You might be wondering:
“My business is new/small/unknown. Why would a hacker pay attention to my website?”
Unfortunately, that’s not how it works. Hackers don’t discriminate, and they’re very creative with their website security attacks, so you need to be on your toes and prepared for anything when it comes to website security. Below, we’re going to look at what you stand to lose by not securing your website as well as 15 things you can do starting today to protect it.
Should You Be Worried About a Security Breach?
Hackers are going to go after anything they can. In some cases, they want your customers’ credit card information. In other cases, they want your company data for extortion. And sometimes they want to wreak havoc for the sake of doing so. Regardless of what the end goal is, a website security breach is going to do severe damage to your business. Stolen data, for instance, is the most apparent monetary cost. According to an IBM and Ponemon Institute report, the average cost of a data breach ends up being about $150 per record lost:
What’s more, the longer a website breach has gone undetected (which the report says is about 279 days), the more records hackers can steal. And while the removal and cleanup of the website corruption will help stave off any further damage, you can expect to incur costs for years afterward:
Now, it’s not just money you stand to lose when your website gets hacked. For instance:
You’ll lose time:
- Having to repair a website that’s gone down, been defaced, or infected.
- Reaching out to affected parties (e.g. employees, customers, partners), issuing apologies, and trying to restore trust in your company.
You’ll lose business:
- From customers who were impacted and no longer trust you.
- From sales that should’ve taken place during that time. They failed to do so because your site was down or infected.
- From prospects who encountered your compromised site (personally or in the news) and decided it wasn’t worth it to return.
You could lose your good standing in Google: This doesn’t always happen — it depends on the severity and length of the infection — but you can get blacklisted from Google and lose up to 95% of your search traffic as a result.
15 Website Security Strategies
This is going to seem like a lot of work (which it is), but it’s going to pay off in the long run when you’re spared the anguish of dealing with a website breach. Let’s get started:
1. Get a Secure Web Hosting Plan
When laying the foundation of your website security strategy, it’s crucial to start with a web hosting service and plan that prioritizes security. By protecting your site at the server level, you’ll be better able to fend off attacks against your website, and you’ll be safer from other websites infecting your own (which can happen with cheap, shared hosting plans).
2. Add an SSL Certificate to Your Site
An SSL certificate (technically a TLS certificate these days) proves your server’s identity and lets browsers encrypt their connection to it, which turns an HTTP:// website into one served over HTTPS://. Google looks at sites to see if they have one installed when it determines its ranking, so keep that in mind if you’re concerned about SEO. When installed, visitors can view the certificate and level of security, like this:
Getting an SSL certificate is pretty easy, as most web hosting companies offer them and will take care of installing them on your server. However, if that’s not the case, you can get a free one from Let’s Encrypt. You’ll need your developer to help you set it up, though. Once again, an SSL certificate will also help your website gain rankings in search engines and support your search engine optimization efforts.
3. Enforce Strong Passwords
It doesn’t matter if it’s just you or a team of people who access your website. Anyone who has login access should adhere to strict password protocols. That means the password should:
- Be original and not used for anything else.
- Not be an actual word you’d find in the dictionary.
- Have 10 to 14 characters.
- Include a mix of characters, with at least one capital letter, lower-case letter, symbol, and number.
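The rules above, expressed as a server-side check plus a generator that satisfies them. This is an added example, not code from the original article; the word list, the breached-password list (used here as a stand-in for "used somewhere else"), the symbol set, and the function names are constructed assumptions.

```python
import secrets
import string

# Constructed sample lists. In practice these would be a full dictionary and a
# breached-password corpus; a site cannot see a user's other accounts, so the
# breach list stands in for "used somewhere else" (assumption).
COMMON_WORDS = {"password", "welcome", "dragon", "sunshine", "letmein"}
BREACHED = {"P@ssw0rd12345", "Qwerty!23456"}
SYMBOLS = "!@#$%^&*-_=+?"


def policy_violations(password):
    """Return the rules from the list above that this password breaks."""
    problems = []
    if password in BREACHED:
        problems.append("reused")
    # Ignore digits and symbols so "Sunshine2024!" still counts as a word.
    letters = "".join(c for c in password.lower() if c.isalpha())
    if letters in COMMON_WORDS:
        problems.append("dictionary word")
    if not 10 <= len(password) <= 14:
        problems.append("length")
    classes = (str.isupper, str.islower, str.isdigit, lambda c: c in SYMBOLS)
    if not all(any(test(c) for c in password) for test in classes):
        problems.append("character mix")
    return problems


def generate_password(length=14):
    """Draw from the OS CSPRNG until the candidate satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate
```

Run the check on the server when a password is set or changed; a check that only runs in the browser can be bypassed.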
Some content management systems help you and your users automatically set strong passwords, like WordPress:
If that’s not an option, password management tools like LastPass enable users to instantly generate secure passwords too:
4. Implement 2FA or MFA
According to SiteLock, this is how frequently a website is attacked:
Given enough time, persistent hackers and their bots will find a way to break in if you don’t implement security protocols at the login screen. For this, you can enforce limits on how many times someone can retry their login. You’ll also want to use two-factor (2FA) or multi-factor authentication (MFA). All this means is adding an extra verification step, like:
- Text or email verification
- reCAPTCHA
- Google Authenticator
- DUO
5. Set Restrictions on User Access
If one of your users’ accounts becomes compromised, there’s another way to keep hackers from doing damage. To do this, you’ll have to be extra cautious about what you give each user access to in the backend of your site. If you block them from being able to edit database files, for instance, you’d also reduce the likelihood that hackers could do so through their login as well.
6. Use High-quality Software
Many times, we use design themes and software extensions to enhance our websites. They’re indispensable tools in this day and age. However, like any software, they’re prone to have bugs and vulnerabilities, which compromise not only the software but any website using it. So, you have to be very careful about which themes or plugins you integrate with your site. For starters, keep them to a minimum. SiteLock found that the more plugins you use, the higher the chance of attack and infection:
And only use ones that are well-reviewed and that you know the developer takes good care of. You can find this out by looking at support requests and seeing if and how they respond to users that experience problems (they should be doing this and in a timely fashion, too).
7. Keep Software Updated
Another sign that you’ve chosen a high-quality theme or extension is that the developer keeps it updated at least once a month. This allows them to patch up bugs the second they’re discovered, which helps keep your site protected. Depending on the content management system (CMS) you use, those updates might get pushed through automatically. If not, it’s up to you (or your developer) to keep an eye on them and implement them immediately. It’s also essential to keep your CMS updated. The most recent Sucuri security report found that, of the infected sites they checked, 56% of them had outdated software:
8. Use a Secure Payment Processor
If your website accepts payments, fees, or donations from visitors, then protecting your payment processing is a must. An extended validation SSL certificate (which you can get from Web Hosting Canada, for instance) is useful for this. You’ll also have to make sure the payment processor you use is PCI compliant and has strict security protocols in place on their side of things. Authorize.net, Stripe, and PayPal will be your best bets in terms of security.
9. Secure Your Forms
Even though contact forms don’t usually accept information that’s as sensitive as payment forms, that doesn’t mean you shouldn’t protect them. That’s because hackers can also use forms to inject malicious scripts into your website. When building a contact form or installing a plugin to do so, make sure it’s properly secured.
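What "properly secured" means for a contact form, as an added example that is not from the original article: validate every field on the server, then escape submitted text wherever it is displayed. The field names, length limits, and function names are assumptions, and the sample submission is constructed.

```python
import html
import re

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
MAX_MESSAGE = 2000  # assumed limit for a contact form message


def validate_contact_form(form):
    """Return cleaned fields or raise ValueError; runs server-side."""
    name = form.get("name", "").strip()
    email = form.get("email", "").strip()
    message = form.get("message", "").strip()
    # CR/LF in single-line fields would let a value spill into mail headers.
    if any(ch in name + email for ch in "\r\n"):
        raise ValueError("line break in single-line field")
    if not 1 <= len(name) <= 100:
        raise ValueError("name length")
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValueError("email format")
    if not 1 <= len(message) <= MAX_MESSAGE:
        raise ValueError("message length")
    return {"name": name, "email": email, "message": message}


def render_unsafe(fields):
    """Before: submitted text is pasted into the page as markup."""
    return "<p><b>%s</b>: %s</p>" % (fields["name"], fields["message"])


def render_safe(fields):
    """After: every value is HTML-escaped at the point of output."""
    name = html.escape(fields["name"], quote=True)
    message = html.escape(fields["message"], quote=True)
    return "<p><b>%s</b>: %s</p>" % (name, message)


# Constructed submission containing markup in the message field.
SAMPLE = {"name": "Pat", "email": "pat@example.com",
          "message": "Hello <script>alert(1)</script>"}
```

Validation passes the sample because a message may legitimately contain angle brackets; it is the escaping in render_safe that keeps the browser from treating the text as a script.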
10. Implement a Firewall
A firewall is a must-have security tool. You’ll need one server-side (so make sure your web hosting company uses one) as well as one for your website. Security companies like Sucuri offer firewalls that work really well. For instance, these are the kinds of attacks they fought off in 2019:
If you’re using a security plugin on your site, it may come with a firewall if you don’t want to buy one.
11. Protect Against Spam
Spam can appear in many places on your website:
- Blog comments
- Product reviews
- Contact form responses
- Your website content (as embedded links)
The last one is particularly scary because SEO spam (which is what it’s called) was found on 62% of compromised websites in 2019 by Sucuri. And because they look like intentionally placed links, users trust them more than messages that are clearly spam in a comment feed. An SSL certificate, firewall, and anti-spam software are needed to keep this kind of infection out.
12. Protect Against Malware
There are many types of malware. According to Sucuri, these were the most prominent malware attacks in 2019:
A lot of the website security strategies above will help keep this kind of malware off of your site. However, it’s vital to implement anti-malware tools at every level:
- Server (which your web host is responsible for)
- Website (which you can do with a security plugin, SSL certificate, and so on)
- Devices (which you’ll get from antivirus software like McAfee and Norton installed on your devices)
13. Capture Backups of Your Site
This isn’t necessarily a security protocol, but it’s an essential part of a website’s security strategy. If your website is taken offline, defaced, or otherwise infected, you could spend time manually cleaning things up or rebuilding it. But why? By capturing backups of your website regularly, you can instantly roll back your site to a point in time when it was uncompromised.
14. Set Up Security Monitoring
Security measures like the ones above are going to allow you to proactively protect your site. Another way to be proactive and stay on top of the situation is to monitor your website 24/7 for suspicious activity and breaches. You can use a security plugin to help with this, get a security monitoring upgrade from your web host, or sign up for an all-in-one security service like the ones Sucuri and SiteLock offer.
15. Have a Plan in Place
Like I said before, hackers can get mighty creative when it comes to finding a way into your website. While the strategies above reduce the chances that will happen, there’s no 100% guarantee. If something does happen, you want to be prepared. As IBM and Ponemon found, an incident response team and website continuity plan can save you a ton of time, money, and trouble:
So, find someone you trust to handle website security:
- Setup
- Monitoring
- Cleanup
- Reputation restoration
- SEO repair
- And more
Wrap-Up
The fact of the matter is: You should be worried about website security breaches. However, with the right strategies in place, you’ll reduce the likelihood of it happening in the first place and improve your chances of getting through one. Although our specialty is in web design and SEO, we understand how important website security is in the scheme of things.