10 Things You Can Do Today to Keep Your Website Safe and Secure
With the growing amount of data, information, and traffic on the Internet today, it’s imperative for website owners to keep their websites safe and secure.
Some scary statistics can explain the magnitude of the issue:
- In the last eight years, more than 7.1 billion identities have been exposed due to data breaches.
- 43% of cyber attacks are aimed at small businesses.
- 60% of small companies go out of business within six months after a cyberattack.
- 48% of data security breaches are caused by acts of malicious intent (human error or system failure account for the rest).
- 76% of websites scanned by Symantec in 2016 contained vulnerabilities—the same percentage as in 2014 and just two percent less than the 2015 figure.
(Sources: Symantec and Small Biz Trends)
Although your website may currently contain vulnerabilities that leave it at risk for a data breach or a cyberattack, there are a few things you can do today to make it safer. Here are ten of them.
1. Stay Informed
Unfortunately, cyber attackers and hackers are always changing their tactics and perfecting their skills. Hackers are constantly creating new malware and ransomware or learning how to infiltrate systems and websites that were once thought to be secure. Their work never ceases, so neither should yours. That’s why one of the most important (and easiest) things you can do is stay up-to-date with hacking threats as they arise. Subscribe to blogs and get notifications from reputable sources on the newest and most critical threats you need to know about. Digital Guardian compiled this list of security blogs you should be reading.
2. Strengthen Access Control
Admins for your website should always use passwords that can’t be easily guessed when they’re accessing your control panels and dashboards or content management systems. Make sure their passwords are over eight characters in length and that the passwords contain diverse characters (i.e., one number, one capitalized letter, etc.). In addition, make sure their user names aren’t simple and easy to spot like “admin01,” and that they change their passwords regularly.
And consider implementing two-factor authentication for users who log in to your site. Two-factor authentication requires them to enter two pieces of information to access your site such as a password and a PIN, security code or question, etc.
3. Keep Everything Updated
Whether you build a website from scratch or use a state-of-the-art website builder, you need to verify that everything on or connected to your website is updated at all times. It’s easy to ignore automatic updates for the software and systems you access, but hackers scan websites on an ongoing basis to see what sites don’t have the latest updates or bug fixes for their software, plugins, databases, etc.
If you aren’t using certain plugins or software integrations anymore, then delete them from your control panel and website. And always schedule updates for your software and systems on a rolling basis so they’re always running the latest and greatest versions.
4. Pay Attention to Network Security
If you host your website on your own servers, then you must ensure hackers can’t infiltrate your networks on a minute-to-minute basis. In addition to having users frequently update their passwords, you should ensure each device plugged into the network is scanned for malware constantly and that logins expire after a certain length of inactivity.
If your website is hosted through a third-party, you’ll want to ensure they have 24/7 security for their servers. And you’ll want to verify they have ample security plugins and software available as well.
5. Encrypt Sensitive Data with SSL
If your website handles sensitive information such as credit card numbers or social security numbers, then you’ll want to ensure it has an SSL certificate. What does that mean? It means moving from the HTTP (Hyper Text Transfer Protocol) to the HTTPS (Hyper Text Transfer Protocol Secure).
So, instead of your website URL looking like this: “http://mywebsite.com,” it will look like this: “https://mywebsite.com.” This means you’re adding an encryption layer of TLS (Transport Layer Security) or SSL (Secure Sockets Layer) to your HTTP, which will make your users’ and your own data even more secure from hacking attempts.
Here’s more information by WPEngine on how you can obtain an SSL certificate for your site.
6. Prevent SQL Injections and Cross-Site Scripting
An SQL injection is one of the most common ways a hacker can infiltrate a database attached to a website. If you have a web form or URL parameter that allows outside users to supply any information they want, then hackers can insert code into your website forms that allows them to hack into your databases with sensitive customer and company information that are linked to those forms.
To protect against this, establish parameterized queries that prevent hackers from inputting anything they want into the form fields on your website, and remove form auto-fill. Read this detailed post by W3 Schools for more information about what SQL injections are and how you can prevent them from happening.
Cross-Site Scripting (XSS) is like SQL injections except it involves hackers using a web application to send malicious code, generally in the form of a browser side script, to a different end user from a site that’s trusted. Some malicious scripts can even write HTML code on a webpage.
You can prevent this from happening by using a Content Security Policy (CSP) on your website, which allows you to specify and validate which domains your content and scripts should always come from. To learn more about how you can prevent XSS, consult this detailed source provided by the Open Web Application Security Project.
7. Back Up Your Site and Files Regularly
Back up all your files and systems every single day, multiple times throughout the day. Whenever a server you rely on backs up your files and information, it should save it in multiple locations for security (i.e., in cloud-based servers, external hard drives, etc.). Eventually, every hard drive and piece of hardware will fail or malfunction, so be sure you have all your critical website files backed up. Otherwise, you are at risk of losing critical components and files that are currently keeping your website safe and readable.
8. Manage Your Directories and File Permissions
Every website is made up of files and folders that are stored in a server that’s hosting it, inside directories. To keep this information safe, each file and folder should have certain levels of permission that keep them safe and secure. Each file and folder should specify who can read, write, and execute it.
Locate your FTP (File Transfer Protocol) in your control panel to assign permissions. If you use a hosting service, you can always contact them to find this information. Read this WordPress post to learn more about the different file permissions.
9. Install Security Plugins and Web Applications
To ensure your website is secure, install plugins that constantly scan it and warn you about any vulnerabilities, or actively work to keep your files, data, databases, etc. secure. SiteLock, iThemes Security, and Sucuri Security are three popular options.
10. Scan Your Site to See Where It’s Vulnerable
Before you install plugins or do any of the things mentioned above, you should consider scanning your website right now to see where it’s most vulnerable. Below are some free website scanners you can use that will tell you where your website is weak and what you need to update or fix right now to keep it secure and safe.
As you work to keep your website safe and secure, keep this list of ten things you can do nearby, so your website will never be vulnerable again.