Is your website critical for the functioning of your business? Then protecting it against hackers should be one of your main priorities. Don’t believe it can happen to you?
Today’s hackers target businesses exactly like yours. That’s because today’s tools have made it easy for them to do so. And that tool is data. In fact, Verizon’s 2019 Data Breach Investigation Report states that small businesses account for 43% of all data breach victims.
You may wonder, what could happen if my website was hacked and my customers’ data was breached?
Quite simply, you may go out of business.
At least that’s what the statistics say. According to the 2016 report by the National Cyber Security Alliance, 60% of businesses go out of business 6 months after they suffer a data breach.
There are many reasons for this: their reputation gets damaged, customers lose trust, the business gets fined, etc.
So how can you avoid or at least reduce the chances of falling victim to a data breach? While there is no fool-proof way (as of yet), there are some effective strategies you can use to minimize your chances of being hacked.
In this article, we’ll share 9 of them.
1. Choose a Reputable Hosting Provider
Your website lives on a server provided by your hosting provider—and that server can also get hacked. Unfortunately, you can’t control how secure your hosting server is.
But what you can control is who you choose as your hosting provider.
Reputable, world-class hosting providers don’t compromise on security but the cheap ones do. So instead of going with a hosting provider based only on the attractive prices they offer, choose one that is used by people and businesses you trust, and one that at least has a good reputation in your country, if not internationally.
2. Make Sure Your Domain Name Isn’t Blacklisted by Google
When Google blacklists a domain, it doesn’t show up in search results, and when people try to access it via Google Chrome (the world’s most popular browser), it shows a warning message to all visitors.
If this happens, you risk losing most of your traffic, which means its game over for your website.
That’s why, before buying a new domain name, always make sure it’s not blacklisted by Google.
To make sure your domain isn’t blacklisted, visit https://ismywebsitepenalized.com/ and type in your domain name or even the domain you’re looking to purchase.
You can also search for your domain name on Google and see if it’s being indexed. If it’s not, your website is penalized.
But what if your domain is working perfectly well and isn’t blacklisted? Here’s a list of things that you should NOT be doing to protect it from being blacklisted in the future:
- Black hat SEO practices like keyword stuffing, link buying, and spamming.
- Not taking immediate action to rid your website of malware and other infections.
- Displaying plagiarized or banned content on your website.
Steer clear of this, and you’ll secure your website from being banned by Google, which as you now know, can cause just as much damage as being hacked.
3. Install a Security Service/Firewall
Your hosting provider can only go so far to protect your website. Think of them as being responsible for keeping your apartment building safe, but you’re the one in charge of locking your door.
You must take protective measures as well—starting with installing a high-quality security service.
There are many benefits to this:
- It scans your website for malware and other forms of malicious code and protects it from being hacked.
- It creates a backup copy of your website. This means that no matter what happens to your website, you can safely restore its content anytime you want.
- It repairs your website if it suffers a cyber attack.
Here are a few examples of security services you can install:
- Wordfence: This is a great security tool for anyone looking to protect their WordPress website.
- ProtectionPower: Proactively monitors your website for vulnerabilities and alerts you in case of any issues. Plus, it serves small businesses and enterprises alike.
- One Hour Site Fix: These guys specialize in malware removal.
4. Update Your CMS’s Default Login Page Settings
Note: These instructions are mainly geared towards WordPress but can be applied to other CMS.
If you use a content management system like WordPress to run your website, you need to protect its login page and make it harder to access.
Today, everybody and their grandma knows that the default URL for a WordPress website’s login page is: yourwebsite.com/wp-admin or yourwebsite.com/wp-login.php.
Instead of using these default URLs, you can instead install the WPS Hide Login plugin to change your login page’s default web address.
The plugin is lightweight, easy-to-use, and free. Open it and scroll down until you see the WPS Hide Login section. Here, simply change the extension of the URL to something that’s more random and harder to guess. This will be your new login URL.
Once done, simply click Save Changes.
But that’s not all.
You should also change your default login username because anyone can easily guess that it is ‘admin’. Just go to Account Settings in your WordPress dashboard and change the username from there.
And last but not least, check if your current WordPress password is strong enough. To do so, visit https://lastpass.com/howsecure.php and enter your password.
If it’s not secure, change it by going to Account Settings in your WordPress dashboard.
5. Deploy Two-Factor Authentication if Multiple People Access Your Website
If multiple users have access to your website, it means hackers can target all of them.
