How to Secure Your Website: 10 Ways for 2023
As a website owner, you know the importance of securing your online presence. Not only does it protect sensitive customer data and prevent costly downtime, but it also preserves your company's reputation. Companies have woven the internet into almost every aspect of their operations, with the average data breach costing $4.35 million. In 2022, nearly 60% of small businesses that experienced a cyber-attack shut down within six months. Don't let your business become a statistic - take preventative measures to secure your website today.
What is website security?
As a website owner, you know the importance of protecting your site from cyber threats like hacking and malware. But do you have the necessary security measures in place?
Website security involves a range of technical and organizational measures, including firewalls, antivirus software, secure passwords, and protocols for handling sensitive data. These measures are essential for maintaining your website's integrity and users' trust.
Ignoring website security can have serious consequences, including data breaches, loss of sensitive information, and damage to your reputation and finances.
With the ease of Open Source Content Management Systems (CMS) such as WordPress, everybody can be a webmaster and get online quickly. While Open Source CMSes provide frequent security updates, using third-party plugins or themes can lead to vulnerabilities that hackers can easily exploit. In 2021, roughly one-third of all websites with a detected credit card skimmer used WordPress.
With over 30,000 site hacker attacks daily, small business websites are especially vulnerable. Google alerts almost 4 million users weekly to hacked sites through its safe browsing initiative. Your site will be blocklisted by Google and lose up to 98% of its traffic.
It is essential to prioritize cybersecurity and educate yourself and your employees about best practices for protecting sensitive information online. Take preventative measures to secure your website and protect your business from potential threats.
Why Websites Get Hacked
Small business owners often think they won't be hacked because their sites are local or their traffic is negligible. However, most hacking attempts rely on automation. Automated attacks involve finding and exploiting a vulnerability across the entire web. Your site's size or popularity isn't a factor, only the security flaw. Hackers are looking to:
- Trick site visitors into installing fake browser updates
- Redirect users to illegitimate sites
- Spread malware and viruses
- Steal data stored on the site
- Trick bots and crawlers (SEO Spam).
- Defacement or hacktivism
- Steal credit card data
Read on to find our list of steps to avoid a hacked website.
1) Sign-up for Google Search Console
Google Search Console (GSC) is a free tool that allows you to monitor, maintain, and improve your website's presence in Google search results. GSC can help prevent hacks by alerting you to any security issues or malware detected on your site. If GSC detects malware or hacked content, it will email you to help you identify and fix it.
While it is not explicitly designed to prevent hacks or other cybersecurity threats, it can provide valuable insights and alerts to help website owners identify and address potential site issues. Using GSC to monitor your site and address potential problems, you can take proactive steps to prevent hacks and other security threats.
2) Install an SSL certificate.
An SSL (Secure Sockets Layer) certificate establishes a secure, encrypted connection between a website and a user's web browser. It's the lock you see in your browser bar when browsing websites.
The SSL certificate helps protect your customers' sensitive payment information. Since 2014, SSL has also given an SEO boost to Google. Currently, 95% of Google's traffic is encrypted.
To install an SSL certificate, you can:
a) Purchase an SSL Certificate
You can quickly get an SSL certificate from your web host, domain registrar, or certificate authority (CA). This process involves generating a certificate signing request and verifying your website's identity. Once the SSL certificate is installed, users can access your website using the secure HTTPS protocol, which will help protect your customers' sensitive data.
b) Use the free Let's Encrypt
You'll need to install the Let's Encrypt software on your web server to request, renew, and revoke SSL/TLS certificates. You can also find a host that supports Let's Encrypt for an easier installation process.
Don't forget to use Google Search Console's HTTPS report to verify that your SSL is installed correctly on every page.
3) Keep your website up to date
Ensuring that your website is regularly updated with the latest plugin, theme, and core CMS patches is the best way to protect your website from compromise. Outdated software can leave your website vulnerable to viruses and cyber-attacks, and many of these hacks are automated, with bots constantly searching for vulnerabilities to exploit. It's not enough to update your website just monthly or weekly, as it's likely that a bot will discover and take advantage of a vulnerability before you have a chance to patch it.
Enabling auto-updates is a good idea. You should keep a backup of your website if anything goes wrong during the update process.
4) Manage plugins and extensions
Here are some tips for keeping your website secure by carefully considering the plugins and themes you install:
- Check when the extension was last updated. It's important to use plugins and themes that are regularly maintained and updated to ensure that they are secure.
- Read reviews and check the developers' credentials. This can help you gauge the quality and reliability of the plugin or theme and ensure that you're not adding vulnerable add-ons to your site.
- Be cautious of free plugins and themes. While free options can be tempting, they may not be as well-maintained or secure as paid options.
- Use reputable sources for your plugins and themes. Look for trusted sources such as the official WordPress plugin repository or reputable theme developers.
Using too many plugins and add-ons on your website can increase the risk of security vulnerabilities and impair your site's performance. Carefully consider which plugins you use, and only install those essential to your website's function. Paid plugins are often safer, as the developer is more likely to continue maintaining the plugin over time.
