All too often web site security is somebody else’s problem. It shouldn’t be. If you work on websites, you should know the basics of web security. The more popular a site becomes, the more value it accrues, the more likely it is to become a target. As you apply search marketing techniques to a site, you are inherently increasing the risks that it will be attacked. Therefore, it is your obligation to understand these risks and help manage them.
Matt’s Cutts recently stated on the official Google blog that, for the fifth year in a row, they will be placing a lot of emphasis on hacked sites in 2011. In 2007 Google started scanning sites for malware and removing them from search listings. At the time Google said, “In the past year, the number of sites affected by malware/badware grew from a handful a week to thousands per week.” In August 2009 Google said, “[W]e have seen a large increase in the number of compromised sites since April. The number of entries on our malware list has more than doubled in one year, and we have seen periods in which 40,000 web sites were compromised per week.”
Malware is inserted in sites by hackers looking to build botnets that can then be rented out for criminal purposes. But not all hacking results in malware deployment. Some hackers are black hat SEOs looking to do link building. When Google detects spam links, they can ban the site, or I think more appropriately, label the site as hacked.
This year I had a client suffer this type of hacking. Another SEO performed a site review, and referred the client to me to fix everything that was wrong. Among the items to be repaired were some oddball links that kept appearing in their header and footer. We’d take out the links, and they’d appear again in a few hours. Apparently the server had been compromised and a hacker had uploaded a php file that would deploy the links. Finding this file among the many thousands of files on this ancient (yet highly profitable) website was the first step. Removing the script helped, but to be safe I convinced the client to switch to a better hosting provider, and they’ve had no trouble since.
How can you prevent hacking? Use a good hosting provider and don’t share File Transfer Protocol (FTP) passwords. Use a unique, strong password for each user for each site. When somebody no longer needs access to a site, cancel their FTP account. If possible configure your web server’s firewall to lock down FTP and web hosting control panel access to the IP addresses where your computers are located. This will prevent anybody from getting in, even if they have stolen or guessed a password. Passwords are typically compromised when one of your developers gets a malware infection on their computer. Given enough time and developers, this is very likely to happen.
Backups are critical. If you get hacked, or more commonly, make a mistake editing your site, you need to be able to go back to a working version. Too many people assume that their hosting provider is taking backups, only to discover that when needed, the backups aren’t helpful. Ask your provider how often they take backups, what they back up, and how long those backups are retained. Some providers take seven days of rolling backups. If you have a problem, you need to discover it within seven days or you are out of luck. Other providers may take a monthly “image” of your virtual private server. Restoring that backup could take your website, database and email boxes back a month—not something you would want to do. Hosting is a commodity business where cutting corners is rewarded with additional profit. Many hosting provider backups are grossly inadequate.
Another reason to have reliable, up-to-date backups is in case you get into a dispute with your hosting provider or web developer—or they suddenly disappear. If you don’t have your own copy of the latest code, your negotiating position will be much more complicated. Yes, you can hire a lawyer and force the other side to hand over your code and data, if they retained it, but why would you want to suffer that delay and expense? Over the last year I’ve had two clients get into this situation, and it cost them a bundle. Your best option is to choose a third party backup provider so that you don’t leave the fox guarding the hen house.
All those scanning services that tell people your site is safe are nothing more than security theater. Notable security expert Merrick Furst told me that the best scanning available only detects 30% of threats. Most modern threats are polymorphic, which means that the code changes from instance to instance in order to defeat scanning algorithms. Real security requires verifying the files on your server to ensure that none of them have been tampered with. File integrity monitoring (FIM) systems can do that for you, but they require an expert server administrator. Even without such a system you can reduce your risk by clearing cruft files from your server, periodically inspecting to make sure no unexpected files have appeared, and making sure that the latest timestamps on your files match the last time you edited the site.
Even if you don’t have a high volume site, there is a risk that cybercriminals could abuse your servers as a platform for distributing malware, sending spam, or launching denial of service attacks. Do you have a portfolio of trusty old websites that you don’t pay much attention to? Those are an attractive target for parasitic hosting. The bad guys can have their fun, misusing your server, your brand and your trust. Meanwhile, you suffer the loss as your virtual property becomes blighted and develops a bad reputation. If you have sites and servers running on autopilot, you need to check them periodically to make sure they aren’t being abused. File integrity monitoring can help, or you can inspect server logs to look for suspicious web traffic.
Denial Of Service Attacks
This year I had a client who was repeatedly hit by denial of service attacks emanating from China. The client believed that a competitor was responsible. The site went down repeatedly for days at a time, and eventually the hosting provider, Earthlink, cut off the victim’s hosting service because the attacks were impacting Earthlinks’s data center. My recommended replacement hosting provider was able to fend off the attacks. It pays to use a competent hosting provider so that your site doesn’t get taken down by an unscrupulous competitor. The cost of web site and email disruption is much greater than the cost of buying the best available hosting. When selecting a hosting provider, look for somebody who has a reputation for responding quickly and is technically competent. Hosting is often priced as a commodity service, but not all hosting is the same quality.
What this jargon have to do with search marketing? PCI stands for payment card information. If your conversion action is to take somebody’s money, you may be handling payment card information. Deep in the contract between you and your merchant processor, there is probably a clause that says your site must be certified “PCI compliant” by a vendor such as Trustwave, or else you are liable for hundreds of dollars per customer record if there is a data security breach on your site. In other words, if a hacker steals credit card info from your site or database, you will be sued out of existence. To top if off, states have laws that require you to notify their attorney general and every one of your customers in that state if you suffer a data security breach. This recently happened to one of my friends. It cost him $50,000 in legal fees, printing and mailing costs just to send out the required notification letters. The guy couldn’t sleep for months, worried that he was going to get sued for ten times that amount by Visa.
An excellent approach to solving PCI compliance is not to store or handle any credit card information on your site. You may be able to fob the entire problem off to Google Checkout or Paypal. If however, you have an osCommerce cart, XCart, ZenCart or similar site, and you store customer credit card numbers in your cart’s database, you definitely need to start asking questions. I once found an unencrypted database backup file containing thousands of customer credit card numbers, expiration dates and addresses in the top level directory of a site. It was a half-million dollar penalty waiting to happen. Can you afford to run that risk?
The Importance Of Managing Risk
Risk is an unrealized expense, possibly one that could put you out of business. Now would be an excellent time to review your risk exposures and start managing them properly. Your website is a valuable asset, possibly as valuable as your car, home or office building. You probably have an alarm system and insurance on those assets to protect against loss or liability. Shouldn’t you treat your websites with the same level of care?
If we allow the open internet to become overrun with malware and hacked sites, users will flee to the protection of walled gardens. That would be a very bad thing for search marketers and search engines alike. So let’s work together to confront these problems.
Opinions expressed in the article are those of the guest author and not necessarily Search Engine Land.