How to Enhance Your Website Security and Mitigate Threats

Cybercrime is the greatest threat to every company in the world.

–IBM’s chairman, president, and CEO, Ginni Rometty

And if you ask any organization that’s experienced a hack in the past to vouch for this statement, they won’t hesitate to explain the profound impact a cyberattack or data breach can have. It doesn’t matter if you’re a small business, startup, or public company on the stock exchange, it can wreck your company and deplete your resources.

While a thorough cybersecurity strategy accounts for every aspect of an organization’s digital presence and network connectivity, it often begins with an airtight website – one that deflects attacks, protects data, and safeguards the brand.

In this article, we’re going to show you some of the top steps you can take to finally secure your website once and for all. And in doing so, you can protect your business and sleep a little sounder at night.

The Lowdown on Website Hacking and Cybersecurity

Before we roll up our sleeves and get to work securing your website, let’s get clear on specifically why you need to invest in greater website security.

Yes, some executive over at IBM says it’s important, but why specifically do you need to pay attention to website security?

Well, here are a few specific data points as curated by WebARX and Sucuri:

  • There is an attack on the web every 39 seconds, and insecure usernames and passwords are often the entry point.
  • Hackers steal an astonishing 75 records every second, which speaks to the size of the average attack.
  • According to 7 out of 10 black hat hackers, traditional antivirus security and firewall products are irrelevant and/or obsolete.
  • Hackers create an astonishing 300,000 new pieces of malware every single day.
  • Somewhere around 30,000 websites are hacked each day.
  • 87 percent of all websites have some type of mid-level weakness.
  • More people worry about being the victim of a cyber attack (71 percent) than people who worry about being the victim of an assault (24 percent).
  • 73 percent of companies are not ready for a cyber attack.

What exactly makes websites so vulnerable to these attacks?

  • 62 percent of websites have an SEO spam infection. (Database spam is the most common type.)
  • 47 percent of all infected websites contain one or more backdoors – malicious code the attacker leaves behind so they can get back in after the initial infection has been cleaned up.
  • 56 percent of all CMS installations were out of date at the time of infection.
  • 46 percent of web applications have some sort of critical vulnerability that could potentially expose websites to hackers.

Hopefully these data points give you a clearer idea of just how important website security is. And, if you’re like most business owners or entrepreneurs, it’s probably opened your eyes to the possibility that your website might not be as secure as you think.

7 Tips to Finally Secure Your Website

It can be sobering to realize that your website may be vulnerable to an attack. But we’re not just going to leave you here to feel anxious and stressed.

We want to provide you with some tangible suggestions you can use to reshape your website security strategy and prepare for the future.

Let’s dive in:

1. Keep Your CMS Updated

This is one of the most basic tips in this article, but it’s also something that thousands of businesses overlook.

If you want to keep your website secure, it starts with keeping all software up to date. This applies to both your CMS and the server operating system. But in all likelihood, it’s the CMS portion that you have to be most cognizant of.

Whether it’s WordPress or some other CMS, be meticulous about updates. They can be a pain, and an update occasionally breaks something, so keep a current backup and test on a staging copy where you can. But security updates carry the fixes for flaws discovered in earlier versions, and running the latest version is the only way to get them.

If you let yourself fall too far behind, you are exposed. Once a vendor publishes a fix, attackers compare the old and new code, work out the flaw, and scan for sites still running the old version, which makes those sites easy to compromise.

The time to update is the day a new update comes out. The next best time is now. Don’t delay in making this important change.

2. Be Wary of SQL Injections

SQL injection is one of the most common attacks used to read or manipulate a website’s data. It happens when an attacker submits crafted input through a web form or URL parameter that your code copies into a database query, so that the input is executed as part of the query.

If you build queries by concatenating user input into an SQL string, that input can change the meaning of the query: an attacker can read rows they should never see, alter tables, or delete data.

Prevent SQL injection by using parameterized queries (prepared statements), where the SQL text contains only placeholders and the values are sent to the database separately. Almost all web languages – and certainly the popular ones – support this; in WordPress, $wpdb->prepare() is the equivalent.

3. Keep Your Lips Sealed

Error messages play an important role in letting your website users know when something has gone wrong. They also help you understand where your website has flaws or issues, so that they can be resolved sooner rather than later. However, it’s important that you aren’t too descriptive with your error messaging.

If you give away too much information in your error messages – stack traces, SQL fragments, file paths, software versions – you hand an attacker the details they need to exploit a weakness. Show users a minimal, generic message, keep the detailed errors in your own server logs, and make sure your framework’s debug mode is switched off in production.
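An added example (not the article’s code) of that pattern in Python: one handler that echoes the exception text to the client, next to one that logs the full detail server-side and returns only a generic message with a reference id the user can quote to support. The logger name and the sample database error are assumptions constructed for the demo.

```python
import logging
import traceback
import uuid

# Added example, not the article's code. "webapp" is an assumed logger name;
# wire it to your real logging setup.
log = logging.getLogger("webapp")

GENERIC_MESSAGE = "Something went wrong. Please try again later."

def leaky_response(exc):
    # What a framework in debug mode does: echo the exception to the client.
    # Table names, file paths and SQL fragments end up in the browser.
    return 500, {"error": f"{type(exc).__name__}: {exc}"}

def safe_response(exc):
    """Log the full error server-side; return only a generic message plus a
    reference id so support staff can find the log entry without the client
    ever seeing the internals."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s unhandled error: %s", ref, detail)
    return 500, {"error": GENERIC_MESSAGE, "ref": ref}

# Constructed sample failure: the kind of message a database driver raises.
SAMPLE_ERROR = RuntimeError(
    "OperationalError: no such table: orders (db=/var/www/shop/data/shop.sqlite3)"
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("leaky:", leaky_response(SAMPLE_ERROR)[1])
    print("safe: ", safe_response(SAMPLE_ERROR)[1])
```

The reference id is the piece people forget: without it, a generic message leaves support with no way to match a user’s complaint to the log line that explains it.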

4. Improve Your Passwords

One of the absolute worst things that can happen to your website is to have the admin account on your CMS hacked. Unfortunately, this occurs quite frequently. And the number one method of hacking into a CMS is guessing the password.

The first thing a hacker is going to do is use one of the six most common passwords to see if you’re one of the suckers who uses: “admin,” “123456,” “666666,” “111111,” “12345678,” or “qwerty.” Please don’t use one of these!

In order to develop a strong and secure password, there are a few simple tips you should follow:

  • The longer your password is, the better. Use a minimum of 10 characters, and 20 or more if you want a comfortable margin.
  • Don’t use common words or phrases. Instead, use a random combination of characters.
  • Include at least one number, one letter, and one symbol.
  • A mixture of uppercase and lowercase letters makes your password harder to crack.
  • Change your password whenever you suspect it has been exposed, and never use the same password on multiple websites.
  • Afraid you won’t remember your password? Use a phrase and take the first letter from each word to form the password. Take lyrics from a song, for example. If it’s “Shot through the heart and you’re to blame, darling you give love a bad name,” taking each first letter gives you “stthaytbdyglabn.” Capitalize the first letter, add 1986 (the year the song was released), and finish with an exclamation point, and you get “Stthaytbdyglabn1986!” Now that’s a password. Keep in mind that well-known lyrics are in attackers’ wordlists, so a password manager that generates and stores random passwords is the safer default.

Whatever you do, don’t give anyone access to your admin account. If you need to add someone to the website’s backend in order to carry out administrative details, give them their own account and limit the functions they’re able to perform. As soon as they’re no longer needed, remove the account.

5. Minimize Plugins and Extensions

Website plugins are one of the factors that makes WordPress such an attractive option. They allow website owners to customize their sites, improve functionality, and offer more value and versatility to users. There are plugins for everything, including SEO, opt-in forms, ecommerce features, and even gimmicks and games.

Having said all of that, plugins also bring problems. Primarily, they pose a security risk when they aren’t regularly updated, or when their author stops maintaining them altogether.

With each plugin you have on your website, you’re basically creating another entrypoint for a hacker. And if you fail to update plugins, you run the risk of leaving your website vulnerable to an attack.

Remember the data point mentioned at the start of this article, which says 46 percent of web applications have some sort of critical vulnerability that could potentially expose websites to hackers.

We’re not telling you to avoid using plugins – they can be great – but be mindful of which ones you’re using and always delete ones that you no longer use.

6. Use HTTPS

If you’re unfamiliar with the term, HTTPS (Hypertext Transfer Protocol Secure) is ordinary HTTP carried over an encrypted TLS connection. It assures visitors that they are talking to your server and not an impostor, and it prevents anyone on the network path from reading or altering the content in transit.

Strictly speaking not every website needs HTTPS, but it is the standard today: browsers flag plain-HTTP pages as “Not secure,” and the switch is well worth it. If you handle anything your users expect to be private, you absolutely need it. This includes any website that accepts credit card transactions, records user data, or stores confidential information.

HTTPS used to be expensive and tricky to set up, but this is no longer the case. Let’s Encrypt issues free certificates, and an ACME client such as Certbot can obtain and renew them automatically. Once the certificate is in place, redirect all HTTP requests to HTTPS and send a Strict-Transport-Security header so browsers keep using the secure version.

As a side note, Google uses HTTPS as a (lightweight) ranking signal, so switching can give you a small boost in search results.
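An added Python check (not the article’s code) that captures what a correct HTTPS setup looks like beyond merely having a certificate: plain HTTP must redirect permanently to HTTPS, and HTTPS responses should carry a Strict-Transport-Security header with a max-age of at least a year. The two sample responses are constructed; in practice you would fill them from the status line and headers returned by `curl -I`.

```python
# Added example, not the article's code. Responses are constructed here as
# (status code, header dict) pairs standing in for what you would capture
# with curl -I http://example.com/ and curl -I https://example.com/.
HSTS_MIN_AGE = 31536000  # one year, the widely used minimum

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security header."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_https(http_resp, https_resp):
    """Return a list of problems; an empty list means the HTTPS setup passes."""
    problems = []
    status, headers = http_resp
    location = headers.get("Location", "")
    # Use a permanent redirect: browsers remember 301/308, not 302/307.
    if status not in (301, 308) or not location.lower().startswith("https://"):
        problems.append("plain-HTTP requests are not permanently redirected to https://")
    status, headers = https_resp
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        problems.append("HTTPS responses carry no Strict-Transport-Security header")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_AGE:
            problems.append("HSTS max-age is missing or shorter than one year")
        if not include_sub:
            problems.append("HSTS does not cover subdomains (add includeSubDomains)")
    return problems

# Constructed samples: a site that only installed a certificate, and one set up properly.
WEAK_SITE = ((200, {"Content-Type": "text/html"}),
             (200, {"Content-Type": "text/html"}))
GOOD_SITE = ((301, {"Location": "https://example.com/"}),
             (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))

if __name__ == "__main__":
    for name, site in (("weak", WEAK_SITE), ("good", GOOD_SITE)):
        print(name, audit_https(*site) or ["ok"])
```

The subdomain check is a recommendation rather than a hard rule: leave it out only if you knowingly run subdomains that cannot serve HTTPS.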

7. Choose the Right Host

Any reputable website host is going to offer you some website security features baked into their service package. And while you should never be 100 percent reliant on these basic security features, there’s something to be said for taking different aspects of it into account.

In order to understand website security in relation to hosting, you have to understand the different types of hosting and what makes them unique. There are four general types:

  • Shared hosting is one of the more popular options – namely because it’s the cheapest. But the reason it’s cheap is also the reason it has security issues: shared resources. Many customers’ sites run on the same server and share its CPU, memory, and often the same web-server and database processes. Your site is logically separated from the others, but a weakness in the host’s isolation, or a misconfiguration, can let a compromise of one site spill over into yours.
  • Managed hosting puts your website on a dedicated server (or a dedicated slice of one) that the provider administers for you, handling patching, monitoring, and backups. Many larger websites use this and it has a much stronger security foundation. However, the level of security really depends on the company hosting your site and managing the server.
  • Cloud hosting is, in many respects, much like managed hosting, except that it runs on a cloud provider’s infrastructure. You pay for computing power and storage based on how much you use. It’s generally considered to be very secure, but the provider only secures the underlying platform; whoever manages your instances needs to be experienced in order to configure them securely.
  • Virtual private servers (VPS) give you a virtualized slice of a physical server that you administer yourself (or pay someone to). The provider typically patches the hypervisor and nothing else, so operating-system updates, firewalling, and hardening are your job. This can be a very secure option, granted you have the right security skills and knowledge in place. If you don’t, it could be the worst and least secure option.

At the end of the day, security is not a website host’s main focus. So while there are some website hosts with strong security, most have their fair share of vulnerabilities. Thus it’s up to you to secure your own website.

Develop a Strong Site From the Ground Up

Want to keep your website secure? It all starts from the ground up.

At Dev.co, we never just design a website. We engage in meticulous design conceptualization that accounts for a secure backend. And, ultimately, this all leads to a beautiful and aesthetically pleasing front-end. We’re also more than just an outsourced development team, we are an extension of your internal dev team.

Want to learn more about how we can work together on your next web design or development project? Contact us today and we’d be happy to discuss it in greater detail!


Ryan is the VP of Operations for DEV.co. He brings over a decade of experience in managing custom website and software development projects for clients small and large, managing internal and external teams on meeting and exceeding client expectations--delivering projects on-time and within budget requirements. Ryan is based in El Paso, Texas.
Connect with Ryan on Linkedin.
Ryan Nead