A trusted website such as your nonprofit’s is the last place from which you’d expect visitors to get a virus. After all, it’s your website, and your organization built it (or relied on a volunteer to build it or paid a trusted individual or firm to build it). Why shouldn’t you and your visitors trust it?
Your website is probably more vulnerable to malicious attacks and being hacked than you are probably aware. In an earlier blog post, I explained the difference between dynamic and static websites. More website owners than ever before are converting their websites into a dynamic format, which rely on a database backend. Dynamic websites often incorporate an editor that a website owner can use to update content through the web browser. As explained in the earlier blog post, examples of dynamic websites include sites that run off of “Content Management Systems” (CMSs) such as WordPress or Drupal. Our website (Barred Owl Web) runs off of WordPress.
The ability for someone to do more with less technical know-how brings potential vulnerabilities one may not be aware of. Because WordPress and Drupal (and other CMSs) are used by so many website owners, and because they are complex systems, it is no wonder bugs and security vulnerabilities are found.
As of this writing, if you visit the National Vulnerability Database and search for either “WordPress” or “Drupal”, you will see 492 and 626 results, respectively. Granted, many of these are either very old or irrelevant. But the fact remains that many vulnerabilities do exist in many shapes & sizes, and website owners must be vigilant about taking steps to protect their websites.
Here are just a couple steps you can take to protect your website from would-be hackers:
Always keep your website code up-to-date.
This is probably the most important step you can take to keep your website secure. Maintainers of Content Management Systems are constantly updating and revising code, and implementing bug fixes and addressing security concerns. The vast majority of websites are hacked because their owners fail to update the CMS code when updates are made available.This is extremely important because not only do the various vulnerabilities exist in outdated code, but the vulnerabilities are made public, so if an attacker wanted to hack your website, that person would only have to try to use an exploit made publicly available.
Most web traffic that flows to and from a user’s computer is unencrypted. A person who gains access to any part of the connection between you and a website (either legitimately such as a network administrator, or illegitimately, such as a hacker) can very easily see the user’s activity – what pages they visit, what information they submit, etc.
Think of it this way: You write a letter to your best friend and put it into the mail. If it was on a postcard that you did not put into an envelope, then any mail carrier along the way would be able to read what you wrote. However, if you put the letter into an envelope, then no one would be able to read what you wrote (without tampering with the envelope). HTTPS adds a layer of encryption to your web traffic so it is much harder for would-be attackers to “sniff” and read information you send and receive from a website, including usernames and passwords (Note that I did not use the word “impossible” here – it is still very possible, with the right tools and know-how, to break HTTPS encryption).
“HTTPS” connections require a SSL certificate, which can cost as little as $15 per year. Implementing SSL is not hard or complicated for a web developer. If possible, you should ALWAYS use SSL (HTTPS) communication when you login to your website and make changes to it.
Millions of people have malicious intent on the internet, and it is your responsibility to keep your own website safe. You should always keep your website code up-to-date, and if possible, you should use HTTPS. By following just these two suggestions, you will reduce the likelihood that your website gets hacked.