Displaying items by tag: Security
None of our clients have ever received a message of this nature, and we aim to make sure it stays that way. We do that by ensuring that your sites, all addon components, and all server applications are up to date. Plus, the sites and the servers have additional commercial security applications in place as further lines of defence against unwanted visitors.
Just because no client of ours has ever experienced this scenario doesn't mean that it doesn't happen. It does......every day! If you look at the Sucuri Security Analysis you can see for yourself how many sites do get hacked......we're talking of thousands on a daily basis. The fact of the matter is that every 4 to 5 years, a site will reach the stage where it can't take any more security patches or run on later PHP versions. The reason for this is that the application is now totally out of date and contains multiple deprecated and end of life processes that need to be totally removed from the installation. That is the point where it needs to be replaced as you can't keep papering over the cracks.....you can only go so far. Though by that time it's going to look very visually dated to users anyway, which is not a good way to present yourself to potential clients. Dormant site equals dormant business in the view of end users.
At that stage we can no longer support sites of this nature as they represent a danger not just to themselves, but to every other client on the server. We won't take risks of this nature......the wellbeing of our clients' businesses is too important to us. Unfortunately, some clients refuse to accept our recommendations. Obviously they don't consider their site security to be of any relevance, so they find a web hosting provider who doesn't consider their server and client security to be of any relevance either. Now you have the perfect storm!
This is just playing Russian Roulette......and one day you will get the loaded barrel. It's just a matter of time. And that time arrived for one former client this week when he received this mail from his current provider.
We have found that your site is potentially compromised/hacked. Our scanning systems have provided the following information regarding the issue: Malware detected. Our Team cares greatly about your site's health and well being and we recommend one of the following options which we have documented in detail for your review: Have a developer clean the site or request a site sanitization from us ($90)
Due to the nature of the problem, we need an immediate response from you. Simply respond to this email letting us know what option you are choosing. If we do not hear back, the site will be isolated and blocked to protect your site data as well as the network.
His provider can clean up the malware for $90.......but that hasn't changed the status of his site one bit. All they will do is remove the malware - his site is still in the same outdated and vulnerable position it was before it got hacked. So within a week or so it'll get hacked again resulting in another $90 cleanup bill. And this will continue ad infinitum until he replaces the installation entirely.
Unfortunately, it's not just the cost of the cleanup processes! It's the lost business, the diminished client confidence, the disruption, and the resulting stress of a trainwreck like that. And just when you think it can't get any worse you find that Google has blacklisted your site because it's found the malware on there. Be aware that websites lose about 95% of their traffic when blacklisted by Google, and getting them to reassess your site status can take some time.
It's not the first time this has happened to an ex-client and it won't be the last. There is an easier way of course - just listen to the security advisories that we give on your site status. After all, if your mechanic tells you that your brakes are about to fail........do you then carry on driving regardless, thinking it won't happen to you?
Nothing is more important than security......and there can be no compromises in this area. Seriously......just don't risk it!
Now here are 3 questions:
1. Did your web developer personally contact you prior to the day and explain these principles?
2. Did your web developer implement these changes prior to 25th May?
3. Did your web developer make all the necessary changes to your site to ensure you were compliant without billing you for their services?
If you answered "Yes" to all three then you're obviously a WebSpain client. As I've said in the past, not all web designers are created equal. This is just another example of how we always go further in the area of client support.
As for how GDPR will develop in the future, there are no guarantees that the stipulations, or even the interpretations, won't actually change. And at this point it remains to be seen how closely the regulations are actually going to be enforced.
No doubt there are millions of website owners out there that haven't got a clue about all this.......because their web developer never bothered to bring them up to speed about their responsibilities. You'll be able to spot them quite easily if they don't have a "specific consent" option in their forms. Potentially, organizations not in compliance could face hefty penalties of up to 20 million euros, or 4 percent of their worldwide annual turnover, whichever is higher - so this isn't something that you can leave to chance.
But there's one area where the GDPR isn't clear at the moment.....and that's HTTPS/SSL encryption on websites. The GDPR regulations specifically state that all user information received must be stored securely, and all reasonable precautions must be taken in terms of its security at point of contact and thereafter.
To me, that would imply it's necessary to have all connections encrypted rather than unsecured......despite the fact SSL Security isn't directly referenced. So my personal recommendation (as I've been saying for 3 years) is to ensure that you have an encrypted connection to your site.
Google has been saying this throughout this period, and now with the introduction of GDPR the onus is on you personally to ensure that you are seen to be complying with the legal responsibilities that you now have. Also, from July onwards, Google Chrome browsers will begin to flag every website that does not use HTTPS encryption with the warning 'Not secure' prominently highlighted in the address bar. That's a business-killer if ever there was one.
Failure to secure people's data in the past was just seen to be unprofessional......now it breaks European law. There's a big difference. Seriously.......just don't take any chances on this because the stakes just got a lot higher.
We all know that over the last decade the technology that we use has advanced beyond anything we ever imagined!
But along with this increased sophistication comes increased danger. I'm talking about cyber crime!
Now before you dismiss this as another paranoid rant about something that's not relevant to you, just take a look at this......because what you see there is happening right now: Live Cyber Attack Monitoring Service.
