Do you know which content management system (CMS) your website is implemented on? Do you care? Probably not. And why would you, unless something really, really bad were to happen to your website as a result of your site being implemented on a particular CMS and that CMS being prone to attack?
Last month, an estimated 12 million websites implemented on the popular Drupal CMS were breached by attackers who took advantage of a bug in the widely used software. These automated attacks allowed the infiltrators to take control of the sites they targeted, exposing all data contained within.
I have had personal experience of working with a large law firm whose website was hacked and turned into a propaganda vehicle for a faux foreign independence movement. For a firm whose website received large numbers of visits daily, this wasn’t great PR to say the least. The fact that the hack was easily rectified did not sidestep the fact that it had been allowed to happen in the first place.
While your law firm’s website may only house basic data as opposed to having a secure client portal or an online billing system, clearly the thought of a malicious 3rd party gaining control of your website is enough to set alarm bells ringing.
6 steps to prevent attacks on your law firm’s website
While Moore Legal Technology does not implement client sites on Drupal, preferring instead to use Joomla!, the integrity of our client sites is of paramount importance to us. We called on Tony Partridge, our senior developer, to outline steps we have in place to prevent such a breach taking place. Tony said “We keep a very close eye on issues surrounding security, rest assured we do not take any chances in that regard. The best way to ensure data is secure is:
- Update to the latest version of your CMS and keep it fully updated at all times
- Restrict user access directly to an in-house, on-demand basis
- Use uncertainty to protect against attacks using standard hacking attempts
- Use an SSL certificate to encrypt all data passed through the site
- Have secure individual passwords for all users, minimum of 8 characters, containing one number and one capital. The administration interface should be locked down with a single password, with an IP block after 3 failed attempts
- Ensure that you or the relevant individual in your organisation are set up to receive security announcements from your CMS provider”
Tony continues “If Joomla! was compromised with a bug like this, we have a high backup retention of a month, a week, a day. If there was any uncertainty as to when the attack happened, or even if the site had been breached, we can restore the site from a week or two-week-old backup and instantly upgrade to the latest version of Joomla! to protect us. The backups are stored locally for instantaneous restoring. But we also have an offsite backup in case of server failures.
“As with all software, there are bugs and security experts are there to find them. With server side software updates there are patches which can introduce bugs. But the main thing is having an active web development team to keep your site running around the clock.”
Google focus on secure websites
Google are continuously working to make the Internet a safer place generally, trying to make sure that websites people access from Google are secure. They recently called for “HTTPS everywhere” (Hypertext Transfer Protocol Secure, a more secure version of HTTP which adds a layer of security to standard HTTP communications). Not only is there a security benefit to be had from adopting HTTPS on your website, Google are now counting this as a ranking signal and there is therefore an SEO benefit to be had too.
The fact that Google recently set up a security team to hunt down and fix fundamental security flaws tells us that making the Internet a safer place generally is important to them.
Operations Director Gavin Ward said “given that there are security and SEO benefits to be had from implementing HTTPS, it’s certainly a conversation we will be having with our clients, if we haven’t already done so. Moving on to HTTPS is inexpensive. While the security benefits are obvious, the ranking signal is certainly something we are keeping our eye on. It may not be particularly strong at the moment, but every little helps and Google do seem to be focusing on security with increased fervour. Watch this space”.
If you are concerned about the integrity of your law firm’s website please email Chris or give him a call on 07969 336 526.