When choosing a school website provider, it’s easy to focus on what you can see, like a beautiful design or an easy-to-use interface. But it’s often what you can’t see that will make or break the success of your website.
Your website’s hosting and infrastructure impact the speed, reliability, uptime and, most importantly, the security of your website. There has been a major spike in school website hacks since the beginning of the Covid-19 pandemic — highlighting just how vulnerable school websites can be. From small schools and colleges to massive districts and universities, there have been hundreds of successful cyber attacks since the beginning of the pandemic.
The goal of this blog isn’t to scare you — but to keep you on your toes because the Internet can be a scary place. Let’s start with what schools should be thinking about — and then we’ll dive into what you can do about it!
5 Common Types of School Website Hacks
From phishing to malware, there are nearly a dozen types of common website hacks that can occur. These cyber attacks can cost a school or district thousands — and sometimes even millions — of dollars, compromise personal data, and even cause a school or district to shut down for an extended period — as was the case for Rialto Public Schools back in 2020.
The five most common website hacks that affect school websites are:
- DDoS Attack
- Phishing
- Malware and Ransomware
- Brute Force Attack
- Non-Targeted Website Attacks
1. DDoS Attacks
DDoS attacks, known as “distributed denial of service” attacks, occur when attackers send more requests to a webpage than the server can cope with, which overwhelms the servers and causes them to crash.
2. Phishing
This type of cybercrime consists of a hacker sending emails that seem legitimate to individuals within an organization to obtain personal information, such as passwords and credit card numbers. This kind of attack can result in your website and community’s personal data becoming compromised by someone simply clicking a link or opening a program sent by a hacker. In one case at San Felipe Del Rio Consolidated Independent School District in Texas, a fraudulent email was received from someone claiming to be a representative of the financial institution that the school made bi-annual bond payments to. The phishing tactic worked, and in February 2020 district officials mistakenly wired more than $2 million to the hacker’s account.
3. Malware and Ransomware
“Malware” is an umbrella term for all the different types of malicious software used by cybercriminals. Most malware is installed without the infected person ever realizing it by simply clicking on a hyperlink or opening a program. The most common type of malware used against schools is Ransomware. One source noted that from Aug. 14 to Sept. 12, 2021, educational organizations were the target of over 5.8 million malware attacks. Another source noted that “Schools are now the most popular targets of ransomware attacks, according to the FBI.”
Even the most sophisticated software is not immune to a malware or ransomware attack. Finalsite fell victim to ransomware in early 2022 that we were able to contain quickly, ensuring no data was compromised in the process.
4. Brute Force Attack
Predictable login credentials are often the subject of a brute force attack. This hacking technique is executed by using different password hacking tools to crack the login of users to gain access to their account. This hack is so common and simple that schools and districts are often targeted by students within the community.
5. Non-Targeted Website Attacks
These website hacks are incredibly common in open source software. In this hacking method, the hacker “targets vulnerabilities that exist in a CMS, plugin or template.” On WordPress sites in particular, the plugins and widgets that can be added to your website are developed and edited by complete strangers — putting your site at risk. It’s why headlines like “WordPress Reset PRO bug lets hackers wipe WordPress sites” and “A million WordPress sites are at risk due to plugin vulnerability” are all too common.
How to Protect Your Website’s Data
With cybercrime and attacks on the rise, it’s not a matter of “if” but “when” your systems might be the next target. Before cyber criminals attack your school or district, be prepared with solid security measures. Protecting the integrity of your community’s data requires a two-pronged approach:
- Choose the right platform
- Train and educate employees
1. Choose the Right Platform
Without the right platform in place, your website and its data could be inherently more vulnerable. Here are the top three considerations for choosing a website provider:
Hosting and Location
How and where your school’s website is hosted plays a key role in the security of your website against hackers. When choosing a website provider, ask how and where your website will be hosted, and whether or not it is encrypted. You’ll also want to check the SLA (Service Level Agreement) for expected uptime. The closer to 100% you can get, the better.
Since we're hired to think and worry about this all the time, at Finalsite, all websites are hosted using Google Cloud Hosting. Google hosting is fully encrypted and up-to-date on all certifications and compliance requirements. Since moving to Google hosting, the Finalsite Platform has an uptime of 99.999%.
Where your website is hosted matters too. Make sure the country your website is being hosted in has data protection policies which will give you recourse if something happens with your website. In addition to protection laws, website location impacts website performance. More on this, next.
Content Delivery Network (CDN)
Location is an important consideration for security reasons, but it also drives how quickly information gets transmitted. Ideally, your website should be hosted close to where the majority of your constituents are. This will help with website load times and downloading files.
If your website provider cannot host close to you, they should provide a CDN (Content Delivery Network) which will help serve content to people who are not close geographically. A CDN is a geographically distributed group of servers which work together to provide fast delivery of Internet content.
Your website’s CDN plays an integral role in your website’s speed and security. Finalsite websites use the Cloudflare CDN, which puts your website on a global, secure network within the cloud. This adds an extra bubble of protection from people on the Internet. Think of it like a fence or even a moat surrounding your house — it’s going to require a lot more work to “break in” so cybercriminals will look elsewhere. This worldwide CDN protects your website from DDoS, botnet and other attacks.
Support and Website Access
The weekly headlines about more WordPress sites hacked should frighten you. While open source websites are often an affordable solution — they come at the unmatched cost of your community’s private information. With WordPress and other open source solutions, non-targeted website attacks are common as developers across the globe can easily gain access to your website’s code — and therefore, the vital data of your community.
With your website provider, you want to be sure that the only people who have access to your website’s source code are those with your website’s best interest in mind. If something does go wrong, having a responsive support team can make all the difference. You want a support team that can respond quickly, resolve the issue, and fix it in-house.
2. Train and Educate Employees
Educate Employees
It’s easy to think “a hack could never happen at our school” — but this kind of mindset can put your entire community at risk. Educate your community — especially those responsible for your school’s website and other web services — on protocols for safe passwords, and how to spot suspicious emails.
A recent survey of teachers discovered less than half of teachers have received additional security training during the pandemic, and half of the respondents have not received any cybersecurity training.
For passwords, consider providing the following guidelines:
- Avoid using any variation of the word ‘password’ (like p@$$worD1)
- Avoid using any variation of the school name, mascot, colors, etc
- Avoid using the same password for all accounts
- Avoid using a password “keychain” to store confidential information on a work computer
- Require using a combination of letters, numbers, symbols and mixed cases for your website login, hosting (cPanel) and domain registrar
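The first, second and last guidelines above can be enforced automatically whenever a password is set. The check below is an added example, not Finalsite's code; the school name, mascot and colors in `SCHOOL_TERMS` are constructed sample values to replace with your own.

```python
import re

# Constructed sample values (assumption): your school's name, mascot and colors.
SCHOOL_TERMS = ("lincoln", "tigers", "orange", "black")
BANNED_TERMS = ("password",) + SCHOOL_TERMS

# Undo common character swaps so "p@$$worD1" is read as "passwordi".
# "l" is folded to "i" because "1" and "!" can stand in for either letter.
SWAPS = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                       "1": "i", "!": "i", "l": "i", "3": "e", "7": "t"})


def normalize(text: str) -> str:
    """Lowercase, undo common swaps, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(SWAPS))


def check_password(password: str, banned=BANNED_TERMS) -> list[str]:
    """Return the guideline violations; an empty list means the password passes."""
    problems = []
    plain = normalize(password)
    # Guidelines 1 and 2: no variation of 'password' or of school-related words.
    for term in banned:
        if normalize(term) in plain:
            problems.append(f"contains a variation of '{term}'")
    # Last guideline: letters in mixed case, numbers and symbols.
    required = {
        "a lowercase letter": r"[a-z]",
        "an uppercase letter": r"[A-Z]",
        "a number": r"[0-9]",
        "a symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in required.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    return problems


if __name__ == "__main__":
    for candidate in ("p@$$worD1", "G0T1gers!", "Vk7#qmZe2!xR"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that `p@$$worD1` satisfies the character-mix rule on its own, which is why the banned-word check is needed alongside it.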
Lock Down Admin Access to a Trusted Few
Is your website managed completely in-house? Is it updated regularly? Do you know the people who are accessing it? Restricting access to your website and website code to a select few admins can help you identify how and when data breaches occurred faster — especially in the case of phishing, malware, and brute force attacks.
For individuals using the Finalsite Platform, you have complete control over who has access to your website with tiered admin access — ensuring the “keys to the kingdom” stay in hands you trust.
Auditing Your Website’s Vulnerability
Managing your school or district’s website is already a lot of work — and you shouldn’t have to lose sleep wondering “is my website safe?” Much of your website protection sits in the hands of your website and hosting provider.
If you’re worried about the security of your school’s website, set up a call with your current website provider about:
- Hosting location and CDN
  - How and where is your website hosted?
  - Do you use a CDN?
  - Is the CDN encrypted?
- Two-factor authentication
  - Do website admins use two-factor authentication to log in?
- Admin rights
  - How do I control who can access my website?
  - How do I know who has access to my website?
  - Do you have best practices for setting passwords?
- Modules, widgets, add-ons
  - Outside of school staff, who has access to the source code of the modules, widgets, add-ons, etc. that our website uses?
- Penetration testing
  - Do you or your website provider conduct frequent penetration tests on your system to pinpoint holes in your system?
Key Takeaway
School and district websites are increasingly a target for cybercriminals — and in 2020 it cost them over $6 billion. As cybercriminals get smarter and schools share more information online, it’s imperative to make smart investments in your website hosting and infrastructure, and to know what to do should you find your school website under attack.
Further reading:
- Is The Information On Your School's Website Safe? 6 Questions To Ask Your Website Provider Right Now
- The 9 Biggest Problems Schools Face When They Choose Open Source
- Lessons Learned from a Global Ransomware Attack
ABOUT THE AUTHOR
Mia is a creative and passionate school marketing thought-leader. Since joining the Finalsite team in 2013, Mia has produced hundreds of pieces of content with one goal in mind: helping private, public, and international schools improve their online presence. In her current role as director of demand generation, Mia focuses on full-funnel inbound marketing strategies. She's also a co-host on The School Marketing Show, a frequent blogger, e-book author, Expert Course consultant and webinar host. She loves putting storytelling at the heart of all communications — and before joining the Finalsite team, Mia was a TV and radio broadcaster, wedding cinematographer, and author for various online magazines. She is an army wife, mom, and rookie photographer currently living in southern Georgia.