Protect your website and close the door to hackers: digital security advice for journalists

This article is part of the book, "Innovative Journalism in Latin America," published by the Knight Center for Journalism in the Americas, with the help of Open Society Foundations' Program on Independent Journalism.

By Jorge Luis Sierra, ICFJ Knight Fellow

Are you concerned about potential cyber attacks? Was your online news publication recently shut down? Are malicious hackers infecting your website and introducing unwanted ads?

Now that every media publication relies on the internet and has an online presence, corrupt governments, private companies, abusive intelligence services and sometimes even criminal organizations attack independent publications. A successful attack might mean a serious headache for journalists, but it can also mean spending a lot of money, time and resources to recover a website.

Protecting your online publication shouldn’t be expensive or mark the end of your news organization. But also keep in mind that the risk of a cyber attack can’t be eliminated, just reduced.

However, if you are proactive and take preventive measures, you can significantly reduce the chances of your website being hacked.

Below are some suggestions based on my experience hearing and learning from colleagues and helping online news publications around the world:

•          Protect computers and mobile devices with antivirus software and hard drive encryption.

•          Always keep your software and applications up-to-date.

•          Protect the physical security of your newsroom, as well as the location of your networks and servers. It is common for hackers to break into offices and newsrooms and to steal computers to gain access to your platforms and email and social media accounts.

•          As a journalist, you should be aware of basic information about digital security tools and the types of cyber attacks: Security in a Box, ISC Project tools, EFF’s Surveillance Self Defense, and the Salama security library, which I created during one of my ICFJ Knight Fellowships. You can also learn about the ten most common cyber attacks at OWASP.

•          Avoid spear phishing and protect yourself and your team from social engineering. You can find a guide here.

•          Don’t click on unexpected links or files, even if they come from known sources. Scan them with antivirus software before opening.

•          Use diceware to create six- or seven-word passphrases. This is the best way to create passwords that are difficult to crack and easy to remember.

•          Take advantage of pro-bono help from Equalit.ie, a Canadian non-profit that created the Deflect platform to offer free hosting and protection from Distributed Denial of Service (DDoS) attacks. You can opt to use Google Shield. Of course you can hire commercial services, but Deflect and Google are better suited to understand the needs of independent media.

•          Host your website on a dedicated server. I have seen that a lot of colleagues host their online publications in shared servers with hundreds or even thousands of other websites. That might be very risky and dangerous for your online platform as you share not only the server, but also the risk.

•          Purchase a security certificate and a unique Internet Protocol (IP) address. It will help the credibility of your website and encrypt communication between your users’ browsers and your server.

•          Hide your login area and customize your login address. Many hackers easily exploit websites’ vulnerabilities when they show the traditional website.com/wp-admin URL to log in.

•          Remove information about the WordPress version, and the meta tag generator. This will provide additional protection from hackers.

•          Avoid long URLs. Many malicious hackers can exploit long URLs to access your files directory and conduct an attack such as a “defacement,” which changes your homepage.

•          Don’t give users access to files such as readme.html, readme.txt, wp-config.php, wp-includes and .htaccess. You do not need access to those files on a regular basis. It is very important to block access to them and close the doors to professional or amateur hackers.

•          Back up your website database every day. In the event of a successful cyber attack, a clean copy of your database will greatly increase the chances of getting rid of the infection.
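
The diceware tip above is worth seeing in code. The following is an added example, not part of the original article: it rolls five dice per word with a cryptographically secure random source, looks each roll up in a wordlist in the "key word" format the published lists use, and computes how many bits of entropy six or seven words give. The wordlist embedded here is a constructed placeholder with one made-up token per key; in practice load the original diceware list or the EFF long list instead.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                  # diceware rolls five dice per word
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 entries in a standard list

# Constructed stand-in for a real diceware list: every possible five-dice key
# mapped to a placeholder token. A real list holds memorable English words;
# only the "key<whitespace>word" line format is the same here.
SAMPLE_WORDLIST_TEXT = "\n".join(
    f"{''.join(k)}\tw{''.join(k)}"
    for k in itertools.product("123456", repeat=DICE_PER_WORD)
)


def parse_wordlist(text):
    """Read 'key<whitespace>word' lines, skipping anything that is not a valid key."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == DICE_PER_WORD and set(parts[0]) <= set("123456"):
            words[parts[0]] = parts[1]
    return words


def roll_key(rng=secrets.randbelow):
    """Roll five dice with a CSPRNG (or an injected rng for testing) and return e.g. '41352'."""
    return "".join(str(rng(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(words, n_words=6, sep=" "):
    """Pick n_words by independent dice rolls; refuse incomplete lists so no roll can miss."""
    if len(words) != LIST_SIZE:
        raise ValueError(f"wordlist must have exactly {LIST_SIZE} entries, got {len(words)}")
    return sep.join(words[roll_key()] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Each word contributes log2(list_size) bits: about 77.5 for six words, 90.5 for seven."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    for n in (6, 7):
        print(f"{n} words, {entropy_bits(n):.1f} bits: {passphrase(words, n)}")
```

The entropy figure is the reason the tip says six or seven words: every word is chosen uniformly from 7776 possibilities, so the strength depends only on the number of words and not on how "random" they look.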

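Several of the tips above (hiding version information, removing the generator meta tag, blocking readme.html, wp-config.php, .htaccess and directory listings) are things you can verify on your own site after applying them. The following is an added example and not code from the article: it audits responses you have captured from your own site, flags a generator meta tag, asset URLs that carry a version string (a second place WordPress discloses its version, which goes a little beyond what the tip mentions), and any sensitive path that still answers 200. The HTML and responses embedded here are constructed samples standing in for real fetches.

```python
import re
from html.parser import HTMLParser

# Files and directories the tips above say should not be reachable by visitors.
SENSITIVE_PATHS = ("/readme.html", "/readme.txt", "/wp-config.php", "/.htaccess", "/wp-includes/")


class _DisclosureParser(HTMLParser):
    """Collect the generator meta tag and any asset URL carrying a ?ver= version string."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.versioned_assets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content")
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url and re.search(r"[?&]ver=\d", url):
            self.versioned_assets.append(url)


def find_homepage_disclosures(html):
    p = _DisclosureParser()
    p.feed(html)
    return {"generator": p.generator, "versioned_assets": p.versioned_assets}


def find_exposed_paths(responses):
    """responses maps a path to (status, body) as captured from your own site.
    A hardened site answers 403 or 404 for every listed path; 200 is a finding,
    and for a directory only a listing page ('Index of ...') counts."""
    findings = []
    for path in SENSITIVE_PATHS:
        status, body = responses.get(path, (404, ""))
        if status != 200:
            continue
        if path.endswith("/") and "index of" not in body.lower():
            continue
        findings.append(path)
    return findings


# Constructed sample responses standing in for fetches of your own site.
SAMPLE_HOME = """<html><head>
<meta name="generator" content="WordPress 5.8.1">
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=5.8.1">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
</head><body>Hello</body></html>"""

SAMPLE_RESPONSES = {
    "/readme.html": (200, "<h1>Welcome to WordPress</h1>"),
    "/wp-config.php": (403, "Forbidden"),
    "/.htaccess": (403, "Forbidden"),
    "/wp-includes/": (200, "<title>Index of /wp-includes</title>"),
}


def audit(home_html, responses):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    home = find_homepage_disclosures(home_html)
    if home["generator"]:
        findings.append(f"generator meta tag present: {home['generator']}")
    for url in home["versioned_assets"]:
        findings.append(f"asset URL leaks a version string: {url}")
    for path in find_exposed_paths(responses):
        findings.append(f"sensitive path reachable: {path}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HOME, SAMPLE_RESPONSES):
        print("FINDING:", finding)
```

Run the audit against your own site after each change: the generator tag is normally removed from a theme's functions.php with WordPress's remove_action('wp_head', 'wp_generator'), and the file and directory blocks are done in the web server configuration, so a finding that survives means the change did not take effect where you expected.
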
The tips mentioned are easy steps you can take to protect your website. Most of them are about prevention and mention free and open source software available online.
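
The daily database backup tip above is the one most often skipped because nobody automates it. The following is an added example, not code from the article: it streams a mysqldump into a timestamped, compressed file, records a SHA-256 checksum beside it so a tampered or truncated copy can be detected before you restore from it, and prunes dumps older than a retention window by the timestamp in their names. The database name, user, option file and backup directory are assumptions for illustration; the password is expected to live in a MySQL option file rather than on the command line.

```python
import datetime
import gzip
import hashlib
import os
import re
import shutil
import subprocess

NAME_RE = re.compile(r"-(\d{8}-\d{6})\.sql\.gz$")


def stamp(text):
    """Parse the YYYYMMDD-HHMMSS timestamp used in backup file names."""
    return datetime.datetime.strptime(text, "%Y%m%d-%H%M%S")


def _now():
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def dump_command(db_name, user, option_file="~/.my.cnf"):
    """Assumed layout: credentials come from a MySQL option file, never the command line."""
    return [
        "mysqldump",
        f"--defaults-extra-file={os.path.expanduser(option_file)}",
        "--single-transaction",   # consistent snapshot of InnoDB tables without locking the site
        "--user", user,
        db_name,
    ]


def backup_name(db_name, when):
    return f"{db_name}-{when:%Y%m%d-%H%M%S}.sql.gz"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(db_name, user, backup_dir, when=None):
    """Stream mysqldump output into a gzip file and write its SHA-256 beside it."""
    path = os.path.join(backup_dir, backup_name(db_name, when or _now()))
    proc = subprocess.Popen(dump_command(db_name, user), stdout=subprocess.PIPE)
    with gzip.open(path, "wb") as out:
        shutil.copyfileobj(proc.stdout, out)
    if proc.wait() != 0:
        os.remove(path)   # never keep a truncated dump that looks like a good one
        raise RuntimeError(f"mysqldump exited with {proc.returncode}")
    digest = sha256_file(path)
    with open(path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(path)}\n")
    return path, digest


def expired(names, now, keep_days=14):
    """Dump files older than keep_days, judged by the timestamp in the file name."""
    cutoff = now - datetime.timedelta(days=keep_days)
    old = []
    for name in names:
        m = NAME_RE.search(name)
        if m and stamp(m.group(1)) < cutoff:
            old.append(name)
    return old


def prune(backup_dir, keep_days=14, now=None):
    """Delete expired dumps together with their checksum files."""
    for name in expired(os.listdir(backup_dir), now or _now(), keep_days):
        for victim in (name, name + ".sha256"):
            p = os.path.join(backup_dir, victim)
            if os.path.exists(p):
                os.remove(p)


if __name__ == "__main__":
    # Assumed names; run once a day from cron and copy backup_dir off the web server.
    run_backup("wordpress", "backup", "/var/backups/db")
    prune("/var/backups/db")
```

Keep the backups on a different machine from the website: a clean copy that sits on the compromised server is the first thing an attacker with file access can delete or alter.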

If your threat level is higher than normal and you face immediate threats from repressive governments, corrupt officials and private companies, you may need to test your own website against the ten most common cyber attacks as a precaution.

Penetration testing may be an expensive service, but you can receive help from projects that offer pro-bono pen testing, or charge a very low rate. Organizations offering low cost or pro-bono pen testing are the Information Safety and Capacity Project and Security Without Borders. As an ICFJ Knight Fellow, I have also started to offer the same service through the Salama Project.

Additionally, if you want to be more rigorous about information security, you may need to protect not only your website, but also the way your media organization manages information. A good way to get a strong level of security at your organization is to be in compliance with international standards. When you get to this level, you will hear about the ISO27000. It is a process that protects not only devices and technology, but also human practices and the information management process.


Note from the editor: This story was originally published by the Knight Center’s blog Journalism in the Americas, the predecessor of LatAm Journalism Review.