Keys on a key-ring

I’ve mentioned in previous blogs that the longer I work in this industry, the more obsessed I’ve gotten with security. This still holds true, especially when you consider how often I see vulnerable websites.

When I ask a potential client how many people have access to their website, the most common answer I get is, “I don’t know.” This answer sends a shiver down my spine. If you owned a brick-and-mortar store and I asked how many people had a key and the alarm code, I bet you’d know. How would you feel if you discovered there were people you don’t really know who could get into your store any time they wanted? Kind of a scary thought. Your livelihood is wide open to a complete stranger, or maybe several strangers.

While doing a website audit for potential clients, it’s not uncommon for me to find that numerous people have access to the site. I’ve seen old employees, web developers, support services, or just plain mystery people with active logins, and no small number of them with full administrator privileges.

I’ve heard stories of disgruntled employees (both past and current) ruining websites they still had access to. I’ve also heard of sites ruined by web developers who took it personally when a client decided to work with a different developer. If you were to fire an employee or contractor who had a key and the alarm code to your hypothetical store, at the very least you’d get your key back from them. Better still, you’d get your key back and change the alarm code. So why wouldn’t you do the same thing for your website?

Most of the time people just don’t think of it. Either they gave the person access for a specific task and never revoked it, or it’s out-of-sight, out-of-mind. Unless you’re logging into your site on a regular basis, it’s easy for something like this to slip your mind.

Ideally, you want as few people to have access to your website as possible. If you have an app or plugin on your site that needs support, it’s often easiest to give temporary access to the support team. I’d recommend creating a new login just for this purpose, then deleting it once the issue is resolved. If you’ve ever given your personal admin login to support personnel, go change your password. Sure, the company might be trustworthy and reputable, but are you 100% certain the employee you gave access to is as well?

Then there is the issue of actual hackers. If you discover unknown administrator logins on your website, there’s a chance you’ve already been hacked. If you have been hacked, just deleting the mystery login might not be enough, since the hacker has most likely already installed a backdoor and can create new admin logins at will. If you suspect a hacker has compromised your site, talk to a professional who knows how to clean hacked websites. Even if you only get a handful of visitors per day, there are good reasons an attacker would want to hack your website.
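The two checks described above (temporary support logins that should have been deleted, and administrator accounts nobody recognizes) are easy to turn into a routine review. The script below is an added example, not code from the original post; it assumes you can export your site’s user list (most content management systems and hosting panels can) into records with a username, role, creation date, last login, and an optional expiry date for temporary logins. The accounts, the approved-admin list and the ticket reference in it are constructed sample data. It also flags accounts that have not logged in for a configurable number of days and accounts with no record of who asked for them, which goes slightly beyond the post.

```python
"""Audit a website's user accounts for access that should be reviewed.

Added example, not from the original post. Assumes an exported account list;
the sample data at the bottom is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    role: str                       # e.g. "administrator", "editor"
    created: date
    last_login: Optional[date]      # None if the account has never logged in
    expires: Optional[date] = None  # set when a login was meant to be temporary
    note: str = ""                  # who requested this account, and why


def audit(accounts: List[Account], known_admins: Set[str], today: date,
          stale_after_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, reason) pairs that need a human decision.

    One account can produce several findings; that is intentional, since each
    reason is a separate question the site owner should be able to answer.
    """
    findings = []
    stale_cutoff = today - timedelta(days=stale_after_days)
    for a in accounts:
        # Administrators you did not knowingly create are the most urgent case.
        if a.role == "administrator" and a.username not in known_admins:
            findings.append((a.username, "administrator not on the approved list"))
        # Temporary support logins should have been deleted once the task ended.
        if a.expires is not None and a.expires < today:
            findings.append((a.username, f"temporary access expired on {a.expires}"))
        # Accounts nobody has used in a long time are keys that were never returned.
        last_seen = a.last_login or a.created
        if last_seen < stale_cutoff:
            findings.append((a.username,
                             f"no login since {last_seen} ({stale_after_days}+ days)"))
        # An account with no paper trail is a "mystery person" by definition.
        if not a.note:
            findings.append((a.username, "no record of who requested this account"))
    return findings


def usernames_to_review(findings: List[Tuple[str, str]]) -> Set[str]:
    """Collapse findings to the set of accounts that need attention."""
    return {username for username, _ in findings}


# Constructed sample data: a fictional site as of 2024-06-01.
TODAY = date(2024, 6, 1)
KNOWN_ADMINS = {"owner"}
SAMPLE_ACCOUNTS = [
    Account("owner", "administrator", date(2021, 1, 5), date(2024, 5, 30),
            note="site owner"),
    Account("former-dev", "administrator", date(2022, 3, 1), date(2023, 1, 15),
            note="built the original site"),
    Account("plugin-support", "administrator", date(2024, 4, 1), date(2024, 4, 3),
            expires=date(2024, 4, 15), note="support ticket <placeholder id>"),
    Account("mystery", "administrator", date(2024, 5, 20), None),
]

if __name__ == "__main__":
    for username, reason in audit(SAMPLE_ACCOUNTS, KNOWN_ADMINS, TODAY):
        print(f"{username}: {reason}")
```

Run against the sample data, the owner's account passes and the other three are listed: the former developer is an unapproved admin who has not logged in for over a year, the support login is unapproved and past its expiry, and the unknown account is unapproved with no note explaining its existence. Treat the "administrator not on the approved list" finding as the one that may call for the professional clean-up the post mentions rather than a simple deletion.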

Finally, it’s important to realize that every login on your website is a potential vector of attack. You might implicitly trust the integrity of everyone with access to your site, but do you know their personal security practices? Do you know how or where they are storing their login information? Are you certain they have used a strong password, and that it’s not one they’ve used somewhere else?

Your website is valuable. Regardless of whether it’s your primary source of income or just a hobby site, you’ve sunk resources into it, either in the way of time, money, or both. Being aware of who has access to your site is an easy way to protect that investment.