Security and Your Website

How to make sure your website is secure

A great many websites get attacked or hacked every day, and a large proportion of those attacks are against small business websites! This goes to show that it’s not just the bigger organizations and companies that become targets; small businesses are targets too, sometimes because they assume they’re too small to be noticed, and sometimes because they just don’t have adequate security safeguards in place.

Here we’ll outline a few things that small businesses can do to secure their online presence from cyber-crime.

Website Security Threats: An Overview

Websites get attacked in many different ways, so here’s a brief overview of the most common security threats.

Spam

Ever been contacted by a foreign entrepreneur asking you to claim money on their behalf? That’s a typical spam gig. Easy to spot and harmless; most of us simply ignore this kind of junk nowadays.

But sometimes, spam can be more insidious. One common tactic is for a hacker to find your unshielded website or blog, then set up bots to flood your comments with links to their site, attempting to create backlinks to boost their own web presence. This can be very harmful to your own website presence because Google’s own bots can detect these malicious links on your site and demote it – or even blacklist it – in their listings. Additionally, the hacker’s links may contain phishing links or other malware, which in turn will demote your rankings even further.

They also make your site look really trashy, often driving away regular visitors, thus potentially losing you business.

Whatever the case, you’ll find your SEO rankings sinking like the Titanic if you don’t take steps to mitigate this behaviour.

Viruses and Malware

Malware and viruses come in lots of varieties, and they can be a massive threat to your website.

Viruses and malicious software tend to be used to access your private data, or to utilize your own website hosting to run services on behalf of a hacker. Your site can be hacked, have monetized ads placed upon it, or be replaced with a completely different site of the hacker’s making. Hackers can install malware onto your web server and/or computer in a variety of ways, such as phishing emails, URL redirects, and directly hacking an unprotected site.

The single biggest thing here is not to click on anything in an email or message that looks unfamiliar or weird. Educate your staff and clients on the importance of online and email security. Remember that both you and your customers are at risk from anyone who finds a way to exploit your website. You could find that your clients are coming after you because they’ve lost money through something that they clicked on in your website, which ultimately is the business owner’s responsibility to keep secure.

Distributed Denial of Service (DDoS) attacks

DDoS attacks block access for users trying to visit a specific website. Using spoofed servers and IP addresses, the hacker overloads a particular server or website with a massive amount of random traffic, tying up all the resources of the server and crashing your website.

Hackers use this technique for various purposes. Once your server is offline, it becomes vulnerable since its security systems are down, and the cyber criminal can plant all manner of malware on it, ready to infect an unwitting public. For this reason, web service providers offer additional protection, such as cloud security, which can block security loopholes until the website or server is back up and running. Hackers in the employ of rival companies can also use this technique to crash the web services of their competition, making them look unprofessional.

WHOIS Domain Registration Database

When you buy a domain name for your website, you’ll be required to release information about yourself. This information is recorded and is publicly available in the WHOIS database. This database contains personal information, your domain, URL, name servers, and other web-related info that hackers can use to search for websites and servers that may have vulnerabilities.

Of course, being publicly available, there’s not much you can do about this, but it does reinforce the case that you do need to keep your website and web server secure.

Search Engine Blacklists

As mentioned above, having your site hacked can hit your Google positioning and diminish your SEO substantially. And if internet users report your site as ‘spammy’ or malicious, it could be added to a search engine blacklist, which is an extremely difficult corner to get out of.

The best way is to avoid being reported in the first place. Create a clean, safe site for your website users, make sure both your website and your web server and/or hosting package are secure, and always use a reputable internet service provider, such as Hostpapa.ca.

Keeping your website safe

You can’t just assume that your website is secure. It may be hosted on a supposedly secure host, with a professional ‘small business’ hosting package with an ‘all-in-one’ security add-on pack, but if you haven’t taken steps to configure your cloud-based firewall beyond the basics, or set up spam protection, or installed a WordPress security plugin, then your website is probably vulnerable to some kind of attack. The Internet moves quickly, and even if you have done all of these, you still need to keep everything up-to-date, and under continuous review.

It’s complex, but what are the most important steps to take to improve your security?

Use HTTPS instead of HTTP

One of the top priorities on your security list should be making sure that your website loads using HTTPS (Hypertext Transfer Protocol Secure), rather than the insecure HTTP (Hypertext Transfer Protocol).

HTTPS tells your website visitors that they’re loading the actual website that they want from the correct server that it’s hosted on, and not a hijacked or hacked version. Without HTTPS, a hacker could potentially edit the info and data on your website or page in order to harvest personal data from your website viewers, such as passwords or credit card information.

Your website visitors will also feel much safer, knowing that your site is loading over a secure channel, as they will see icons similar to this in their web browser address bar:

[Image: HTTPS icons showing security padlocks]

You can improve your security by using an SSL (Secure Sockets Layer) certificate. An SSL certificate encrypts the communications between the server and the web browser viewing the website, adding an additional layer of security to keep your website safe.

With eCommerce websites, SSL is mandatory since you’re dealing with private info such as credit cards, but even if you’re not selling online, using the HTTPS protocol with an SSL certificate is good practice, and many web hosting providers, such as Hostpapa.ca, provide some kind of SSL for free with many of their packages.

Since Google recognizes and promotes using this secure transport protocol, using HTTPS will also improve your search ranking.

Keep your website software up-to-date

Website software needs updating as often as your computer does; sometimes even more so! Always make sure you have the most recent version of WordPress, DotNetNuke, Joomla, or whatever CMS you’re using, and your modules, plugins, CMS, and theme too.

Why keep everything up-to-date? Well, hackers use bots to scan for vulnerable websites, and older software can have weak points that make it easy for hackers to exploit your site. And you may not know anything about it until it’s too late.

If you’re unsure about how to manage this aspect, contact us and we can advise and assist you.

Choose a website hosting plan with security

We always advise that you use a recognized and recommended service provider with good reviews, so do your homework. Doing so will ensure that you’re using the most secure hardware and software to host and safeguard your website. But even with the best hosts, there are some things to watch out for:

Shared hosting for instance. Shared hosting is where the service provider hosts a range of websites on virtual servers, all located on the same physical server. This makes it cheap, but not necessarily the best choice, since if one of the other sites on the server gets hacked, the cyber-criminal could potentially hack the rest of the sites on the same server much more easily than if they were located on different physical servers.

Cloud or VPS (Virtual Private Server) plans are similar to shared hosting, but much more secure, and they still have a reasonable price point, so those types of plans would be a better option.

Change your password regularly

Not surprisingly, the best hackers can crack passwords really quickly, sometimes within minutes. That’s why you need to change your password regularly. You can use password manager software to help manage and secure your passwords, but however you manage it, change your passwords at least every 6 months, if not more.

You should also enable two-factor authentication on your host, website, and any associated services. In fact, it’s mandatory with credit card processing services such as Stripe. Two-factor authentication requires that you confirm a login on a separate device such as your phone, thus adding an additional layer of security.

Secure your desktop or laptop computer

Desktop computers are typically infected by viruses and malware when phishing emails are opened or malicious sites are accessed. This can open up your private information for hackers to steal, which is why you need good antivirus software on your computer. If your own PC is insecure, when you log in to your website, sensitive data can be immediately accessed by a criminal, who can then utilize your website for nefarious purposes without you knowing.

And if you’re a business owner or IT manager, make sure that your staff are adequately trained and aware of what they should and shouldn’t open on their work computers.

Monitor your security

It’s difficult to block every attack online, but there are tools and resources available that allow you to monitor your website. You can run audits that will give you a cross-section of your website, give you security info, and highlight vulnerabilities. This in turn means that you can take steps to prevent an attack before it happens, or be alerted when an attack is in progress so you can stop it and fix any damage.

There are a great many security plugins available for WordPress, and for other CMS users there is also a range of endpoint and cloud security software available to help protect and monitor your site.

User Security: Limit access

Many security issues arise due to human error – someone didn’t lock a PC before they left, or used an application they shouldn’t have – and one of the best ways to prevent this is to limit user access. Users should only have the permissions they need to do their job, and if someone is not meant to be a website admin, don’t give them the roles to do so. It’s as simple as that!

Having multiple users accessing your systems can lead to a lack of responsibility, and therefore potential security issues. Therefore, every user should have their own login credentials; you’ll find your staff much more accountable with this in place.

Backup your website

This is a no-brainer; always back up your site. Back up before you run an update, after you run an update, and at least every week, if not every night. Most hosting services come preloaded with some kind of backup solution, or have it as an add-on. And CMS software like WordPress has multiple options for backup plugins; we recommend and use Updraft.

Change default settings

Hackers use automated bots to find vulnerable sites, and one kind of vulnerability is a site with default settings. So when you’ve installed your website software, whatever it may be, make sure you change some of the defaults:

  • Comments settings
  • User registration role settings
  • Information visibility
  • File permissions
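For the file permissions item, the following added example (not part of the original article) walks a website folder and reports anything that every account on the server can write to, which matters most on shared hosting. The list of sensitive file names is an assumption to adjust for your own CMS.

```python
import os
import stat
import sys

# Assumed names of files that hold database passwords or keys; adjust for your CMS.
SENSITIVE_NAMES = {"wp-config.php", "configuration.php", ".env"}


def audit_permissions(web_root):
    """Return a sorted list of (relative_path, octal_mode, problem) under web_root."""
    findings = []
    for folder, subdirs, files in os.walk(web_root):
        for entry in subdirs + files:
            path = os.path.join(folder, entry)
            info = os.lstat(path)  # lstat: look at links themselves, do not follow them
            if stat.S_ISLNK(info.st_mode):
                continue
            mode = stat.S_IMODE(info.st_mode)
            rel = os.path.relpath(path, web_root)
            if mode & stat.S_IWOTH:
                # Any other account on the same server could change or replace this.
                findings.append((rel, oct(mode), "writable by every account"))
            elif entry in SENSITIVE_NAMES and mode & stat.S_IROTH:
                # Passwords in this file can be read by other accounts.
                findings.append((rel, oct(mode), "secrets readable by every account"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/your/site
    for rel, mode, problem in audit_permissions(sys.argv[1]):
        print(f"{mode}  {rel}: {problem}")
```

An empty report means no file or folder under the site is open to other accounts; it does not check ownership or the web server's own configuration.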

Restricting file uploads

In many cases, your website will need to have forms or functionality where users can upload their own files to your website. And as it’s more-than-possible for one of these users to be using a computer that may be infected with some kind of malware, this functionality should always be treated as if it was a potential threat.

You can help mitigate this risk by either restricting file types (in your CMS settings you’ll be able to customize the ‘allowed file types for uploading’ settings, so that only recognized, legitimate file types can be uploaded by users) or you can use third-party software or plugins to create a secure file upload system with virus protection and security.
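The file-type restriction described above can be sketched as follows; this is an added example, not code from the original article or from any CMS. The allowlist, the size limit and the function name `check_upload` are assumptions, and it checks the file's leading bytes as well as its extension, since the extension is only a label the uploader chooses.

```python
import os
import secrets

# Allowlist (constructed for this example): extension -> byte signatures a real file starts with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Extensions a web server may execute; refused anywhere after the first dot ("x.php.jpg").
SCRIPT_PARTS = {"php", "phtml", "phar", "asp", "aspx", "jsp", "cgi", "pl", "py", "sh", "exe"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit


def check_upload(filename, data):
    """Return (accepted, detail): detail is the name to store under, or the refusal reason."""
    # Keep only the last path component so "../" in the client's name is ignored.
    name = os.path.basename(filename.replace("\\", "/")).lower()
    stem, ext = os.path.splitext(name)
    if not stem or ext not in ALLOWED_TYPES:
        return False, "file type not on the allowlist"
    if SCRIPT_PARTS & set(name.split(".")[1:]):
        return False, "script extension inside the file name"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # The content must start like the type the extension claims to be.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match the extension"
    # Store under a random name so the uploader cannot choose the final path.
    return True, secrets.token_hex(8) + ext


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header, and a script renamed to .jpg.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("avatar.jpg", b"<?php echo 1; ?>"),
    ]
    for sample_name, sample_data in samples:
        print(sample_name, check_upload(sample_name, sample_data))
```

A signature check does not replace the virus scanning mentioned above; a file can have a valid header and still carry harmful content.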

Website Security: In Conclusion

Security of your website should be one of your top priorities as everyone is at risk, and even if you do take every measure, you could still be affected in some way, so you need to be vigilant. By employing all the tools available, you may not be able to make your website totally secure, but you can make it difficult to crack; hackers are often looking for a quick result, and if there’s some security, it can be a deterrent. When you set up your web server or hosting, and build your website, make sure you put at least some of these ideas into place, and if you’re unsure, hire the services of someone who does know something about online security.