Preventing Cyber Attacks on Your Radio Station Website

Cyber attacks can scar us. You’re more likely to view security differently if you’ve ever been hacked or had your identity stolen online.  For those of us who haven’t, we continue to do things that open ourselves up to cyber-attack intrusions.

A successful intrusion can result in a huge loss in traffic and revenue because your site has crashed or been suspended by your hosting provider.  It could even result in identity theft of your content creators, administrators, and possibly your members if you run a membership site.

No matter how big or small your website is, or how awesome your hosting provider or website service is, you can still become a target.  So, it is very important to secure your websites, which means putting protection in place and doing what we can to fend off attackers.

The stats are amazing…

  • Cyber-attacks happen once every 39 seconds.
  • 95% of cyberattacks are due to human error.
  • Cybercrime costs the United States economy a reported $3.5 billion each year.
  • An estimated 30,000 websites are hacked each day.
  • 43% of cyber-attacks target small businesses, but only 14% of small businesses are prepared to defend themselves.
  • It takes 196 days on average to identify a data breach.

How do cyber attacks work?

Cyber-attacks work by infecting a computer with malware or spyware. These types of attacks are often delivered through email attachments, malicious downloads, or websites that you may visit.

Malware is code designed to disrupt the operation of your device and possibly make it perform hazardous operations.  You may think, what could a hacker do with my little radio station website that only gets a few hundred visitors per month?  They can do a lot, because they will use that server’s resources to run robots that infect other machines.  Their operation will have nothing to do with your business.

Spyware is software designed to gather information about your online activity without you knowing anything about it. They will use that information to access other systems.

Ransomware is a newer trend that will lock up your system until you pay the hacker to remove it.

While it’s impossible to create an absolutely impenetrable fortress with your station or company website, it is possible to put measures in place to make it very difficult. Many times, a little difficulty is all it takes to send hackers on to their next target.  This is where a comprehensive security plan comes into play.

A Comprehensive Security Plan

While we could talk about server firewalls, keeping the CMS software up to date, requiring an SSL certificate on your domain, and other technical aspects of a comprehensive security plan, most of those will be handled by your website or hosting provider.

Today we’ll only talk about things you can immediately pass down to your team to be aware of in keeping the website safe from intrusions.

You may think that some or all of these tips are common sense, but unfortunately, most are not common practice.  Here are steps you should take today to protect your radio station website against cyber-attacks.

1. Ensure Proper Contacts Are Prominent/Accessible

Have all the necessary contacts handy: the names, e-mails, and phone numbers of your website developer, hosting provider, or security partner.  It’s most likely that these people will know of an intrusion before you do because they have alerts in place to let them know.  However, contacting them as soon as you notice an issue is vital to keeping the website from being further infected and your data from being compromised.

Be very specific in what you tell them.  Not “the website is broken”.  They are going to send you a barrage of questions, so try to anticipate and answer those questions in your first e-mail or phone call.

Send screenshots of what you see, tell them what you were doing when you first started noticing the problem, what the error specifically says, and if you tried multiple browsers/computers/networks, etc.

All of these will help your team member resolve the problem more quickly.

2. Continuously Monitor Your Site for Cyber Attacks

Website owners may be unable to immediately identify malware and viruses, since these are capable of hiding themselves. This contributes to why malware programs are among the most prevalent threats to website security.

Ensure your people actually put their eyes on your websites each day. It’s good to have website AND server software monitoring your site for intrusions and downtime.

The following are some of the crucial signs that indicate website security issues need to be addressed:

  • Logins are happening without a user’s consent (my last login was at 2 am?)
  • The website files are modified or deleted without the owner’s knowledge or consent
  • The website repeatedly freezes and crashes (DDoS attack)
  • Search engine results show warnings about harmful content or blacklisting
  • The website’s traffic rapidly increases or drops

The presence of the above signs can signify that a website could be infected. It’s always best to have a comprehensive scanner continuously monitoring your website.

If you have a website partner, they are likely doing this for you BUT ask them about it.

3. Make Frequent Backups

The basic premise for all security procedures is to stay prepared for the worst and always be ready to be the victim of an attack.

Regularly backing up a website is not just a good idea, but it is an essential measure for protecting your content and any private information you may have collected from your audience.

A website backup consists of a snapshot of all the essential site components like themes, plugins, databases, and essential files.  This can be done at the website level or server level.  Ensure this is happening at least once a day and not weekly or monthly.

If a backup ever needs to be restored from a point earlier than the intrusion occurred, it means anything created since then will be lost.

What recent content might need to be recreated?  Some of the content lost in a backup restoration might not be able to be recreated.  For example, new club members, contest entries that you received in the last few hours, event registrations, etc.

So, there should be a plan in place to always keep those important types of entries duplicated offline more often than regular backups occur.  Perhaps you export the club database each time a new member is added or receive an e-mail each time someone enters a contest.

Backing up your radio station website should be a top website security practice.

4. Use Secure/Strong Passwords

We can sometimes forget just how important passwords are and overlook that a password is really the only thing standing between our personal information and a hacker. Not only are passwords a vitally important step in keeping your information safe, but they’re also one of the easiest things you can change to increase the security of your website.

