Small Business Web Security Tips: Common Vulnerabilities and How to Fix Them

If you think of info security as something that only large companies with vast amounts of sensitive customer data have to worry about, think again. Website security is a critical part of information technology doctrine no matter the size of your business or website.
Many small business owners view their website as an insignificant, irrelevant property that would be of no interest to hackers and bad actors. This couldn’t be further from the truth. Small business websites are a primary target for bad actors for precisely this reason. Hackers know that websites like these are often very poorly secured making them low hanging fruit.

So what will a hacker go after? What are they looking to gain? Below are three of the most common vulnerabilities that we at InterActive Circle find on client sites and what you can do right now to make sure your site isn’t an easy target for hackers.

1. Poor Passwords

Sure, low-strength passwords are easy to remember for you, but they are also easy to breach for a hacker. In what is known as a “brute force attack”, a hacker uses a program to enter alphanumeric combinations into the password fields on your website admin login, a company email account, or any other place they could access potentially valuable information, until the correct combination is found.

What can you do?

Use strong passwords and store them in a secure location such as a password vault. Do NOT keep passwords in an unencrypted file or cloud document! Password manager programs with enterprise-scale capabilities such as LastPass, Zoho Vault, or Keeper are all very worthwhile investments! You will be able to seamlessly store every new password you create, recall it on demand for autofill, and share login information with the other team members you add to your password manager program.

2. Not Using Spam Filters

Most website owners have become so accustomed to spam messages coming through their contact form that they have resigned themselves to them simply being a fact of life. You may think the offers for viagra alternatives or Russian-language emails are harmless and simply delete them, but there are many more bot-driven scams that can leverage an unsecured contact form to attempt to breach your data security. The most common such scam is the “phishing” scam, which involves getting a recipient to open a link that leads to a website that installs a malicious payload on the user’s machine or network. This can serve as an access point to sensitive customer information, financial information, and more. It could also be a ransomware attack, which locks down a user’s computer or network until a ransom is paid to the hacker.

What can you do?

Since most contact form spam and scams are driven by bots that crawl the web looking for unsecured contact forms, most of the danger from these schemes can be avoided by employing a robust spam filter on your website’s contact forms. Standard captcha plugins are not enough these days. You will also want to use a honeypot (a hidden form field that a human visitor never sees and leaves blank, but that an automated bot fills in) as well as a security question that a bot will not be able to answer, such as filling in a missing letter or a simple arithmetic question.
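As an added illustration (not InterActive Circle's code or any particular plugin), here is a minimal server-side check for a contact form that combines the honeypot field and the arithmetic question described above. The challenge is issued with an HMAC token so the server does not need to remember which question it asked; the field names, the key and the one-hour expiry are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: in a real deployment this key is loaded from configuration, not hard-coded.
SERVER_KEY = b"constructed-example-key-replace-me"

def make_challenge(a, b, issued):
    """Return (question text, token). The token carries the question and issue
    time plus an HMAC tag, so a bot cannot forge an easier question."""
    payload = f"{a}+{b}:{issued}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"What is {a} + {b}?", f"{a}+{b}:{issued}:{tag}"

def new_challenge():
    """Issue a fresh random single-digit addition question, stamped with the current time."""
    return make_challenge(secrets.randbelow(9) + 1, secrets.randbelow(9) + 1, int(time.time()))

def validate_submission(form, token, now=None, max_age=3600):
    """form: the POSTed fields as a dict. Returns None when the submission passes,
    otherwise a short rejection reason that can be logged for tuning the filter."""
    # Honeypot: the field is hidden from humans with CSS, so anything in it is a bot.
    if form.get("website_url", "") != "":
        return "honeypot filled"
    try:
        expr, issued, tag = token.split(":")
        a, b = (int(x) for x in expr.split("+"))
        issued = int(issued)
    except ValueError:
        return "malformed token"
    expected = hmac.new(SERVER_KEY, f"{a}+{b}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return "token tampered"
    t = int(time.time()) if now is None else now
    if not issued <= t <= issued + max_age:       # stale or back-dated challenge
        return "challenge expired"
    if form.get("challenge_answer", "").strip() != str(a + b):
        return "wrong answer"
    return None
```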

Important note: These security measures are not meant to replace antivirus software and email security protocols. Never open any link if you are not 100% confident in the source, even if you have spam filters in place.

3. Failure to Use Multi-Factor Authentication

Even strong passwords get hacked from time to time. Brute force attacks can still breach them, or they may fall into the wrong hands for a multitude of reasons. This is where multi-factor authentication, often called two-factor authentication or 2FA, comes in. Two-factor authentication requires a second verification step after you’ve entered a correct password before you can access a platform. This can be a security question, a verification code sent to a second device, or a 2FA code from a purpose-built authenticator application. Most people see these extra steps as an annoyance, but trust us, nothing is more annoying than removing malware from your website.

What can you do?

Besides simply opting into two-factor authentication every time a program or platform asks you to, using an authenticator application such as Authy or Google Authenticator makes the 2FA process very easy! Install the application on your mobile device and begin loading TOTP codes for the various accounts you want 2FA enabled on. The application automatically generates a time-sensitive 2FA code every time you open it, which is your key to logging in to your account. Since this code is unique to your device and application, the only way a bad actor would be able to access your account is by having your device in hand, making this an extremely effective security measure.
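To show what the authenticator app is actually doing with those “time-sensitive” codes, here is an added example (not code from Authy, Google Authenticator or InterActive Circle) of the TOTP algorithm from RFC 6238: the shared secret enrolled from the QR code and the current 30-second time step are fed to HMAC-SHA1, and the code is derived from the result. The verifier accepts one step either side to tolerate clock drift; the secret below is the RFC's published test secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, for_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret, t // step, digits)

def verify_totp(secret, code, for_time=None, step=30, window=1):
    """Accept the code for the current step or one step either side (clock drift).
    The comparison is constant-time so timing does not leak which digits matched."""
    t = int(time.time()) if for_time is None else for_time
    counter = t // step
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta)
        ok |= hmac.compare_digest(candidate, code)
    return ok

def secret_from_base32(encoded):
    """Authenticator apps receive the secret base32-encoded in the otpauth:// URI;
    this restores it to raw bytes, tolerating missing padding and lowercase input."""
    clean = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))

# RFC 6238 test secret (ASCII "12345678901234567890"); constructed for this example.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code right now:", totp(TEST_SECRET))
```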

These measures amount to a baseline for all websites but unfortunately are not a comprehensive solution that will protect you from everything. We offer a WordPress Security Suite service that will get an experienced info security technician into your website and hosting accounts to audit for vulnerabilities, correct mistakes, and apply state of the art security programs that will give you peace of mind and lasting security hardening as well as a support resource should anything go wrong. The Security Suite is included in our Website Hosting & Maintenance packages, but can also be purchased as an a la carte service for clients on third party hosting platforms. We’d love for you to contact us and learn more about it!