How journalists with few resources can protect their websites

by Jorge Luis Sierra
Oct 30, 2018 in Digital Journalism

Adversaries of independent journalists are now using an electronic arsenal to attack news websites. Those adversaries can include agents of authoritarian governments, corrupt private companies or even criminal organizations. Their common interest is to silence independent voices and suppress any attempt to expose cases of corruption, negligence or human rights violations.

Those cyberattacks are costly — sometimes unaffordably so — for small online newsrooms that lack the resources to contract a cybersecurity firm or hire information security consultants. Without technical support, independent news websites are very vulnerable to these attacks.

It is difficult to protect your news website with a minimum of technical expertise. Unfortunately, not many journalists know what to do when their website is attacked. Developers, computer engineers and hackers tend to be most familiar with security tech jargon, not journalists. It would be terrific if journalism universities across the board committed to adding cybersecurity as a subject in their academic curriculums, but for now, we have to accept the reality that we are not prepared to face cyberattacks.

If you’re a low-budget independent news site with few resources, you need to learn how to set up security parameters yourself or find technologists who can work pro bono. The good news is that there are more than a few pro bono cybersecurity specialists willing to help journalists in distress, and newsrooms can take advantage of their offers to help:

  • You can request help from the Information Safety and Capacity Project, a nonprofit organization based in Washington, D.C. that provides technical assistance to online news publications. Newsrooms that publish in Arabic, Russian, Spanish or English can apply for information security training sessions.  
  • You can also request help from a new organization called Security Without Borders, a collective of hackers and cybersecurity specialists who donate their time to help journalists and human rights activists in need of better online security.
  • Several years ago, a Canadian nonprofit launched the Deflect platform, which aims to help news and human rights websites withstand Distributed Denial of Service (DDoS) attacks. These attacks overwhelm website servers with requests for access until the website collapses and becomes inaccessible. Signing up for Deflect is free, with services offered in multiple languages including Spanish, Arabic, Persian and Russian. Deflect also offers free hosting and security certificates for websites built with WordPress.
  • You can also request help from Google's parent company, Alphabet, via its Project Shield, which aims to protect news websites and journalists from DDoS attacks.  The support is free for those who work in independent media and includes real-time analytics and security certificate support. You can sign up multiple websites in a single account.

In addition to support from those organizations, journalists should also learn the basic steps for preventing cyberattacks. You probably aren’t going to become a developer overnight, but it’s worth making the effort so that you are better prepared to request technical help when facing a DDoS attack. Some basic cybersecurity measures for media websites include the following:

  • Host your website on a dedicated server instead of a shared server. This will protect you from hackers who can use vulnerabilities on one website to attack another site hosted on the same server.
  • Get a security certificate and a unique IP address (you can get those for free with Deflect or Alphabet's Project Shield). Security certificates encrypt the information that transits between your users’ browsers and your server, while a unique IP address gives your website increased stability.
  • Install web application firewalls on all computers in your newsroom. Use a strong antivirus for each device.
  • Use strong passwords — you can use tools like this one to generate them.
  • Update every piece of software your website uses.
  • If you built your website with WordPress, make sure you hide your login page from site visitors. Other key steps for secure WordPress sites include the following: eliminating the metatag generator, customizing your login address and removing any information from your site about what WordPress version you’re using.
  • It’s good practice to only use short URLs on your site content. Hackers tend to use long URLs to gain access to the website files directory, which can then allow them to deface the homepage, destroy information or inject code.
  • Avoid keeping website files public, particularly files like readme.html, readme.txt, wp-config.php, wp-includes and .htaccess. With this simple step, you can prevent many common website attacks.
  • Set up a daily backup of your website. If a cyberattack is successful and infects your website's database, you can upload a clean copy while you clean up the infection.
  • Do not use insecure WiFi to access your website.
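
The two WordPress items in the list above (removing the generator metatag and version information, and keeping files such as readme.html and wp-config.php out of public view) can be checked on your own site with a short script. This is an added example, not code from the article or from WordPress; the function names and the sample HTML and responses are constructed for illustration, and it assumes you have already fetched the pages from a site you run.

```python
import re
from html.parser import HTMLParser

# Files the article lists as ones that should not be publicly readable.
SENSITIVE_PATHS = ["readme.html", "readme.txt", "wp-config.php", "wp-includes/", ".htaccess"]

class HeadScanner(HTMLParser):
    """Collects generator meta tags and asset URLs that carry ?ver=<number>."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append("generator meta tag: " + a.get("content", ""))
        url = a.get("href") or a.get("src") or ""
        if tag in ("link", "script") and re.search(r"[?&]ver=\d", url):
            self.findings.append("versioned asset URL: " + url)

def audit_homepage(html):
    """Return version-disclosure findings for one page of your own site."""
    scanner = HeadScanner()
    scanner.feed(html)
    return scanner.findings

def audit_paths(responses):
    """responses maps path -> (HTTP status, body) fetched from your own site."""
    exposed = []
    for path in SENSITIVE_PATHS:
        status, body = responses.get(path, (None, ""))
        if status != 200:
            continue  # 403/404 means the server already refuses the file
        if path.endswith(".php"):
            leaked = "<?php" in body  # empty 200 = PHP executed, source not shown
        elif path.endswith("/"):
            leaked = "Index of" in body  # directory listing is switched on
        else:
            leaked = True
        if leaked:
            exposed.append(path)
    return exposed

# Constructed sample data, not taken from any real site.
SAMPLE_HTML = ('<head><meta name="generator" content="WordPress 4.9.8" />'
               '<link rel="stylesheet" href="/wp-content/themes/news/style.css?ver=4.9.8">'
               '<script src="/wp-includes/js/jquery/jquery.js"></script></head>')
SAMPLE_RESPONSES = {"readme.html": (200, "<h1>WordPress</h1>"), "readme.txt": (404, ""),
                    "wp-config.php": (200, ""), ".htaccess": (403, ""),
                    "wp-includes/": (200, "<title>Index of /wp-includes</title>")}
```

On the sample data, `audit_homepage(SAMPLE_HTML)` reports the generator tag and the versioned stylesheet, and `audit_paths(SAMPLE_RESPONSES)` flags readme.html and the wp-includes/ listing; any finding is something to bring to whoever maintains the site.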

Jorge Luis Sierra is an award-winning Mexican investigative reporter and editor and an expert in digital security. Learn more about his work as an ICFJ Knight Fellow here.

Main image CC-licensed by Flickr via Nathan Meijer.