Our security monitoring has recently detected a rise in unauthorised login attempts against clients’ hosting accounts. This post highlights the risks of weak account security and sets out the measures website owners should take to protect their client portals from hackers.
The risks of unauthorised access
Unauthorised access to your client portal gives hackers access to your data and enables them to undertake a multitude of malicious tasks. Your hosting account contains personal information, like contact and bank details, and access to your services and domains. With access, hackers can make illegal use of your personal data, potentially even using banking details to steal from you.
Furthermore, they can also change passwords, locking you out of your own account and taking control of your websites, data and files. With this, they can modify your website, install malware, redirect payment gateways, set up new domains and email accounts and much more. They can even purchase new services from your host for their own means, with you having to foot the bill. Unchecked, the consequences can be disastrous and include financial loss, data breaches and ruined brand reputation.
Is your site secure? Read 6 Security Questions Every Website Owner Needs to Ask
Types of attacks
While hackers are always seeking new and more sophisticated ways to gain access to accounts, three of the most common methods are brute force attacks, phishing and credential stuffing.
Brute force attacks involve the use of specialist tools that attempt to guess usernames and passwords. Armed with advanced algorithms and databases of leaked login credentials from the dark web, they make informed choices rather than random guesses, enabling them to quickly crack default, weak or commonly used passwords. At the same time, hackers make use of VPNs to mask their locations and prevent the attacks from being detected and blocked by firewalls.
The most common form of attack is the phishing email, cleverly disguised to look like a message from your web host. Designed to panic readers into making hasty decisions, these emails typically report a problem with your account that needs urgent attention, for example that the account will be put on hold until your login credentials are verified. Clicking on the link in the email, however, takes you to a fake login page that steals your credentials as you type them in. To stop you from becoming suspicious, the submit button on the fake page is actually a link to your real host’s login. You may be baffled about why you have to log in a second time, but you will be unaware of the credential theft that has just taken place. Phishing can also be conducted by SMS or by phone. With phone phishing, someone impersonates your web host and asks security questions designed to get you to reveal your login credentials.
For more information, read: The Tell-Tale Signs of a Phishing Email
With credential stuffing, hackers try to log in using leaked or stolen usernames and passwords that are easily available on the dark web. You are at risk here if the login details you use for your hosting account are the same as those you use for other accounts, especially if one of those other accounts has been the victim of a data breach. This is why it is vital never to use the same password for more than one account. Certain password managers and antivirus companies now inform users if any of their login details have been discovered in a breach or on the dark web.
Keeping hackers out
Strong passwords are the basis for keeping your client portal protected. They should not be used anywhere else and should be difficult for people or hacking tools to guess. This means they should be a random string of upper and lowercase letters, numbers and special characters, at least 16 characters long. The easiest way to create a strong password is to let your phone or computer suggest one and then save it in a password manager. This keeps your passwords secure and means you won’t need to memorise lots of different complex passwords.
No matter how strong your password is, on its own it is not invulnerable to a cyberattack. For this reason, you should also set up two-factor authentication (2FA). With 2FA, you need to enter a time-limited 6-figure code in addition to your username and password. The code is generated on your phone and is only valid for 30 seconds. This means that unless a hacker has your phone in their possession, they cannot know the code and cannot log in. And because the code changes every 30 seconds, brute force tools do not have the time to crack it. There are alternatives to this approach: some codes are emailed or texted to you, and sometimes you can use biometrics or a physical token instead of a code.
Despite some people finding 2FA a bit of an inconvenience, it’s never going to be as inconvenient as having your hosting account hacked. Considering the potential consequences, it’s an extremely effective way to prevent unauthorised access to your client portal and is highly recommended.
For more information, read: 8 Ways to Ramp Up Website Security
Setting up 2FA
If you wish to implement 2FA for your Webhosting UK client area, follow these simple instructions.
- First, install an authentication app on your smartphone, PC or tablet. Google Authenticator and Microsoft Authenticator are recommended and can be downloaded for free from either the Google Play Store or Apple’s App Store.
- Once the app is installed, log into your Webhosting UK client portal.
- In the menu under your profile, select 2FA/Security Settings.
- Click on the Click Here to Enable button.
- When the screen opens, click Get Started and a QR code will appear on the screen.
- Scan the QR code using your authenticator app or enter the code provided into the app.
- The app will then create a six-figure code. Enter this code in the box on the client portal and click Submit. This will complete the 2FA setup. From now on, you will need to input the code displayed on your authenticator app whenever you log in.
Additionally, during set-up, you will be given a set of backup codes. Should you lose your phone and access to the authenticator app, these can be used to gain access to your account. Each backup code can only be used once. To avoid being locked out, make sure the backup codes are saved and kept secure.
Conclusion
With a rise in attempts at accessing client portals and the significant damage unauthorised access poses, it is crucial to keep your hosting account secure. Implementing two-factor authentication is an effective and easy way to do this and we recommend it for all our clients.
Suspicious Activity? Contact Us Immediately
If you ever receive a suspicious email or call regarding your hosting account, or detect any suspicious activity, don’t hesitate to contact us immediately via phone or live chat on our official website.