The average person needs to have 38.4 passwords for various things.  That’s a lot to remember, so people tend to use the same password for multiple things (password recycling).

Hackers love this trend because it takes just seconds for hacking software to test thousands of stolen sign-in credentials against popular online banks and shopping sites. If a username and password pair is recycled, it’s extremely likely it’ll unlock plenty of other lucrative accounts.

A survey carried out by the UK’s National Cyber Security Centre produced a list of the most hacked passwords. The top 10 are:

  • 123456
  • 123456789
  • qwerty
  • password
  • 111111
  • 12345678
  • abc123
  • 1234567
  • password1
  • 12345

If you are using any of these, rejoice that you have never been hacked, and then go change them as soon as possible.

In my 10 years of doing radio station websites exclusively, we’ve only had one intrusion and it was because of a weak password.

Here are some good password tips…

  • Combine three random, unrelated, but memorable phrases
  • Use a randomly generated sequence of characters
  • Never reuse passwords and use a password manager to keep track of them
  • Always make your passwords long
  • Never use personal information in your password – it’s the first thing hackers will try.
  • Change your passwords regularly. Experts suggest once every quarter.

There are all kinds of password tips out there and even password generators you can try.

Either way, do not ever share your website accounts or passwords with anyone.

For an additional layer of security, consider implementing two-factor or multi-factor authentication, which requires an additional code to be entered from the user’s cellphone or e-mail.

Even if your username and password were compromised, a hacker would still need to somehow disable this to gain access.

5. Implement Access Control Measures

Access control is integral to the success of any security program. This is the process of ensuring that only the right people have access to only what they should have access to.  The same applies to website protection.

The need for strong access controls arises from the fact that human activities are the highest cause of cyber-attacks.  A recent research study identified that 95% of cyber-attacks are due to human causes.

I’ve seen many stations where everyone who has access to the admin area has the same clearance level.  Employees with access permissions to specific website areas can make errors that result in disastrous attacks.

For example, there would be no need to allow a content creator to access the website’s code. Only a developer or a website administrator should have access to that.  By the same token, someone who only produces news content or blog posts should not need access to contest entries, banner ad information, or the newsletter list.

Applying proper access principles minimizes the chance of a mistake that can lead to unwanted website security events.

6. Check/Clean Spam Comments

Spam is annoying, to say the least. In most cases, comment spam is used by bots to place backlinks to other websites to increase their search rankings.  Google blocks these.

Some spambots have more malicious intentions, though, and can overload your server and even install malware on visitors’ computers. If these malicious links are found on your website by Google’s crawl bots, they could rate your entire website as unsafe.

WordPress has the ability for vetted commenters to post auto-approved comments. Be wary of approving generic comments from visitors with any free e-mail address like Gmail, Outlook, etc.

Ensure the comment matches the post/article and is not generic in nature like “Great post.  Do more like this!”, “This is exactly what I needed today. Thanks.”

You may opt for Facebook comments instead, or a comment service like Disqus; both bypass the website comments capability altogether.

7. Scan Your Local Computers

Yes, your local machine may be a serious security threat to your station website. Hackers often target personal computers to gain a foothold into secured websites.  Malware can be written to steal website login and FTP information so they can inject malicious files into websites.

It’s important to run deep scans of your laptops and station machines on a regular basis.

The most malicious file type is still the infamous EXE file, making up 52% of all malicious files. In 2nd place are PDF files, comprising 20% of all malicious files, followed by Word documents in 3rd place.  There are some image file formats that can contain viruses.

Beware of public or open internet connections.  If you’re working in a shared space like a cafe (or hotel conference room), the wi-fi connections might not be secure.  Use a VPN service.

Over 84% of all cyber-attacks were distributed via e-mail in 2021. This is a drastic rise from 2019 when only 64% of all cyber-attacks were sent via e-mail.

Never click on links in emails that seem suspect (e-mails from Gmail, etc).  Just delete the email right away!

It seems like common sense, but phishing emails (which try to get your information) are becoming increasingly realistic – so always remain on high alert.  Hackers prey on people’s curiosity.

Eradicating a virus or malware is important, but the most critical solution is understanding how you got the malware or virus and ensuring it doesn’t happen again. This eliminates the possibility of reinfection.

Wrapping Up!

Do not let your website staff fall victim to security fatigue.  It’s everyone’s responsibility to ensure the station website is safe and secure.  Have a security plan that includes…

  • Ensuring proper contacts are prominent/accessible.
  • Continuously monitoring your site for issues.
  • Making frequent backups, especially of high-priority events/contests.
  • Using strong passwords.
  • Only granting specific access to admins you can trust.
  • Clearing out spam comments.
  • Scanning your computer regularly.

You wouldn’t leave your front door open, so why would you do the same with your website?  Web-based malware and spyware attacks are on the rise, so do all that you can to ensure your team is security-minded so that your website is protected and not an easy target.


Jim Sherwood serves as the chief creative, brand strategist, lead developer, meticulous project manager, and station collaborator for all Skyrocket Radio sites and projects. Jim is a 30+ year radio veteran with a resume spanning several small, medium, and large markets including roles as Digital Content Manager, Program Director, Production Manager, and Morning Show Host.