Good website security starts with your own personal security. If a hacker can control your workstation, the hacker controls your website. As cybercriminals increasingly target humans, you need to guard your phone and your email, or your website could fall into the wrong hands.
Keeping your website secure is vital for keeping users’ trust. It can also keep your website off of blacklists, so you stay in business. We compiled a list of basic tips for keeping your website secure. While preventing all hacker attacks may be impossible, these tips can cut your website’s risks by more than 90%.
- Keep website software updated.
The most important thing you can do to keep your website secure is to keep the software up to date. The bad guys scan the entire Internet looking for unpatched software. When hackers look at your website, you do not want to be an easy target. Vendors find new bugs all the time. Keep up to date to keep the gremlins out of your site.
- Use secure passwords.
Insecure passwords are one of the most common vulnerabilities. You can keep your passwords secure by using long, complex passwords with a mix of letters, numbers, and symbols. Your passwords should not be based on anything related to you personally. You do not want to let a lucky thief into your database just for knowing the name of your dog.
IMPORTANT: To keep hackers from turning a break-in at one website into break-ins at others, you should use a different password on every site.
- Scan your website with a vulnerability scanner.
Did you know you can download professional tools like the ones hackers use? Scan your own website for security holes before the hackers do. Don’t use tools from hacker sites; hacker tools are full of malware. Look for security scanners published by reputable providers. Be prepared to see a massive list of vulnerabilities; not all are especially concerning, but make sure you fix any which can let people break into your site or steal your data.
- Keep regular backups.
If your website is hacked, the surest way to remove all malware which might have been left behind by the hacker is to 1. Wipe everything. 2. Restore your website from a backup. Backups should not be stored on the same server as the website. All backed up data should be stored on disconnected external drives or in the cloud.
- Disable error reporting.
When mistakes happen on your website, error messages can give hackers critical information to launch an attack. In development, error reporting is beneficial, but disable error reporting on a live site. Instead, have errors written to your server logs. You will track the information you need to fix problems on your website while keeping the bad guys in the dark.
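An added example, not from the original article: a Python WSGI middleware that writes the full error to the server log and shows the visitor only a generic message with a reference ID. The names `HideErrors`, `make_server_log`, `broken_app` and `demo`, and the sample error text, are constructed for illustration.

```python
import io
import logging
import secrets
import sys
import traceback

def make_server_log(stream):
    """Logger that writes to `stream` (a log file on a real server)."""
    logger = logging.getLogger("site.errors." + secrets.token_hex(4))
    logger.setLevel(logging.ERROR)
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(stream))
    return logger

class HideErrors:
    """WSGI middleware: details go to the log, a generic page to the visitor."""
    def __init__(self, app, logger):
        self.app = app
        self.logger = logger

    def __call__(self, environ, start_response):
        try:
            # Consume the body here so errors raised while iterating are caught too.
            return list(self.app(environ, start_response))
        except Exception:
            ref = secrets.token_hex(4)  # lets support match a report to a log entry
            # %r escapes control characters so a crafted path cannot forge log lines.
            self.logger.error("ref=%s path=%r\n%s", ref,
                              environ.get("PATH_INFO", ""), traceback.format_exc())
            body = ("Something went wrong. Reference: %s\n" % ref).encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))], sys.exc_info())
            return [body]

def broken_app(environ, start_response):
    # Constructed failure: the message leaks a table name and a file path.
    raise RuntimeError("no such table: users (/var/www/site/db.sqlite3)")

def demo():
    log = io.StringIO()  # stands in for the server's error log file
    app = HideErrors(broken_app, make_server_log(log))
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app({"PATH_INFO": "/account"}, start_response))
    return seen["status"], body.decode(), log.getvalue()
```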
- Give users only necessary privileges.
If you keep a blog, you do not want to give a guest blogger administrative access. Even the most trusted parties should not have extra privileges. If a trusted user falls victim to a hack, the hacker could use the trusted user’s excess privileges to cause you problems. Also, accounts which no one is using should be removed or disabled.
- Review default settings.
Many web applications have insecure default settings. You should remove any installation scripts as well. It can be helpful to change the locations where programs store administrative files. You should disable features you do not need. Make all settings as restrictive as possible to prevent some of the most common attacks.
- Consider malware protection.
Strongly consider installing a security suite or using a web application to scan your website for malware. Search engines will be looking for malware. Malware protection software can find it faster. You want to find any malware before Google takes you off of the search listings.
- Do not install unnecessary or insecure software.
Modern web packages contain many extensions. Adding software to your website makes staying up to date more complicated. Any extra software, plugins, or extensions make your site more likely to have security holes by simple probabilities. Do not install software or plugins you do not need; remove unnecessary packages.
- Consider a web application firewall.
You can protect your website from a range of attacks with a web application firewall. Most can stop common XSS and SQL injection attacks, not to mention cross-site request forgery. Cloud solutions can block DDoS while keeping hackers from learning your IP address.
- Use reputable hosting.
Your web hosting provider should have a good reputation. Don’t use cheap fly-by-night hosting providers. Would you rather save a few dollars every month or keep your website secure? A few features to look for include:
- 24-hour security staff
- Strong password security policies
- Daily backups
- Proactive scanning
- Malware protection
- Up-to-date software
- General liability insurance
Do Not Put Off Protecting Your Website
Hackers crawl the web regularly, looking for vulnerable hosts. If you do not want them to hijack your web server, steal your data, or embarrass your business, you are well advised to take proactive steps to keep them out of your website.
It is easy to shrug off the risks. The naive say, “It will never happen to me,” but when hackers loot your website, you will wish you had followed these essential tips. Don’t be an easy target. Stay secure, and protect your business.