7 Tips on how to Keep Your Website Security high and protect it from Hackers
You might think that because you are operating a small business and appealing primarily to a local audience, your website has nothing to offer for intrepid hackers. Unfortunately, this couldn not be further from the truth.
Data from the Symantec Internet Security Threat Report reveals that up to 43% of cyber attacks target small businesses, with most of these threats being perpetrated via web-based attacks.
To make matters worse, when cyber criminals infiltrate these websites their focus often isn’t on data. Instead, hackers will use small business servers to distribute high volumes of spam, or to upload fake websites that can spread malicious files to other networks.
So, what should your business do to counter this growing threat? You can go a long way toward protecting your website from cyber-attacks by adhering to cyber security best practices.
1. Work with a Secure Web Host
There are hundreds of web hosting providers on the Internet, each offering competitive features and services. Sorting through all these options can be overwhelming, especially for someone without a relevant expertise. While review sites and web forums should give you some idea about web hosting reliability and quality, there are a few key characteristics that any secure web hosting provider should have by default:
- Online backup services that can restore your lost or stolen data without any compromise. Before making your choice on web hosting, it’s best to enquire the provider about what data exactly gets backed up, where it is stored, and for how long it is being retained
- Distributed Denial-of-Service attacks (DDoS) are a common technique hackers use to shut down websites. Assailants will cause your Internet service to shut down (denial of service)by generating numerous requests to access your web page using multiple computers and connections. A good hosting provider should have filters in place that help distinguish real requests from fake ones, protecting your website from flood attacks.
- Regular web traffic to and from your website is insecure and becomes obvious to any hackers wishing to eavesdrop. SSL certificates remove this vulnerability by encrypting private data exchange bewteen you and your customers. Sensitive personal data such as credit card details, physical addresses or full names only show up as a scrambled text.
2. Use Security Plugins
There are several methods hackers may employ to infiltrate and disrupt your website. Content management systems such as WordPress offer a variety of security plugins that can counter these attacks.
Best-in-class security plugins offer the following capabilities:
- They scan your files, databases, posts and comments for any malicious files or code, alerting you when files have been changed so you can repair or remove infected ones as needed.
- They will lock out users attempting to “brute force” their way into your website with the help of automated scripts that enter thousands of passwords into your system. These scripts will lock out users after too many login failures, and they will also prevent WordPress from giving users vital login information.
- They can recognize known vulnerabilities on your website and stop them immediately.
- They will limit the number of access requests from specific IP addresses to prevent your website resources from being overwhelmed in case of attack.
3. Improve Overall Network Protection Level
You should change your passwords periodically. This widely known fact is really obvious, but often times neglected. Create complex passwords by combining numbers, letters and symbols into a phrase you can remember easily. There are ways to create complex looking passwords that are easy to remember. For example: “2 H0t pi33a$” uses a combination of characters in the sentence “two hot pizzas”.
Having different password for your email and bank account is a must, turning security into a training regimen for your memory. For storing and easily recalling multiple passwords, consider using a password manager tool. We can help you pick the one that best suits your type and size of business - simply get in touch with us.
Login credentials to your website should be expired after a certain period of inactivity. Make sure that your own administrator account is not labeled “Admin” because this will make it exceedingly easy for hackers to guess your username, and move to cracking your password. Delete this generic account as soon as possible and make a new administrator account instead.
4. Regularly update Software
Any good content management system will regularly release patches and updates to shore up vulnerabilities in their software. Make sure you regularly install these updates so that you have the latest version running on your website.
Hackers are constantly scanning websites looking for vulnerabilities to exploit so delaying a vital update can exponentially increase your chances of being targeted. Especially vulnerable are small businesses, where financial information is centralized in a way where a potential breach can, in effect, shut down the whole business. The most common tool hackers use in this case is phishing — usually targeting the person responsible for managing finances and business transactions. A good helper tool for building a modern and secure website is Slickplan.
5. Start using Two-Factor Authentication
Also called multi-step verification, this mechanism adds an extra layer of protection to your website’s sign-in process; creating a more rigorous standard for identity verification. The second factor of authentication will usually come into play after you have entered your usual username and password. The next login prompt comes from applications like Google Authenticator, which will ask you to enter a secondary password on your phone (sent by text or using the Authenticator app).
The secondary step does not have to be another password. It can be a pin code that is updated every minute, or even a secret question used to verify your identity. While two-factor authentication is usually linked to a physical device, it can also be based on biological information such as fingerprints or voice recognition. The best practice is to use factors of identification that best match your work style and schedule. In some cases, the time or location of the login is used for successful verification.
This step makes it much harder for hackers to infiltrate your website, reducing the risk of fraud and data theft.
6. Mobile Security
Employees sometimes use devices provided from the company but it’s not uncommon to see people using their personal smart phones for work. This type of cross-over opens several possibilities for hackers to break the integrity of your network security.
Protecting your personal phone, even if you don’t use it for business is a must - hackers can use a break point in a personal device as a steppingstone for reaching sensitive corporate data. Always keep your device updated and install applications only from trusted vendors. Never send Personally Identifiable Information (PII) in a text message, email or similar. Performing data backups is highly recommended, and a strong lock screen password is essential.
Be aware that the chances of your data being compromised by either hacking, phishing or malware are just as big as the ones where you make a mistake by accident – criminals love to take advantage of unforced human faults. Human error has always been a big factor in cyber security and must be regarded with the importance it really deserves. With AI becoming better each day, the inferior ability of people to avoid mistakes becomes even more obvious.
This is a type of malware that relates to data the same way people relate to kidnapping. An example of ransomware is when your data is stolen by perpetrators and locked via encryption. The data kidnappers hope that you need it back so much that you are willing to pay money for it, and in some cases will even leave the encrypted files on your server.
There are two basic ways this type of theft can occur: one is taking advantage of unforced human error we mentioned above, usually backed up by a tint of social engineering, while the other ignores people factor and focuses solely on software vulnerabilities. Usually, best result come from a combined methods using whatever part of security is neglected, and thus vulnerable to breach. Ransomware is used by manipulators that are not only tech savvy but also have background in human psychology. To protect yorusef from these, you need to always stay vigilant on both fronts.
Need Help with Your Website Security?
CodeCoda has developed a range of tailored solutions for the security concerns of all types of organizations. Contact us today for a website security audit and specific recommendations for keeping your site safe.