Now envision how you would feel if you woke up one morning and your website wasn’t working at all.  It doesn’t load or the homepage has been replaced with an offensive message — or even a warning from Google that this site is no longer secure. That’s right, you’ve been hacked and your website has been kicked off Google.

Think this can’t happen to you? It’s actually not uncommon.  It happens to small businesses every day when their website gets attacked one too many times for Google’s liking. Mberry, a small business based in Tempe, Arizona, is one of those businesses. This innovative company that sells the very cool, very fun “mberry” tablets that make everything you eat taste oh so sweet for 30 minutes.  Mberry had a rather sour experience when their site was banned from Google.

Mberry’s saga started about a year ago when their site was hacked – not once, not twice, but three times in two months. They rely on their site as a main portal for their revenues.  Having their site down multiple times going through the process of getting it cleaned up and back online was costly, annoying and damaging to their brand. But it wasn’t until they got the boot from big daddy Google, that things really got much worse.

“For a startup like ours, getting hacked and then kicked off of Google almost put us out of business,” said Charles Lee, founder and CEO of mberry. “The time and effort we had to spend working through the process to get back in Google’s good graces was arduous. Not to mention, we lost thousands of dollars by being offline for so long. There is no telling how much we lost in terms of brand reputation and vendor relationships. Small businesses simply cannot afford to get hacked.”

Can this happen to any website?  Yes. But here’s the reassuring news — everything you need to help protect your online business from hackers is in your power.

Google to the rescue

When you’re the entrepreneur living through this nightmare, Google definitely seems like the bad guy. Google does do a good job of upholding their responsibility to keep your website and it’s visitors safe. After all, you, your development team, and your hosting provider are responsible for protecting your website, not Google.

Google can be your friend in this situation. Their Webmaster Tools provide some useful services and articles aimed at helping prevent a problem with hackers from ever getting as far as it did with mberry. Google provides a quick checklist on their website that spells out the high-priority (and completely achievable) protective measures in a simple way. For example,

• Scrutinize third-party content plug-ins and use them only when required. Go with well-respected providers.
• Use Google site search to see which of your website pages Google has indexed. Type “site:__<yourwebsiteaddress.com>__” into the Google search bar, and if unfamiliar content shows up, you have problems.
• Sign up for a Google Webmaster account and get access to:
  • Notifications about potential vulnerabilities
  • Notifications about new software versions
  • Notifications when signs of suspect, hacker content like spammy links or comment spam infiltrate your code
  • Google also recommends you rely on your hosting company for support and advice. Ahem.

The White Knight – website hosting

A capable, security focused hosting provider can be a big part of prevention and identification when problems arise. Here are some of Google’s quick checklist recommendations that should be addressed by your hosting provider.

• Lock down your server’s configuration settings for directory permissions, server side includes, authentication, and encryption
• Stay up to date with the latest software patches for all the operating system and applications on your web server.
• Monitor logs and store them per a conservative retention schedule
• Regularly check and monitor your website with anti-virus and vulnerability scanning
• Use secure protocols for data transfer (SSH and SFTP only) and a high level of encryption when data is at rest

Don’t overlook importance of extra security measures like redundant firewall protection and web application firewalls. These protective layers could have kept Mberry from the one-two punch they got from hackers.

Since Mberry put the right protective measures in place, they have not been hacked once. Their customers’ data is totally safe, and life is once again sweet on Google.

Consider this example:

Mary frequently visits an online shopping website. One day, hackers use a cross-site scripting attack on the website, embedding malicious code. Mary returns to the website and buys a pair of new shoes, unknowingly passing her confidential information to hackers. Before she realizes what happened, someone has stolen her identity and ruined her credit.

Every business owner has more important things to do than mitigate a very public theft of your customer’s personal data, so make securing your customer data a priority today.

Unfortunately for consumers and businesses, many hosting providers don’t take effective measures to prevent cross-site scripting (XSS) attacks on their clients. If your hosting provider doesn’t address cross-site scripting attacks (XSS) properly, your company’s website could easily fall prey to hackers and expose your customer’s personal information.

Security is the primary focus at FireHost. We pride ourselves on providing industry-leading secure hosting, which includes a WAF to prevent cross-site scripting (XSS). This hardware security device stops hackers from exploiting web applications, securing your website, business, and customers from cross-site scripting (XSS) attacks.

To discover more about our secure hosting and prevention of cross-site scripting (XSS), contact a FireHost Agent today.

SQL Injections are the number one vulnerability exploited by hackers, by far. According to security vendor Sophos, 16,000 new websites are hit by the attacks every day. WordPress, Joomla, Drupal, .NET, classic ASP, PHPBB websites have all been hit with SQL Injections. Do NOT roll the dice on this one! Every web site big or small is vulnerable to injection by automated scripts attempting SQL-Injections through your webforms, dynamic URLs, etc.

This video from Graham Cluley of Sophos discusses the impact of a SQL Injection that hit BusinessWeek.

What can you do NOW to help secure your website?

1. Ensure all logins use strong passwords
2. Employ web form validation and/or CAPTCHA
3. If you’re using a CMS or website platform, ensure it’s up-to-date (including all plug-ins)
4. Ensure all components are current (ASPupload, etc)
5. Use static URLs instead of dynamic URLs

FireHost takes SQL Injection protection to the next level by:

1. Analyzing your website and web applications to assess the potential for SQL Injections and other hacking vulnerabilities
2. Protecting your website using our secure and transparent Web Application Firewall
3. Monitoring your website for new vulnerabilities