Website Security Check Should Include Vendors
The most common website security checks cover the risk of hackers breaking through and damaging the site content or software.
Even worse, hackers look for personal information.
Anyone who watches web hosting reports closely will see that even a small local site will get suspicious visitors from Asian and East European countries.
The visitors have no business coming to the site except to search for entry points and cause mischief.
The less serious mischief includes registering on the site to post comments. The comments often have links to other sites that sell questionable products and services.
The more serious mischief includes stealing credit card or other personal information such as Social Security numbers.
But another risk exists, and it doesn’t come from other countries or even hackers living in the United States. The risk comes from the site’s vendors or employees.
Why Vendors and Employees Hack a Site
I have been hired to fix or completely rebuild a half dozen websites that were hacked by vendors or employees.
In every case, the company owning the site had terminated the relationship. A vendor contract lapses because another vendor is cheaper or gives better customer service. An employee is fired, demoted or laid off. An unprofessional vendor might have long-overdue invoices, or an employee might not have gotten a raise.
Some people will ask an obvious question. Why would the company still allow a former vendor or employee to have access to the site?
The answer also seems obvious to some people but not to others. The company doesn’t have procedures for checking and maintaining website security for these situations.
Priorities compete for attention. A busy person with decent organizational skills will focus first on the priorities with the highest importance or urgency.
A website security check may fall to the side of the road because, well, the site has been secure for 10 years, so why bother now? That lapse is exactly the opening someone needs to take advantage of the site.
Former vendors and employees also can hack the site because the owners naively gave out their own administrative logins and passwords and didn’t change them after the termination.
Maybe they do protect or change the login and password for the site publishing software, such as WordPress. But they forget to change the credentials for the hosting account, which gives access via FTP or cPanel.
Simple Website Security Check
The following steps increase security for a site against the possibility of hacking by former vendors or employees.
These steps are just a starting point for increasing security and may not stop someone with strong technical skills. So it is important for the site owner to consult with the hosting company or other reliable providers on other ways to increase security.
- Create new logins and passwords for new vendors and employees. Do not hand out existing credentials.
- Site publishing software has levels of permissions for each user category. Limit the “super admin” category to the fewest possible users.
- Keep the super admin logins and passwords in a secure place.
- Create user logins and passwords with the lowest possible permissions for nearly all vendors and employees.
- Use complex passwords with a combination of numbers, symbols, uppercase letters and lowercase letters.
- Delete account access for vendors and employees right BEFORE terminating the relationship.
- If anyone has access to other accounts, such as a domain registrar (GoDaddy, Network Solutions) that is separate from the hosting company, make sure the credentials for those accounts are changed as well.
- Use different logins and passwords for site publishing software and hosting accounts.
- Keep in mind that someone might gain access to someone else’s login and password during employment. Use site administrative logs after termination to look for unusual activity.
- Make sure the hosting account has at least weekly and preferably daily automated backups of the site software and database in case a previous version of the site needs to be restored.
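The checklist above can be turned into a repeatable audit. The following script is an added example, not code from the original post; it assumes a constructed user export (login and role), a list of ended relationships with their termination dates, and admin log lines in a made-up "date login action" format. It flags accounts that should have been deleted, too many super admins, and activity by a former vendor or employee after termination.

```python
from datetime import date

# Constructed sample data, not taken from any real site.
# Accounts as exported from the site publishing software (login -> role).
USERS = {
    "owner": "super_admin",
    "marketing-lead": "super_admin",
    "old-vendor": "super_admin",     # former vendor, never removed
    "freelance-writer": "author",
    "new-vendor": "editor",
}
# Relationships that have ended: login -> termination date.
OFFBOARDED = {"old-vendor": date(2024, 3, 1), "freelance-writer": date(2024, 2, 15)}
# Administrative log lines in a constructed "date login action" format.
ADMIN_LOG = """\
2024-02-10 freelance-writer post_publish
2024-03-02 owner plugin_update
2024-03-05 old-vendor plugin_install
2024-03-06 old-vendor user_create
2024-03-06 new-vendor post_edit
"""

def stale_accounts(users, offboarded):
    """Logins that were offboarded but still exist in the user export."""
    return sorted(login for login in offboarded if login in users)

def super_admins(users):
    """Every login holding the highest permission level."""
    return sorted(login for login, role in users.items() if role == "super_admin")

def post_termination_activity(log_text, offboarded):
    """Log entries made by an offboarded login on or after its termination date."""
    hits = []
    for line in log_text.splitlines():
        day, login, action = line.split(" ", 2)
        ended = offboarded.get(login)
        if ended and date.fromisoformat(day) >= ended:
            hits.append((day, login, action))
    return hits

def audit(users=USERS, offboarded=OFFBOARDED, log_text=ADMIN_LOG, max_super_admins=2):
    """Run all three checks and return the findings as a dict."""
    admins = super_admins(users)
    return {
        "stale_accounts": stale_accounts(users, offboarded),
        "excess_super_admins": admins if len(admins) > max_super_admins else [],
        "post_termination_activity": post_termination_activity(log_text, offboarded),
    }

if __name__ == "__main__":
    for finding, items in audit().items():
        print(finding, items)
```

Any non-empty finding is a checklist item that was skipped; the stale-account and post-termination checks are the ones worth running again the day after each offboarding.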
The half dozen sites I fixed or rebuilt did not follow any of these steps and faced painful results that cost them a great deal of time, stress and money.
A simple website security check may go a long way in avoiding the same results.