14 Ways To Keep Your Website Safe
Have a security threat model or cyber security risk assessment
Your web developer or project manager should assess the security needs of your website.
If your website is complex or you are wanting an application or software, then your developer will need to do a security threat model. Which is a task that looks at cyber security risks then uses that understanding to protect systems in a risk based way.
Security should be proportionate to the needs of the specific website. The investment in security should match the security threat model.
Choose a capable host and web developer
Data loss or out-of-commission websites can turn away potential customers. Partnering with an effective hosting provider can keep your site online and secure, which is critical to any business.
A good relationship with your hosting provider and web developer is a must.
It is important to have experienced and supportive tech support. Make sure they are available if your website experiences an outage. This means being available 24hours a day, 365 days a year.
Whilst phone service is great, ensure that they have online support. Online conversations helpful because you can keep a log copy and accountability of the hosting providers promises and delivery.
A good hosting plan will offer instant access to all server logs within the past 24 hours on the server. This data includes server errors and user access records along with a host of additional data, and can be used to pinpoint security issues.
Back up your website
Backups are the quickest way to restore a hacked website. Data backups are a standard for every hosting provider; how often your site is backed up depends on the hosting plan and your needs.
You can also take your own backup of the website and store it on a remote or portable hard drive. Although this may be seen as overkill, it does allow the website owner the ability to move the website rapidly to a new hosting platform if the current host is compromised.
Some tips for managing your own back ups:
- Firstly, the back ups have to be off site. If the backups are stored on the same server as your website then they are just as vulnerable to attacks.
- Secondly, your backups should be automatic. Transferring the backup to a remote server or to a portable hard drive is then a very easy task. Use a backup solution that can be scheduled to meet your website needs.
- To finish, have reliable recovery. Having the backup to your website is just half of the solution. Being able to use the backup to restore the website is just as important. Make sure that the backups are not corrupted and can be restored at multiple points in time just in case your website is compromised and it takes a bit of time for you to notice.
Get an SSL Certificate
You may have noticed that some websites have http in the URL while others have https. The extra “s” stands for secure and indicates that it has an SSL and the website is secure.
SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browser remain private.
SSL safeguards your data and enables secure sessions once the certificate is installed on the web server. Users can see whether or not a website is secure by looking at the browser tab: if there’s padlock, a word “secure” marked in green, and of course – HTTPS, then you’re safe!
Your hosting provider can include an SSL in your hosting plan.
Dive deeper: What is SSL and why do I need it
Don’t go live with defaults
By default, your WordPress site’s login URL is domain.com/wp-admin. Hackers know this and can use it to easily get access to your site and cause mayhem.
To protect yourself from these attacks, you should rename your admin folder (instructions can be found via the link below).
Adopt the principle of least privilege
Anyone with access to your website should have limited access privileges that are essential to that user’s work – and nothing more.
For example, if someone wants to write a guest blog post for you, make sure their account does not have full administrator privileges. They should only be able to create new posts and edit their own posts because there is no need for them to be able to change website settings.
Granting privileges to specific roles will guide what that individual can and cannot do. In a perfect system, a role will stop anyone who tries to perform an action beyond what it’s designed for. This approach can preserve your business’ online presence and prohibit devastating setbacks.
Once you have separate accounts for every user, you log user activity and keep an eye on when and where they normally access the website. This way, if a user logs in at an odd hour or from a suspicious location, you can investigate – then confirm and act if the account has been compromised.
Enforce a strong password policy
A study was made in 2019 that stated that on the web, there is an attack about every 39 seconds. Using secure usernames and passwords will decrease the likelihood of those attacks.
A strategy that hackers use to crack a password is brute-force. This means that the hacker will use software to run through every password combination until it gets a match.
To protect against brute force, passwords should be complex. It should be 10 characters long and containing uppercase letters, lowercase letters, numerals and special characters.
Consider using two-factor authentication, which asks users to log in by using a two-step user identification method. The first one is the username and password and the second step requires you to identify that you are who you say you are by obtaining authentication credentials by using a separate device or app.
Consider restricting the amount of login attempts
We also recommend you restrict the amount of login attempts made by users. A maximum of 5 password guesses per minute and a maximum of 2 password resets per account, should suffice. This allows for the case when someone forgets their password. It will also halt brute-force attacks.
The number of guesses per IP address could be a greater number. This is because shared offices might use the same IP address and have multiple users trying to log in on your website. If you notice a high volume of login attempts from the same IP address frequently, you might need to investigate and/or make the executive decision to block that IP. We suggest 20 guesses per minute and a maximum of 5 password resets.
You might also like to research password management tools that will randomly generate your passwords for you, and store them safely.
Keep software up to date
Software updates help keep hackers out.
Hackers aggressively target security flaws in popular web software, apps, plugins and programs. As such, all of these need to be updated frequently to patch any identified security weaknesses.
Much like with changing the oil in your car, computers and the software they use need regular updates to ensure they continue to run safely. Keeping your software updated will repair any identified security flaws and fix or remove computer bugs. In-fact most software updates are created due to a security breach that has been identified and fixed.
