In recent years, creating a website has become much easier. Content management systems (CMS) such as WordPress and Joomla have put business owners in charge of their own web presence.
Although responsibility for website security is now in your hands, many website owners are unsure how to make their websites secure. Customers who pay by credit card through an online payment processor need to be certain that their information is secure. Visitor information is not meant to be shared or sold to third parties without their consent. Users expect a secure online experience whether they are dealing with a small business or a large corporation.
A 2019 security survey by The Harris Poll, in partnership with Google Registry, sampled 1002 US adults aged 16-24 and 1001 adults aged 25 or older and asked them about creating websites and online security. Although more people are building websites, most Americans still have a large knowledge gap when it comes to online security and privacy protection. In fact, we can infer that many people overestimate their understanding of internet security (Spadafora, 2021).
While 55 percent of respondents gave themselves an A or B for online safety, over 70 percent could not correctly identify what a safe website URL should look like (Online Security Survey Results – Safe.Page, 2021).
There are a variety of ways to assure yourself, your staff and your customers that your website is safe and secure. Website security no longer has to be a guessing game. Take the necessary precautions to harden your website, and keep sensitive information away from prying eyes.
No approach can guarantee that your website will stay “hacker-free” indefinitely, but preventative measures reduce how vulnerable your site is. Website security can be both easy and complex at the same time. There are at least ten critical actions you can take to strengthen the security of your website before anything goes wrong.
Even in the internet age, business owners must protect their customers’ personal information. Take every essential safeguard and leave no stone unturned. If you have a website, never assume the best-case scenario.
How to Improve Your Website’s Security Today
1. Make sure your website platform software, such as WordPress or Magento, your theme and all plugins are up to date.
Every day, a large number of websites are compromised because the latest patches and updates were not installed. Attackers and bots constantly scan websites for vulnerabilities to exploit. This is often automated and done at an industrial scale, even by beginner-level hackers.
The health and security of your website, your business and your users depend on you installing updates as soon as they become available, because security enhancements and vulnerability fixes are frequent. If the software or apps on your site are not up to date, your site is likely not secure, and out-of-date software makes your website an easy target to find with Google Dork queries or other scanning tools.
Take every request for software and plugin updates seriously. One option is to have your system apply updates automatically. Webmasters often worry that automatic updates will break their website, and that is a real risk, but you should be running daily backups to long-term storage that holds at least 90 days of backups.
2. Ensure your web hosting and hosting OS are up to date
This one is a little tricky if you are using a managed hosting service, such as shared hosting, because you often will not have direct access to apply OS updates. However, you can still use a scanning tool such as builtwith.com to check whether the server OS is up to date. If it is not, put in a support ticket for your web host to fix it, or move hosting providers before it is too late.
Also ensure your hosting is running the most recent version of PHP, or at least a version that is still supported and not vulnerable.
Pro tip: A slow website or slow hosting panel can be a sign of an out-of-date one.
Other notable web hosting security services to look for:
- For shared hosting, a service such as CloudLinux with CageFS can be a huge advantage.
- Check how easy the backup service is to restore, how many backups you can hold, and whether they hold the backups on the server or off-server. There is no point having a bunch of backups on the same server that gets hit by ransomware, because you will lose the lot.
- Do they offer Git version control?
- Do they have automated backups?
- Do they have IP access management?
- Do they have malware scanning?
3. Use an SSL Certificate
The best thing you can do for your users is run a properly installed SSL certificate on your website. If you are not running ecommerce or handling sensitive information, a free service like cloudflare.com will be enough. Otherwise you should buy an SSL certificate from a respected supplier, such as Comodo. SSL certificates are often a nightmare to install for newbies and experienced webmasters alike, so we recommend getting a managed SSL from your web hosting provider.
You can test your SSL at the SSL Shopper website.
Once your SSL is installed you should lock your website so it only communicates with users over HTTPS. You can do this in a few different ways: .htaccess, your hosting panel, a plugin/extension and in some instances through your DNS provider (Cloudflare).
Note: Make sure all resources load over https as well and that there are no errors. The easiest place to check is your browser address bar: you should see a green or closed padlock and no warnings when the page loads.
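The padlock check above can be automated. The script below is an added example (not code from the article): given a captured exchange for the plain http:// URL and for the https:// page, it confirms the http:// request is permanently redirected to https://, that the https:// response carries a Strict-Transport-Security header with a max-age of at least a year, and that the HTML requests no sub-resources over plain http:// (mixed content). The sample status, headers and HTML are constructed, not captured from any real site.

```python
"""HTTPS hygiene checks for a website, run over a captured HTTP exchange.

Added example, not code from the original article. The responses below are
constructed, not captured from a real site. Three things are checked:
  1. the plain http:// URL answers with a permanent redirect to https://
  2. the https:// response carries a Strict-Transport-Security header
  3. the HTML loads no sub-resources over plain http:// (mixed content)
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ONE_YEAR = 365 * 24 * 3600
# Attributes that make the browser fetch something; an http:// value here is
# mixed content. <a href> is a navigation link, not a fetched resource, so it
# is skipped below.
RESOURCE_ATTRS = {"src", "href", "action", "data", "poster"}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every resource requested over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in RESOURCE_ATTRS or not value:
                continue
            if tag == "a" and name == "href":
                continue
            if urlsplit(value.strip()).scheme.lower() == "http":
                self.findings.append((tag, name, value))


def _lower_headers(headers):
    return {k.lower(): v for k, v in headers.items()}


def check_http_redirect(status, headers):
    """Problems with the response the plain http:// URL gives. [] is good."""
    problems = []
    location = _lower_headers(headers).get("location", "")
    if not 300 <= status < 400:
        problems.append(f"http:// answered {status} instead of redirecting")
    elif status not in (301, 308):
        problems.append(f"redirect uses {status}; use a permanent 301 or 308")
    if urlsplit(location).scheme.lower() != "https":
        problems.append("redirect Location is not an https:// URL")
    return problems


def check_https_response(headers, body):
    """Problems with the https:// response: HSTS and mixed content. [] is good."""
    problems = []
    hsts = _lower_headers(headers).get("strict-transport-security")
    if hsts is None:
        problems.append("no Strict-Transport-Security header")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if match is None:
            problems.append("Strict-Transport-Security header has no max-age")
        elif int(match.group(1)) < ONE_YEAR:
            problems.append(f"HSTS max-age={match.group(1)} is below one year")
    scanner = MixedContentScanner()
    scanner.feed(body)
    for tag, attr, url in scanner.findings:
        problems.append(f'mixed content: <{tag} {attr}="{url}">')
    return problems


# Constructed sample exchange for a site that redirects correctly but has a
# short HSTS lifetime and two resources still loading over plain http.
SAMPLE_HTTP_STATUS = 301
SAMPLE_HTTP_HEADERS = {"Location": "https://www.example.com/"}
SAMPLE_HTTPS_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}
SAMPLE_HTTPS_BODY = """<html><head>
<link rel="stylesheet" href="https://www.example.com/style.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="//www.example.com/logo.png">
<a href="http://partner.example.org/">partner</a>
<form action="http://www.example.com/login"></form>
</body></html>"""

if __name__ == "__main__":
    for problem in check_http_redirect(SAMPLE_HTTP_STATUS, SAMPLE_HTTP_HEADERS):
        print("http redirect:", problem)
    for problem in check_https_response(SAMPLE_HTTPS_HEADERS, SAMPLE_HTTPS_BODY):
        print("https:", problem)
```

Run against the constructed sample it reports the short HSTS max-age and the two http:// resources (the script and the form action); the protocol-relative image and the outbound link are correctly ignored. To use it on your own site, feed it the status, headers and body from your HTTP client of choice.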
What is an SSL Certificate?
SSL stands for Secure Sockets Layer and, in short, it’s the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personal identifiable information or with payroll information).
It does this by making sure that any data transferred between users and sites, or between two systems, remains impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal which can include credit card numbers and other financial information, names and addresses.
TLS (Transport Layer Security) is just an updated, more secure, version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term, but when you are buying SSL from DigiCert you are actually buying the most up to date TLS certificates with the option of ECC, RSA or DSA encryption.
HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar. (What is SSL, TLS and HTTPS? | DigiCert, 2021)
4. Use Complex Passwords and Unique Usernames
Editor note: Let me first say that you should be using a password manager, such as LastPass. Not only is it important to have a complex password, it is very important not to use the same password on multiple websites. Why? Because your whole password protection system will then only be as strong as the weakest website you used the same password on. Additionally, once a hacker gains access to one of your accounts it is easier for them to discover other services you use and gain more information on you for social engineering attacks. Don’t be foolish enough to believe that this or that system is safe from hacking; they can all be hacked, and that includes your bank and Google too.
The minimum you should be doing is using a random password generator that includes symbols, numbers and capitals. I personally use 12 or more characters and sometimes a lot more. The more complex it is, the longer it will take to crack.
Things to never use: words, names, birth dates, company names. If you are using things like [email protected], company2020 or name1976, it will take a hacker minutes to break them using what are called rainbow tables. Likely you have already been hacked and your details posted to hacker websites.
Therefore, the rule is: always use a complex username (turn off email logins for your website) and always use unique passwords.
- It is a good idea to change your passwords regularly; a good password manager makes this much easier. You should also review and upgrade the way your website hashes and salts your password and your users’ passwords.
- Never give anyone root access, and if you absolutely have to, be sure to change the password afterwards.
- Always delete unused admin and user accounts.
- Do not share admin accounts. Always create a new account with the appropriate access and its own password, and remove it as soon as it is no longer needed.
Note: Never leave unencrypted passwords in files on your computer. A post-it note on your screen is more secure, and that sucks. If you must write it down, store it somewhere secure like a safe or safety deposit box, and ideally encrypt it with OpenPGP first.
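Two of the points above, generating random passwords from a large character set and making sure your site salts and hashes them, can be shown in a few lines. The following is an added example, not code from the article or from any CMS: it generates passwords from the operating system's CSPRNG, estimates their entropy, and stores them as salted PBKDF2-HMAC-SHA256 hashes in a record format of my own (algorithm, rounds, salt and digest separated by "$"). The per-password salt is exactly what defeats the rainbow tables mentioned above: the same password stored twice yields two different records, so a precomputed table of hashes is useless.

```python
"""Generating strong random passwords and storing them as salted hashes.

Added example, not code from the article. The stored-record layout
"pbkdf2_sha256$rounds$salt$digest" is my own, chosen to keep the salt and
work factor next to the hash so they can be raised later.
"""
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Iterations for PBKDF2-HMAC-SHA256. OWASP's current guidance is in the
# hundreds of thousands; lower it only in tests.
PBKDF2_ROUNDS = 600_000


def generate_password(length=16):
    """Random password from the CSPRNG with at least one lowercase letter,
    uppercase letter, digit and symbol. Rejects lengths under 12."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def hash_password(password, rounds=PBKDF2_ROUNDS):
    """Salted PBKDF2 hash. A fresh 16-byte salt per password means two users
    with the same password get different records, which is what makes
    precomputed (rainbow) tables useless against the stored hashes."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = generate_password(16)
    print(f"generated: {pw}  (~{entropy_bits(16):.0f} bits of entropy)")
    record = hash_password(pw)
    print("stored:    ", record)
    print("verify ok: ", verify_password(pw, record))
    print("verify bad:", verify_password(pw + "x", record))
```

A 12-character password drawn from the 94-symbol alphabet has roughly 79 bits of entropy, which is why the article's 12-plus rule holds up; a dictionary word followed by a year has only a few bits by comparison. WordPress and most CMSs already store salted hashes; the point of the code is to show what "hashing and salting" means so you can tell whether a plugin or custom login does it properly.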
5. Best practice for web hosting / Domain accounts and servers
This is another aspect that is often overlooked. Take every precaution with your passwords (we are aware usernames are often assigned). Again, a password manager is ideal for this, and it is an ideal service to store critical server details in.
Domain names: be careful who you buy these from. Many small hosting and web design companies close within a year or two, often leaving their customers’ details and assets (domain names) stranded. There is nothing wrong with using a smaller provider, but ask them what the process is to recover your domain if they disappear.
It is very important that your name, address, phone and an email (one you can access without needing the email hosting of the domain in question) are listed as the registrant on the domain. You can check through a tool like viewdns.info, or go to auDA for .com.au domains, to look up the public whois data. You can also check who the registrant is via your domain hosting provider. Do not trust your web developer (yes, I’m singling them out, because they are often the ones who cause the issue) to always be there for you; check it and make sure they update it and give you controlling access. Yes, I know it’s a pain, but most hosting providers now give developer access, so it is not such a pain in the butt for them.
Ensure your domain is locked so it can’t be sneaked away. I don’t know how this still happens, but it does.
Pro tip: Set up your DNS with a different provider. Why? If you have issues with your domain host, such as a DDoS attack, you will still be able to access your DNS and point it to a different web/email host if you need to move hosts. It is amazing how often this has to be done. Our favourite DNS host is Cloudflare.
As I have said before, don’t just give up root access to anyone who asks for it. Basically, once another person has had root access you can never fully trust that server again! So always question what access they need and restrict it, for example by offering SFTP or FTP access only to certain folders. Better yet, set up a separate development server with Git access only.
Pro tip: Learn Git version control. I can’t tell you how many times it has saved my butt.
Pro tip: Learn how to back up and migrate your own website; it is an extremely good skill to have for an owner-operator or small team.
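On a server you control, "SFTP access only to certain folders" is a standard OpenSSH configuration. The fragment below is an added example (not from the article): members of a group called sftponly get SFTP only, jailed to their own directory, with no shell, port forwarding or tunnelling; the group name and the /srv/sftp path are assumptions.

```sshd_config
# Added example for /etc/ssh/sshd_config (not from the article).
# Group name "sftponly" and the /srv/sftp layout are assumptions.

# Nobody logs in as root over SSH; use a named account and sudo instead.
PermitRootLogin no

# Replace the distribution's "Subsystem sftp /usr/lib/openssh/sftp-server"
# line with the in-process server so it works inside a chroot.
Subsystem sftp internal-sftp

# Everything after a Match line applies only to the matched users.
Match Group sftponly
    # Jail to /srv/sftp/<username>. The chroot directory itself must be
    # owned by root and not group- or world-writable, or sshd refuses it;
    # give the user a writable subdirectory (e.g. /srv/sftp/<user>/site)
    # for the actual uploads.
    ChrootDirectory /srv/sftp/%u
    # SFTP only: no interactive shell, no scp, no arbitrary commands.
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

After editing, check the file with `sshd -t` before restarting the service, and keep an existing root-owned session open while you test a login from the new account, so a typo cannot lock you out. Bind-mount or symlink nothing sensitive into the jail: the user can read everything under it.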
6. Set and control user access
When you are a business owner you sadly need to assume the worst of everyone. Only give access when you have a plan for how you will revoke it.
Again, a password manager can be a useful tool. You can share access via a password manager without giving the staff member or user direct access to the password, and you can then revoke that access at any time. This adds another layer of control above and beyond user accounts and stops casual password sharing, which we all know happens.
As mentioned above, don’t just hand out admin or root access to anyone who asks for it. In some instances you are handing over your whole business to that person. Assign the least access a new user account needs; this gives you the most control and creates a record if something goes wrong. That way the dev team won’t be blaming the SEO or content team for copying over or deleting something… yeah, we’ve all been there with these arguments, and there is no winner, as it all costs you, the owner, money and time.
Pro tip: Version control, learn it, have your team learn it!
7. Install a security plugin / malware scanner
For WordPress this is a must! Install it, but don’t just install it: you have to configure it as well. There are plenty of easy-to-use guides out there. Don’t be afraid to ask for help, or better yet pay for it; your hosting provider can offer advice or may provide the service. Whatever you pay up front now to secure your website and hosting will be less than 1% of what you’ll pay if something goes wrong, and there may be instances where you can’t recover. More than one business has gone completely tits up due to a hack.
8. For the love of god back up your website!
Back up your website! Don’t just rely on local backups either; take a copy and store it offline as well.
Daily backups are great, but if you rarely make changes you are better off backing up less often and keeping more backups over time. I’d recommend 90-365 days of backups, with every major update or change getting an extra backup. In some instances live or 15-minute backups may be needed; adjust it to what you need, because it is expensive.
Ideally, you have a short-interval local backup that is easy and quick to restore. Then you have some off-server backups at a longer interval with more copies, which may be a little slower but give you a better restored copy. Then you have cold storage and offline, highly secure options that are less frequent, have high fidelity and serve as a backup of last resort in case of a massive breach, such as mass ransomware where you can’t track the first breach. You may keep years of these backups.
Just do it! Even if you pay the ransom you cannot be sure the system will restore, and this has happened to plenty of businesses and government agencies before.
10. Know your own system
As an owner, manager or director it is your duty to know your own system and the processes around it that keep it secure. Don’t leave it up to Bob or Jane in ICT to do it. Learn what is required and make sure it is done. This is the one time where you are free to micro-manage the hell out of it.
Pay for a penetration test and security audit by a proper security team, then read it and act on their recommendations.
11. Regularly assess your security
This should be a regular item that gets assessed and acted on. However, I recommend that whenever there is any downtime you do those extra backups, check that the backups are working and test your restore process.
- Check you have tight processes for restoring user access!
- Make sure employees are using password managers.
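"Check the backups are working and test your restore process" is worth turning into a script you can run during downtime. The one below is an added example, not from the article: it backs up a small constructed site tree to a tar.gz with a SHA-256 manifest alongside, then restores the archive into a fresh directory and compares every restored file against the manifest, refusing archives that would write outside the restore directory. The manifest file name and the archive layout are my own.

```python
"""Take a backup of a site directory, record a SHA-256 manifest, then prove
the backup restores cleanly by extracting it elsewhere and comparing every
file against the manifest.

Added example, not from the article. The site tree is constructed inside a
temporary directory; the manifest file name and archive layout are my own.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """{relative posix path: sha256} for every file under root."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def create_backup(site_dir, archive_path):
    """Write archive_path (tar.gz) plus a sidecar manifest; return the manifest."""
    manifest = build_manifest(site_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    Path(f"{archive_path}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive_path, restore_dir):
    """Extract into restore_dir and compare with the manifest.
    Returns a list of problems; an empty list means the restore is verified."""
    manifest = json.loads(Path(f"{archive_path}.manifest.json").read_text())
    with tarfile.open(str(archive_path), "r:gz") as tar:
        for member in tar.getmembers():
            # Refuse archives that would write outside restore_dir.
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(str(restore_dir))
    restored = build_manifest(Path(restore_dir) / "site")
    problems = [f"missing or changed after restore: {name}"
                for name, digest in manifest.items() if restored.get(name) != digest]
    problems += [f"unexpected file in restore: {name}"
                 for name in restored if name not in manifest]
    return problems


def make_sample_site(site_dir):
    """Constructed stand-in for a small CMS install (three files)."""
    site_dir = Path(site_dir)
    (site_dir / "uploads").mkdir(parents=True)
    (site_dir / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (site_dir / "wp-config.php").write_text("<?php define('DB_NAME', 'example_db'); ?>\n")
    (site_dir / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(range(64)))


def run_backup_cycle(tamper=False):
    """Full cycle in a temp dir: backup, then restore and verify.
    Returns (number of files backed up, list of problems). With tamper=True
    the manifest is altered after the backup to show a mismatch is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        make_sample_site(site)
        archive = Path(tmp) / "site-backup.tar.gz"
        manifest = create_backup(site, archive)
        if tamper:
            bad = dict(manifest, **{"index.php": "0" * 64})
            Path(f"{archive}.manifest.json").write_text(json.dumps(bad))
        problems = verify_restore(archive, Path(tmp) / "restore")
        return len(manifest), problems


if __name__ == "__main__":
    count, problems = run_backup_cycle()
    print(f"{count} files backed up; restore problems: {problems or 'none'}")
    print("tampered manifest:", run_backup_cycle(tamper=True)[1])
```

For a real site the database dump belongs in the same archive as the files, the manifest should be stored with the off-server copy rather than only next to the local one, and the restore test should run on a scratch host, never on the live server.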
Online security is a holistic process that continues and never stops.
Spadafora, A., 2021. Americans overestimate their understanding of internet security | TechRadar. [online] Techradar.com. Available at: <https://www.techradar.com/news/americans-overestimate-their-understanding-of-internet-security> [Accessed 5 July 2021].
Safe.Page. 2021. Online Security Survey Results – Safe.Page. [online] Available at: <https://safe.page/survey/> [Accessed 5 July 2021].
Websecurity.digicert.com. 2021. What is SSL, TLS and HTTPS? | DigiCert. [online] Available at: <https://www.websecurity.digicert.com/en/au/security-topics/what-is-ssl-tls-https> [Accessed 5 July 2021].