64% of small businesses have a website and it’s considered almost essential for any modern business. In many cases the companies are almost exclusively online and make their money through e-commerce, ads and selling services to their viewers. For most businesses having their website hacked would be a huge inconvenience and severely hurt their revenue. With the amount of hacks increasing each year, it’s more important than ever that people have a solid understanding of how to secure their websites. Here I’ve created a list of 12 website security tips for making sure your business is resilient to being hacked.
Use strong passwords and change them regularly: 81% of data breaches are caused by compromised, weak or reused passwords. Attempting to guess or crack user passwords is one of the first things people will try, so it’s important to protect against this. An easy way to do this is to use password generators, many browsers come with password generators that automatically ask you if you want to create a secure password. Some people object to this because they think if someone takes their laptop they can get into their accounts. In most cases you need to be more concerned about people you don’t know trying to hack your website but there is a way to get the best of both worlds. Combine that secure password with 2 factor authentication. This is when a code is sent to your email/phone everytime you want to login. This way not only will a hacker have to guess your password but they will need access to your email/phone. Also, if you’re worried about someone you know like a spouse or sibling using your computer they will not be able to login using the autofill password option because they won’t have access to the code sent to your phone. Additionally, you should change your password at least every 6 months, especially if your website is some type of business.
Google Chrome default password generator
2. Use Website Backups: You can create a regular schedule for creating backups of your website. This way if something goes wrong and something is deleted or lost, the loss will be mitigated because you only lose information between your last backup and present day. How you backup your information depends on what platform you use (wordpress, squarespace, wix etc). If you use wordpress for example you can look into easy cpanel backup or vaultpress, which allow for automated backups on a regular schedule. For other platforms it may be harder to find reliable plugins but they do exist and depending on your needs you may find it suitable to do manual backups of your content. For example if you have a blog you can write your articles in google docs before copying it over to your website and now you have a copy of each article you have ever posted and any related pictures.
3. Limit Contributors Permissions: In security this is known as using a least permissive model. This simply means that you want to limit the permissions that users have on your website to the absolute minimum required for them to do their tasks. For example everyone doesn’t need to be an administrator, you can use other roles like editor, author, contributor etc and set users permissions according to what they need. By limiting the permissions people have you reduce the chance of someone doing something negative to your website on purpose or accidentally.
4. Secure online checkouts: If your website accepts online payments you should use AVS (address verification system) and take CVV (credit card verification value) when accepting any credit card payments. These features help to prevent fraudulent payments from going through by requesting additional information and saves you a lot of time and revenue.
5. Update all plugins: It’s important to update all of your plugins on a regular basis. It’s common for security vulnerabilities to be found in popular plugins. Once a vulnerability is found and disclosed the vendor usually releases an update that addresses that particular issue. If you go months or years without updating that plugin your website will remain vulnerable for extended periods of time and that will often result in someone hacking your website. Hackers use computer bots (controlled machines) that scan the internet 24/7 for websites that are running outdated versions of known vulnerable plugins. It’s estimated that a cyberattack happens every 39 seconds, so it’s not a matter of if your website will be found just when. That’s why it’s important to set up a schedule where you check for software updates of your plugins and turn on update notifications where possible so you are aware of the updates as soon as they become available.
6. Use anti-malware solutions: Malware can be introduced to a website in multiple ways. Sometimes hackers are able to inject code into your website through input forms or you can accidentally introduce malware into your website when copying and pasting custom code to give your website a unique feature. Either way it’s good to invest in anti-malware solutions that can detect malicious code in your website. Some anti-malware software providers you can look at are quttera, sucuri and astra security.
7. Consider DDos protection: DDos stands for distributed denial of service and it’s an attack where hackers make your website unavailable to users on the internet by flooding it with data requests. By overloading the website’s ability to handle requests, it makes your site inaccessible to users. Some web host providers have ddos protection by default but you want to ensure you are protected because DDos attacks happen to both small and well known brands.
8. XSS scripting attacks: Cross-site scripting is a type of injection attack where a hacker inserts malicious code into a webpage that will be viewed by other users. This way whenever another user goes to the infected webpage the code will automatically execute. To prevent this you need to make sure that all input forms on your website sanitize their inputs, which simply means it filters out unwanted commands instead of running the code. You also need to ensure that the html code on your website is secure, you can do this through manual code reviews but for most people it’s easier to use automated tools that scan your website.
9. SQL Injection: SQL injection inserts SQL queries into input forms in order to steal data from your database. This can include credit card numbers, customer addresses, phone numbers etc. The defence for SQL is similar to XSS where you need to ensure that you’re filtering the information entered in the input forms correctly. Here you can find some tips for stopping an SQL injection.
10. Use security scanning tools: There are many plugins and tools that will automatically scan your website and reveal potential security risks. These applications make it much easier to decide where you should focus your time and what you should be concerned about. For example, if you are on wordpress you have wordpress security scan, WPscan and sucurisitcheck.
11. Hide your web host provider and version: By displaying this information you make it easier for attackers to exploit known vulnerabilities associated with that web provider or that specific version of the software (if you’re running wordpress). To hide the WordPress version, you can copy and paste this line of code into the functions.php file of your active theme.
In general you should always hide the software name and version of anything running on your website.
12. Be careful with file uploads: Allowing people to upload files is a big security risk. Even if it has innocent intent, by allowing people to upload files there is the potential they will be able to upload and execute malicious code on the web server hosting your website. For example even if you only allow someone to upload jpg files to change their profile picture, if not done correctly hackers can easily get around that by renaming a file to be image.php.jpg and upload a php file to the server.
If you do choose to enable that functionality, make sure to do your research on how to secure it. Some things you can to do include restricting the type of files you can upload, changing permissions of the uploaded files to ensure that no files can execute post upload, changing the directory that the files are uploaded to so that it cannot be easily guessed (for example securitymadesimple.org/uploads is too obvious) and if possible making it so regular users cannot access the directory holding the uploaded files even with the URL.