Cyber Security is not a luxury anymore. A leak in your website security may cause your business to go down in a blink of an eye. All your hard work, trusted customers, popularity, branding, and data may be flushed away.
You need to protect your website from hackers who may steal, damage, or use your data. You also need to protect your visitors from being hacked through your website.
Before digging into the tips, we want to throw out a question on you, Is your “Small” business website safe enough?
Actually, the latest security reports state that Small and Midsize Businesses (SMBs) are more targeted by hackers. In October 2018, GoDaddy published a report about small business website security at which they stated that 58% of malware attack victims are small businesses.
In this article, we give you the most important tips to improve your website security and protect it from hackers.
10 Tips to Improve Your Website Security
1. Check your updates
Why should you update?
In the software world, there is nothing called “The Final Version” (unless the company is closed or the developers are dead). But why would they come out with a new version of their app, plugin, theme, etc.?
Because “Perfect is an illusion.” None of the developed work is perfect or entirely secured. It’s regularly tested and reviewed for improvement.
You aren’t only updating because of the new cool features, but also for the new patches released with the latest version to fix vulnerabilities discovered in the previous one. Developers are doing great finding the flaws in their job. Accordingly, you should remove plugins or themes that their developers are not updating anymore because hackers will target it by studying the vulnerabilities in it.
As you can see in WordPress latest release, they strongly encourage users to update their websites immediately. They also mention the bugs found in previous versions. Hackers read this release too. If you don’t update, you are going on with a website that holds known vulnerabilities.
What happens if you don’t update?
You are 85% more exposed to be targeted by hackers automated pots which scan the WWW intensively to find websites with un-updated software.
What should you update?
- Your server’s OS.
- The CMS theme or forum your website is built with.
- Any plugins, add-ons, extensions on your website.
Extra advice!
It’s suggested to backup your website before updating it as new versions may lead to errors or flaws into your website.
How to update your website?
- WordPress notifies you for available updates.
- If you are not following up, install a plugin to notify you about updates.
- Remove unneeded or un-updated themes/plugins from your website.
2. Get a website security certificate (SSL)
What is SSL? What is TLS?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols used to secure the communication between the server and the client. It encrypts sensitive data like credit cards info, usernames, passwords, and other private data sent over the internet. You can know whether or not a website is using an HTTPS protocol from its URL address as shown below.
Why do you need an SSL Certificate?
- Encrypt your information (your login pages and any data between the server and the browser).
- Authentication.
- Avoid Phishing and Man-In-The_Middle attacks.
- Required for PCI compliance.
- Browsers are penalizing HTTP sites.
3. Set up a firewall
Firewalls are tools that protect your network from unwanted traffic. They’re like a barrier between your network and the internet, so only wanted traffics can pass in, and other unwanted or untrusted traffics are blocked.
They’re mainly used to protect you from DDOS attacks, but they can also be used to prevent SQL injections and Cross-Site Scripting (XSS).
Some security experts such as Roger A. Grimes argue that:
Firewalls are no longer effective against modern attacks, but the latest generation offers both client-side and network protection.
By “latest generation” he means Next-Generation Firewall (NGFW), which offers more security features such as web and URL filtering and malware detection.
The argument about firewalls may confuse non-technicals, but in any case, it’s prefered in most cases.
4. Create strong passwords
Don’t you think passwords like “123456789” are voluntaries on a silver platter? If the hacker controls your website through your own account due to such weak passwords, how would you feel about it?
Why didn’t I take some more time to create a stronger PW!
One of the most important and old tips each website tells you when creating a new account is to Create a Strong Password.
How to create and remember a strong password?
Make it long, complex, and don’t reuse your password on different channels. You can use a password manager, so you don’t reuse your passwords and keep them random without forgetting them. Password Managers are tools that create and remember your passwords.
5. Test your website for vulnerabilities
You need to regularly test your website for vulnerabilities to batch it before hackers find it. Penetration Testing is a traditional test in the security world which is applied on websites, servers, and networks. Its purpose is to find any weakness in your system and perform an attack through it. That way you would know the problem and guide your developers to fix it.
Another helpful thing is having a Vulnerability Scanning Tool which can give you peace of mind. It’s an automated tool that digs into your website and analysis each file searching for known vulnerabilities.
The difference between these two is:
Penetration Testing | Vulnerability Scanning Tool |
Discovers or attacks unknown weaknesses. | Identify or report known vulnerabilities. |
Performed by an experienced person and some tools are also used. | Performed by automated tools. |
More time & cost. | Less time & cost. |
Conducted once a year or each two years. | Conducted frequently after each change in the system and recommended quarterly. |
May find zero-day exploits. | Can’t find zero-day exploits. |
6. Prevent file upload vulnerabilities
When you allow users to upload whichever they want to your website, that’s not nice of you. A hacker may upload a script as a file. That script will be executed to access your database, machine, and network. Once an upload vulnerability is exploited, the hacker may have full access to your machine.
Some technical steps should be taken to prevent file upload vulnerabilities which can be done by your security man.
7. Backup your Website
Your backup is your shelter in the worstcase scenario. Having a backup is just like saving your game level when you’re down, with some (or plenty) of points lost. A backup recovers your files and data if your website is infected or an update damages it.
It’s recommended by experts to have more than one backup. One off-site backup is a must. You can also have a backup on your local machine or an external drive. Your host may be offering backup services.
8. Change the default CMS settings
Default settings at WordPress, Joomla, Magento or any other CMS may be a huge vulnerability for hackers. Things like “Admin” as can easily be guessed and used by hackers. That’s why you should take some time to change these settings.
9. Carefully choose your host
Be careful when choosing where your website will live. Are you (personally) okay with a home surrounded by suspicious people, with a street famous for robbery accidents? Obviously not.
Choose a host with high security and be careful of shared hosting where you may be hacked through your neighbors or blacklisted with them.
10. Follow the Principle of Least Privilege (POLP)
Everybody and everything in your website must only access things that are necessary to perform its process. Whether it’s your users, programs, applications, they should have the minimum privilege to do their functions correctly, so that the opportunities to use these modules as a voluntary to hack the system are minimized as well.
Conclusion
Due to Information Security: Principles and Practices book, the first IS Principle of Success is that:
” There Is No Such Thing As Absolute Security “
It’s all about reducing the risk. The tips mentioned in this article will “improve” your website security, but they won’t totally protect it. But with regular scanning and updating, the percentage of being safe is much higher.