Now that you've completed your website, it's time to secure your website before you launch it to the world!
With the world increasingly connected and dependent on the internet for daily activities, cyberattacks are also becoming more frequent and malicious. From healthcare data breaches in Singapore to cyberattacks on membership database in the Philippines, hackers do not discriminate their targets. As long as there are vulnerabilities in your system, the dangers of succumbing to a cyberattack will always remain.
As a small business owner, you've worked hard on building your website and have gone through lengths to ensure that everything is working properly. That’s why, in the same way you safeguard your identification and credit cards, you need to make sure your small business website is secure.
Definition of website security
What do we mean when we say “secure?” For these purposes, let’s go with what Google Developers reference when they speak about a secure website:
- Authentication: Your users are communicating with the intended website
- Data integrity: Your data cannot be modified or corrupted during transfer -- intentionally or otherwise -- without being detected.
- Encryption: While users are browning, no third parties can track their activities across multiple pages or steal information.
Without proper website security is like leaving the front door of your site open to attackers! With a secure website, you can prevent loss of revenue, your customers’ data being stolen, and other disruptions to your business.
In this guide, we will go through how website is hacked, as well as tips to ensure website security.
How do websites get hacked and how does a hacked website look like?
Before we deep dive into ways to secure your website, let's take a look at the reasons why websites fall victim to hackers. Nowadays, hacks are becoming more sophisticated, hence there isn't a sure tell-tale sign of a hacked website. In fact, some aftermaths of a hack website are not obvious at all! Here is a quick summary of the various methods of website hacking:
Ransomware
According to McAfee, ransomware is a type of malware that employs encryption to hold a victim’s information at ransom. A user or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization.
In short, when your data falls into the hands of hackers, these hackers will threaten to block your access to your own data, or worse, publish it for the world to see unless you pay them a ransom sum.
Phishing
Phishing is a form of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an hacker / scammer pretends to be a part of your business and dupes victims into opening an email, instant message, or text message from you. Once victims open up these messages, they are often led to click on malicious links. These links can either lead to malware installation, freezing of the system as part of a ransomware attack or revealing of sensitive information.
In phishing, your customers as end-users are most often the victims of these attacks. This means that your company and brand might lose credibility and trust in the long run.
To learn more about how you can prevent phishing on your website, check out this article: https://www.godaddy.com/resources/asia/skills/what-is-url-phishing/
Distributed Denial of service (DDoS)
DDoS stands for distributed denial-of-service. DDoS attacks are attempts to make online services unavailable by overwhelming them with traffic. The most common targets for DDoS attacks are large companies, like banks and media outlets. However, it has become more common over the past few years for smaller businesses to find themselves asking how to stop a DDoS attack.
In a DDoS, hackers would usually overload a website, often through bots, in an attempt to crash your website's server.
Other types of website hacks
There are many other ways that hackers can deploy to cause your website to crash or compromise your data. Malicious codes or viruses can exist in many forms, where hackers will find ways to insert these into your website. When this happens, your website might become inaccessible, completely crash or worse still, the data from your website might be made visible to these hackers. Hardware might also be affected.
Keyword hacks are also commonly used by hackers to mask content. Such examples are gibberish hack, cloaked keywords hack and Japanese keywords hack.
Ways to secure your website
Now that we've understood the different methods of how your website can potentially be hacked, let's take a look at how you can secure your website! Here is a quick list of easy steps to improve your site's security.
- Install an SSL certificate on your website and use HTTPS protocol
- Use secure passwords and change these regularly
- Keep your software and plugins up to date
- Consider a security or backup plan
1. Install an SSL certificate on your website and use HTTPS protocol
Have you ever noticed the lock image on the left hand side of your browser bar, before the website domain? This icon indicates that the URL address begins with “HTTPS.” These letters stand for Hypertext Transfer Protocol Secure.
Hover over the lock symbol, and depending on your browser, it will read something along these lines: “Connection is secure. Your information (passwords or credit card numbers etc) is private when it is sent to this site.”
HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL (Secure Sockets Layer) certificate. At the minimum, to secure your website and have consumers trust your brand, you’ll need to invest in an SSL certificate.
SSL encrypts information to prevent hackers from impersonating you or stealing visitors' information.
Besides securing your website, having an SSL certificate in crucial for your website to rank well on Google search results. This ensure that your website is discoverable.
In fact, security is an important aspect of search engine optimization (SEO). HTTPS protocol will improve your search ranking, as Google rewards websites that use this security measure, an initiative starting in 2014. The initiative, called "HTTPS everywhere" encourages all website owners to switch from HTTP to HTTPS to keep everyone safe on the web. Websites without a proper security certificate would usually rank poorly on Google, and users who enter a website without SSL security will receive a warning before they click through to it. Therefore, having SSL certificates definitely help to boost SEO in the long run.
If you are running e-Commerce sites that collect payments or any form of visitor data, having an SSL certificate is crucial to help protect your site data. Without it, your website's data is unprotected and vulnerable to hackers.
How to obtain an SSL certificate for my website?
