By Lars Lofgren
Your website is at risk.
I’m not saying this to try and scare you, but that’s the reality of the world we live in. More than 50,000 websites get hacked each day.
You can’t have the “it won’t happen to me” mentality. I encounter businesses all the time who feel this way. They think hackers have bigger fish to fry and don’t have any reason to target their website. That’s simply not the case. In fact, 43% of cyber crimes are against small businesses.
Roughly 54% of companies worldwide say they have experienced at least one attack within the last year. Just 38% of businesses say they’re prepared to handle cyber attacks.
I don’t have a magic crystal ball or some way to see into the future, but my gut tells me that cyber criminals aren’t going to just wake up one day and decide to stop hacking websites. So you need to take steps to improve your website security.
That’s what inspired me to write this guide. I’ll show you what needs to be done to secure your website today, in 2019.
Common website security threats
There isn’t just one way that websites get attacked. So before we proceed, I want to give you a brief overview of some of the most common threats to your website security. These are the things that you’ll want to avoid and be prepared for when taking security measures.
Spam
Usually, we perceive spam as something annoying. We all get spam emails delivered to our inbox or see the occasional spam popup when we’re browsing online.
However, sometimes spam is more malicious. Spam in the form of comments is extremely common on websites. Bots can hammer the comments section of your website with links to another site as an attempt to build backlinks.
While those types of comments are annoying and don’t look good on your website, they aren’t always damaging. But, some of those links might contain malware, which can harm your website visitors if they click on them.
Furthermore, Google’s crawlers can often detect malicious URLs and penalize your website for hosting spam. This will crush your SEO ranking.
Viruses and malware
For those of you who don’t know, malware stands for “malicious software.” So malware and viruses are essentially the same thing. Malware is arguably the biggest threat to your website. As many as 230,000 malware samples are created each day.
According to Statista, these are the most common types of malware used in cyber attacks across the world:
As you can see, malware comes in all different shapes and sizes. That’s why it’s such a big threat to your website.
These types of viruses are often used to access private data or use server resources. Criminals also use malware to make money with ads or affiliate links by hacking your website permissions.
With malware, both you and your website visitors are at risk. Someone visiting your site could click a link that downloads a malicious file onto their computer. It’s your job to keep your website secure and prevent that from happening.
WHOIS domain registration
Buying a domain name is like buying a house. The company that sells the house must know who they’re selling to and be able to contact them. This becomes public record.
The same goes for registering a domain. Depending on the country you’re in, you’ll be required to release some information about yourself, which is recorded in the WHOIS database. Beyond your personal information, this record also lists your domain’s nameservers.
Hackers can use this information to narrow down the location of the server that you’re using. They can use this as a gateway to access your web server.
DDoS attacks
DDoS attacks deny access to users trying to visit a specific website. Basically, the hacker uses spoofed IP addresses to overload servers with traffic. This essentially takes the website offline.
Now the host needs to scramble to get the server back up and running as fast as possible, which leaves the server vulnerable to malware.
Search engine blacklists
Technically, this isn’t a security threat. However, if your website isn’t properly secured, it can impact your SEO rankings.
According to a recent study, 74% of hacked websites were attacked for SEO reasons.
I briefly mentioned this earlier when we were discussing spam comments. If search engines detect malicious content on your website, your SEO ranking will suffer.
If lots of users are reporting your site as spam or unsafe, you could be added to a search engine blacklist. Once you’re on that list, it’s extremely difficult to get off.
How to keep your website safe
Now that you’re familiar with some of the most common security threats, it’s time to prevent them from happening.
You can’t just assume that your website is secure. If you haven’t done anything to beef up the security, it’s probably vulnerable to attacks. These are the steps you need to take to improve your website security in 2019.
Use HTTPS protocol
If your website isn’t currently using HTTPS protocol, it needs to jump to the top of your priority list. This essentially tells your website visitors that they’re interacting with the proper server and nothing else can alter or intercept the content they’re viewing.
Without HTTPS a hacker can change information on the page to gather personal information from your site visitors. For example, they could steal login information and passwords from users.
HTTPS protocol will also improve your search ranking. Google is rewarding websites that use this security measure.
This is comforting to people who visit your website as well. When they visit your site, they’ll see this next to the URL:
It’s secure and trustworthy. Now, compare it to a site that’s not using HTTPS protocol. The URL in the web browser will look like this:
Do you feel safe when you’re browsing on a website and see this? I don’t.
Furthermore, you can improve this security measure even more by combining your HTTPS with an SSL (secure sockets layer) certificate. This is required for ecommerce websites since users are submitting sensitive information like credit card numbers, names, and addresses.
While SSL certificates don’t necessarily prevent an attack or the distribution of malware, they encrypt the communication between the server and the user’s web browser. Even if you’re not selling anything on your website, I strongly recommend using HTTPS protocol and adding an SSL certificate to add security.
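To make the HTTPS advice concrete, here is an added checker (not code from the original post) that audits the three things a site owner should confirm after turning HTTPS on: plain http:// requests are permanently redirected to https:// on the same host, the HTTPS response sends an HSTS header of at least a year, and the page does not load scripts or images over http:// (mixed content, which undoes the protection). The sample responses and HTML are constructed; the function only inspects responses you hand it, so it runs offline.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses standing in for what probing the http:// and
# https:// versions of a site would return; not captured from any real site.
HTTP_RESPONSE = (301, {"Location": "https://example.com/"})
HTTPS_RESPONSE = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
HTTPS_HTML = '<img src="http://cdn.example.com/logo.png"><script src="/app.js"></script>'

ONE_YEAR = 31536000  # seconds

def audit_https(site_host, http_resp, https_resp, html):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("Location", ""))
    # 1. Plain-HTTP requests must be permanently redirected to HTTPS on the same host,
    #    otherwise a visitor who types the bare domain gets an interceptable page.
    if status not in (301, 308) or target.scheme != "https" or target.hostname != site_host:
        findings.append("http:// is not permanently redirected to https:// on the same host")
    # 2. HSTS tells returning browsers never to try plain HTTP for this host again.
    status, headers = https_resp
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is shorter than one year")
    # 3. A page served over HTTPS that loads scripts or images over http:// (mixed content)
    #    hands an attacker on the path the same chance to alter the page that HTTPS removed.
    for url in re.findall(r"(?:src|href)=[\"'](http://[^\"']+)", html):
        findings.append("mixed content: " + url)
    return findings

if __name__ == "__main__":
    for finding in audit_https("example.com", HTTP_RESPONSE, HTTPS_RESPONSE, HTTPS_HTML):
        print("FAIL:", finding)
```

Run against the constructed sample, the redirect and HSTS checks pass and the only finding is the logo loaded over http://.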
Update your software
Any software you’re using on your website needs to be kept up to date. You need to update WordPress software, plugins, CMS, and anything else that requires an update.
In addition to fixing bugs or glitches, software updates typically come with security improvements. No software is perfect. Hackers will always be looking for ways to take advantage of its vulnerabilities.
Lots of cyber attacks are automated. Criminals use bots that scan for vulnerable websites. So, if you’re not staying up to date on the latest software versions, it will be easy for hackers to identify your site before you can do anything about it.
Choose a safe web hosting plan
In theory, if your web hosting provider has security on its servers, you’ll benefit from those same levels of protection. However, that’s not always the case.
Going with a shared hosting plan might be appealing because of the price, but it’s not the most secure choice you can make. As the name implies, you’re sharing servers with other websites if you choose this type of hosting plan.
If one of those other sites gets attacked, a hacker can gain access to the server that you’re using as well. I’m not trying to steer you away from a shared hosting plan, but if you want to boost your website security, you’ll be better off with another option.
Check out my list of the best web hosting services, which can help guide you in the right direction.
Change your password
Change your password! I can’t stress this enough.
All too often I speak to people who have the same password for everything they own, and it’s something they’ve been using since they were in college ten years ago.
Here’s the problem. Let’s say you’re a foodie. So you have an account with a popular restaurant review website that requires your email address and password to write reviews. If that platform gets compromised, hackers have access to your username and password. If they find out you own a certain website, they can try that same password and log in to your administrative settings.
Shockingly, 25% of passwords can be hacked in just three seconds.
The information in this graph was obtained using open-source software called John the Ripper. Anyone can use this tool to crack passwords.
If software like this can figure out 53% of passwords in just two hours, I can promise you that the best hackers are cracking passwords even faster.
That’s why you need to constantly update your password. You can use a password manager like 1Password to help you generate long passwords with special characters that are nearly impossible to crack.
Furthermore, you should pick a web host that’s using two-factor authentication. This will add an extra layer of security for password protection. If your web host doesn’t offer this, there are other ways for you to enable it on your own using apps or third parties.
Secure your personal computer
Don’t allow your own devices to threaten your website.
There is malware out there that injects malicious files into websites by stealing FTP logins. It’s easier for a hacker to accomplish this if they target your personal computer as a gateway into your website. So make sure your computer has antivirus software. Surprised that antivirus software is still a thing? It’s especially important if you use a PC or download files online. You might unintentionally install malware onto your machine without knowing it.
The last thing you want is to be careless while you’re browsing online and have that mistake end up hurting your own website. Scan your machine on a regular basis.
Use tools to monitor your security
You can’t manually prevent attacks on your website. Instead, look for online tools and resources that will monitor your site’s security for you. I highly recommend looking at my guide on the best WordPress security plugins.
The plugins on this list add a firewall to your website while simultaneously fighting malware, spam, and other threats in real time. You can run security audits that will highlight your vulnerabilities so you can take preventative measures to stop an attack before it happens.
Limit user access
Don’t blame yourself, but 95% of cyber security attacks are the result of human error.
The best way to prevent this is to limit the number of humans who can make an error. Not every employee of your business should have access to your website.
If you’re hiring an outside consultant, designer, or guest blogger, don’t automatically give those people access to change settings on your website. Implement the principle of least privilege, also known as the principle of least authority or minimal privilege.
Let’s say you assign a project to someone that requires a certain level of access to your website. By applying this principle, you only give them access for the time it takes them to complete the task. Once complete, the person goes back to their regular level of access.
Make sure each user has their own login credentials. If multiple people are sharing a username and password, it doesn’t give them any accountability. Your team is much more likely to be careful with sensitive information if an error or change can be traced back to them.
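The two rules above, time-limited elevation and one login per person, can be expressed as a small access model. This is an added illustration, not code from the post or from any CMS; the role names, the user and the grant are hypothetical, and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Role ranks for this example (hypothetical names, not any particular CMS's roles);
# a higher number means more power.
ROLE_RANK = {"subscriber": 0, "author": 1, "editor": 2, "administrator": 3}
T0 = datetime(2019, 1, 1, 9, 0)          # constructed "now" for the demo
AUDIT_LOG = []                            # every privileged action, tied to one named person

@dataclass
class TemporaryGrant:
    role: str
    expires_at: datetime
    granted_by: str
    reason: str

@dataclass
class User:
    username: str                         # one login per person, never shared
    base_role: str
    grants: list = field(default_factory=list)

def hours_after(hours):
    return T0 + timedelta(hours=hours)

def effective_role(user, now):
    """Base role, raised only by grants that have not expired; nothing has to be revoked by hand."""
    active = [g.role for g in user.grants if g.expires_at > now]
    return max([user.base_role] + active, key=ROLE_RANK.__getitem__)

def grant_for_task(user, role, granted_by, reason, now, hours):
    """Elevate a user only for as long as the task should take, recording who asked and why."""
    user.grants.append(TemporaryGrant(role, now + timedelta(hours=hours), granted_by, reason))

def perform(user, action, required_role, now):
    """Allow the action only if the current effective role is high enough, and log the attempt."""
    role = effective_role(user, now)
    allowed = ROLE_RANK[role] >= ROLE_RANK[required_role]
    AUDIT_LOG.append({"who": user.username, "action": action, "role": role,
                      "allowed": allowed, "at": now.isoformat()})
    return allowed

if __name__ == "__main__":
    guest = User("guest-blogger", "author")
    grant_for_task(guest, "editor", "site-owner", "edit the pricing page", T0, hours=4)
    print(perform(guest, "edit pricing page", "editor", hours_after(1)))        # True
    print(perform(guest, "edit pricing page", "editor", hours_after(5)))        # False: grant expired
    print(perform(guest, "install plugin", "administrator", hours_after(1)))    # False: never granted
```

Because every entry in the audit log names the individual account, a change can be traced back to the person who made it.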
Back up your website
When it comes to securing your website, you should always prepare for the worst. Obviously, you never want to be in a situation where your website is compromised. But in the event that something goes wrong, your life will be much easier if your content is completely backed up.
So try using a backup plugin, like BackupBuddy, to make sure you don’t lose anything on your website as the result of an attack.
BackupBuddy is one of the five best WordPress backup plugins that I reviewed for this year. So check out the full list to see which option is best for your situation.
Some of these backup plugins also come with built-in security measures as well, which can help you prevent an attack.
Adjust your default CMS settings
As I said before, so many attacks these days are automated. Hackers program bots to find sites with default settings. This way they can target a wider range of websites and gain access using the same type of malware or virus. Don’t make it so easy on them.
Once you install your CMS, make sure you change some of the default settings:
- Comments settings
- User controls
- Visibility of information
- File permissions
These are all examples of settings you can change quickly, and you should do it right away.
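File permissions are the one item on that list that is easy to check mechanically. The following added script (not from the post or from WordPress) walks a web root, flags anything world-writable and any config file holding credentials that other accounts on the server can read, and then applies sane modes. The sample directory tree is constructed; wp-config.php is WordPress's real config file name, used here only as the example of a file that must stay private.

```python
import os
import stat
import tempfile

# Modes a hardened web root is expected to use: nothing world-writable, and the
# file holding database credentials readable only by its owner. wp-config.php is
# WordPress's config file name; the directory layout built below is constructed.
EXPECTED = {"dir": 0o755, "file": 0o644}
SECRET_FILES = {"wp-config.php": 0o600}

def audit_permissions(root):
    """Walk the web root and return (path, problem) pairs for anything too permissive."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:             # any account on the server can modify it
                findings.append((path, "world-writable"))
            if name in SECRET_FILES and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, "secrets readable by group/others"))
    return findings

def fix_permissions(root):
    """Apply the expected modes so the next audit comes back clean."""
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), EXPECTED["dir"])
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), SECRET_FILES.get(f, EXPECTED["file"]))

def build_sample_webroot():
    """Constructed tree with the sloppy defaults an installer or FTP client can leave behind."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)            # world-writable directory
    for name, body in (("wp-config.php", "<?php // placeholder, no real credentials\n"),
                       ("index.php", "<?php\n")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, name), 0o644)             # credentials readable by everyone
    return root

if __name__ == "__main__":
    root = build_sample_webroot()
    for path, problem in audit_permissions(root):
        print(problem, path)
    fix_permissions(root)
    print("after fix:", audit_permissions(root))              # []
```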
Restrict file uploads
Letting website visitors upload files to your website can be risky. That’s because any file could potentially contain a script that exploits vulnerabilities on your website when it’s executed on the server.
In some instances, the nature of your website might require file uploads. For example, you may want users to add photos of your products when they’re writing a review. In this case, you should still treat all uploads as a potential threat.
You could also set it up so that any files that get uploaded are stored in a separate folder or database outside the public website directory. You can create a script that will fetch those files from that private location and deliver them to the browser.
This will require some coding and is a bit complex to set up, so I won’t go into too much detail on this right now. The simple solution is to avoid file uploads altogether, or at least restrict the types of files that can be uploaded to your site.
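For readers who do need uploads, here is an added example (not the post's own code) of the "treat every upload as a threat" approach: an allowlist of image extensions, a check that the file's leading bytes really match the claimed type, a size cap, and storage under a random server-chosen name in a private directory the web server never serves or executes. The sample uploads are constructed byte strings, and the private directory is a temporary stand-in.

```python
import os
import secrets
import tempfile

# Constructed sample uploads: only the leading bytes matter for the checks below.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_UPLOAD = ("photo.png", PNG_MAGIC + b"\x00" * 64)
JPEG_UPLOAD = ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
PHP_AS_PNG = ("shell.png", b"<?php echo 'x'; ?>")           # script wearing an image extension
DOUBLE_EXT = ("photo.php.png", PNG_MAGIC + b"\x00" * 64)    # relies on sloppy server handler rules
TOO_BIG = ("huge.png", PNG_MAGIC + b"\x00" * (2 * 1024 * 1024))

# Allowlist of extension -> required leading bytes; everything else is refused.
ALLOWED = {".png": PNG_MAGIC, ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
MAX_BYTES = 1024 * 1024

class RejectedUpload(Exception):
    pass

def validate_upload(filename, data):
    """Accept only allowlisted image types whose bytes actually match the claimed type."""
    stem, ext = os.path.splitext(os.path.basename(filename).lower())
    if ext not in ALLOWED:
        raise RejectedUpload("extension %r not allowed" % ext)
    if "." in stem:
        raise RejectedUpload("multiple extensions not allowed")
    if len(data) > MAX_BYTES:
        raise RejectedUpload("file too large")
    if not data.startswith(ALLOWED[ext]):
        raise RejectedUpload("content does not match its extension")
    return ext

def private_storage_dir():
    """Stand-in for a directory outside the public web root (constructed, temporary)."""
    return tempfile.mkdtemp(prefix="uploads-private-")

def store_upload(filename, data, private_dir):
    """Validate, then save under a random name where the web server never executes or serves files."""
    ext = validate_upload(filename, data)
    stored_name = secrets.token_hex(16) + ext        # the client's chosen name never reaches the disk
    path = os.path.join(private_dir, stored_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)                             # readable by the app, never executable
    return stored_name

if __name__ == "__main__":
    print("stored as", store_upload(*PNG_UPLOAD, private_storage_dir()))
```

The magic-byte check is what catches a script renamed to .png; the random name and private directory are what stop a file from ever being reachable at a URL the uploader can guess.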
Website security needs to be one of your top priorities.
If you haven’t taken any steps to secure your website, you’re currently at risk while you’re reading this.
It’s nearly impossible for any website to be 100% safe and secure — hackers are always going to find new ways to attack websites and steal information. But you can make this difficult on them by taking the security measures that I’ve outlined above.
At the end of the day, if cyber criminals are having a tough time hacking a website, they’ll just move on to other sites that haven’t implemented the website security tactics that we talked about. You don’t want your website on that list.