One of the terrifying things that can happen to a website owner or manager is seeing all the work on their business website altered or even totally wiped out by website hackers.
You may have been hearing about data breaches and hacks in the news, or maybe even reading about them, and if your business is still growing, you may be wondering why anyone would want to hack the website of a “small business” like yours. Hold that thought.
You see, these hackers are not out for big businesses alone; current stats show that small businesses were the victims of 43% of all data breaches and website hacks. It can happen to anyone, even the most experienced website developer. This post will show you how to protect your website and web application, and be on top of security issues before they overtake you.
Understanding Website Security
We know website security can be a little complex, but we’ll help you with this post. First, you need to understand that website security is an ongoing process and never a “set-it-and-forget-it” solution. Rather it is a continuous process where constant assessment is required to reduce the risk of being hacked by cyberattackers. Therefore, it is of utmost importance to take your time to secure your website from hackers using these tips below.
1. Make Sure Your Software Is Up-To-Date
The update we’re talking about isn’t about posting new content or updating your audience with your latest products or services. This is more about updating the software, security, scripts, and certificate of your website when necessary as a guaranteed way to stop intruders and even malware from taking advantage of your website.
This update covers the server operating system, the programming language version, and software such as a CMS or anything else you may be using on your website. When hackers notice loopholes in your software, they are quick to take advantage of them.
Using a Content Management System – CMS – has a lot of benefits, mainly because you can extend your website almost without limit using various plugins and extensions. However, the more plugins/extensions you use, the more vulnerable your website is. This is primarily because many of these tools are created as open-source software programs, which makes their code easily accessible.
If you’re using a website built on WordPress, you can always check if you’re up to date when logging into your WordPress dashboard. You can do this by checking for the update icon on the left corner below your website’s name.
If you don’t see it immediately, click or hover on the dashboard link and it will show up.
Once you are on the updates page, you can see the list of available updates and apply them there. It is also important to note that if you’re using a WordPress managed hosting solution, the company might take care of this for you. For those that know how to set cron jobs or those using Softaculous, you can also set auto-updates.
If you are using shared hosting, most times, the company will handle applying security updates for the operating system, but if you are not, ensure that you take care of this.
Allowing your website software to become outdated is very detrimental to your website security. This is because, aside from hackers inserting malicious code, you’ll also have bugs and glitches to worry about.
2. Do Periodic Virus Scans
Regardless of how well you protect your website, sometimes hackers still get in. To catch them quickly, ensure that you do periodic virus scans. Some web hosting companies offer automatic virus scans, which is excellent. If yours doesn’t, run the manual scans yourself.
Beware, though, that not all web hosting companies offer virus scans at all – whether manual or automatic – for free. Many provide it as an add-on paid service. So, check this out before choosing a web hosting provider.
If you have already paid for web hosting before checking this, log onto your cPanel or any hosting management application that you use and search for “virus” to see if you have one.
3. Use A Strong Password
It’s no news that complex passwords should be used, but not everyone uses complex passwords. It’s always very tempting to use a password that you know you will never forget easily. If you want to ensure your website is secured, then you have to make efforts to figure out a truly secure password.
Below is a list of easy passwords people use:
If you’re using any of the passwords listed above, it’s time to change it – change it right now. Here are some tips on how to choose your password.
- Combine three unrelated phrases that you can remember.
- Don’t use one password across the board; use different passwords, and use a password manager to track all your passwords
- Avoid the use of personal information for your password
- Use a lengthy password
- A randomly generated sequence of characters is a great option.
Another option is to use the password suggested by Google and co. It will be secure, and you can use a password manager to remember it. It’s not enough for you alone to use a strong password; you have to make sure that everyone who has access to your website has a strong password as well, because one weak password in your team can make your site vulnerable.
Once you have come up with a strong password, be careful not to share it with anyone, and you should change it regularly – maybe every three months or thereabout.
4. Set Up Two-Factor Authentication
Before hackers can gain access to your website or server, they’ll first need to figure out your password. Though it will take them time – some even years – bots can still crack any password. Just give them time.
One way to protect yourself even better is to use two-factor authentication. You must do this both on your server and on the admin pages of your website. There are two popular 2FA tools that many people trust – Google Authenticator and Duo Security. Either is fine and quite easy to use and set up.
It’s easy to do this if you are using cPanel and most good hosting management tools. Search for 2FA or two-factor authentication, then follow the prompts to connect it to your 2FA app of choice.
For WordPress, you can set up a plugin. Duo has a WordPress plugin. For Google Authenticator, there are a bunch of plugins available. Alternatively, you can set up the WordFence plugin – I’ll go into this more in the next point.
Bonus Tip: protect sensitive files by setting file permissions on each sensitive folder/directory on your website. That way, unauthorized file uploads become much harder from any login other than the admin or another top-ranking login.
5. For WordPress Websites – Use WordFence
As mentioned above, the WordFence plugin can be used to set up 2FA, but it’s more than 2FA. WordFence can protect WordPress sites in a lot of ways, and I’ll mention a few:
Pick Out Hacker Files:
Sometimes you wouldn’t know if hackers have come into your site unless you go through each file in your server, and if you have lots of files, that’s just a whole lot of work. Plus, even a virus scan doesn’t pick up some of them because they aren’t precisely viruses.
WordFence makes this easy by scanning through your server/WordPress installation to check for files that don’t belong there and could have been dropped in by a hacker. It will also check the theme and plugin files on your website for differences against those in the plugin’s official GitHub repository and on WordPress.org.
Brute Force Protection and Login Security
When it comes to WordPress security, one thing is well known – the CMS is notorious for brute force attacks. However, WordFence can protect you against it. Also, it has a bunch of login security tools, including the 2FA mentioned earlier.
6. Use HTTPS
HTTPS is vital for website security; it protects you, and when you see it on a website, that shows you that it is safe to provide certain sensitive information on that particular webpage.
What is HTTPS?
HTTPS is an abbreviation for HyperText Transfer Protocol Secure. It is a way to encrypt information that you send between a browser and a web server. This protects your website’s users from “man-in-the-middle” attacks, where someone steals the data being sent to a website, like credit card information or login details.
Simply put, HTTPS ensures that information provided by your website visitors is not intercepted or changed by unauthorized personnel. Originally, HTTPS connections were designed for sites that contain sensitive information, but the new trend is that more websites, with or without confidential information, are switching to HTTPS.
HTTPS has become easier to implement, and it’s fast becoming the standard for all sites. If you want to earn the trust of your website visitors and reduce bounce time, now is the time you make your website HTTPS. Imagine this website below:
Why would I want to trust you to secure my money when you can’t even secure your website? And this is even a good example.
Also, it’s now a factor in search engine ranking. This means that without adding HTTPS to your website, it may not be seen on top of Google search even if your SEO game is top-notch.
To get HTTPS, you need to install an SSL certificate. Some web hosting providers give it for free. If you don’t have one, you can purchase one.
7. Invest in Periodic Backups
Technically, your security can never be guaranteed; you’re always going to face the risk of being hacked. However, the worst thing that can happen is that you’ll lose everything on your website. The good news here is that this can be avoided if you back up your website files. It’s one of the safest ways to protect your site.
You can say it’s your last and best form of defense. You can still have the recent version of your website stored safe and ready to be relaunched, provided you have created a backup of your website.
Being hacked is never a pleasurable experience; it can be stressful trying to figure out how to restore your website. However, when you have a recent backup, recovering is much more comfortable. As often as you update your website, do backups as well.
Also, if there’s a chance that you might forget to do backups, then you’ll have to invest in automatic backups. If you do this, you’ll be buying peace of mind alongside.
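A backup only helps if it can actually be restored, so an automated job should check each archive it writes. The script below is an added example, not a feature of any particular hosting provider; the archive naming scheme, the checksum file stored beside it, and the sample site are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def make_backup(site_dir, backup_dir, label):
    """Archive site_dir as site-<label>.tar.gz with a SHA-256 sidecar file."""
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, f"site-{label}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    with open(archive + ".sha256", "w") as fh:
        fh.write(sha256_of(archive) + "\n")
    return archive


def verify_backup(archive):
    """True only if the checksum still matches and the archive lists files."""
    with open(archive + ".sha256") as fh:
        if sha256_of(archive) != fh.read().strip():
            return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return len(tar.getnames()) > 0
    except (tarfile.TarError, OSError, EOFError):
        return False


def demo():
    """Constructed sample: one good backup, then the same file cut in half."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        os.makedirs(site)
        with open(os.path.join(site, "index.html"), "w") as fh:
            fh.write("<h1>home</h1>\n")
        archive = make_backup(site, os.path.join(tmp, "backups"), "20240101")
        fresh_ok = verify_backup(archive)
        # Simulate an interrupted upload by truncating the archive.
        os.truncate(archive, os.path.getsize(archive) // 2)
        return fresh_ok, verify_backup(archive)
```

Run `verify_backup` again after copying an archive to its storage location, since that is where truncated or damaged copies usually appear.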
8. Get Website Security Tools
When you think you have done all you can, then it’s time to test your website security. The most effective way of doing this is through the use of some website security tools, often referred to as penetration testing.
Many commercial and free products are available to assist you with this penetration testing. They work on a similar basis to the scripts hackers use, in that they test all known exploits and attempt to compromise your website, helping to check your website’s strengths and weaknesses. Here are some of the free tools that you should check out:
- Netsparker: useful for testing SQL injection and XSS
- OpenVAS: suitable for testing known vulnerabilities, currently scans over 25,000. But it can be challenging to set up and requires an OpenVAS server to be installed.
The results from these automated tests can be discouraging, as they often present a considerable number of potential issues. We, however, advise that you focus on the critical issues first. For these tools, each issue they will show you comes with an explanation of the potential vulnerability. You will probably find that some of them aren’t a concern for your website.
9. Check Google Search Console
The goal of some hackers is to index their links on Google through your website to make it look as if their malicious links are coming from your website. They only need to put a few files on your website and probably add a few lines of code to your .htaccess file on your server, and Googlebot wouldn’t know any better.
This will affect you negatively because it can lower your trust score on Google, and your domain can be flagged. Secondly, when someone searches for your domain or brand name on Google, those links can show up as well. Do you know how scary it is to see a pornography link with your brand name when you don’t sell porn? Exactly.
Usually, when people gain access to Google Search Console as new owners, Google will send an email to you. However, you might not see it in time, and the hacker might quickly remove you as the owner. One way to prevent this is to always stay on top of your email alerts.
Another way is to verify your website using more than one method. First, verify through DNS records – don’t worry, Google will direct you on how to do this.
Then, use the URL prefix.
With the URL prefix, try to verify with Google Analytics as well. You can also do HTML, but with Google Analytics, they can hardly remove you as the account owner unless they disconnect your website from Google Analytics. If you can verify with Google Tag Manager, do it as well.
Click on this link to learn how to set up Google Tag Manager and use it.
Good website security starts with you; 95% of website hacks are caused by human error or negligence. Another important aspect of this is to ask who built your website? You have to choose a reliable website builder and hosting provider. Your website security and protection from lurking hackers are a critical aspect of ensuring the health and safety of your site in the long run.
Following the tips above gives you a level of insurance; however, you also need to understand that the advice above is by no means exhaustive. For now, though, start with what you have learned here so far.
The best time to start taking action is NOW!!! Don’t procrastinate.