One of the absolute worst feelings you can have as a business owner is the sinking in your gut that comes from trying to log into your Facebook page, only to find the page vandalized. A million thoughts clamor for attention. What damage did the intruder do? Was any customer information compromised? Did you have any sort of backup to restore your page? How long has it been like this? Some hackers just do damage and disappear; others insert insidious backdoors to return later, when you think you’re safe. How can you protect your Facebook page and make sure this nightmare scenario never happens?
Use a Long, Strong Password
Facebook requires a login, which is easy to forget when you log in from the same computer every day, with the remember me box checked, so you never see the login screen. Unfortunately, even if you never see it, that password is the only thing keeping other users out of your account. You need to make sure your password is both long and strong.
Long: Try to come up with a password that caps out the character limit for Facebook passwords, which is 21. Longer passwords are harder to brute force or otherwise crack manually.
Strong: Avoid dictionary words. Avoid dictionary words with letter substitutions, such as 0 in place of o. Brute force password crackers use dictionaries with common letter substitutions and can crack a word much more quickly than a string of random characters. Use both upper and lower case letters. Use numbers. Use at least two special symbols, such as $ or &.
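The Long and Strong rules above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it rejects dictionary words even when they are disguised with letter substitutions, and generates a random password that meets every rule. The word list, substitution table, symbol set and function names are small constructed assumptions.

```python
import secrets
import string

# Constructed sample data: a real check would load a large word list.
SAMPLE_WORDS = {"password", "facebook", "dragon", "monkey", "letmein"}
# Common substitutions undone before the dictionary lookup (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
SYMBOLS = "!#$%&*+-=?@^_"
MAX_LEN = 21  # the limit the article states for Facebook passwords


def contains_dictionary_word(password, words=SAMPLE_WORDS):
    """True if a listed word appears after undoing letter substitutions."""
    normalized = password.lower().translate(LEET)
    return any(word in normalized for word in words)


def problems(password):
    """Return the list of the article's rules that the password breaks."""
    found = []
    if len(password) < MAX_LEN:
        found.append("shorter than %d characters" % MAX_LEN)
    if not any(c.islower() for c in password):
        found.append("no lower case letter")
    if not any(c.isupper() for c in password):
        found.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        found.append("no number")
    if sum(c in string.punctuation for c in password) < 2:
        found.append("fewer than two special symbols")
    if contains_dictionary_word(password):
        found.append("contains a dictionary word (after substitutions)")
    return found


def generate(length=MAX_LEN):
    """Draw random passwords from the OS CSPRNG until one passes every rule."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not problems(candidate):
            return candidate


if __name__ == "__main__":
    print(problems("P4$$w0rd!"))  # substitutions do not hide the word
    print(generate())
```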
Change Passwords Regularly
It’s not enough to have a single strong password. Remember, we live in a time of database leaks and security holes, from the hacking of sites like Sony to rampant bugs like Heartbleed. You never know when a database that contains your information may be compromised.
To help prevent hackers from using old information to crack your account, change your password regularly and never repeat passwords. It’s a good idea to change your passwords once every 3-6 months. Additionally, if a site you use is compromised, change any similar passwords.
Use a Unique Password
This was mentioned above, but bears repeating; don’t use the same password on multiple sites. Yes, it’s hard to remember the dozens of passwords you would need for the accounts you have scattered throughout the Internet. It’s even more complicated when you’re changing your passwords regularly. The solution to this problem is to use a password manager. There are a number of good password managers available; which you choose is up to your personal preferences. LastPass, Dashlane, Roboform and Keeper are all good options.
Of course, you need to be even more careful with safeguarding your master password when you use a password manager. If that is compromised, you essentially lose your entire digital keyring. Whenever possible, use two-factor authentication. Most good password managers enable it by default, including those mentioned above.
Use a Display Name Different From your Username
Facebook pages have one benefit over other sites; the name users see when you post isn’t necessarily the name you use to log in. This gives you an additional layer of security; instead of just guessing your password, a hacker has to guess your username as well. This can be as difficult or as easy as you make it. As a general consideration, try to use a completely distinct login name, not something easily found on other sites as a username, or easily guessed as part of a matched set of logins.
HTTPS is the secure way of browsing the web and automatically encrypts your traffic, whenever the site accepts it. Facebook has an active security certificate, meaning you’re free to use HTTPS with any interaction on the site. To use HTTPS, simply add the S to the HTTP in your URL. To automate the process, use one of the many browser extensions that apply HTTPS, such as HTTPS Everywhere.
Practice Chat and Email Safety
One of the best benefits of social media is the ability for users to contact you at the drop of a hat. This means you’re likely to be wading through a huge daily influx of communications, mostly unsolicited. It’s easy to see a message claiming to be from a Facebook admin and start second-guessing yourself.
Facebook – and every other site – will actively warn you that they will never contact you asking for your account information. Think about it; they control the infrastructure. They don’t need your information to get into your account, unless they intentionally encrypt all accounts. Even then, there’s no reason they would need to see things from your internal perspective. They have their own tools and methods to solve any issue that comes up.
Never give your password or login name out to anyone, via chat, email or any other communication. Furthermore, always check to make sure you’re actually on the Facebook site before you log in. Phishing sites are designed to look just like the Facebook login page, and some will even forward your credentials and log you in normally, leaving you completely unaware that you gave your information to a middleman.
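Checking that you’re actually on the Facebook site comes down to reading the host name in the address correctly, not just spotting the word "facebook" somewhere in it. The Python sketch below is an added example, not part of the original article: it accepts only HTTPS URLs whose host is the trusted domain or one of its subdomains. The allow-list, function names and sample URLs (on the reserved .example domain) are constructed assumptions.

```python
from urllib.parse import urlsplit

# Domains treated as genuine for this example (assumed allow-list).
TRUSTED_DOMAINS = ("facebook.com",)

# Constructed sample URLs; the lookalikes use the reserved .example domain.
SAMPLE_URLS = [
    "https://www.facebook.com/login",
    "http://www.facebook.com/login",                 # not encrypted
    "https://facebook.com.login-check.example/",     # real host is the tail
    "https://www.facebook.com@login-check.example/", # text before @ is not the host
    "https://notfacebook.com/login",                 # merely ends in the same letters
]


def is_genuine_login_url(url):
    """True only for an HTTPS URL on a trusted domain or a subdomain of one."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL: treat as untrusted
        return False
    if parts.scheme != "https":
        return False
    # Compare whole labels: "x.facebook.com" passes, "notfacebook.com" does not.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(urls):
    """Map each URL to the verdict of is_genuine_login_url."""
    return {url: is_genuine_login_url(url) for url in urls}


if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print("OK     " if ok else "REJECT ", url)
```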
Audit Plugins and Apps
This one is a little less applicable to Facebook business pages than to personal pages or to non-Facebook sites, but it’s still a good practice. Any time you use an app or plugin, make sure it’s been updated recently. The longer it’s been since an app was updated, the longer hackers have had to compromise it. It’s not guaranteed that an old app is compromised, far from it, but it’s better to be safe than sorry. Remove old apps when you’re done with them, whenever possible.
Use Text Message Notifications
Facebook, deep in the settings menu, allows you to check a box that enables text message notifications. You enter your phone number and, if your account is ever logged into from a location outside of your typical IP range, the site will send you a warning message. If you’re a frequent traveler this could get annoying, but the vast majority of Facebook page owners are not in that situation. Enable this notification; it could save you hours or days of hassle.
Limit Who Has Access
Yes, you’re busy. Yes, you can delegate your social media management to an intern or a small team. You should, if you do delegate, limit the number of people who ever have access to your account.
Even better: use Facebook Page Roles. Page Roles are special accounts you can add to the administration team of your Page. Essentially, you get to keep sole control of your admin account. It is the only account that can manage page roles and page settings. Any other account you add can be set to a limited scope. The roles are:
- Analyst: The most limited, only able to see who posted as the page and view page insights.
- Advertiser: Able to access everything above, and can also create ads.
- Moderator: Able to access everything above, and can send messages as the page, as well as respond to or delete comments and posts on the page feed.
- Editor: Same capabilities as the moderator, but can also create and delete page posts, or edit them. Can also add apps.
Make use of limited page roles to keep security throughout your page, even with a social media team.
Keep Your Computer Clean
All the security in the world won’t help if your computer is infected with a virus that snoops on your traffic and logs your keystrokes. You could have the strongest password ever created, but if you type it out to a virus, it’s there in plain text for a hacker to see. Make sure your computer – and your business network, when applicable – is free of viruses and is running updated security software.