Experts predicted that in 2019, business websites would fall prey to ransomware attacks at the rate of one site every 14 seconds.
In 2018, the damage to websites attacked by cyber criminal exceeded 5 billion dollars.
Every year, these attacks grow in size, and before you know it, it could be your website that is affected.
Why You Need To Keep Your Website Secure
Every website is potentially vulnerable to these attacks.
You need to keep yours safe. An unsecured site can be compromised. Your customer’s data might be stolen. This can lead to lost revenue, costly website coding repairs, and many other problems.
You can protect your website from hackers. We’ll start off with a few basic descriptions of the types of attacks that you might encounter. This is followed by the eleven tips to secure your website.
Potential Web Attacks/What To Prepare For
Whaling / Spear-Phishing
Phishing attacks are used to get people to give away their personal information, such as a social security number or bank account pin number. These attacks aim at broad audiences in hopes of fooling as many people as they can. Typically, phishing is done by email.
For example, a hacker sends out an email that looks like it comes from a bank, causing the recipient to click on the link in panic. That link takes the person to their standard looking banking site. But it is a site only designed to look like the real one. Someone who falls for one of these tricks and fills out the form on that site accidentally gives away their information.
Spear-phishing is similar, but it targets one specific person, not a lot of people in general. Hackers choose a particular target and then try to get them to give away their sensitive information.
Whaling is similar to spear-phishing. Only, in this case, a critical executive, at a company is targeted. That person is called a “whale” due to their influence and power. Hackers try to lure in whales, hoping to gain high-level access to company websites and bank accounts.
Ransomware hits everyone from the average computer-user to those who operate websites.
These attacks consist of a hacker taking control of a computer and refusing to allow the user to access even the most basic commands. Server-side ransomware works similarly, except the hacker, gains control of a website server. Access to every website on that server is lost until the hackers are overridden or have their demands met.
IoT stands for Internet of Things. The term refers to the large number of devices that connect to the internet, such as smartphones and tablets that link to the internet and access sites.
The main IoT vulnerabilities are privacy issues, unreliable mobile interfaces, and inadequate mobile security. All of these stem from websites that don’t have the right protective measures installed or those that aren’t optimized for mobile devices. Hackers can take advantage of these issues and use them to gain access to your website.
Securing Your Website, The First Steps
Protecting your website from being hacked can be achieved in a simple 11 step process.
1. Use Secure Passwords
The best website security starts with a secure password. The backend (the developer side) of every website is password protected. Although it’s tempting to use an easy to remember password; don’t.
Instead, pick something that is extremely secure and tough for anyone but you to figure out. A good rule of thumb for passwords is to include a mix of capital letters, punctuation, and numbers, or use a strong password created by a password manager. Never use something that is easy to guess. This goes for everyone in your organization.
2. Be Careful When Opening Emails
Many phishing attacks appear in emails. Hackers also send viruses via email. Every one of your employees (including you) needs to be careful when opening emails from people you don’t know, especially if those emails have an attachment. Spam guards aren’t infallible. A hacker can compromise website security with a virus, wreaking havoc on your website.
Even attachments that are scanned and declared to be “clean” can still contain harmful viruses. Train your employees to use security precautions when opening emails with attachments.
3. Install Software Updates
Manufacturers keep operating systems and software running efficiently with regular updates. It can be tempting to push those updates aside to save time. After all, many of them require a complete system restart and some installation time which eats into productivity. This is a dangerous practice, as those updates contain crucial new security patches. You need to install these updates as they are available to keep your entire system secure.
4. Use a Secure Website Hosting Service
Your web hosting service plays a vital role in the security of every website under their jurisdiction. Choose yours wisely.
Before you build or move your site to a host, ask them about their security platform. The best hosts work with or hires experts in the internet security field. They understand the importance that their customer’s websites aren’t vulnerable to attack.
Make sure they include a backup option. You could lose valuable information due to a hacker. It is easier to rebuild your site from a backup than it is from scratch.
Managed options are also available, such as Security as a Service (Saas).
5. An SSL Certificate Keeps Information Protected
The letters in “https” stand for Hypertext Transfer Protocol Secure. Any webpage that uses this protocol is secure. Those pages exist on a specific server and are protected. Any page that contains a login or asks for payment information needs to be on this secure system. With that said, it is possible to set up your entire website using https.
Google has started marking sites in the Chrome browser as unsecured that do not use SSL Certificates or encrypt data.
6. Secure Folder Permissions
Websites consist of folders and files that contain every piece of information necessary to make your site work properly. All of these live on your web server. Without the right privacy protections and security measures, anyone with the right skills can get in and see this information.
Prevent this from happening by assigning security permissions to those files and folders. Go to your website’s file manager and change the file attributes.
In the section for “numeric values” set the permissions to these options:
- 644 for individual files
- 755 for files and directories
7. Run Regular Website Security Checks
A good security check can identify any potential issues with your website. Use a web monitoring service to automate this. You need to run a test on your site’s programming every week (at minimum). Monitoring services have programs that make this easy to do.
Once you receive the report, pay close attention to the findings. These are all of the vulnerabilities on your site. The report should contain details on them. It may even classify them according to threat level. Start with the most harmful and then fix these issues.
8. Update Website Platforms And Scripts
If you use WordPress, ensure that you are running the most updated version. If you are not, then update your version by clicking on the button on the upper left side of the screen. It is imperative to keep a WordPress site current to avoid any potential threats.
For people who don’t use WordPress, check your web hosts’ dashboard for updates. Many of them will let you know which version of their software you’re running and keep you informed of any security patches.
You also need to check your plugins and tools.
Most WordPress plugins are created by third-party companies (or individuals.) Although they are safe, for the most part, you are relying on those third parties to keep their security parameters up to date. Set aside time to check for plugin updates at least once a week, and keep an eye out for anything that may seem strange, such as a plugin that ceases to work correctly. This could be a sign that it’s compromised.
9. Install Security Plugins
There are several options here, depending on what type of website you run. For those based on WordPress, there are specific WordPress security plugins that provide additional protection. Examples include Bulletproof Security and iThemes Security. If your site is not on WordPress, protect it with a program like SiteLock.
Security plugins prevent hackers from infiltrating your site. Even the most up to date hosting platforms have some vulnerability. These plugins ensure that no one can take advantage of them.
SiteLock monitors your site continually looking for malware and viruses. It also closes those vulnerable loopholes, providing additional security updates.
10. Watch Out For XSS Attacks
XSS is cross-site scripting. An XSS attack is when a hacker inserts malicious code into your website, which can change its information or even steal user information. How do they get in? It’s as simple as adding some code in a blog comment.
11. Beware of SQL Injection
SQL stands for Structured Query Language. It’s a type of code that manages and allows people to search for information in databases.
Here’s an example of an SQL Attack: if you have a search form on your website, people can enter terms to look for specific new information. Now imagine that someone got into your database files and inserted a code designed to mess them up.
That code can delete information and make it tough for the website to find what it needs to run. Hackers get in through URL parameters and web form fields and wreak havoc. Keep this from happening by setting up parameterized queries and make sure to create secure forms.
Now You Know How To Secure a Website from Hackers
Hopefully, now you understand the importance of creating a secure website. You also understand the eleven necessary steps to follow to prevent hackers from gaining access to its code and elements.
Leaving your website vulnerable to hackers can destroy your livelihood, especially if you run a web-based business. All that it takes is one lapse, and years of years client information can be compromised. This makes your company look bad and creates negative press attention. You’ll lose customers, many of whom may not come back.
Don’t allow this scenario to happen. Instead, focus on website security using the tips presented here.