Keeping on top of updates will save you a lot of stress and time in the future when hackers decide they want to take advantage of any new vulnerability on your site.
Dive deeper: Cyber Tip – Update Your Software Promptly
Use security plugins
Keep it simple.
Which is more secure, the house with 20 doors or the house with 1 door? The answer in obviously 1 door. The more complex a system becomes, the harder it is to secure.
Unnecessary complexity is a security liability. To reduce this risk, keep your website as simple as possible. Every plugin you install on your website increases your “attack surface”. The more code you are running, the higher the odds of a security vulnerability.
Every plugin you add to your site also represents another developer you are relying on to keep you safe. That includes writing secure code, responding quickly to vulnerability reports and keeping your best interests in mind. It is also important to have only one theme downloaded and activated on your site.
Choose trustworthy plugins.
22% of WordPress sites are hacked because of a security issue within a plugin. Choose plugins that are frequently updated, at least within the past two months, and are operating on the latest version of WordPress. To make sure security is addressed, examine the plugin’s change log for details on the changes made to each new version.
Other indicators of a secure plugin are a high download count and good reviews. Also check out what support they offer. Good support means that you can ask any question and get a helpful answer, quickly. If the developer has a strong reputation and puts out good products, chances are that any plugin from them will be good.
This also follows through to applications on your mobile devices. One you have discerned the legitimacy of the application, be vigilant in checking application permissions. Any permissions that are not required for the application to work properly, should be turned off as they could be questionable spyware.
Update plugins regularly
Your website will likely have plugins, apps, and software that will also require maintenance and updates. At least once a week, your website should be scanned for updates. This could be time consuming if you have a complex site.
A good web host or developer will take on these updates for you or can help you assist you in the process.
Attackers continue to target old plugins with known vulnerabilities in an ongoing malware campaign targeting WordPress websites.
Never use nulled themes
A nulled wordpress theme is a pirated theme. They are also called “checked themes” or “hacked themes”. They are themes that someone hacks or even gets legally and shares them with others without the seller’s permission.
They are a sure-fire way of getting malware or malicious code on your website. If you want to learn the process of removing viruses from your website – download a nulled theme!
It is common for beginners to download free themes without knowing they are nulled. They find websites that offer free premium themes – but in reality, there is no such thing as free premium themes unless the developer offers them on their site.
Some nulled themes may be safe but unless you have the knowledge and time to dig through all the code, you have no idea what else is lurking for you in the nulled extension. At Rock Solid Marketing, we never use nulled themes, not only because of the safety issue but for ethical reasons. Nulled themes deprive the developer of funds and are offensive to the web development industry.
It is much better to download themes from the authors website or from the official WordPress themes repository. There are also legitimate sites such as template monster.
Disable features, programs and software you don’t use
Many people install plugins, programs and services, decide not to use them, then forget about uninstalling them. Regularly checking for updates should bring these to your attention.
Remember every program and service or plug in on your site is a security vulnerability that could put your site in danger.
The less you have installed the more secure your website will be.
Audit and disable features on your website you are not benefiting from. For example: disable commenting on your website if you are not getting value from that service.
This should also be followed through to compute software. Malware is known to jump from an infected user’s computer through text editors and FTP clients. If a security attack gets into your computer, it not only affects your machine, but the hackers can get full access to websites when webmasters are logged into their admin interfaces.
If you aren’t sure of the purpose of a specific application, do some research to decide whether you need it or not.
If you don’t intend to use it, remove it.
Pro tip: Keep your file structure organized to keep track of changes and make it easier to delete old files.
Understand the risks of public wifi
Public wifi allows users to use the internet in a public place, such as a library, coffee shop or airport. The problem with this scenario is that you can never be sure the security on these devices is 100% airtight.
Steps you can take to stay safer on a public shared wifi include:
- Disable file sharing
- Use a VPN ( a service that allows you to connect to the Internet via an encrypted tunnel to ensure your online privacy and protect your sensitive data.)
- Only visit sites using HTTPS
- Log out of accounts when done using them
On a public wifi you should never:
- Allow your Wi-Fi to auto-connect to networks
- Log into any account via an app that contains sensitive information. Go to the website instead and verify it uses HTTPS before logging in
- Leave your Wi-Fi or Bluetooth on if you are not using them
- Access websites that hold your sensitive information, such as such as financial or healthcare accounts
- Log onto a network that isn’t password protected
Dive deeper: How to Avoid Public WiFi Security Risks
Every website is vulnerable to cyber attack. It is the responsibility of every website owner to take the necessary precautions to reduce the likelihood of an attack.
Always be proactive when it comes to protecting your company’s and customer’s data. It is a good idea to have web safety policies in place and teach your employees to be safe online. One single cyber attack could ruin your reputation and even your business, so it’s okay to be slightly paranoid when it comes to protecting against cyber attacks as it is the security of your business that is at stake.
Whether your site takes online payments or personal information, the data visitors enter into your site must land in the right hands.
If your website is targeted by hackers, the best response is to stay calm, reset your passwords, and run a scan to detect any malware. You should also contact your web host if you need help with any issues.