To protect your website further, you can add Two-Factor Authentication (2FA). With it, users will not only require a password but a shortcode as well (which is sent to either their phone number or email). They will have to enter this in addition to their password.
This means that if a password gets into the hands of hackers, they still won’t be able to access your website as they’ll require an additional 2FA code (this changes every single time the user tries to log-in).
Now that that’s clear, here’s how you can add 2FA to your website:
1. Via cPanel or Your Hosting Provider:
Today, the majority of hosting providers offer cPanel to their customers to manage their website’s server.
You can, therefore, login to your cPanel account and enable 2FA from there. If you don’t know how to do this, you can contact your hosting provider for support.
2. Via Plugins and Extensions:
If you use a CMS like WordPress, Drupal, or Joomla!, you can install an easy-to-use extension that will enable 2FA for you. This is easier than doing it via cPanel.
6. Install an SSL Certificate
Your website is not a boxed-in container. It’s a two-way communication channel where information is exchanged between you and your site’s visitors.
For example, in an eCommerce store, the user gives the website their email address, home address, credit card details, and more. In exchange, the store gives them a tracking number for their package, and maybe a history of what the customer has bought.
Hackers —surprise, surprise—can steal information from both the website and customers, without even accessing o your website’s backend.
So, to protect this flow of information between your website and its users, you can deploy an SSL certificate. It encrypts (codifies) all the data going in and out of your website.
But first, check if you’ve already got one.
Open your website in your web browser and look for a green padlock icon next to the address bar. If you see this, and ‘https://’ before your website URL, it means you’ve already got an SSL certificate in place.
If you can’t see a green padlock and only ‘http://’ before your website, you can contact your hosting provider for an SSL certificate, who may even install it on your behalf.
Note: If you have a subdomain that’s connected to your main website, you should ask your hosting provider for a wildcard SSL certificate.
For example, store.yourwebsite.com and blog.yourwebsite.com are subdomains of yourwebsite.com. To encrypt all three of them, you’ll need just one wildcard SSL certificate.
7. Use Themes, Plugins, and Services from Reputable Sources
Every day, hackers release nearly one million malware threats. And here’s the real kick in the teeth—according to CNN, “…hackers actually relied on incredibly old computer bugs that companies just haven’t gotten around to fixing yet.”
This means that old themes, services, or plugins on your website, that haven’t been updated since 2016, provide an easy way for hackers to gain access to your website.
Always make sure every single piece of software attached to your website is updated to the latest version. In addition, make sure to remove software that hasn’t been updated in a long time.
And finally, only use services, themes, and plugins from reputable developers, even if it’s a bit more expensive. Price should never come in the way of security.
8. Back up Your Website Regularly
Even the most secure building in the world can be broken into. Your website is no exception. There are just too many digital nooks and crannies that can give hackers a way into your website.
If you want to see a live counter of how many websites have been hacked at this very second, check this out.
This really puts things into perspective—no website is 100% unbreakable.
Even after employing advanced security measures, you should still back up your site every single day so that even if it gets hacked, its content doesn’t get lost forever.
There are three basic ways you can back up your website:
- Use a plugin/extension: If you’re using a CMS, you’ll be able to find a plugin/extension which can easily store your website in the cloud.
- Via your hosting provider: Many hosting providers offer a backup service, which includes backing up your website to a secure server. You’ll have to ask your hosting provider if they offer such a service or visit their website to find out.
- Using a 3rd party service: If you’d rather use an independent service to back up your site’s data, you can use Drop My Site. This service will automatically back up your website after regular intervals and give you the ability to restore data in one click.
By backing up your website’s data, you ensure that even if your website gets compromised, its data doesn’t fall out of your hands. After all, you can get a new website but not the data.
Step 9: Update Your Core CMS
Last but not least, make sure you’re using the most up-to-date version of your CMS. The latest versions usually include new security patches and bug fixes, which ensure hackers cannot exploit them.
A great way to stay in the know of when a new version of your CMS is due to be released is to subscribe to the social media profiles or the blog of the company that develops the CMS.
This is the easiest way to find out when you should check for a new CMS update.
These 9 tips will make your website infinitely more secure than it was before. But of course, this isn’t all you can do.
In the never-ending battle to protect your website, you can learn more about the latest bugs, hacks, and security developments by following popular web security blogs.
What measures are you taking to keep your website secure?