Fortunately, many web hosting packages come with a free SSL certificate. You can also purchase an SSL certificate they can be purchased at a nominal cost. GoDaddy, for example, offers a range of tools including integrated SSL, firewall and 24/7 monitoring.
As a small business owner, pick a reputable website builder that provides you with ease of building websites and includes SSL for free. Otherwise, when you are sourcing for your web server, most web hosting providers will also include SSL in their hosting plans.
While there are also free options you can consider, you will need to pay if you want more security for your website.
We've prepared an SSL comprehensive guide to help you learn more about SSL certificates and the options that you have for your website.
Use secure passwords and change these regularly
Do you use the same password for everything from your social media to email accounts to credit card information? Though this makes it easier to remember your password, it puts you at a risk for security.
- Create a unique password for each account you have. These should be randomized passwords. Avoid combinations that include personal information that can be easily found online -- i.e. birthdays, name or your address. You can store the password offline or on a separate device.
- You should also change your password regularly, and use a new one each time. As annoying as it might be, enforcing basic password requirements will protect your account in the long run. Good passwords should include a minimum of eight characters, an uppercase letter, symbol and number --
- To minimize the pain, consider using a password manager, especially if you are running a business website. Not only are a majority of them free, but they’re convenient and safe to use. Check out this list from Wired, highlighting 5 of the best password managers to secure your digital life.
Another layer of protection you can consider is to enable two-step verification on all your website logins. This allows for an additional layer of verification using your mobile device or other external devices. That way, hackers won't be able to do much even if they obtain your password.
Last, on a regular basis, you review your log-ins to check if there is any unusual entry. If there are, change your password, which forces other devices that are logged in to log out and require all new log-ins to re-enter the password.
Keep your software and plugins up to date
Just like with your computer and mobile, you often have to run regular website software updates to keep things running. The same applies for your website.
If you are using third-party software on your website, or any additional plugins you’ve downloaded, make sure you check your web hosts’ dashboard on a daily basis for updates. Ensure that the software you have is the latest version as that is the best way to prevent bugs.
Make it a habit to schedule regular or auto updates of your website and the installed plug-ins. Additionally, you should also keep your antivirus software up to date.
“By now, we all know that ignoring theme, plugin, and WordPress core updates can create severe security issues, compatibility issues, and accrue technical debt. Website owners also miss out on great new features and capabilities of their software when updates are ignored,” writes tech expert Ryan Sullivan of SiteCare.
Use security software or security plugins
Securing your website would also mean that you have a plan in place to constantly detect potential threats and attack attempts. To do that, you can install anti-malware softwares for your website.
There are free plans available by major security software companies. You can also pay for a good anti-malware software, depending on the levels of protection that you need for your website and your budget. Most good anti-malware would conduct regular web scanning, malware detection and removal, ensure PCI compliance and DDoS protection.
Instead of getting such softwares separately, a good hosting provider supports your website with comprehensive security tools. Some include anti malware as part of their hosting plan, while others provide free SSL, hack and DDoS protection etc.
If you’re looking for more protection, consider proactively purchasing a plan that uses website scanners to detect malware and other vulnerabilities.
Website security plans often come with a Web Application Firewall (WAF), which can intercept incoming data and identify potential security threats like SQL injections and DDoS attacks: A SQL Injection attack occurs when a hacker enters malicious code onto a site, while a distributed denial-of-service (DDoS) attack is a malicious attempt to overwhelm a site by sending it a flood of traffic, causing the server or network to become overwhelmed, resulting in a denial of service to normal traffic.
A good quality website builder or hosting provider should look after your site’s security for you. Hosting providers often include anti-malware software as part of their plans.
Have a backup plan: back up your website regularly
Sometimes, as much as we try to protect our website through the use of preventative methods above, there is still a possibility that hacks can happen.
In the event that your website security is compromised, you’ll want to ensure that you backup everything. How often should you backup your website? This is similar to how often you backup certain apps on your phone. The answer depends on how often you update the content on your site. If you publish a daily blog for example, then backing up at least monthly is ideal.
If you’re running an e-commerce site that involves less content and more maintenance of uploading of images and product shots, consider saving these images in a separate folder.
GoDaddy’s Website Backup plan ensures that every file, folder and database on your site is always safe, protected and available. Website Backup works with any hosting provider. Should a crash occur, you can quickly restore any lost or damaged files to your site via instant cloud backup.
You can also do simple post backups. On some content management systems, there is an export feature that exports your posts and pages into a downloadable file. This can be a more manual way to ensure you have a copy of your data.
A secure website will guarantee you peace of mind and ensure that hackers cannot view or steal your personal information. Take these steps so that you can focus on running your business.
Securing your website starts with you
As a website owner, there are probably many aspects of maintaining a web presence that you need to worry about. From user experience to secure payments, an online presence requires constant maintenance.
Website security is a key aspect that you need to ensure that you have it for your website. The good news? There are many plug and play solutions you can deploy, especially if your website is relatively small.
If you are ready to get started, hop on to our website to explore your options.