According to a recent report from Google, nearly all website owners rely solely on Google’s Safe Browsing program to alert them when their site has been hacked. The report concludes that only 6% of webmasters discovered an infection via proactive monitoring for suspicious activity. That’s alarming.
Why is this a problem?
“Waiting for Google to tell you that your site is infected would be like waiting until your engine seizes to replace your oil.”
Owning a website can, in many ways, be compared to owning a car. An experienced car owner should know to routinely check things like fluid levels, tire wear, and look for cracks in their belts/hoses. Likewise, an experienced webmaster should know to proactively audit their website for malware or vulnerabilities. For those of us that aren’t so mechanically, or in the case of websites, technically inclined, it is prudent to hire a professional to perform these routine inspections and follow-up maintenance. Waiting for Google to tell you that your site is infected would be like waiting until your engine seizes to replace your oil. By the time you’ve been made aware of the problem, much of the damage is already done.
For lack of an inexpensive oil change, you’re now looking at a bank-breaking engine replacement. Equally as damaging, for lack of inexpensive proactive security measures, you could be facing a business-ending data breach event.
There’s also no guarantee that Google will say anything to you at all. Only webmasters using the Google Webmaster Tools system actually receive direct alerts.
If you opted not to utilize Google’s free Webmaster Tools system for your website, you probably won’t receive any direct notification from Google that your site may be compromised. Instead, you’re more likely to receive the feedback from your site’s (would-have-been) visitors after they’ve been stared down by a daunting warning message about how YOUR website is going to harm their computer. Your reputation has had better days and if you’re in eCommerce, your sales probably have as well.
Google can’t evaluate every page of every website on the internet.
While the web giant has expanded by leaps and bounds in the world of site indexing, it’s not practical to assume that Google’s going to check every page of every website on the internet for malware. Google’s evaluations are limited to pages that have been indexed by the search engine, and there’s no strict timetable on even how often their system evaluates those pages.
You’re responsible for the security of your visitors, not Google.
It is important not to forget that the responsibility for your website and your visitors’ experience ultimately lies with you. Not with Google. Not with your hosting company (in the vast majority of cases). Cutting corners with security measures will almost certainly catch up to you. With many of today’s modern websites often costing more than your average mid-sized sedan to build, it’s time to start protecting your investment.
What should webmasters be doing?
Take proactive security measures including routine monitoring for suspicious activity. Depending on how your website functions, both visitor-facing and behind the scenes, the most appropriate approach can vary somewhat. As a general rule of thumb, every website should at least be performing some iteration of the following:
1. File change monitoring
Establish a baseline of what your website’s file structure should look like, then regularly check for any changes to that structure. When changes occur, inspect them for anything suspicious. SiteLock Secure Malware Alert & Removal Tool (SMART) provides ongoing file change monitoring and immediately inspects any changes for suspicious code.
2. Malware scanning
Even with the best security posture, infection is still possible. There is no magic bullet for preventing infection 100%. Scanning for malware incursion at least once a day ensures that even in the event of compromise, you’re notified as early as possible. SiteLock’s scanning systems are able to scan your website both externally via HTTP/S and internally via FTP/SSH. SiteLock’s SMART actually goes a step further and automatically removes any known malware it finds.
3. Vulnerability scanning
Hackers are often quite a clever bunch. They’re always looking for new and creative ways to exploit the applications running in your web environment. Taking a proactive approach by routinely inspecting any code that has been or will be placed in your production environment is one of the best preventive measures you can take in securing your website. Vulnerability scanning should be a part of your secure development life cycle. SiteLock offers daily vulnerability scanning for SQL injection and cross-site scripting (XSS), as well as TrueCode SAST “whitebox testing” to scan for more advanced threats.
4. Web application firewalls
While there’s no solve-all preventative measure in securing your website, a Web Application Firewall (WAF) is, for most websites, the best option available in defending your web environment. WAFs inspect the traffic coming into your website for malicious content before allowing execution. A good WAF should protect against the OWASP top 10 threats. SiteLock’s TrueShield WAF employs the latest state-of-the-art preventative measures with a threat database that is updated every five minutes.
5. Consult a professional
Like we mentioned earlier, different environments and functionality can call for different security measures. In the same way you would consult a mechanic regarding your vehicle, you should consult a security professional to help you establish what your security posture should look like. SiteLock’s professionals can help you learn more about how to secure your website.
Don’t allow yourself to be broadsided by a compromise. Become an informed webmaster and secure your website today.