Your online platform may have many hundreds, or even thousands, of customers on it, so it’s important to think carefully about its security. If you deliver your online training to external companies (B2B), they will often want some reassurance about the security of your platform.
In this blog post we will list some straightforward tips to help keep your learning platform secure.
No system is impenetrable
Firstly, it’s important to point out that, in our opinion, no system is impenetrable. We regularly see news reports of data breaches at some of the world’s biggest companies: Yahoo, Marriott Hotels, LinkedIn, Sony, Uber, T-Mobile and, more recently, even NASA. These are companies with enterprise-level security and teams of security experts dedicated to looking after them.
These high-profile companies are obviously a bigger target for hackers, but that’s not to say that training companies like yours aren’t a potential target. It is reported that over 90,000 websites get hacked every single day (source: Hostingfacts)!
While large organisations are more likely to be the victim of a very targeted attack, smaller operations are still at risk from more automated types of hacking that are carried out on a much wider scale. These are often carried out by “bots” (i.e. not humans).
Why would someone want to hack my online learning platform?
There are a few reasons a hacker might target your online learning platform. Here are some of the most common:
To steal data
User data is valuable, particularly if it contains information that can be exploited such as credit card details. Hackers try to break into systems to steal this data and then sell it for financial gain.
To distribute spam
Hackers want to manipulate your platform to promote other websites. These are usually pharmaceuticals, gambling or porn sites. If they can gain access to your platform, they can use it to distribute spam emails, show your users spam adverts or even redirect your users to other undesirable websites.
To prove a point
Often hacking is purely for personal satisfaction rather than any financial incentive. Known as “script kiddies”, these users get a thrill out of hacking into websites and often use widely available online resources to help them do this. They will often deface a website, leaving their “calling card”, a bit like web graffiti…
Don’t make yourself a target
Your online platform is one of billions of other websites and web apps on the internet. This is good in a sense, because there’s safety in numbers. The larger the number of websites, the lower the probability you will be singled out.
I heard an excellent analogy of web security at a WordPress conference in Leeds recently:
Imagine a thief walking down a busy street of parked cars. They want to break into a car, but which one will they pick? A Range Rover with an alarm and an immobiliser or a neglected old Fiesta with its window already partly open and an iPhone sat on the dashboard?
As a training company it’s highly unlikely that you have the budget to hire a security team, but you can improve your security extremely cost efficiently by simply making yourself less appealing to hackers than others. The tips below will help you to do this.
Tip 1: Use strong passwords & management
There are lists of the most commonly used passwords. Of course there are the very easy ones, such as ‘password1’, but also ones that you wouldn’t expect to be so popular, like ‘monkey’ and ‘shadow’. It is also very common for users to have a password containing their name or company name followed by a number.
With passwords this weak, it wouldn’t take MI5 to break into your system. Indeed, the automated “bots” mentioned above trawl through websites rapidly, trying to log in using easily guessable passwords. This is known as “brute force” hacking and happens constantly and ruthlessly on the internet.
Want to know how quickly a bot could guess your password? Visit https://howsecureismypassword.net/.
For this reason it’s best to pick a password that isn’t easily guessable. Try to use a mix of upper-case and lower-case letters, numbers and even symbols if you can. There are lots of websites that can help you generate a password, such as https://strongpasswordgenerator.com/.
We get that 4Kr#sXS7k$ isn’t quite as easy to remember as Superman1, but there are resources available to help store passwords, such as KeePass and Dashlane.
It’s also regularly advised that you use different passwords for each service that you use (your bank, your Facebook etc.), and change these regularly.
Tip 2: Keep your learning platform patched and updated
Your learning platform is basically a piece of software. Just as your laptop or mobile phone continually nags you to update, your learning platform also probably has regular feature updates, and security vulnerabilities that are found and fixed.
It is essential to keep your system and any plugins up to date. Software like WordPress, Moodle or Magento is extremely popular, and with so many people using it, vulnerabilities are commonly found. Once they are found, information about the vulnerabilities is publicly shared and it doesn’t take long before hackers try to exploit them via automated techniques. Vulnerabilities within popular platforms and plugins usually start to be exploited within hours of their discovery.
Thankfully, such vulnerabilities are usually fixed extremely quickly and newer versions of the software are released. However, it is still up to you to apply the new update to your own system. If you don’t, sooner or later the vulnerability in your system will be exploited allowing a hacker to cause damage.
We would go as far as to say that most small companies don’t routinely update their system plugins, or leave them several months / years in between updates (which causes problems in its own right). Don’t be one of these companies!
Tip 3: Only use reputable plugins
We often use WordPress as the basis for our clients’ online learning platforms, and complement it with plugins to add additional functionality.
The WordPress plugin repository has over 50,000 plugins available (Source: https://www.codeinwp.com/blog/wordpress-statistics/). While most of these are created and maintained by skilled developers, some are not. Anyone can submit a plugin to the WordPress plugin repository, so when choosing to use one in your own learning platform it’s best to make an informed decision. Choosing the wrong one could lead to severe security issues.
The plugin repositories for most pieces of software will let you know how popular a plugin is, and when it was last updated. These are two key pieces of information to bear in mind when choosing a plugin:
If a plugin has millions of active installations you can safely assume that it has been robustly tested and has probably been developed over several years. On the flip side, a plugin with only a couple of hundred active installations could contain bugs or vulnerabilities that have gone unnoticed.
For this reason we would suggest avoiding plugins with low numbers of users. Every plugin has to start somewhere though, so if you do want to use a plugin with low usage make sure to ask a skilled developer to take a look at its code and check it for any obvious risks.
Also check when the plugin was last updated. If a plugin hasn’t been updated for years, then it has likely been abandoned and could therefore have unaddressed vulnerabilities as a result. Most plugin repositories will remove plugins if they aren’t updated after a certain time for this reason.
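The two checks above (active installations and date of last update) are easy to turn into a repeatable vetting step. The Python below is an added example, not code from the post or from Candle Digital: it applies both checks to plugin metadata and says why a plugin needs a closer look. The field names `active_installs` and `last_updated` follow the WordPress.org plugin information API, which is an assumption; the thresholds and the sample plugins are constructed, not real.

```python
from datetime import datetime, timezone

# Thresholds are a judgement call, not figures from the post: tune them to your risk appetite.
MIN_INSTALLS = 10_000        # fewer active installs than this = "low usage"
MAX_AGE_DAYS = 2 * 365       # no release in two years = probably abandoned

def parse_last_updated(value):
    # Assumed format of the WordPress.org plugin API's last_updated field,
    # e.g. "2023-09-14 2:48pm GMT"; only the date part is needed here.
    return datetime.strptime(value.split(" ")[0], "%Y-%m-%d").replace(tzinfo=timezone.utc)

def assess_plugin(info, today):
    """Apply the two checks from Tip 3 and return ("ok"|"review", [reasons])."""
    reasons = []
    installs = int(info.get("active_installs") or 0)
    if installs < MIN_INSTALLS:
        reasons.append(f"only {installs} active installs: get the code reviewed first")
    updated = info.get("last_updated")
    if not updated:
        reasons.append("no last_updated value: cannot tell whether it is maintained")
    else:
        age_days = (today - parse_last_updated(updated)).days
        if age_days > MAX_AGE_DAYS:
            reasons.append(f"last release {age_days} days ago: likely abandoned")
    return ("review" if reasons else "ok"), reasons

# Constructed sample data shaped like the plugin API's JSON; these are not real plugins.
SAMPLE_PLUGINS = [
    {"slug": "popular-lms-addon", "active_installs": 5_000_000, "last_updated": "2023-09-14 2:48pm GMT"},
    {"slug": "abandoned-quiz-widget", "active_installs": 200, "last_updated": "2018-01-03 9:10am GMT"},
    {"slug": "mystery-plugin", "active_installs": 30_000},
]
TODAY = datetime(2023, 10, 1, tzinfo=timezone.utc)

def vet_plugins(plugins=SAMPLE_PLUGINS, today=TODAY):
    return {p["slug"]: assess_plugin(p, today) for p in plugins}
```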
Tip 4: Use 3rd party security services
Web security and cybercrime are a big issue at the moment. Each day more and more threats arise on the internet. Thankfully, there are many 3rd party companies who are dedicated to improving your security to keep you one step ahead of threats. Here are two free services that we use regularly:
CloudFlare is a popular CDN (Content Delivery Network) backed by the likes of Microsoft and Google.
It acts as an intermediary between your site and the web. If anyone attempts to reach your website, be they a legitimate user or a hacker, they will reach CloudFlare first. CloudFlare determines whether or not to allow them access. It decides this based on various factors such as the user’s reputation, location and whether they are even human… If they aren’t deemed reputable then they will be refused access to your site.
An additional benefit of CloudFlare is that it caches some of your platform’s resources (such as images), so they load more quickly.
WordFence is a security plugin for WordPress. Like CloudFlare, it analyses visitors based on their reputation and blocks them if they appear malicious.
It also runs a daily scan of your system’s code to look for changes to core files, themes and plugins, bad URLs, backdoors, SEO spam, malicious redirects and code injections.
Tip 5: Avoid cheap web hosting
An online learning platform (or website) needs a “web host” to store its files and data. There are hundreds of hosting providers available and prices can range from a few pounds a month to thousands of pounds a month.
When choosing a hosting company you really do get what you pay for and it’s definitely best to avoid the cheapest end of the price range. Aside from the lack of reliability and poor support you would get from a cheap hosting provider, you are also likely to open yourself up to certain security risks.
When you are on cheap web hosting your website or learning platform is often stored on a server with a large number of other websites that are also doing things on the cheap. Among these other websites there may be spam websites or websites with their own vulnerabilities. This, combined with the lax security practices of the hosting provider, means that it’s entirely possible that your system could be inadvertently compromised because of another website that uses the same hosting.
That’s not to say that web hosting needs to break the bank. The majority of hosting providers are reputable and have good security practices, while still being affordable. Our advice would be that if the cost of a hosting provider looks too good to be true, then it probably is!
You’d be amazed how many companies fail to use these simple, common-sense tips to improve their system security. By employing these yourselves you should improve the security of your learning platform, or at least take it to a level where it is less likely to be targeted by hackers. Every little helps!
At Candle Digital we offer all of our partners a support agreement after any large project. As part of this we take care of things like plugin updates and patches and ensure these are applied in a timely manner and with a safe pair of hands! If we can help make your learning platform secure get in touch.