Security on Websites

The widespread availability of broadband technology in 2004 changed the face of the website from an online brochure into a profit-generating machine. It allowed businesses to communicate directly with their market, run transactions, build networks, and capture and store data. It wasn’t long before websites became targets of hacker and spam attacks that scheme to steal valuable data and monetize it to serve their selfish agenda.

The Dangers of Hacker and Spam Attacks

Over the last few years, we have been inundated by media reports of large companies falling prey to hacking and spamming attacks.

US Retail giant Target was a victim of a massive hack job in 2013 where the cyber-thieves stole 45.7 million credit card numbers. The breach affected Target’s sales the following year.

In 2014, JPMorgan revealed that cybercriminals were able to steal valuable information from its more than 80 million account holders. In the same year, Home Depot disclosed that hackers stole 56 million payment cards and 53 million email accounts.

Media coverage might have made it seem that only large companies are the targets of hackers and spammers. But in reality, even small businesses are not spared by these ruthless cybercriminals.

According to a 2013 survey by the National Small Business Association (NSBA), an estimated 44% of small businesses have fallen victim to hacking and spamming operations. On average, the attacks cost these small businesses $8,700.

The costs of hacking to your website go far beyond just the monetary considerations. Your reputation and all the time invested in building your brand can be seriously jeopardized.

Although consumers can accept the fact that you were a victim of unscrupulous individuals, some may view you as being “irresponsible”, “complacent” or “lackadaisical” in ensuring the protection of your customers’ information.

When a customer decides to patronize you over a competitor, he or she is not just giving you business. The customer has also entrusted you with his or her private information. It is expected that as the proprietor, you would do everything in your power to ensure its protection.

But how does your website get hacked? In a home robbery, a thief will carry out his despicable deed when you are away or asleep.

In the case of a cybercriminal, he knows your website is operational 24/7. He will look for an entry point to your website where he can come in unnoticed. If a thief will try to break in through a window, the cybercriminal will find his way through your front door.

This is why sometimes a hack job may start out as an innocent-looking email.

How Your Website Gets Hacked or Spammed

Has this scenario happened to you or someone you know?

When checking your email one morning, you come across a message with the following subject matter “Urgent! Please Respond Immediately”. You note that the email came from someone in your contact list; a good friend as a matter of fact, one whom you regularly correspond with.

You decide to open the email and there is no content except for a link. You slowly move your mouse over to the link, all the while believing it must be authentic because it came from your friend. By blindly trusting the email, you have inadvertently opened the gateway to Internet hell for your website.

Your website has just been hacked. Depending on the severity of the attack, the next few hours or days will be memorable for all the wrong reasons.

The link that you just clicked on could unleash a virus that may lead to a number of worst case scenarios:

  • Valuable customer information such as credit card and social security numbers is stolen.
  • Your passwords are stolen.
  • Your server will be “hijacked” and used as a launching stage for illegal activity.
  • Your website will be defaced and used to promote undesirable propaganda.
  • You become a victim of ransomware.
  • Your email address will be used as a relay channel for inappropriate activities.

Email that is unwanted is called spam. Hackers are aware that consumers have gotten wise over the years and do not open email from people who are not part of their contacts list.

But so great is their greed that eventually hackers found ways to get the names and email addresses of your network. They call this “Email Harvesting”.

Here are some of the methods they will use to harvest your email addresses:

  • Hackers broke into a legitimate website to which you had given your email address.
  • You signed up for a mailing list that was hacked.
  • You sent an email to someone who forwarded it to a third party, who decided to harvest your address.
  • A recipient sent out an email with your address in the cc field instead of bcc, making it visible to everyone on the thread.
  • You gave your email address to a focus or discussion group, and anyone in the group could have harvested it.
  • Someone saw your email address on your business card and harvested it without your knowing.

Cybercriminals can be creative when it comes to getting you to open their emails. They will come up with interesting ways to grab your attention and entice you to open their emails without hesitation.

We’re sure you’ve come across some of the following lures summarized below:

  • Personal Fraud – A warning of potential fraudulent activity on your credit card or bank account.
  • Account Hacking – A notice stating that your account has been disabled because it was hacked.
  • Package Delivery – Notification that you have a special package waiting to be delivered.
  • Order Confirmations – A request to confirm your order for an item, usually popular branded merchandise.
  • Social Networking – An invitation to connect with someone influential in the industry.
  • Job Offers – Still very popular after all these years, and still an effective way of infiltrating your defenses.

Remember all they need is for you to click on the link. It may release malware that could steal all of your information including email addresses.

7 Tips to Protect Your Website from Hacker and Spam Attacks

Often it can be hard to decide whether to open an email, especially when it appears to come from someone you know. You may have to take a more proactive approach to defend your website from hacking and spamming activities.

1. Regularly Update Software

Hackers use automated crawlers or bots to scour the Internet, constantly looking for websites with openings through which they can deliver malware-infested content. These openings are outdated software and programs that you hardly use.

Here are 3 things you should have on your software update checklist:

  • Make sure your web host service provider regularly updates the security features on its operating system.
  • If you subscribe to third-party software, sign up for their mailing list so you can be immediately advised of program updates.
  • Ask your website designer to conduct a frequent audit on your site. The purpose of the audit is to identify outdated, hardly used and corrupted software programs that put your website at risk.

2. Use Strong Passwords

If you find recalling passwords cumbersome, then so would your site users. But the fact is having a strong password is a necessity given the brazen nature and frequency of hacking and spamming activities.

The usual guidelines for a strong password are to have at least eight characters with at least one capitalized letter and one number.

Never use your birth date and even if you have poor short-term memory, don’t use passwords like 12345678 or worse, password.

3. Get SSL Certificates

An SSL (Secure Sockets Layer) certificate assures the recipient that a file or message comes from a verified sender, and the SSL protocol encrypts the communication as data passes across the Internet.

You can read more about the benefits of having SSL certificates in our article, “SSL: What is It and Why Your Business Needs It”. Getting SSL certificates is very important especially if you have an online business that requires users to provide sensitive information such as credit card numbers.

You can tell a website has an SSL certificate when its URL starts with “https” instead of “http”.

4. Manage File Uploads

If your website allows users to upload files, you should remain vigilant and treat all uploaded content with suspicion. There is always the risk that an uploaded file contains a script that will execute when the server serves it as part of your website.

The best solution would be to restrict access to your web server. There are 2 ways to do this:

  • Prevent users from having direct access to uploaded files. Under this setup, all files are uploaded to a folder located outside the webroot of your site, and the web designer creates a script that fetches files from that folder for delivery to the browser.
  • Set up your database on a different server.
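An added example (not from the original article) of the first approach: a store script and a fetch script in Python, assuming a hypothetical upload folder outside the webroot. Beyond the article's description, it also shows why the stored name must be random and the extension allow-listed, and checks that the fetch script refuses ids it did not issue.

```python
import mimetypes
import os
import secrets
import tempfile
from pathlib import Path

# Assumption for this example: the upload folder sits outside the webroot
# (e.g. /var/uploads, not /var/www/html), so the web server never serves it
# directly; only fetch_upload() hands files to the browser.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".pdf"}
HEX = set("0123456789abcdef")

def store_upload(upload_dir: Path, original_name: str, data: bytes):
    """Save the upload under a random name and return its opaque id,
    or None when the file type is not allowed (.php, .html, .exe ...)."""
    ext = Path(original_name).suffix.lower()
    if ext not in ALLOWED_EXT:
        return None
    file_id = secrets.token_hex(16) + ext     # never reuse the user's filename
    (upload_dir / file_id).write_bytes(data)
    return file_id

def fetch_upload(upload_dir: Path, file_id: str):
    """Return (headers, body) for an id we issued, or None for anything else."""
    stem, ext = os.path.splitext(file_id)
    # Accept only <32 hex chars><allowed ext>: this rejects '../', absolute
    # paths and any name the site did not generate itself.
    if ext not in ALLOWED_EXT or len(stem) != 32 or not set(stem) <= HEX:
        return None
    path = (upload_dir / file_id).resolve()
    if path.parent != upload_dir.resolve() or not path.is_file():
        return None
    headers = {
        "Content-Type": mimetypes.types_map.get(ext, "application/octet-stream"),
        "Content-Disposition": f'attachment; filename="{file_id}"',
        "X-Content-Type-Options": "nosniff",  # browser must not guess a type
    }
    return headers, path.read_bytes()

def demo() -> dict:
    """Round-trip a constructed upload and probe fetch_upload() with bad ids."""
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir, sample = Path(tmp), b"\x89PNG constructed sample bytes"
        file_id = store_upload(upload_dir, "photo.PNG", sample)
        headers, body = fetch_upload(upload_dir, file_id)
        return {"roundtrip": body == sample,
                "content_type": headers["Content-Type"],
                "script_rejected": store_upload(upload_dir, "page.php", b"x") is None,
                "traversal_blocked": fetch_upload(upload_dir, "../../etc/passwd") is None,
                "unknown_id_blocked": fetch_upload(upload_dir, "0" * 32 + ".png") is None}
```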

5. Install Human Verification Programs

You’ve probably had your fair share of dealing with “Captcha” images. It may seem frustrating at times, but that is exactly the point.

The purpose of these captcha images is to assure the site it is dealing with a human being and not a program that is devoid of emotion.

Captcha is an example of a human verification program. Captchas are popularly presented as jumbled-up characters.

But hackers have found ways to bypass this so you need to up your game and use versions that require greater human interaction. Some versions utilize puzzles and games.

6. Fortify Your Defenses Versus SQL Injections and XSS Attacks

SQL injection uses a web form field to feed database commands to your site, letting a hacker access and manipulate your database. Web designers can prevent it with parameterized queries, which are a standard feature of most languages.

XSS attacks corrupt your web pages by using malicious JavaScript. This can have many devastating consequences for your website:

  • It can contaminate your users’ browsers.
  • It can alter your page content.
  • It can steal valuable data.

Web designers may use a Content Security Policy (CSP), which restricts which JavaScript sources and inline scripts are allowed to run on your page.
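An added example (not from the original article) covering both points in this tip: the string-built query beside its parameterized form, and a comment renderer that escapes user text and sends a CSP header. The in-memory user table, the form-field input and the comment text are constructed for the demonstration.

```python
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def find_user_vulnerable(conn, name: str) -> list:
    """The form field is pasted into the SQL text, so it can rewrite the query."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name: str) -> list:
    """Parameterized query: the driver passes the field as data, never as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def render_comment(comment: str) -> tuple:
    """Escape user text before placing it in HTML, and send a CSP header that
    allows scripts only from the site's own origin (no inline <script>)."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'",
    }
    body = f'<p class="comment">{html.escape(comment)}</p>'
    return headers, body

def demo() -> dict:
    conn = make_db()
    field = "' OR '1'='1"          # the classic tautology typed into a form field
    headers, body = render_comment("<script>alert(1)</script>")  # constructed input
    return {"vulnerable_rows": len(find_user_vulnerable(conn, field)),  # every user
            "safe_rows": len(find_user_safe(conn, field)),              # no match
            "normal_rows": len(find_user_safe(conn, "alice")),
            "script_tag_in_page": "<script>" in body,
            "csp": headers["Content-Security-Policy"]}
```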

7. Follow Standard Safety Guidelines

Last but certainly not least, make sure you have safety guidelines in place for managing your website activities. These measures are pretty basic but often overlooked:

  • Exercise caution when giving out your email address whether to connections or to websites.
  • Create backup email addresses if you plan to transact with websites you are somewhat uncertain about.
  • If you are suspicious about the subject matter in an email sent from a contact’s address, give him a call or a message and confirm if the communication came from his side.
  • Make sure all anti-virus, malware and firewall programs are updated and running all the time.
  • In addition to using strong passwords, it is advisable to change them from time to time.
  • Do not open websites that ask you to provide access to your social media account information.
  • Ask your web designer to test your defense systems frequently.
  • Moderate your website frequently. Check your admin page for messages or content that your automated spam filter may have missed.

Conclusion

The Internet is a beautiful thing. It gives us access to information anywhere in the world with just a click of a mouse or a tap of the keyboard. But just like in the real world, there is the constant battle of good versus evil.

Protect your website as you would your own home. Do not let suspicious characters in and make sure all entry points are tightly secured.

The bad guys are always trying to stay one step ahead of the good guys. As a business owner, your time is best spent focusing on tasks that will help you stay ahead of the competition, not worrying about what these cybercriminals are plotting.

As long as you follow our guidelines, you should be able to sleep soundly every night knowing your website is secure from hacker and spam attacks.

Would you like to know more about fortifying your website defense systems? Please don’t hesitate to give us a call or drop us an email. Your website’s safety is also our concern!