I've seen attacks in excess of 5 million per day taking place, it's literally a battlefield......and you're in the middle of it. Every day!
What can we do to protect ourselves? Firstly you need to understand that we can never be 100% impervious to cyber attacks, because if governments and giant multinational corporations can be taken down, then what hope do we have?
But realistically the elite level operators who commit acts of that magnitude are not interested in you and me......they want the big fish! And invariably they get them......as nearly 300 million records were leaked and over $1 billion was stolen in 2015.
The lower levels of hackers would certainly be interested in us though. To some it's just a game (and there are online games going on where they score points for defacing sites)......or to some it's personally motivated. By that I mean people with a grudge, or competitors who would like nothing better than to take you out of the game.
What makes it more dangerous is that the entry level for attackers has now been lowered considerably. You don't need to have any skills or knowledge whatsoever, you just pay for access to one of these online cyber attack service portals and you simply click a few buttons. The cost is minimal for basic services, but the more you pay then potentially the more mayhem you can create. Yes.....we now live in a world where you can go online and order whatever services you want in order to commit internet crime.
All we can do is take the necessary precautions......and take security seriously! The server software is always kept current, and whatever security measures we can deploy are always in place for your protection. But that counts for very little if your site software has become end of line and has had no security updates for some time. Because someone could potentially get access without raising any alarms, and the first you'll know about it is if your site gets defaced or thousands of e-mails get sent out supposedly coming from you. Obviously the content contained in those e-mails is not going to be pleasant, and will no doubt result in your domain name getting blacklisted right across the internet.
I would strongly recommend that you don't go down this path of outdated site software.....it's not going to end well. It will result in complete disruption, loss of business, and a degree of diminished client confidence.
As far as our clients are concerned, we always make people aware if they're in that situation, as we believe in complete transparency and keeping people informed. But ultimately what they choose to do is up to them.
I would suggest you now go back and check the Live Cyber Attack Monitoring Service and see how the daily figure has risen since you started reading this article. And if you're knowingly running outdated site software, then go and check your site to make sure that you haven't become Just Another Victim!
Last September we published this article: SSL for SEO! It related to Google announcing that sites which had HTTPS/SSL encryption would be looked on more favourably in terms of search engine positioning. This represented a major step in their stated initiative of making the internet a safer place.
At that time it wasn't clear how big a ranking signal it would be, and since then no major changes were really noticed....until 10 days ago! Because since then, Google’s ranking data for HTTPS pages has increased by 9.9%......which is a huge swing. You can get the full analysis Here!
But be aware that this doesn't mean that having SSL encryption on your site is some sort of SEO magic bullet, it just means that the priority given to secure sites appears to have been increased. There are numerous other factors involved in the process of search engine ranking......with content and mobile compatibility being the main ones.
Nothing has been officially announced by Google, other than changes in algorithms were coming up. And even then, they wouldn't be drawn on exactly what those might be. But in light of the massive revision in the status of HTTPS/SSL sites over the last ten days, it appears that this is the direction they're taking.
Just to recap, HTTPS/SSL is a 2048-bit data encryption method that encrypts the connection to sites giving a higher level of personal security. Essentially, users have a secure connection to the site to prevent the theft of personal and private information. In many cases the data may not be highly sensitive, but setting up an HTTPS connection ensures that no external party is spoofing addresses to retrieve information from users that they would not normally divulge. This activity is now becoming more common and an HTTPS connection safeguards against these attacks.
Strengthening web security benefits everybody, and by implementing this process on your site you'll be demonstrating to users, and Google, that you take this very seriously. Our position on this is that we certainly wouldn't want to be in the position whereby fingers were pointing at us as being responsible for the theft of users' data. Which is why we have always had SSL security on this site.
The difference now is there seems to be measurable search engine positioning benefits that you can gain from it as well. So it's a win-win situation for everybody.....except the cyber criminals of course!
Google has recently announced that they are starting to use HTTPS/SSL as a ranking signal within their search engine algorithm.
The official wording was: “Over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search-ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.”
So what is HTTPS/SSL?
It's a 2048-bit data encryption method that previously was only ever in general use on ecommerce sites to make online payments safer, and on sites that required personal information like NIE, National Insurance, or Passport numbers to be input, simply because SSL encrypts the connections to the site, giving a higher level of security. Google has been going down the path of encrypting their own sites for some time, and now they want other sites to follow suit in order to make the Web a safer place to use.
Obviously anything that strengthens web security, online safety, and the secure transmission of personal data is a benefit to everybody. In addition, it definitely enhances a potential client's perception of you being a legitimate and professional business.....that's the reason we use SSL encryption on this site.
Having better site security and demonstrating professionalism is advantageous on many levels. But now that Google has announced this new initiative of favouring sites that demonstrate security measures are in place, people have been given an incentive to put these processes into place.
But one important point here is that just because you have an SSL certificate in place does not mean your rankings on Google will suddenly increase to top positioning. The reality is that if your site is technically poor with low quality plagiarised content then you'll be going nowhere! Because achieving high rankings on search engines is a combination of many different factors, and this announcement just means that HTTPS/SSL has now been added to the list of website criteria that will be evaluated.