Your Site, Your Security, Your Responsibility


Last time, we talked a great deal about why you never want to go to court and the reasons that good attorneys will fight tooth and nail to keep you out of court and away from judges/juries.

However, one of the sad truths of the Internet is that it’s easily possible to find yourself in a legal mess through almost no fault of your own if someone else infiltrates your site.

It might seem like an unlikely scenario, but if your site is hacked or taken over, you can find yourself with a great deal of legal difficulties. Even if you can clear your name quickly, your site, your account and your server could become evidence in a much larger case and you could easily find yourself shut out of even your backups as authorities, lawyers or others try to piece together what happened.

The problem is even worse if you store user data, in particular sensitive data such as credit card numbers and personal information, such as names and passwords. Not only do you face a potential breach of trust with your readers, but the authorities will likely want to know more about the hack and, at the very least, you’ll need to be offline while you figure out what happened and you could be found to be in violation of legal responsibilities you have to protect such data.

If you want your site to run smoothly and be free from interference from government and law enforcement, security is crucial. It’s not something you can be relaxed on, even if you think no one would take an interest in your site.

After all, it’s the ones who think they can’t get hacked or won’t get hacked that fall first. Not because their hubris draws out attackers, but because they fail to take the basic steps that can prevent a security meltdown.

Sorry, You’re NOT Safe

When it comes to securing websites, a lot of people think that an attack won’t happen to them because no one would be interested in their site. After all, they have little traffic, no enemies and don’t post on controversial topics that are likely to motivate anyone to lash out at them.

The problem, however, is that most attempts at breaching a website aren’t motivated by targeting a specific site, but by attempting to access any site that they can. They don’t care whose site they hack, so long as they get into someone’s.

On one hand, this is good news for webmasters as most will never face an elite attacker bent on tearing them down. Similar to the recent WordPress botnet attack, these attacks tend to be aimed at low-hanging fruit, meaning that most people can avoid these attacks by just taking basic security precautions.

But if your site does fall, the danger you face in terms of enforcement is related to what happens next. Once someone has access to your account, depending on your hosting setup, they can do any number of things, including:

  1. Use your server to assist in a denial of service attack.
  2. Post spam content.
  3. Host illegal content ranging from copyright infringing material to child pornography.
  4. Set up phishing sites to deceive others.
  5. Distribute malware.

Obviously, if your server becomes a haven for spam, you’ll likely take a beating from Google and not much more. But if it becomes a haven for illegal content or other criminal activities, the problem could be much more severe.

Considering that it’s possible your site can be compromised and you might not be aware of it (many attackers leave the main site untouched so everything appears normal), this is a problem that could bite at almost any time.

If you don’t want to answer awkward questions about your site and content you didn’t upload, you need to do what you can to secure your site. Fortunately, the basics are actually pretty easy to do.

Securing Your Site

To be clear, no site is 100% secure. That is completely impossible. If someone with enough skill wants to hack your site, they can. It’s that simple.

However, most likely the attacks you’re going to face will not be targeted at you directly and, instead, aimed at picking off the low-hanging fruit. This opens the door to taking simple steps that can go a long way to protecting you.

These include:

  1. Two-Factor Authentication: If you can use two-factor authentication, meaning a combination of a password and something else (text message code, phone app, etc.), you should enable it. Twitter, Google, Facebook and WordPress.com all offer this feature and there are also plugins for WordPress to enable it on your blog.
  2. Strong Usernames/Passwords: Make sure both your username and password are not easily guessable. Don’t leave your WordPress username “Admin” and make sure your password is actually tough to guess and crack. Likewise, try to avoid using the same password for multiple services, using a password manager if needed.
  3. Be Wary of Security Questions: Security questions can also be a weak link as they can allow others to reset your passwords. Either choose security questions that no one knows the answer to but you and that can’t be looked up online or, if needed, lie about the answers. The answer doesn’t have to be honest, just something you can remember.
  4. Be Mindful of Apps and Plugins: Always be wary of what you connect to your site and your related accounts. Disable apps, plugins and tools that you aren’t using and keep the ones you are using updated. Make sure you trust anything that you give access to your accounts.
  5. Be Careful Where You Enter Your Password: Phishing attacks are common so only enter your password when you’ve typed the URL yourself or loaded it from your bookmark. Don’t click links in emails, instant messages, etc.

While these steps won’t guarantee your safety and, hopefully, are all things you’ve heard many times before, they can prevent you from being the low-hanging fruit that gets picked off in the next wave of attacks.

Bottom Line

While you aren’t a criminal if your site is hacked, you and your server can be caught up in the investigation and that can mean a great deal of headache for you, your site and everyone who reads it.

When it comes to the law, the goal should never be to simply avoid doing anything illegal, but to avoid situations which can cause you legal trouble. Even if you can win in the end, it’s likely not worth having a weak password if it means going through the headache of an investigation.

It’s much better to take a few moments now, do what you can to secure your site and save everyone some hassle. Best of all, you’ll be doing your part to help keep the bad guys from gaining more ground online.

After all, a secure website is a clean site and a clean site contributes to a clean Internet.