It’s no longer breaking news. It happens every day. I personally have never had one of my sites or my clients’ sites hacked. But I try to stay on top of the latest technologies and methods of hacking into SQL-based websites and try to prevent anything from happening.
However, there is a very fine line between being annoying and being prepared. What are you willing to sacrifice? I usually have to sit down on a regular basis and explain to my clients:
“Would you rather have your website hacked and defaced and possibly blacklisted by Google or use your convenient password name1232?”
Or something to that effect.
So I think I’ve decided to begin enabling 2-factor authentication for all my sites & client sites (likely Google authentication or Duo-Security). Or at the very least, I’ll start with accounts that contain administrative roles. But in the hacking community, all you need is a low-level login to get you started…
So I will eventually get everyone switched over to 2-factor. If a client says they do not want the 2-factor, then I’m going to start having them sign a waiver that they understand the risks. I realize that 2-factor authentication isn’t an end-all-be-all, but it’s a start.