Wednesday, May 03, 2017

How Not to Get Hacked

“Good advice is usually given by someone who was once a bad example.” ― Ljupka Cvetanova

As I explained in last month's blog post, my website was hacked. Someone accessed my Wordpress dashboard, began running some kind of storefront out of a secret page they had created on my site, sent fraudulent emails (a Nigerian Prince announcing your lottery winnings perhaps), and nearly crashed my site.

Since this happened, I've learned more about internet security than I ever wanted. Posts and articles about computer security had been warning me to take note for years. My computer guru had warned me. I failed to heed. Here's a list of things to help you learn from my mistakes.

1. Don't think you're too small: I thought since I was just a little writer in central Ohio, no big deal, I was immune. But hackers aren't looking for the next big deal. They don't necessarily want to take down the New York Times website. They may just want your internet real estate. Or they may just want to brag to their friends that they hacked a site. It's unlikely the hackers targeted my site specifically. Rather, they found a site (that just happened to be mine) with vulnerabilities they could exploit. That's what they were looking for.

2. Don't forget to change your password: While we can't be certain, this was most likely the point of entry. I'd had the same password since 2005. Yes. The same password "protecting" my website files for twelve years. This was a thing my guru mentioned, but which I ignored. Falling victim to my faulty thinking of number one above, I thought I was too small to be worried. My website hid nothing top secret or financially interesting. No one wanted my website, right? Wrong.

3. Don't choose a crappy password: Not only was my password old, it was lame. It included sequential numbers and was an abbreviation so easy to guess I'm ashamed to tell you what it was. And I'd used it on many different sites. Again, I just thought I was a nobody over here in the Midwest. Now my passwords are long and complex.

4. Get https: The next thing my computer guru did after we changed my passwords was to obtain an "SSL certificate" to make my site Hypertext Transfer Protocol Secure (HTTPS). This provides encrypted communication with and secure identification of a web server. In layman's terms, it makes my site more secure.

5. Get Google Authenticator: Because of the extent of the hack and the number of attempts to access my site, we added a third layer of security. Google Authenticator is an app that links to your website. Once you install it, you will need not only a username and password to log into your site, but also a numeric code generated on your phone. It was relatively simple to install and as soon as we did that, bam! The attacks stopped.

6. Keep tabs on your website host: I'd used the same hosting company for many years, but was unaware this small company been sold recently to a much larger company. I cannot be certain, but I have reason to believe their servers were hacked. When asked about it, the web host said any hacks were my fault. Okay. I admit my mistakes for my site, but not for their servers. That's on them. So my computer guru and I quickly changed hosts. Not fun at all, but that too made an immediate difference in the number of successful hacks.

7. Don't access your site on public wifi: I love to write in different locations. It turns out that hackers love these locations as well. They have tools that can pluck your passwords right out of thin air! While I can still hang out at the local coffee shop, even if the coffeeshop wifi is password protected, I won't use it to access my site. Instead, I'll get my own wifi "hotspot" from my cell phone company.

8. Check your home router: Wordfence, a security installation for Wordpress sites like mine, recently published a post showing how tens of thousands of hacked home routers are attacking WordPress websites. They also provided a tool to let you check your home router.

After my website guru spent days and days doing the equivalent of hosing down my site and tidying the mess, we took the above steps to lock down security. I'm not a security expert so I'm sure there are many more layers of which I'm unaware, but I hope this list will help you avoid being hacked in the first place.

NITA SWEENEY is a writer, creative writing teacher, and editor of Write Now Newsletter. She lives in central Ohio. Follow her on Facebook! Subscribe here to the monthly newsletter!

No comments: