At CreoLogic, an Edmonton web design company, we specialize in building custom e-commerce websites from scratch. It’s a good fit for businesses selling a unique product or simply wanting to go the extra mile. Custom websites cost a bit more- and take longer to design.

The alternative, is Shopify.

Here are 5 good reasons to try Shopify first:

1. It’s cheaper – and you can try it FREE for 30 days (if you decide to keep it, it’ll cost between $100 and $200 per month)
2. Your online store can be up and running within a few days
3. The templates look great and are mobile-friendly
4. It’s very Google-friendly, which will help buyers find your products online
5. They facilitate everything for you – from security and hosting, to transactions and shipping

Start with a FREE 30-day trial.

If it’s not your cup of tea, get a custom website quote from CreoLogic.ca.

Here are 10 things you better have in your confirmation emails if you want to make an impact.

1. A Personal Touch
   1. Don’t be afraid to get personal – have your confirmation email come from someone important, and include their name and a mugshot.
2. A Sincere Note
   1. Don’t forget to say “thank-you” and/or express how tickled you are that the website visitor chose to contact you.
3. A Phone Number
   1. By contacting you, the visitor has shown that they’re serious about doing business with you. Reciprocate this by providing the phone number of someone important. Don’t be afraid to include a direct line and extension.
4. A Link Back to Your Website
   1. Often overlooked, but definitely important.
5. Branding/Identity
   1. Email “design” has come a long way. Ask your web designer about options for jazzing up your confirmation emails. Make them look slick, deliver a punch, and match your identity.
6. Value Proposition
   1. By the book: (in marketing) an innovation, service, or feature intended to make a company or product attractive to customers. In other words, reaffirm their decision to contact you.
7. A Timeframe
   1. Let your visitor know when to expect a response- such as “same day” or “within 48hrs” – to ensure you’re properly managing expectations.

Unfortunately, most website owners put all their stock into a contact form and phone number.

Believe it or not, you’ll likely get 300% more leads using LeadChat.

The Purpose

The purpose of LeadChat is to make sure that there is a “salesperson” on your site 24/7 in the form of a chat agent.

The Benefit

The benefit of using a live chat box staffed by LiveChat agents is that your customers questions are addressed in real time.

What it Means To You, The Website Owner

LeadChat’s role when interacting with your visitor is to simply collect a name, phone number and email address to pass along to you. In addition to this, you’re automatically emailed chat transcripts as they happen. LeadChat is a great, cost-effective way to generate new leads.

Perfect Timing

LeadChat can be turned on/off whenever you like. For instance, if you’re convinced your website visitors are likely to call Mon-Fri, 9am-5pm, and you have the staff available to answer those calls – turn LiveChat off during this time. Turn LiveChat on again from 5pm-8am, and on weekends, so that you’re there for your customers when your staff is not.

Concerned About Dialogue?

Don’t be. Part of the sign-up process with LeadChat includes a detailed “survey” where you can specify how you want LeadChat agents to chat with your visitors. Specify greetings, parameters, canned responses, and answers to questions the visitors are most likely to ask.

Chat Widgets Usually Suck

Chat functionality has been around for a long time, and has never been overly popular for two reasons:

1. Most chat widgets are “automatic” (chat with a robot, not a human)
2. Most chat widgets are ugly, annoying, and intrusive (ultimately ineffective)

LiveChat Doesn’t Suck

Live Chat agents are experts at learning your business to ensure they deliver an exceptional outcome, every time. The chat widget itself is fully customizable to match your brand, and is the sleekest, most subtle yet effective chat widget available.

Leave Website Chat to the Professionals

One of the best things about LeadChat is you don’t have to manage it yourself. In other words, you don’t have to be on the other end of the line when a visitor initiates a chat. In fact, having this control would likely set you up for failure, as Gary Tramer (founder of LeadChat) describes here: http://www.leadchat.com/blog/pitfalls-of-inhouse-live-chat-and-how-to-avoid-them/.

LeadChat presents an opportunity to gather more leads and create more sales.

Click here to get started with a 30-day free trial.

Websites/applications:

• On the topic of hacking, the code within a website or application is truly is the last line of defense. Legacy code and functions + outdated websites are magnets for attacks.
• There are best-practice coding techniques that shouldn’t be optional, including handling of sessions, cookies, database connections, etc.
• The best way to test the websites is to attempt to hack them yourself. In-house developer “hackathons” are a great idea.
• All moving parts behind the website (HTML editors, upload components, mail components, SSL’s, API’s, etc) need to be upgraded whenever vendors release updates. Since these components are usually directly integrated with a database, they are a common vector for intrusion.

Monitoring/Auditing:

• Monitoring tools like Pingdom are great for detecting a downed-site. Similar apps are good for pinging each individual page to discover isolated errors.
• Vulnerability scanning is a must. There are companies like NewRelic and AlertLogic that have automated and hands-on monitoring and vulnerability scanning services.
• Obtain PCI (Payment Card Industry) compliance for all websites, even if they don’t use ecommerce. PCI compliance is a good protocol for ensuring your entire operation is up to snuff, from websites to servers and everything in-between. Companies like TrustWave offer a help with PCI compliance.

Hardware:

• Intrusion Detection Systems: Do a good job of identifying which visitors are human and which are bots and acting accordingly
• Firewall: Necessary to thwart of denial of service attacks and other bad news. Some higher-end firewalls have the ability to block countries/regions where most attacks originate.
• Web Application Firewall (WAF): This is something specifically designed to filter hacks against things like content management systems, web forms, forums, or web-based applications connected to mobile apps. Whether you need a physical WAF or Cloud-based WAF, go with Imperva.
• Load Balancer: One last layer to ensure performance and efficiency when the requests eventually reach the server.

Software:

• Anti-malware software like MalwareBytes does the trick against malware attacks.
• For Windows hosting environments, utilize IIS tools including request filtering and URL rewriting
• Sophos anti-virus has a good reputation for server-level scanning and protection against viruses.

http://www.quicksprout.com/2014/05/19/5-practical-steps-to-improving-your-websites-domain-authority/

Why?

Well, automatically redirecting from one website to another, especially from a home page, is generally a no-no. It’s not considered a best-practice approach. If those extra domain names do not have a history (ie, they were once used for a quality site that hosted good content), Google will simply ignore them as they have no value.

So Then What?

If you’re sitting on a bunch of parked domains and want to put them to use, go ahead and build a small 3-5 page website on them, referred to as micro-sites or mini-sites. The cost is minor, and you’ll be implementing a strategy vs attempting to score some easy hits. Keep the content on each website fresh, unique and toss in some quality pictures and/or video. You will now have a website that potential customers can find, and that website will ultimately forward leads to your primary website. It’s like having a small army of sales people (websites) online that are all forwarding leads to the mothership.

Any Exceptions?

SEO aside, there’s a good reason you might want to automatically redirect a domain name to your primary website – and it pertains to advertising. Let’s say you own “Expert Audio Engineering Inc”, and your primary domain name is “ExpertAudioEngineering.com”. You may also own “WeHearYou.com” which is short, sweet, and just has a nice ring to it. You may discover that “WeHearYou.com” is more memorable and decide to use it in some of your advertising. When people type this domain name they’re automatically redirected to “ExpertAudioEngineering.com”, which is fine, but don’t expect “WeHearYou.com” to go #1 in Google – you’ll be lucky if it’s even on the radar.

This post was created as a plain-English resource for both website owners and web designers. It’ll outline a few threats you should be aware of and address some other concerns pertaining to the health of your website.

If you haven’t experienced a website attack, hack or breach of some sort, consider yourself lucky – but don’t let your guard down. Do not get used to that feeling of invincibility.

Why websites get hacked:

Every website contains something a hacker wants, including a platform to spread a message, a group of visitors/users to infect, a page to takeover, people to spam, or data to steal.

In one way or another, it’s estimated that over 30,000 websites are hacked per day, 80% of which are small business websites. *

How websites get hacked:

There are dozens of ways to hack a website, but here are 5 common vectors:

1) FTP: Most websites have an “FTP account” which is used to access all files within it. Weak usernames (ie: the actual domain name itself) and passwords (ie: passwords without a combination of letters, numbers and special characters) are, over time, quite easy to crack.

2) Injection: HTTP and database injection methods (including SQL Injection) allow hackers, malware and spam bots to do their worst and once they gain momentum, they’re hard to stop.

3) Exploitation: Many hackers take advantage of vulnerabilities referred to as exploits. Exploits can be found in weak coding of websites/applications, 3rd party tools plugged into a website, or outdated web servers.

4) Targeting the domain name registrar: Each website has a domain name registrar which is responsible for managing nameservers. The nameservers are one of a few devices that tell browsers where to find and load any given website. The administrative management consoles for every domain name on the web can be accessed via a domain name registrars website via username and password authentication. Hackers have been known to target a domain registrar vs the website itself, and in some cases might have better luck gaining control of a website by hacking the registrar username/password and proceeding to redirect the website to another source by altering its nameservers.

5) DOS Attacks: DOS (Denial of Service) attacks are a different type of breach. The end-game of a DOS attack is usually to crash a website or server by “virtual” force. Methods include delivery of too much automated traffic for a website to serve, or deploying scripts that repeatedly run without end thus consuming too many resources for the server to handle causing it to stall or crash. Even a fail-safe server reboot due to excessive load is considered a victory to DOS attackers as reboots result in necessary downtime.

According to the Web Application Security Consortium, the most common types of hacks include denial of service, SQL injection, cross-site scripting, brute force, predictable resource location and stolen username/password credentials. No website is immune. In fact, most websites are susceptible to each and every type attack. The impacts/outcomes of such attacks are typically leakage of information, downtime, defacement, malware, monetary loss and disinformation. **

What the heck are “bots” and “scripts”?

Bots and/or scripts are software programs that run on servers. Their goal is to gain unauthorized access to websites, servers, computers, bank accounts, email accounts and more.

For example:

“One of cybercrime’s most important products is the botnet, short for robotic network, software programs that run on servers. The person in charge of the botnet is called a cracker. The goal of the botnet servers is to install malicious software on computers and turn them into zombie computers. Zombies take orders from the botnet servers. They may be commanded to send out spam, engage in denial of service attacks, or install software on other people’s computers that enables them to track keystrokes. By tracking keystrokes, zombie computers can get access to user names and passwords linked to online bank accounts.”

– Bill Davidow

Talk about hacking

Many companies enlist a creative agency to design and develop a website. They talk about everything including shades of blue, pictures and text. What about website security? What about the safeguarding of personal and/or sensitive data collected by the website?

Are all hackers thieves?

The majority of hacks are actually quite harmless. For example, a hacker can expose vulnerability in a website contact form, and exploit it to repeatedly send spam to the website owner/host. Take a business directory website as another example: a dedicated hacker can find a weakness in how that website transmits messages and use it as a platform to send more spam to more users. Other hacks include “DOS” (Denial of Service) attacks in where the hacker simply attempts to distrupt a users experience on a website. For example, a typical DOS attack is simply bringing a website “down” without actually breaching any security protocols used to protect sensitive information. Not all hackers are thieves – however they expose security flaws in your website or application. More serious types of hacks include exploiting not only a website but the web server itself, in which case a hacker can gain access to sensitive database information, user accounts, passwords, etc, and cause some pretty serious damage

How can you prevent your website from getting hacked?

Start with a trusted web host with a reputation of reliability and security – we recommend Rackspace. Choose a host that’s best-positioned to host the specific requirements of your website as determined by your website designer/developer. Ensure your website is created using best-practice coding techniques. If you require the use of 3rd party tools, ensure they are up-to-date and trusted components. Each host, website and application can use several layers of security to filter out malicious content that could result in the exploitation of your website. Website hardware and software firewalls are essential to filtering traffic as are FTP firewalls. FTP firewalls should always be used to ensure only those accessing your FTP have been granted explicit permission to do so.

What to do with a hacked website?

You could restore a backup of your website, but that will only buy you time before it happens again. If a website is hacked, there are several ways to detect the intrusion method, patch the leak, “clean” the infected/altered files, and then restore the website as a whole. This work should be performed by your website designer and website host. If your website has been hacked more than once it’s time to reconsider your web hosting options and/or switch hosts. Note that many web hosts do not perform what they refer to as “forensic application” services, meaning a lot of the investigation and fixing/cleaning work falls on your web designers lap. If hacking issues persist, decommission your web server and request a new one, or reconsider your hosting options all together. Why? The end-game of many hacks is to install a virus on the web server itself. Once this is done, it’s VERY difficult to clean 100%. It’s often quicker, cheaper, and ultimately safer to decommission the server.

Who’s responsible for a hacked website?

If your website has been hacked, a childish finger-pointing game can start if you question who’s responsible and demand compensation. It’s a futile argument, considering the many factors that could be responsible for a breach. Since the source of the intrusion is difficult to prove, one has to be open to considering any/all sources, such as:

• You may have a trojan virus on your computer that’s responsible for stealing your website or FTP login information.
• You may have accessed sensitive website files from a shared computer infected with a keystoke recorder or virus.
• Your web designer may have built an insecure application that’s easy to “crack”.
• You may have outsourced your website or SEO services and inadvertantly given authentication information to an untrusted 3rd part.
• Your website may have been infected with malware by another website within the same hosting environment.
• Your weak username/password combinations may have been compromised.
• There may have been issues with your SSL vendors product or encryption resulting.
• A 3rd party tool or widget may have been exploited allowing unauthorized access to your website files.
• Your website may have been targeted by a determined individual/intruder
• Your website may have been been targeted by the latest strain of malware

The simple fact is, sh*t happens. Even websites like ebay.com, paypal.com and amazon.com (who invest millions in IT infrastructure and security) have been hacked in one way or another – so venting frustrations and questioning how this could have possibly happened isn’t going to help moving forward.

The Ponemon Institute, an independent company conducting research on privacy, data protection and information security policies, calls the chances of an organization being hacked in a 12-month period a “statistical certainty”. **** Juniper Networks backs this report and adds that 90 percent of businesses had been hit by at least one IT security breach in the past 12 months, with more than half, or 59 percent, citing two or more breaches in that period. ***** The one hack you may experience may be the single successful attack out of potentially millions of threats your website has been faced with. Your service providers (including ISP’s, website hosts and web designers) are amongst many IT professionals throughout the world working to thwart website attacks on a daily basis, and their efforts are often taken for granted.

Common-sense precautions:

Website issues, like computer problems, are bound to happen at some point. Use common sense and consider WHEN, not IF, website problems occur – what could you have done to limit the fallout?

1) Don’t retain personal information within a CMS or database. If you collect customer data via your website, put an off-site storage plan in place and frequently purge any online, temporary data.

2) Don’t retain financial information within a CMS or database. If you run an e-commerce store, ensure credit card numbers are purged from your system after the credit card processing procedures are completed.

3) Keep your website under lock and key. If you need your website updated, do not outsource the work to someone you’ve never met. Use local, trusted designers whom you’re confident can keep access to your website, files, databases, etc safe and protected. Remember that in order to have your website updated, you need to give your web designer top-secret usernames and passwords required to access your website files.

4) Use anti-virus programs religiously. Every device within your network or office environment, including shared computers, handheld devices, servers, etc should be protected with an anti-virus application such as Avast.

Redundancy:

Recovering from a breach of any kind warrants the use of a trusted, dedicated back up system. Managed backup services ensure website files and data are backed up automatically – preferably to an off-site location and data integrity checks should also be implemented. If you suspect your website has been hacked, it’s necessary to change each and every password associated with your entire hosting network. This process of challenging passwords should be performed regardless as least once a month.

Use SSL security:

SSL encryption has long been the industry standard protocol for protecting sensitive information (including order information and personal or financial information) while in transit over the web. It’s relatively easy to setup, comes at a minimal cost, and protects data from prying eyes.

Why your website host matters:

1) Some web hosts pack hundreds of websites on a single web server, which we consider pollution. Hosts that operate this way are typically high-volume hosts who charge a minimal amount for monthly hosting. While the deal may be great, your website is now on a congested “block” and you are at risk if/when any of your “neighbors” websites become affected in any way. Since all websites reside on a single server, it only takes one website breach to potentially affect all which are connected – as they all share the same operating system. While the cost is high, it is always a good idea to have an exclusive, dedicated hosting solution to limit the number of potential breaches you could face.

2) Some hosts do not use firewalls, specifically hardware firewalls. Why? Nobody forces them to and it’s expensive. The truth is, any web server that resides behind a hardware and software firewall is much more safe and protected than one that isn’t.

3) Hardware and software matters. You’d be surprised to know that your website may be hosted on a network that is over a decade old. A lot changes in a decade, especially technology. Choose a host that keeps their web hosting infrastructure up to date using the latest hardware and software solutions available from companies like Microsoft. Who’s the best host? We say Rackspace, hands down.

4) Support is everything. If your website has been hacked, your web designer can only do so much before requiring the assistance of your web host. That assistance is typically desktop or root-level server access required to diagnose the web server as well as the website itself. Many web hosts do NOT offer telephone support, while others like Rackspace Hosting offer 24/7 live phone support. The more accessible your web host, the better chance your web designer will have in identifying and fixing issues.

Useful 3rd Party Tools:

Websites and web servers must be supported by 3rd party tools and used as additional security layers to protect your applications.

Pingdom: A website uptime monitoring tool that will alert you within 1 minute of a website issue being detected.
http://pingdom.com

Google webmaster tools: A monitoring resource from Google available to all webmasters to help improve website performance.
https://www.google.com/webmasters/tools/home

Software firewalls: Software specifically used at the server level to filter out malicious traffic. There are dozens of options. Consult your web designer or host to find the option that best suits your hosting application.

Hardware firewalls: Hardware specifically used at the server level to filter our malicious traffic and impose restrictions for server and FTP access. Like software firewalls, there are dozens of options. Consult your web designer or host to find the option that best suits your hosting application.

Malware bytes: Popular anti-malware software ran at the server-level to help detect malicious content and prevent spreading of such content.
http://www.malwarebytes.org/

Sophos anti-virus: One of the industry’s most trusted anti-virus software applications used to monitor web servers and detect intrusions.
http://www.sophos.com/en-us/

Sucuri: A web monitoring and malware clean up service.
http://sucuri.net/

Tips for Scanning Websites on Windows Servers:

Below are a few commands that a web host can follow to scan for potential website security flaws on a Windows hosting platform.

Icacls: If an arbitrary file has been injected within your a website, it’s agenda may be to install a trojan virus or compromise the website and/or web server itself. In order to do so, many malicious scripts attempt to alter the folder permissions of a website directory, particularly in older Windows server systems. Use the DOS icacls function to quickly search the web server for instances of “everyone” permissions, which pose a high risk for further intrusion methods.

Example: icacls c:\websites\*.* /t /c | findstr Everyone > c:\permissions.txt

This command will create a text file at c:\permissions.txt containing a list of all websites found to include “everyone” permissions within file/folder attributes.

Search: A thorough scan for strings within web pages and files may be useful in revealing malicious files that have been injected in an attempt to compromise your website.

Example: findstr /n /i /c:\websites\”server.createobject” *

CMS Upgrades:

CMS websites that use 3rd party tools have become targets for hackers. Some of the 3rd party tools include HTML editors and file-upload components. The HTML editor tools are commonly used to style HTML text when editing pages. The file-upload components are commonly used in photo galleries and resume-upload functions on online applications systems. These tools become outdated and vulnerable over time. Since most of these tools are so widely used, hackers target them in order to exploit applications on a massive scale and use bots and/or scripts to scour the internet and sniff out victims. It is necessary to upgrade these CMS tools and ensure other up-to-date security measures are in place to protect websites from being hacked.

Database-Driven Content:

Websites that utilize a database to produce content are also a target for hackers. Organizations have been known to hire hackers to “steal” content from websites, such as business directory listings, product databases, etc. In other cases, “bots” are enlisted to obtain the same results. This process is basically automated data-mining on a massive scale. Database-driven websites require constant upgrading to thwart off such attacks/breaches and ensure the security and integrity of your website and data.

Monitor Sign in Pages and Record User Access

If you have a CMS login, or any other password-protected area of your website, you can easily monitor access. For example, whether the login forms username/password combination is authenticated or not, you can utilize email scripts to notify you of the attempt. Most brute-force attacks include repeated login attempts by an automated source. If you are monitoring the login attempts, your emails will notify you if a login fails validation. When used in conjunction with session or server variables, you can obtain the IP address of the attacking source.

I have the IP Address of an Attacking Source, What Do I Do?

You can forward it to your local authorities. Cyber crime is taken very seriously nowadays and the authorities will act accordingly. You may also write code within your login structure to disallow access to the login or password-protected area by the problematic IP. If you are running a software or hardware firewall, you can add the problematic IP to a ban list thus preventing future access to your website or server all together. Note that banning an IP address is not 100% foolproof and it is advised that you still work to secure your application. Attacker IP’s can change if the source operates from a dynamic IP location (vs static IP), or if the attacker is using an IP-spoofing tool used to mask their true IP.

HTML Injection:

Many HTML injections are not necessarily done to bring down a website or steal any content/data. A common HTML injection includes the placement of 3rd party links hidden within your website and used to springboard SEO efforts of another website by establishing a mass network of back-linking. Many HTML injections go undetected, unless you’re specifically hunting for them. A common HTML injection string includes the placement of 3rd party links hidden within a div tag. The contents of this tag are often hidden as they’re placed within a div set off-page.

For example:

Most HTML injection attacks are harmless and while relatively easy to correct it is a time consuming task. Perhaps one of the biggest nuisances with these types of attacks is that Google can detect the injection and publicly mark the website as “compromised” in the search engine results page. If you spot this under your website URL when searching your domain name in Google contact your web designer and have them clean the website. Once clean, you can re-verify the website in Google’s index. The “compromised” notice will be removed at the discretion of Google – as quickly as same-day.

Suggestions in the Interest of Security:

– Limit CMS access
– Remove 3rd party tools
– Closely monitor access and start/update a website “ban-list”
– Subscribe to webmaster tools monitoring services
– Subscribe to pingdom.com monitoring services
– Limit retantion and amount of personal or finiancial records kept online
– Implement a local website/data backup procedure
– Avoid handing data in a way that invites XSS attacks
– Use captcha and strong form-validation techniques
– Secure your email. …password resets to inbox…

Signs that someone – or something – is trying to hack your website:

1) Spam: Spam is a nuisance, and with the help of junk mail filtering by email software like Outlook, it can easily be ignored and/or filtered out of sight. However, spam doesn’t just affect your inbox. Each instance of spam exposes an underlying issue with website security. If the spam is originating from your website, it identifies a requirement to secure your website forms to protect them from robots (aka scripts or spam-bots) scouring the internet looking for flawed websites or those with specific vulnerabilities.

2) Injection: Look for arbitrary/questionable files throughout your website. If your website has been targeted by a hacker, one of the first intrusion attempts will be a cross-site scripting or HTML injection attack whereby the hacker aims to plant arbitrary pages/files within your website.

3) Spike in website traffic: If you’re on average receiving 100 hits per day, then spot a 1,000-hit day, odds are you didn’t have a lucky day of popularity. Instead, you were likely targeted by a single source. You can verify this by viewing your website logs.

4) Spike in FTP traffic: This may be hard to detect, but your FTP server will retain a log. When your website is being attacked via FTP (aka, brute-force FTP attack), your FTP server logs will be huge, indicated a higher-than-normal amount of traffic – each instance in your logs is likely a report of a failed username/password attempt.

5) You haven’t been hacked (yet): Yes, the fact that you have not yet been hacked could is a sign that an impending hack is en route – because hacking has become a statistical certainty. No website is immune or free of vulnerabilities. Start a discussion about the health and safety of your website and hosting environment with your IT personnel and web design team.

A Quick Tip for Monitoring Website Health:

Websites that utilize a database, WordPress or other CMS solutions are typically targeted more than others, and require database connections. Upon each connection to your database is a chance to have a look at who is accessing your website or application. Use visitor-data collection methods such as session and server variables that trigger an email-script to have this information emailed to you. You’ll be able to spot-check each instance of a user visiting your website. Some visits will stand out to you as quite obviously malicious and your website designer and host can respond accordingly.

How to look closer if you suspect website hacking:

Note: it is easier to perform these checks if you have a dedicated server in which you have root-level access to work from the server operating system vs your FTP. If you do not have root-level access, your web host can perform these tasks for you.

1. Look for what doesn’t belong: For example, if your website is comprised of only HTML pages, look for instances of ASP, .net, PHP, JSP, etc files. These types of files and programming languages are designed to execute server-side scripts and will pose a risk if they don’t belong on your website in the first place.

2. View change logs: Each change made to your website is recorded, and includes at least the page title/file, date and method of modification. If the logs do not match your service/update records it’s a sign that unauthorized users have access to your website files.

3. Search for common injection keywords: Many HTTP injection attacks result in the creation of arbitrary files on your website. While these files can be anything, they are usually associated with websites or products related to cialis, viagra, nike, gucci, louis vuitton, replica watches, handbags, etc. Running a keyword search for any/all of these commonly-injected files may reveal exploits.

4. Monitor uploaded files: It’s quite common to have functionality within your website to have a user upload a file. This may be to upload a resume as part of an online job application system, or an upload form to share photos, videos or other files. A common intrusion vector is to upload a script disguised as a safe file – such as hackthiswebsite.php.pdf. Your web designers upload scripts may allow this file to be uploaded as it appears to be a friendly PDF file. However, it’s quite simple at this point for a 3rd party to trim the .pdf extension and run/execute the page as a PHP file, triggering a potentially harmful script within. This type of vector is quite common on Windows hosting platforms. While there are security checks to be placed at the application level, another important update requires setting all “upload” folders/destinations to be read-only, thus preventing them from being able to “run/execute” any files.

5. Search for strings like “createobject” as word/phrase in your website files: Regardless of which vector is used for a hacker to do some damage, the end-game usually includes the execution of a page/script containing a “createobject” command. These commands are used to arbitrarily create files and/or overwrite existing ones on a server. If home/index files are overwritten a hacker has effectively brought your website down.

Calling Cards

A lot of hackers leave tags or calling cards as signatures on the work they have performed. A simple search for “hacked by” may reveal an exploit that you were previously unaware of. Remember that many hacks do not produce an immediate result – they may result in alternation of files that remain undetected on your website for months.

******************

How Common are Hacks and Other Website Security Breaches?

Below are some articles related to website hacks, exploits and other security issues for various companies and organizations throughout the world:

US Marines Recruiting Website Hacked and Redirected to Pro-Assad Message
http://www.ctvnews.ca/sci-tech/u-s-marines-recruiting-website-hacked-redirected-to-pro-assad-message-1.1436867

Security of Gov’t Websites Inadequate and Prone to Hacking
http://www.dnaindia.com/india/1886201/report-security-of-govt-websites-inadequate-prone-to-hacking

Mark Zuckerberg’s Facebook Page Hacked
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/19/mark-zuckerbergs-facebook-page-was-hacked-by-an-unemployed-web-developer/

About Time We Got Hacked
http://www.stanforddaily.com/2013/08/14/hack-me-once/

The Costs of Cybercrime
http://www.business2community.com/tech-gadgets/cost-cybercrime-0608822

New York Times Website Down After Suspected Hacking
http://www.bbc.co.uk/news/business-23859572

Dalai Lama’s Site Hacked, Infecting Others
http://www.iol.co.za/scitech/technology/security/dalai-lama-s-site-hacked-infecting-others-1.1561388

Amazon.com Struggles With Website Troubles
http://www.foxbusiness.com/technology/2013/08/19/amazoncom-goes-down-temporarily-for-us-canada-users/

The Easiest Way to Deface a Website is to Target the Domain Registrar
http://www.darkreading.com/attacks-breaches/the-easiest-way-to-deface-a-website-is-t/240160677

Hackers Put a Bulls-Eye on Small Business Websites
http://www.pcworld.com/article/2046300/hackers-put-a-bulls-eye-on-small-business.html

Hackers Can Take Over Cars and Homes Remotely
http://bits.blogs.nytimes.com/2013/08/11/taking-over-cars-and-homes-remotely/?_r=0

US Dep’t of Energy Hacked Again
http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-302903/

Alberta Gaming Company Hit by Hackers
http://www.torontosun.com/2011/06/17/alberta-gaming-company-hit-by-hackers

******************

Glossary

Here are definitions to help you interpret any geek-speak found in this post.

IP Address:
An IP address identifies the physical address of a visiting source including a visitor to your website.

Website Breach:
An incident where protected, sensitive or confidential data has been viewed or stolen by an unauthorized party.

Website Hack:
The use of computer programming skills to gain illegal accesses to online resources.

Exploit:
A vulnerability taken advantage of to initiate a website breach or hack.

Web server:
The hardware system responsible for hosting website files to the public.

Web host:
A company responsible for configuring and running web servers used to host websites or applications.

Web designer:
An individual responsible for coding/programming each page that makes up your website or application.

******************

Sources

* SOPHOS
** WASC (Web Application Security Consortium)
*** TechTarget.com
**** Eweek.com
***** TeckWeekEurope.co.uk

1) Allow Customers to Opt-in On Paper
Invite customers to subscribe by paper and pen while at your store or at the counter.

2) Place an “Enter to Win” Box in Your Store
Keep an “Enter to Win” box in a highly visible location to encourage customers to drop their name, phone and email address for a chance to win something special.

3) Utilize Comment Cards
Customers love giving feedback, especially when they’re asked. Make a point of introducing yourself and stating that customer feedback matters to you. Ask them to include their email address so that you may follow up with them if required, and invite them to opt-in to your email marketing lists at the same time.

4) Reconnect and/or Follow-up With Your Customers
If you’ve been in business 20 years but only recently started collecting email addresses, take the time to follow up with existing clients and have them update their information with you – including putting a current email address on file and opting in to your newsletter.

5) Offer On-the-Spot Specials and Discounts
A good time to offer a discount is at the till or checkout counter. Help your consumers save some money by having them opt-in to your email lists. In exchange, offer them 10% off on the spot. It’s a worthwhile investment!

You might ignore these negative reviews because you know you’ve got hundreds, maybe thousands of satisfied customers, but some potential customers only know what they’ve read in your reviews.

If you read a poor review of a new movie, how far would you go to seek a second opinion? Would you call the theater to ask if the review was accurate? Would you write the reviewer and ask for confirmation or have them elaborate on what exactly was so bad about the movie? Probably not. You’re more likely to play it safe and simply pick another movie.

How do you fix negative reviews? We suggest 2 methods:

1) Connect with the customer who submitted the negative review. It’s a rewarding experience to turn an angry customer into a happy one, and you’ll find that most consumers are willing to give a vendor a second chance to make things right. The outcome may be a negative review turned positive, and you’ve now reconnected and rekindled a relationship with a customer who can share that positive story online and recant their previous statements.

2) Focus on producing positive reviews. Take the opportunity to invite happy customers to share their experience with others. Point them towards websites like Foursquare and Yelp and ask that they support your business by sharing a positive review of the products or services received. Chances are, the happy customer would be more than happy to do so. For their time, perhaps you could offer them a discount next time they buy from you. Another effective way to combat negative reviews, is to water them down with a higher number of reviews made by your Facebook and Twitter followers. You DO have Facebook and Twitter followers, right? These followers are part of your online community and by liking/following you they’ve made it public that they’re in your corner. Reach out to them – invite them to submit positive reviews of your business online to combat or water down the negative ones. This group of loyal followers will likely be more than happy to vouch for your business.

What potential consumers read about your business online could make or break their purchasing decision. They are likely to share what they’ve read with others, and whether or not the reviews are accurate, they make you work much harder to protect and maintain your reputation. Try and take control of your online reputation before it’s too late.