drupal. According to statistics from Web Technology Surveys, these three platforms combine to support over 75% of all CMS-powered websites currently online. For security, a website with no CMS (plain static pages, with no admin login and no server-side code for an attacker to reach) is the safest option, but if content management is a must for your company, then the decision must be made to either use a pre-existing solution or build something custom.
Pre-Existing Content Management Systems
As we pointed out in part 1, hackers usually don’t give a prying poop about who they are hacking – they aren’t necessarily doing this to harm you, but to benefit themselves. With that in mind, as hackers develop hacks for websites, they develop them so that the same hack can be reused over and over on as many websites as possible. Therefore, the more popular the CMS software your website uses, the more of a target your website will be, because hackers can use the same exploits to access a larger number of servers through insecure websites just like yours.
A CMS has a core set of features that most websites need, but it can’t do everything. When it comes to building additional functionality, you can generally assume that other website owners have wanted the same things your website needs, so features like event calendars, blogs and photo galleries are created to ‘plug in’ to the popular CMS software. These are called ‘plugins’ (go figure). Using pre-existing plugins keeps the initial cost of building a website to a minimum, because you can ‘plug’ features into your website without building them from scratch; you simply customise them to your needs. The more popular your CMS is, the more likely it is that you will find a plugin that does what you need. The problem is that each of these plugins is a piece of software in and of itself, running with the same privileges as the CMS, and hackers target them too, finding security holes that give them access to your server. So not only does the platform itself need to be kept updated, but so does every plugin that was used to create functionality throughout the site. A recent study found that over 20% of the fifty most popular WordPress plugins were vulnerable to hacking, and that those vulnerable plugins had been downloaded some eight million times from WordPress alone.
Considering that most users have at least 3-4 plugins running on their CMS platform, it’s apparent how plugins can further expose a site to new security risks. To complicate matters further, if a plugin developer doesn’t keep their plugin’s code updated, it can become incompatible with newer versions of your CMS platform (and it is no longer receiving security fixes either). This means that after updating your CMS you can find yourself with broken functionality on your website that can only be fixed by rewriting the plugin or finding a new one that is compatible with your newly updated CMS. The opposite mistake is worse: putting off the CMS update to keep an old plugin working leaves the known holes in the core wide open.
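The practical check behind the last two paragraphs is a plugin inventory: which plugins are active and behind, and which are installed but switched off. Below is an added example (not code from this article) that reads the JSON printed by WP-CLI’s `wp plugin list --format=json` and sorts plugins into “update”, “remove” and “ok” buckets, then emits the matching `wp plugin update` / `wp plugin delete` commands. The sample inventory is constructed, and the field names (`name`, `status`, `update`, `version`, `update_version`) are assumed to match WP-CLI’s list output; check against your own install.

```python
"""Audit a WordPress plugin inventory for patching and attack-surface reduction.

Added example, not from the article. Input is the JSON that
`wp plugin list --format=json` (WP-CLI) prints. The sample below is constructed;
the field names are assumed to follow WP-CLI's plugin list output.
"""
import json

# Constructed sample of a site with one outdated active plugin and one plugin
# that is inactive but still installed (its files are still on disk).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.3", "update_version": None},
    {"name": "events-calendar", "status": "active", "update": "available",
     "version": "6.0.1", "update_version": "6.2.0"},
    {"name": "old-gallery", "status": "inactive", "update": "available",
     "version": "1.4", "update_version": "1.9"},
    {"name": "contact-form", "status": "active", "update": "none",
     "version": "2.1", "update_version": None},
])


def audit_plugins(wp_cli_json: str) -> dict:
    """Sort plugins into action buckets.

    - 'update': active plugins with a newer release; patch these first, since
      their code runs on every request.
    - 'remove': inactive plugins. Disabled is not the same as gone: their PHP
      files remain on the server and can often be reached directly by URL.
    - 'ok': active and current. Re-run this after every core update anyway.
    """
    plugins = json.loads(wp_cli_json)
    report = {"update": [], "remove": [], "ok": []}
    for p in plugins:
        if p.get("status") == "inactive":
            report["remove"].append(p["name"])
        elif p.get("update") == "available":
            report["update"].append(
                f'{p["name"]} {p["version"]} -> {p["update_version"]}')
        else:
            report["ok"].append(p["name"])
    return report


def wp_cli_commands(report: dict) -> list:
    """Turn the report into the WP-CLI commands an administrator would run."""
    cmds = [f"wp plugin update {entry.split()[0]}" for entry in report["update"]]
    cmds += [f"wp plugin delete {name}" for name in report["remove"]]
    return cmds


if __name__ == "__main__":
    result = audit_plugins(SAMPLE_WP_PLUGIN_LIST)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    print("\n".join(wp_cli_commands(result)))
```

Pipe the real inventory in with `wp plugin list --format=json | python3 audit.py` (after changing the script to read stdin) and run it on a schedule; the “remove” bucket is the one people forget.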
Custom Coded Content Management Systems
Another way to manage the content on your website is for your developer to build a CMS solution from scratch. This means that your website has been coded specifically for you. The code is developed to do what it needs to do and is fully controlled by the website developer, in a way that has likely never been done exactly before. In order for a custom coded site to be hacked, a hacker would first have to figure out the ins and outs of your specific website, and whatever they learn only benefits them once. Unless they have a personal vendetta against you, it is not generally worth their time; they would rather reuse their existing hacks against existing systems that all share the same security holes than hunt for new ones in a custom-made site. One caveat a practitioner will insist on: this only holds if the custom code is written securely. Automated scanners do not need to understand your site to find generic bug classes such as SQL injection, cross-site scripting or weak admin logins, and those are exactly the mistakes a one-off build is most likely to contain, because nobody else has ever reviewed the code. Custom means fewer people are looking for holes, not that there are none.
So for most small business website owners, the crux of the matter is content management. If you want to be able to update your website yourself, you are faced with two options:
- Using pre-existing software
This keeps the initial costs down, but it means your website runs widely targeted code (the platform plus every plugin) that must be patched promptly for as long as the site is online.
- A custom solution
This is a smaller target, but it takes more time and resources to build and is only as secure as your developer’s coding practices.
Let’s take a short break from websites themselves and talk about a related matter. Hosting.
What does hosting have to do with it?
Hosting is when you pay for your space on the internet. For most small businesses that space is shared with other hosting customers: the hosting provider takes one big server and sections it off into smaller accounts, which keeps your hosting costs low. A good hosting provider will have adequate security measures in place to recognise malicious attack patterns, put up appropriate ‘walls’, monitor for breaches and malicious activity, and, if necessary, respond (usually by shutting your website and email down before it becomes a bigger security risk). The more websites there are on a single server, the harder it can be to customise and tighten these security measures for any one of them. To make matters worse, a breach in one website can affect the other accounts on the same server, either by giving the attacker a foothold from which to reach their files and users, or by giving the server’s shared IP address a bad reputation. Various online blacklists (mail servers consult DNS-based blocklists, or DNSBLs) police this, and a listing on them is a very bad thing indeed. All of a sudden you find that you cannot send email because someone else’s website on the server was compromised, your shared IP address was used to send a batch of spam, and that address was added to a bunch of blacklists, even though you did nothing wrong.
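If you are on shared hosting, the blacklisting problem above is something you can check for yourself rather than wait to discover when mail stops arriving. The following is an added example (not from this article) of how a DNS-based blocklist lookup works: the IPv4 octets are reversed and the list’s zone appended, an A record answer (conventionally in 127.0.0.0/8) means “listed” and NXDOMAIN means “not listed”. The zone names are well-known public lists used for illustration; check each operator’s usage terms before querying from production. The resolver is injectable, and the offline stand-in resolver and the documentation address 192.0.2.10 are constructed for the demonstration.

```python
"""Check whether a server IP is listed on DNS-based blocklists (DNSBLs).

Added example, not from the article. Query name = reversed octets + zone;
an answer means listed, NXDOMAIN means not listed. The meaning of a specific
answer value (e.g. 127.0.0.2) is list-specific; consult the operator's docs.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Public DNSBL zones, for illustration only. Check each operator's terms of use
# before querying them from a production system.
DNSBL_ZONES: List[str] = ["zen.spamhaus.org", "bl.spamcop.net"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 + zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_a(name: str) -> Optional[str]:
    """Default resolver: the A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listings(ip: str, zones: List[str] = DNSBL_ZONES,
                   resolver: Callable[[str], Optional[str]] = resolve_a) -> Dict[str, str]:
    """Return {zone: answer} for every zone on which the IP is listed."""
    listed: Dict[str, str] = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is not None:
            listed[zone] = answer
    return listed


def fake_resolver(name: str) -> Optional[str]:
    # Constructed offline stand-in for DNS: pretends the documentation address
    # 192.0.2.10 is on Spamhaus ZEN and nothing else is listed anywhere.
    table = {"10.2.0.192.zen.spamhaus.org": "127.0.0.2"}
    return table.get(name)


if __name__ == "__main__":
    # Offline demonstration; pass resolver=resolve_a to query real DNS.
    print(check_listings("192.0.2.10", resolver=fake_resolver))
    print(check_listings("192.0.2.11", resolver=fake_resolver))
```

Run it against your server’s outbound IP on a schedule and alert on any non-empty result; on shared hosting that IP is shared, so a listing caused by a neighbour’s compromised site shows up here just the same.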
So with a bit of background knowledge, we find ourselves back where we started, and in part 3 here we’ll dive into what you can do about website security.