Charles Tips – Best practices for mitigating website hacks

We at CharlesWorks are often asked by our web clients if their site is protected from malware and getting hacked. They also want to know, if their site IS hacked, whether there will be a charge to fix it.

The totally hack-proof website

The totally hack-proof website has no access to it. So it’s not connected to the Internet. No one can view it. Such a website doesn’t sound like it’s of much use if no one can see it.

So, let’s agree that it is unrealistic to believe that a publicly accessible website can be totally hack-proof. Any website that is accessible via the public Internet is consistently subjected to attempts to break into it. Believe it or not, that’s the norm as opposed to the anomaly.

That being said, however, there ARE things you can do to mitigate website hacks. I have to stress the word mitigate here. Mitigation is defined as the action of reducing the severity, seriousness, or painfulness of something.

Site hacks are based on odds

My goal here is to simply remind you of what you most likely already know: that we can reduce the probability – the odds – of your site being hacked. We at CharlesWorks want that probability to be so low that hopefully it doesn’t ever happen to you.

The major hacking causes

I have been operating CharlesWorks since 1998. In my experience, there appear to be two major reasons why sites get hacked:

      • The access credentials/passwords have been compromised.
      • The software that operates them wasn’t kept up to date.

Let’s take a look at each of these below.

Compromised Access Credentials

Compromised passwords and bad actors gaining access to website login credentials is the major reason we see sites hacked. Think about this in terms of your car. You could have alarms on it. But if you make a copy of your car key and give it to someone, they can do whatever they like with the car. Whether it’s a drive along the beach or to rob a bank, your car is theirs to use with the key you gave them. Credentials – log in and passwords – work pretty much the same way.

CharlesWorks has many clients who want to be able to do things themselves. We are strong proponents of doing it yourself when it’s feasible and convenient. This is especially true for adding posts or page materials. It also makes sense when making other changes or modifications to your site. It is, after all, YOUR website.

However, many people fall prey to phishing schemes. Directly or indirectly, they usually end up tricked into giving out their website access credentials (as well as credentials to everything else they own). This is especially true if your email account is hacked and the hackers are able to access emails containing your website’s (and other) login credentials.

This problem is exacerbated if you have shared your website’s administrative or other access with others. Think of your emails containing various authorizations or login information as a potential weak link in a chain. If you have shared that information with others you have now created more weak links. This increases the odds of a potential compromise.

One of the best ways to mitigate these situations is to change your site’s access passwords so they are different than those possibly stored in your emails, and to hope that anyone you may have shared your website access with has done the same.

Obviously, should site access be gained in such a manner, it would be your burden to have the site restored. I’ll expound upon this a little more at the end of this article.

Out of Date Security/Software Updates

Malware and virus protection on home computers operates a little differently than the same types of protection on servers. Website servers operate in the publicly accessible Internet. This results in many more entry points for potential issues. There are a number of very standard server protections available (which we utilize here at CharlesWorks).

After bad actors getting (or guessing) your passwords, the next major reason sites get hacked surrounds unapplied security updates and other software update issues. At CharlesWorks we mitigate such issues by running anti-malware software on our servers. Also, WordPress sites hosted on our servers are kept up to date automatically via automatic updating of the WordPress core as well as automatic updating of the website’s plugins and themes.

There are literally thousands of individual pieces of software that must work in unison to operate most websites. These are developed by many more thousands of developers around the world. Unfortunately, no company can guarantee that a website will never get hacked. They can only mitigate security compromises and hope against the worst.

Restoring your Website

Regardless of which of the two situations above may have led to your website’s issues, your website will most likely need to be restored. That’s because after a bad actor gets in or a hack occurs, back doors into the site will most likely have been installed so the bad actors can gain access again.

Many Internet companies claim to have automatic backups. In most of those, those backups are accessible to the user in their account. If the account is hacked, how safe do you suppose that is?

Some Internet companies delete an account upon a website being hacked. In those cases I have seen many left with no website or backup as a result.

What I believe is most important regarding this topic is the manner in which our WordPress sites are backed up every day for 30 days. Our backups are made to separate servers – external to those your site operates on. For security reasons, the site administrators do not have access to these backups. So even with a site administrator’s compromised passwords there is no access to the backups. With these backups we can usually restore an average site in about 10-30 minutes if it needs restoring. And we can go back as far back as 30 days. We would only bill our web client for the 10-30 minutes (again – for an average website) which results in only a minor charge to restore it. (Note that some websites are extremely large and require much more time to restore, but these are very rare.)

In my experience running CharlesWorks since 1998, we’ve built and handled more than 5,000 websites. At this point in time, I do not recall the last time a website we built and totally maintained was hacked (unfortunately I recall several instances of sites maintained by others that failed to ensure the site was updated and/or had their passwords compromised).

Sites getting hacked for out of date software happens far less frequently (if at all) when security updates are kept up to date and bad actors are kept out.

I hope this helps you understand a little more about this topic.

Charles Tips – Inflated Maintenance Plans

Along with all the many scams out there on the Internet are what I’d call the “inflated monthly maintenance plans”.


These are usually fixed monthly pricing plans that include hosting and website maintenance. Such plans are touted as providing the business owner with a means to budget ongoing website maintenance, so-to-speak.

I’ve seen many of these offerings since 1998. I’ve also spoken with many website owners who have had such plans. They’re almost never advantageous to the business owner.

In most cases, business website owners had paid up to several hundred dollars a month for these plans – for many years in some cases. Most never had any work done to their websites. Those who did have work done indicated it was far less value than they had paid for with their “budget”.

Put specifically in dollar terms, some had paid thousands of dollars for only about a hundred dollar’s worth of web updates over time. For that reason I highly recommend businesses avoid such plans.

In short, be very careful about doing business with web companies or web developers that want to sell you these inflated monthly maintenance plans. Paying for website work on an as-you-need-it basis will almost always cost you much, much less in the long term.

Charles Tips – No Domain or Hosting Contracts

Two components of a website are the domain and hosting. Websites are accessed easiest with these.

Domain names are labels typed into web browsers that point to a particular website. Usually they’re a word or words pertinent to the website. Each domain is unique. There can only be one of each in the world.

Hosting is a server space for a website. It’s available 24-7 for anyone anytime it is accessed. Websites usually contain coding that shows what the site visitor would view as a website.

Finally, the website coding can reside in the hosted web space. That’s what makes the site appear. Or the coding may just jump off (redirect) to go to a different address.

My favorite analogy is to a house. There’s an address (domain name). It’s rented each month (hosting) so one can show off its furniture (web coding). It doesn’t matter whether there’s a little or lots of furniture – they pay rent (hosting).

No Written Hosting or Domain Contracts Required at CharlesWorks

Does your web company require hosting or domain contracts? Reputable ones won’t. They’re willing to ALWAYS provide the best service to you instead of just before contract renewals.

Contact your hoster to determine whether they’ve locked you in or you’re free to move where you can get the best service.

Charles Tips – Hosting Includes Encryption

Website visitor safety is extremely important. I’ve mentioned terms here before like SSL, encryption, security and so on. These involve that little green or grey lock in front of the web address in your browser, the padlock that some browsers show for an encrypted site using https. Clicking on that tells you whether the encryption is valid and what site it’s issued to.

Providing encryption was traditionally expensive for website operators. However, it can be had for free these days. There’s no reason not to have it.

Encryption refers to a method on website servers that helps ensure you are actually on the website you think you are on. This greatly reduces the risks of fraud.

Ripping you off is a top priority for many nefarious individuals and organizations on the web. One method is tricking you into giving your credit card or other personal information on a “fake” site or web page. These pages often look exactly like those of your bank’s or credit card company’s or even your email’s login pages.

There’s usually a small one-time charge for initial setup. Website owners should check with their hosting company or web developer to ensure website encryption (SSL) is included in their monthly hosting at no extra charge. If need be, it’s worthwhile to move to a company whose hosting provides this.

Charles Tips – Nightly Website Backups

Your website is an important investment. Whether you made it yourself or paid to have a professional develop it for you – you wouldn’t want to lose it. We have taken on clients who were with the largest company in the world who lost their website because of having no backup. The terms for doing business with that company even state they are not responsible for the loss of the website.

Nightly Backup Server

I couldn’t imagine not backing sites up. Nowadays the technology is ever present to back everything up. In the not too distant past, hard drives were much more expensive than they are now. Hard drive space is extremely inexpensive nowadays – so there’s no excuse for a company to not make backups.

One third of today’s sites are on a platform called WordPress. Security updates happen often and changes can be readily made to WordPress sites – so they need backups at least every day. Whether there’s a server catastrophe or simply one of your employees blowing up your site while making changes – it can be recovered.

Definitely protect your website investment by hosting with a company that provides daily backups of your WordPress website every night for at least a month. That will avoid having to restart your website from scratch.
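The retention side of the backup scheme described here and in the first article (nightly backups kept for 30 days on a separate server that site administrators cannot reach) can be sketched as follows. This is an added example, not CharlesWorks’ own tooling: the YYYY-MM-DD directory naming and the function names are assumptions, and it goes one step beyond the text by never deleting the newest snapshot, so a backup job that has quietly stopped cannot cause every restore point to be pruned.

```python
"""Retention for dated snapshots, meant to run ON the separate backup server.

The backup server pulls from the web host; the web host and the site's
administrator accounts hold no credentials for this directory.
"""
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path

KEEP_DAYS = 30  # the page's figure: restore points going back 30 days


def snapshot_date(name):
    """Parse an assumed YYYY-MM-DD directory name; None if it is not one."""
    try:
        parsed = date.fromisoformat(name)
    except ValueError:
        return None
    return parsed if parsed.isoformat() == name else None


def expired_snapshots(names, today, keep_days=KEEP_DAYS):
    """Return snapshot names older than keep_days, oldest first.

    The newest snapshot is never listed. If the nightly job has silently
    stopped, a plain age-based prune would otherwise delete every restore point.
    """
    dated = []
    for name in names:
        taken = snapshot_date(name)
        if taken is not None:  # skip anything that is not a snapshot
            dated.append((taken, name))
    dated.sort()
    if not dated:
        return []
    newest = dated[-1][1]
    return [name for taken, name in dated
            if (today - taken).days > keep_days and name != newest]


def prune(root, today, keep_days=KEEP_DAYS):
    """Delete expired snapshot directories under root; return their names."""
    root = Path(root)
    names = [p.name for p in root.iterdir() if p.is_dir() and not p.is_symlink()]
    removed = expired_snapshots(names, today, keep_days)
    for name in removed:
        shutil.rmtree(root / name)
    return removed


def demo():
    """Prune a constructed tree of 40 nightly snapshots plus one stray directory."""
    today = date(2024, 3, 31)  # constructed date, so the result is repeatable
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for age in range(40):
            (root / (today - timedelta(days=age)).isoformat()).mkdir()
        (root / "lost+found").mkdir()  # not a snapshot: must survive
        removed = prune(root, today)
        remaining = sorted(p.name for p in root.iterdir())
    return removed, remaining


if __name__ == "__main__":
    removed, remaining = demo()
    print("removed:", removed)
    print("kept:", len(remaining), "entries, oldest snapshot", remaining[0])
```

Scheduling this on the backup server, rather than on the web host, is what keeps a compromised site login from reaching the restore points.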

Charles Tips – Forming Reciprocal Relationships

It’s always great to get referrals from others. That’s why it’s important to deal with a web company that understands your community and reciprocates by referring business to you.

Businesses built upon reciprocity help each other with success.

As a point of curiosity I usually ask when the last time was that a company received referrals from their web hoster or web developer. Usually the answer is never. I am amazed to usually find out at that point that even their local folks they give their web business to don’t bother to refer others back to their own clients.

You need a web developer that does that as a rule rather than as a request. You need a developer that one or more of its staff are in high powered networking chapters and experienced at referring business back to their own clients.

That’s what reciprocity is all about. You need a web company that practices that at every opportunity.

One way that can be done is if the web development company has a directory they can be part of. That helps clients get found on the web and increase their web traffic by keeping information about them on thousands of sites on the Internet.

If you have been feeling that your relationship with your web company is rather one sided, it’s time to deal with one that cares about you!

Charles Tips – Leaving a Voice Mail

Do I really have to say a web developer simply has to have a phone contact where one can at least leave messages?

As unbelievable as it may seem, there are those out there without a listed phone contact. I saw a website recently where there was no telephone number or email address on it to reach someone for service. I know you won’t believe it when I tell you that individual has been in business for many years.

The owner asked me how I managed to get so many clients and grow CharlesWorks to handling thousands of websites. I couldn’t resist mentioning there was no contact information on the website. The response was they didn’t want lots of junk emails and people knowing their phone number.

It reminded me that back in 1998 I started CharlesWorks because I wanted to help as many people with their web related needs as possible. I knew from having been in business earlier in my life that there are always going to be spam phone calls (just like spam emails). But that’s part of the cost of doing business.

So think twice if you can’t find a phone number to talk to someone.

Charles Tips – Forming Reciprocal Relationships

It is great to get referrals from others. That’s why it’s important to deal with a web company that understands your community and reciprocates by referring business to you. I always ask folks I meet when the last time was that they received referrals from the web hoster or web developer before moving to CharlesWorks. Usually the answer is never. I am amazed to usually find out at that point that even their local folks they give their web business to don’t bother to refer folks back to their own clients.

You need a web developer that does that as a rule. You need a developer that one or more of its staff are in high powered networking chapters and will refer business back to their own clients.

That’s what reciprocity is all about. You need a web company that practices that at every opportunity.

One small way CharlesWorks does that is through its CharlesWorks Directory. We help our clients get found on the web and increase their web traffic by keeping information about them on thousands of sites on the Internet.

If you have been feeling that your relationship with your web company is rather one sided, it’s time to deal with one that cares about you!

Charles Tips – Better Business Bureau Accredited

When exploring who to have build your web presence or do your SEO (Search Engine Optimization), look to see that the web company you’re considering is an accredited member in good standing with the BBB (Better Business Bureau). The BBB does a lot of your homework for you. It actually checks out businesses for things like the fact that they really are in business and what the company’s website states.

This can be very important: make sure the company really is accredited by checking for them on the BBB website. There are many unscrupulous companies out there that place a BBB logo (which is a copyright infringement) on their site and have never even applied for BBB accreditation.

Companies must apply and pay a fee to become an accredited member of the BBB. Once again, these are all factors that point to the integrity of the company – its reliability – its dependability. You want a company that is going to help you and that thinks about its web clients – so the web company’s BBB accreditation is very important.

Charles Tips – Committed Presence in Networking Groups

Reliable web development companies often maintain a committed presence in local networking groups. This keeps them in touch with those in their communities. It also makes the web company more accessible to those needing services. Developers usually give great service to those they see face to face weekly.

There are many networking groups out there. I don’t consider chambers of commerce networking groups. I say that for a few reasons. First is that there is no commitment to go to the meetings. Many join chambers and never attend meetings. One can join just about anywhere without committing to attend. Some belong to many chambers with no commitment to attend. That being said, it doesn’t hurt to belong to a local chamber and actually be involved.

Web development companies belonging to BNI (Business Networkers International) are ahead of the game. In order to participate in BNI the company’s representative must commit to a minimum one year and agree to show up weekly. Relationships are built among BNI members. This encourages referrals passed among members.

Bear in mind the web company should be able to pass all the items on our checklist. That will be the most homework you can do to ensure the best probability of a great outcome with your website development.

Charles Tips – Are they a Registered business?

Our exposure to thousands of web clients has shown us many folks who’ve been exposed to scam artists, fly by nights, and outright crooks over the years. We’ve had clients that had paid money down to previous developers with no work done whatsoever.

Luckily, most legitimate reliable web development businesses have ethics. Part of building confidence in one’s client base is doing what is necessary to be a legitimate business. Fly-by-nights don’t bother with registering their business or any of the other numerous details of doing business that being a legitimate business entails.

It’s very simple to check to see if a business is legitimate – i.e., registered. Here are links to websites where one can check out businesses in several states in and around New England: NH MA ME VT

Doing a little research like this can save you a ton of headaches later. Dealing with a business that is willing to do the initial work of operating legitimately greatly increases the odds they are going to be reliable and honest in their dealings with you.

While there’s never a total guarantee, coupling this with other items in our checklist helps narrow the field to give you the best odds of developing a good business relationship.

Charles Tips – Web Developer Checklist

It’s increasingly difficult sorting good companies from bad ones on the Internet. There are still ways to find the best, reliable web development companies. We’ve compiled this recommended checklist as a starting point. The order these are in isn’t necessarily important since ALL points are important!

Check to see if your web development company:

will ensure that YOU own your website when it’s paid for
is legitimately registered to do business within its State: NH MA ME VT
has been in business for at least 10 years
has several or more people
carries workman’s compensation on its employees
carries liability insurance
maintains a committed presence in networking groups
is accredited and has a good rating with the Better Business Bureau (https://BBB.org)
understands your community and reciprocates by referring business to you
has a phone contact where one can at least leave messages
has an email contact where one can send information
provides automatic site updates at no additional ongoing charge
backs up websites every night for at least a month
provides website encryption (SSL) at no additional ongoing charge
does not require hosting or domain contracts
does not overcharge you by selling inflated monthly maintenance plans
provides partial hour web work billing (9 minutes work charged 9/60 of hourly rate)
can respond to most maintenance requests in 3-4 days
has general familiarity with trademark and copyright issues
is proficient with WordPress through experience and training

Over upcoming weeks check here for details about each. Contact us with any questions, we exist to serve you!

Charles Tips – About Ten Seconds

People purposely search the web, looking for services or information. Ten seconds is what websites have to grab their attention.

They land on your impressive looking site with beautiful graphics moving all about the page.

The clock’s ticking. “Come on already!” they’re thinking. They hit that back arrow – they’re off to another website!

Or they’re at your page with oodles of information! They scan left to right, top to bottom. “Oh, that looks interesting over there!” and in the blink of an eye, they’ve clicked on an ad – and off to someone else’s website.

Viewers always judge websites by clarity, design, and detail.

Do your site’s aesthetics relate its message, using appropriate colors, fonts, graphics, etc.?

Is content structured to quickly determine:
• What is your website about?
• How can you help them?

Is your website cluttered with ads or distractions, diluting its message?

Whether you or a professional designed it, have someone unfamiliar with your website or your business sit down and give their opinion.

Ten seconds is about all you have to gain a viewer’s trust and interest. Both the design and structure of your content are crucial elements in keeping a viewer on your site – and turning them into a customer.

Charles Tips – Businesses on Facebook

Many tell me “Facebook is a waste of time – a real time-sucker.” That’s true for those who believe it. Yet, there’s great value in a Facebook presence.

Many business startups think just a Facebook page can grow their business. While not impossible, it’s as likely as winning the lottery.

Sending potential customers to Facebook subjects them to Facebook’s ads promoting one’s competitors. I’ve also seen embedded Facebook information on business pages listing the business’s competitors. Part of a web presence is to only have one’s business put in front of potential customers. That’s what effective advertising is about.

Facebook is free. It’s amazing what people do NOT notice when they think they are getting something for nothing.

Many forget Facebook is online to make money for Facebook. Businesses exist to generate income and keep the people running it employed. Nothing wrong with Facebook doing that. We just need to understand when it’s helpful for our own cause – and when it is harmful.

Links from other websites to your own are very helpful for increasing search engine placement. The very best value of Facebook business pages is to have lots of information on them that links visitors back to your own website.

Charles Tips – The Cloud Defined

So many services try to persuade us to access, link to, or download from “The Cloud.”

What is “The Cloud” anyway? A magical portal in the sky wherein lies knowledge and wisdom? Information stored in the atmosphere’s ionized particles? Aliens storing our information in flying saucers accessed by our smartphones?

“The Cloud” simply refers to computer networks connected to the Internet. We’ve renamed something that’s been around for a while now.

When you’re using any device – whether it’s a desktop, laptop, smartphone, iPad, tablet, or whatever – that is connected to the Internet, you’re accessing a massive network of computers. This is often called accessing “The Cloud.” There really are no “clouds” involved at all. All of the servers and machines that supply all of the information we access all reside in various physical machines in many places all over the planet.

While all of what’s necessary to make the Internet happen is complex, it’s not magic. Dealing with local companies – a local “cloud” – really helps local economies. By lumping everything Internet into “the cloud” it’s easy to be helping distant economies instead of your own.

Local web companies can set people up in a LOCAL “cloud” where they can store the files needed to operate their websites to do business.