You can also check the CVE Details website to see if any of your plugins or extensions have potential vulnerabilities and consider replacing any that are no longer being maintained. Also, join your CMS security team's mailing list to keep your website safe and secure.
Just like your CMS, these add-ons require regular maintenance and upkeep.
5) Use robust passwords
Using strong, unique passwords is essential in protecting your website and online accounts. Hackers often use automated tools to guess passwords, so it's important to use passwords that are difficult to guess or crack.
Here's some tips for creating secure passwords:
- Use upper and lower case letters, numbers, and symbols.
- Longer passwords are more secure. Create a password at least 8 characters long.
- Avoid easily guessable words or information, such as your name, or common words like "password." Use LastPass to generate random passwords.
- Don't use the same password for multiple accounts. If a hacker gains access to one account, they may try to use the same password to access your other accounts.
- Consider using a password manager to help create and manage strong, unique passwords for all your accounts.
- Install a CMS plugin that ensures all users require a strong password.
- Enforce two-factor Authentication (2FA): 2FA adds an extra layer of security beyond just your username and password by requiring you to enter a code from a device (such as your phone) when logging in.
Following these tips and using robust passwords can help protect your website and online accounts from unauthorized access.
6) Add HSTS to your site
HSTS stands for HTTP Strict Transport Security and forces the browser to always use secure connections (HTTPS) and protects your website against man-in-the-middle attacks. When a website has HSTS enabled, the browser will automatically use HTTPS for all requests to the website, even if the user tries to access the site using the insecure protocol HTTP.
- Check if you have HSTS installed
- Update your web server to serve HSTS headers. Google "your web host + install HSTS" for instructions.
- Verify your HSTS Header via Google Chrome Devtools
7) Secure your administrator
All websites are under constant 24/7 brute-force attacks. You can strengthen your site's security by password-protecting your entire CMS admin directory to add another layer of password protection. It's a simple step that shouldn't take more than 5 minutes.
For WordPress, yourdomain.com/wp-admin is the admin dashboard URL. wp-admin is the folder you want to protect. Google "your web host + password protect directories" for a guide. Here's a cPanel guide, a standard server management platform on many web hosts.
The .htaccess file is a powerful configuration file you can use to override the default settings on your web server to tighten your site's security and improve performance. Changing your .htaccess file is technical, and not all settings work on every site, but here's a handy guide. You can use the 7G Firewall .htaccess rules to protect your server against automated attacks, evil bots, spam, and other threats. If in doubt, work with an expert.
Web Application Firewalls (WAF) plugins and extensions block suspicious traffic, monitor PHP files for changes, and tighten security. Search for your CMS + WAF to find recommendations.
8) Set up automatic backups
A backup is essentially a copy of your website data and is essential in case of an attack. Creating routine backups ensures that it can be restored quickly or rolled back after making updates. Without a backup, you risk losing all data and settings. You can create backups with a tool, rely on your hosting provider, or do it manually. Remember, you'll also need to copy the database when creating a backup.
When choosing a web host, ensure they make automatic daily backups and check how many days they keep their backups. For WordPress or Joomla CMSes, you can install either the free or paid edition of Akeeba Backup to create, manage and restore complete backups.
9) Monitor your website
Regularly scanning can ensure you detect any issues or threats before they cause severe damage to your brand reputation.
UptimeRobot checks your website every 5 minutes and emails you if your site goes down. Their paid plan also includes SSL monitoring and checks every minute.
VirusTotal is a free service that analyzes your site to detect breaches, malware, and other malicious content. It also checks if your URL/domain is listed on a blocklisting site.
Sucuri security checker will check your site for known malware, viruses, blocklisting status, website errors, out-of-date software, and malicious code.
10) Enable different access levels
As a business owner, it's crucial to have a system to manage the contributions and actions of different personnel on your website. That's where Access Control Levels (ACL) come in, as they control what users can see and do. For example, some CMSes allow all backend users to install whatever extensions they want. By restricting access to certain areas of the site and assigning different privilege levels, you can prevent errors and protect your website from potential crashes.
One effective way to manage updates and content publishing is to use separate logins for employees. This allows you to assign different privilege levels, with business owners and higher-ups having the highest level of control. Also keep track of IP addresses, logins, and activity history to maintain the integrity of your online presence and prevent any potential setbacks. By implementing these measures, you can ensure that your website runs smoothly and effectively.
As a website owner, it's crucial to prioritize security to protect your site from potential threats. This starts with choosing a reliable web hosting provider, making smart decisions about how you run your site, and taking the time to create secure passwords. By following these best practices, you can improve the security of your website and ensure its long-term success. Remember, good website security starts with you – so be sure to put in the effort to make it a top priority.
*The opinions reflected in this article are the sole opinions of the author and do not reflect any official positions or claims by Acer Inc.
About Robert Stark: Robert is a Taiwan-based writer and digital marketer at iamrobert design. He has a passion for helping people simplify their lives through tech.