With the increase in online shopping, virtual learning, and web browsing, it is more important than ever to protect your club’s web server from attackers and malware.
A vulnerable web server can potentially:
Allow a data breach
Once attackers gain control of a server whose database holds user information, they hold a valuable asset. Even if the site does not process or store credit cards (the ultimate prize for any attacker) and all passwords are stored as properly salted hashes rather than in plain text, plenty of other data is useful to criminals. They can sell it, dump it for free on the dark web, use it to obtain further personal information through social engineering (phishing), or use it to blackmail users. Even the hashed passwords are taken, in the hope of cracking them offline later and reusing them wherever the same password was chosen.
Weaponize your server
Like most businesses, criminals want to increase profits while keeping overhead low. They do this by using compromised servers as free infrastructure: storage, hosting phishing pages that harvest personal data, serving ads, and launching attacks against other servers. They can even inject code that turns your visitors’ browsers into cryptocurrency miners. All of this can run up hosting and bandwidth bills and damage your reputation, both as a brand and in the eyes of other servers and blocklists on the internet.
Take Time to Correct
Depending on severity, you might not notice for an extended period that the server has been compromised. During that time you may see traffic drop because of a degraded visitor experience, or find that clients cannot reach your site at all because blocklists, antivirus vendors, or even your hosting company have flagged it as unsafe. The time sink continues once you do discover the problem: because of the complexity of WordPress and its subsystems, it can take a long time to find and fix both the original vulnerability and any damage done. Cleaning up the visible damage alone is not enough; unless the entry point is closed, the attacker simply comes back.
Here are some steps your club can take to maintain a safe website:
Timely updates at all levels, from server to website
At the server level, the OS and server software (e.g. MySQL, PHP, Apache) need periodic patching to close known weaknesses. Many sites run WordPress customized through plugins and themes; all of these should be updated through the dashboard (or WP-CLI) as well, since outdated plugins and themes are a frequent entry point. Keeping everything patched is the single most important part of protecting internet-facing systems. Part of updating is having a tested way to roll back: a backup of both the files and the database taken immediately before the update, so you can restore the site if an update breaks functionality.
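The roll-back step above, as an added example that is not part of the original article: a small POSIX shell script that snapshots the site's document root before an update, runs the update and a health check, and restores the snapshot if either fails. The paths, the WP-CLI update command and the curl health check in the comments are hypothetical placeholders; the database export line assumes WP-CLI is installed and is shown only as a comment.

```shell
#!/bin/sh
# Added example (not from the original article): snapshot a site's document
# root before an update and roll it back if the update or a post-update
# health check fails. Paths and commands are hypothetical placeholders.

# snapshot_site <docroot> <backup_dir>
# Archives the docroot into backup_dir and prints the archive path.
snapshot_site() {
  docroot=$1; backup_dir=$2
  [ -d "$docroot" ] || return 1
  mkdir -p "$backup_dir" || return 1
  archive=$(mktemp "$backup_dir/site-$(date +%Y%m%d-%H%M%S).XXXXXX") || return 1
  tar -czf "$archive" -C "$docroot" . || return 1
  # The database is part of the rollback too; with WP-CLI installed:
  #   wp --path="$docroot" db export "$archive.sql"
  printf '%s\n' "$archive"
}

# rollback_site <docroot> <archive>
# Empties the docroot and restores the archived files. The guard refuses to
# run with an empty or missing docroot so a bad variable cannot wipe "/".
rollback_site() {
  docroot=$1; archive=$2
  [ -n "$docroot" ] && [ -d "$docroot" ] && [ -f "$archive" ] || return 1
  find "$docroot" -mindepth 1 -delete || return 1
  tar -xzf "$archive" -C "$docroot"
}

# update_with_rollback <docroot> <backup_dir> <update_cmd> <check_cmd>
# Snapshots, runs the update, then the health check; rolls back on failure.
# Returns 0 on success, 2 after a rollback, 1 if the snapshot or restore failed.
update_with_rollback() {
  docroot=$1; backup_dir=$2; update_cmd=$3; check_cmd=$4
  archive=$(snapshot_site "$docroot" "$backup_dir") || return 1
  if sh -c "$update_cmd" && sh -c "$check_cmd"; then
    echo "update applied; snapshot kept at $archive"
    return 0
  fi
  echo "update or health check failed; restoring $archive" >&2
  rollback_site "$docroot" "$archive" || return 1
  return 2
}

# Real-world invocation (hypothetical paths; WP-CLI and curl assumed):
#   update_with_rollback /var/www/html /var/backups/wp \
#     'wp --path=/var/www/html plugin update --all' \
#     'curl -fsS https://club.example/ | grep -q "</html>"'
```

The health check is what makes the rollback automatic rather than a manual decision at 2 a.m.; a simple fetch of the front page is enough to catch the common "white screen" after a bad plugin update. Keep the snapshots for a while even after a successful update, since some breakage only shows up when a visitor hits a less-used page.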
Maintain user security
User security is just as important to server integrity. As a rule of thumb, keep the number of accounts with administrative access to the website and the server as small as possible; each such account is a target for attackers. Give day-to-day content editors a lower-privilege role (WordPress’s Editor or Author roles) rather than Administrator. Every administrator’s password should be at least 11 characters long and mix numbers, upper-case and lower-case letters. Direct admins to avoid common passwords, anything built from personal information that can be found through an internet search, and any password they already use on another site. Where the site or host offers two-factor authentication, turn it on for administrators. Finally, rotate passwords periodically, and immediately when an administrator leaves or a compromise is suspected. All of this applies at both the website and server level.
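The password rules above turned into a check that can be run before an admin account is created, as an added example that is not part of the original article. The common-password list embedded in the script is a tiny constructed stand-in; in practice compare against a full breached-password list. The personal-information tokens (names, the club’s acronym) are whatever you know about the user and are passed as extra arguments.

```shell
#!/bin/sh
# Added example (not from the original article): check a candidate admin
# password against the policy in the text. COMMON_PASSWORDS is a constructed
# stand-in for a real breached-password list.

COMMON_PASSWORDS='password123
Welcome2024
Volleyball1
Letmein2023'

# contains_ci <haystack> <needle>: case-insensitive substring test
contains_ci() {
  h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  n=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ -n "$n" ] || return 1
  case "$h" in *"$n"*) return 0 ;; esac
  return 1
}

# check_password <candidate> [personal-info tokens...]
# Prints every policy violation on stdout and returns 0 only if there are none.
check_password() {
  pw=$1; shift
  fails=0
  [ "${#pw}" -ge 11 ] || { echo "too short: need at least 11 characters"; fails=$((fails+1)); }
  printf '%s' "$pw" | grep -q '[[:digit:]]' || { echo "needs a digit"; fails=$((fails+1)); }
  printf '%s' "$pw" | grep -q '[[:upper:]]' || { echo "needs an upper-case letter"; fails=$((fails+1)); }
  printf '%s' "$pw" | grep -q '[[:lower:]]' || { echo "needs a lower-case letter"; fails=$((fails+1)); }
  # Whole-line, case-insensitive match against the common list
  if printf '%s\n' "$COMMON_PASSWORDS" | grep -qixF -- "$pw"; then
    echo "is on the common-password list"; fails=$((fails+1))
  fi
  # Personal information anywhere in the password, regardless of case
  for token in "$@"; do
    if contains_ci "$pw" "$token"; then
      echo "contains personal information: $token"; fails=$((fails+1))
    fi
  done
  [ "$fails" -eq 0 ]
}

# Usage (hypothetical values): check_password 'Candidate1Pass' 'Holbrook' 'AVCA'
```

A password that passes this check is still only as good as the place it is typed, so the check is a floor, not a substitute for two-factor authentication on the admin accounts.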
Periodically review the site
Look at users, pending updates, pages, server directories, and traffic analytics and logs. This catches users who should no longer have access, vital updates that were missed, pages that have been altered or are popping ads because of maliciously inserted code, directories and files that should not exist (for example PHP files inside the uploads folder), and spikes in traffic from unexpected sources, such as a single address hammering the login page, that indicate the server is being attacked or has already been compromised.
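Four of the checks above as shell functions, added here as an example that is not part of the original article: two run over the web server access log (Apache or nginx "combined" format) and two over the document root. The sample log lines are constructed and use RFC 5737 documentation addresses; the thresholds and paths are placeholders to be tuned for your own site.

```shell
#!/bin/sh
# Added example (not from the original article): checks for a periodic site
# review. Log lines are assumed to be in Apache/nginx "combined" format:
#   IP - user [date] "METHOD /path HTTP/1.1" status bytes "referer" "agent"

# top_sources <access_log> <threshold>
# Source IPs with more than <threshold> requests, busiest first.
top_sources() {
  awk -v thr="$2" '{ n[$1]++ }
    END { for (ip in n) if (n[ip] > thr) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# login_abuse <access_log> <threshold>
# Source IPs with more than <threshold> POSTs to wp-login.php or xmlrpc.php,
# the usual sign of a password-guessing run against the admin accounts.
login_abuse() {
  awk -v thr="$2" '
    $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") { n[$1]++ }
    END { for (ip in n) if (n[ip] > thr) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# stray_php <docroot>
# PHP files under wp-content/uploads. Uploads should hold media only, so a
# .php file there is a common sign of a web shell dropped by an attacker.
stray_php() {
  find "$1" -path '*/wp-content/uploads/*' -type f -name '*.php'
}

# recent_changes <docroot> <days>
# Files changed in the last <days> days; compare against your own update dates.
recent_changes() {
  find "$1" -type f -mtime -"$2"
}

# write_sample_log <file>: constructed sample log for a dry run
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.28"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.28"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.28"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.28"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.28"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET / HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /schedule/ HTTP/1.1" 200 9120 "https://club.example/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:10:45 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF
}

# Usage against a real site (hypothetical paths):
#   login_abuse /var/log/apache2/access.log 20
#   top_sources /var/log/apache2/access.log 500
#   stray_php /var/www/html
#   recent_changes /var/www/html 7
```

On the sample log, login_abuse with a threshold of 5 reports only 203.0.113.5, the address making six login POSTs in three seconds with a scripted user agent; the single xmlrpc.php POST from 192.0.2.9 stays below the threshold. Run the file-system checks against a snapshot of the document root taken right after your own last update, so that anything recent_changes lists is by definition something you did not do.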
Note: In some cases a web developer or hosting company may need to be engaged to implement these steps, and for some organizations the hosting company handles everything at the server level. A web application firewall service such as Sucuri adds a preventative layer that blocks known-bad visitors before they reach your site; it complements patching and account hygiene rather than replacing them.
About the Author
Nathan Holbrook is a Systems and Network Administrator for Associations International, the parent company of the American Volleyball Coaches Association (AVCA).