There’s nothing sexy about website security. It isn’t fun, nothing about it makes you more interesting to your clients, and you aren’t likely to be published in any trade journals for doing it right. However, if you don’t follow some basic steps, the likelihood of getting hacked is huge, and the results can range from a distraction on the low end to infuriating or business-impacting on the high end.
How to protect financial advisors’ websites from hackers.
When your website is down, or worse – you are sending out spam email to your contact list because your website was hacked, you will wish you had heeded some of the “non sexy” advice below.
If you aren’t properly protected, it’s not a matter of “if” you get hacked, it’s a matter of “when” and “how bad”.
Here are some tips and guidelines to protect financial advisors’ websites:
a) Software updates: It is essential that all the software that runs your website be kept current. That includes the main CMS engine, like WordPress, Joomla, Drupal – especially security patches. It also means updating any add-ons, plugins or extensions. This can be an onerous task as there are often interdependencies between versions, so it should be left to a web developer and should never be performed without a backup, which we talk about next.
b) Backup: Websites should have an automated backup process that keeps daily backups for a week, then weekly for a month, then monthly for a year. Most hosting companies provide this service for a minimal fee. There are also free options like Akeeba Backup that can be installed directly in the administrative area of most mainstream website programs.
c) Active Monitoring: Websites should have a third-party supplier that actively monitors the software that runs the websites and alerts the company when important security upgrades are available for the software. One supplier we like is called Watchful. They also monitor and alert on suspicious activity or even general “website-down” issues. Their website is https://watchful.li/
d) Administration Protection:
1- Most websites (WordPress, Drupal, Joomla, etc.) have an administrative “back end”. Typically, these have a standard “admin” user. This username should be changed to something else, and the password should not be a dictionary word or a word that can be guessed based on the company name. For example, if your company name is ABC Financial and your administrator ID/password combination is “admin” and “ABCF1nanc1al”, that is easily guessed by a robot… more on that next.
2- Websites should install some sort of brute force protection that stops hackers from guessing the admin ID and password. There are many out there. We use Brute Force Stop (available here: http://extensions.joomla.org/extension/brute-force-stop ) on all our Joomla sites. This diarizes and blocks any IP addresses that have 3 invalid login attempts to the admin area. A typical hack is to use a “robot” to try to log in repeatedly – several times a second – until the ID and password combination is guessed. Once in the back end, hackers can easily install viruses.
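The lockout behaviour described in point 2, shown as an added example (this is not the Brute Force Stop extension’s own code): a short Python script replays constructed admin-login log lines, counts failed attempts per IP address, and blocks the address at the third failure, so that even a later correct password from that address is rejected. The log format, IP addresses and usernames are assumptions made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of administrator login attempts (not from the article).
# Format assumed here: "<timestamp> <client-ip> <LOGIN_OK|LOGIN_FAIL> user=<name>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 LOGIN_FAIL user=admin
2024-01-10T09:00:01 203.0.113.7 LOGIN_FAIL user=admin
2024-01-10T09:00:02 198.51.100.4 LOGIN_FAIL user=jsmith
2024-01-10T09:00:02 203.0.113.7 LOGIN_FAIL user=admin
2024-01-10T09:00:02 203.0.113.7 LOGIN_OK user=admin
2024-01-10T09:00:30 198.51.100.4 LOGIN_OK user=jsmith
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+)$")
MAX_FAILURES = 3  # the "3 invalid login attempts" threshold from the article


def process_attempts(log_text, max_failures=MAX_FAILURES):
    """Replay login attempts and return (blocked_ips, decisions).

    decisions is a list of (ip, user, action) where action is "allow",
    "fail", or "blocked" (rejected because the IP is already on the block
    list). A successful login from an unblocked IP resets its failure count;
    that reset is a design choice of this example, not something the
    article specifies.
    """
    failures = defaultdict(int)
    blocked = set()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the replay
        _ts, ip, result, user = m.groups()
        if ip in blocked:
            # Once diarized, the address is refused even with a valid password
            decisions.append((ip, user, "blocked"))
            continue
        if result == "LOGIN_OK":
            failures[ip] = 0
            decisions.append((ip, user, "allow"))
        else:
            failures[ip] += 1
            decisions.append((ip, user, "fail"))
            if failures[ip] >= max_failures:
                blocked.add(ip)  # third failure: record and block the address
    return blocked, decisions
```

In the sample, 203.0.113.7 is blocked on its third failure and its following correct login is refused, while 198.51.100.4 fails once and then logs in normally.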
e) Strong Passwords: There are several different IDs and passwords involved in a website: registrar, hosting company, database(s), SuperUser(s). These passwords should always be “strong”, meaning they contain special characters, numbers, and upper- and lower-case characters. Making them “easy to remember” is an invitation to be hacked. If your password is “password” or “12345”, you may as well send out a hacker-party invitation.
f) Sharing passwords: Never – ever – share passwords through email. Always use an encrypting service like Privnote ( https://privnote.com/ ) to encrypt the data and destroy the transmission after it has been received.
That’s about it. Nothing is foolproof and hackers tend to find ways to get in if they want to. The trick is to not be “low hanging fruit” and they will likely move on to easier pickings and leave you alone unless you are big and newsworthy (or brag-worthy), in which case, these companies hire full-time security experts to fend off and manage attacks.
All is not Lost – There is Hope
On a final note, in the unfortunate event that your advisor website does get hacked, one service provider we’ve had a lot of success with for recovery is called Sucuri. Their website is https://sucuri.net/website-antivirus/. For a reasonable fee they can scan a website for viruses, remove the infection and often recover the website to its original state. Be warned though: once you’ve been hacked once, your website will be on some subversive hacker’s list of easy prey and will be targeted more aggressively, so it becomes even more critical to “shore up” with the steps above.