If you own a website, there is absolutely nothing more terrifying than some intruder gaining full access to precious data on your site. And unfortunately, website security is a real concern – tens of thousands of websites get hacked every day.
That’s not even funny.
What’s more, you’d think that hackers only tackle the big fish and leave the small fry alone, but that’s not the case. In December of last year, a cyber security stat report found that over 40% of all cyber attacks were done against small businesses!
In other words, knowing how to secure a website is an absolute obligation for any site owner, no matter how big or small. Besides, having a secure website should come with the turf of having a site at all – don’t let all your blood, sweat, and tears be in vain!
Wrapping your head around website security can be a bit tricky with all the strange tidbits and unusual language involved. We get that… which is exactly why we’ve got your back!
Dive into this article for an in-depth spiel on how to make your website secure. For a more brief whiff of what website security is and how to secure your website, check out our YouTube video below!
What is website security?
To make it bite-sized, website security is any measure taken to protect your site from a cyber attack or any other form of exploitation.
Furthermore, it’s not a one-time deal where you set it and forget it. Sure, some parts of website security look as simple as installing a plugin, but that’s just a piece of the big picture.
Real website security is a part of managing a site and requires ongoing attention to detail. You need to stay up to date with what’s going on and keep a keen eye on your site at all times.
What does website security protect me from?
There are quite a few ways for your site to fall victim to an attack. Sometimes it can even be hard to tell that your site got hacked in the first place, but if you pay close enough attention the strange patterns will show themselves.
That being said, some attack methods are more common than others. Good website security covers every avenue, but you should know the most popular ones to look out for.
We’ll break the different kinds of attacks into two categories just to make things easier – threats against your site itself and threats against your visitors:
Popular threats against your website
- DDoS (Distributed Denial of Service) – This is a vicious non-invasive internet attack that overwhelms your site or server with internet traffic causing drastically slower speeds or a complete site crash.
Basically, hackers use spoofed IP addresses to get this done and never actually need to get into your website – they just hammer on the outside until it gives.
These kinds of attacks have become more popular in the last few years, so it’s crucial to prepare for them. Even the slightest amount of traffic increase to a vulnerable or resource-intensive endpoint on your site could pack a heavy punch.
- Malware – Short for malicious software: literally any kind of harmful code that gets forced onto your site. Think of this as what people usually call a “virus”. It can have a number of not-so-friendly functions.
It can also cause your site to be blacklisted from search engines, resulting in little or no traffic.
Two of the more heinous ways attackers plant malicious code are known as SQL injections and XSS, which we’ll get more into later.
- Ransomware – A situation where an attacker threatens to publish or withhold the data on your site unless a ransom is paid.
It usually involves the attacker first taking complete control of a computer, freezing all operations until demands are met.
Server-side ransomware is another form of the same attack, where control over an entire server (which may be responsible for several, if not all, of your computers) is held for ransom.
- Defacement – When the data on your website is replaced with BS content by cybercriminals. It’s usually what happens when hooligans are just being hooligans, but these hooligans can be a real headache.
One form of defacement is known as a gibberish hack, where an attacker auto-generates a bunch of nonsense pages stuffed with keywords and other gibberish. The aim is to get those pages ranked on Google so people click on them and get sent to some sketchy site.
An even scarier version of this attack is the cloaked-keyword hack. It’s just like the one above, except the fake pages look a lot like your site’s original pages, with only the words altered.
Popular threats against your visitors
- Phishing – The new term for swindling: scammers compromise your site and pose as part of your business in hopes of prying sensitive data from your clients.
It’s an attack aimed at a broad audience, the goal being to coax as many people as possible into coughing up sensitive information. Usually it’s performed via email, but not always.
Spear-phishing and whaling are derivatives of the same offense where only a few people or just one person gets targeted.
- SEO spam – Also called spamdexing, this uses a website’s authority to promote fake information like weird links or offensive comments.
Much like the cloaked-keyword hack, it involves inserting keywords into a healthy site to make it rank for something totally different, to the benefit of the predators of course.
It’s an unkind attack on your site’s integrity, to say the least, but it also threatens the welfare of your potential or returning clients who may find their important information in the hands of attackers.
That’s a broad insight into potential threats against your website, but it is by no means an exhaustive list. For all things considered and not considered, take the right actions to make sure your site stays secure.
Hackers are usually looking for a way to leech money off of your website. Any PII (personally identifiable information, i.e. data that can identify a specific person) is at high risk of attack.
How do I make my website secure? Top 10 Tips
Did you know that 95% of all cyber security breaches are attributed to human error!? Crazy, right? That’s an insanely high percentage, and a statistic that gives way to a thoughtful consideration:
If most breaches are the fault of human error, that means that assertive action can be taken to prevent most breaches too. That’s what security, and more specifically, website security is all about.
Here are the best steps for how to make a website secure:
- Install cybersecurity plugins
Most people build their websites on a CMS (content management system) like WordPress for a number of reasons. Fortunately, most of these platforms offer a boatload of useful tools and plugins you can use to protect your site. Some of them are even free!
These plugins and extensions are built to target security vulnerabilities for the platform on which they’re offered, so it’s a no-brainer to take advantage of them.
Among the best WordPress plugins (even those outside of the website security field) is a free plugin called iThemes Security. It offers a ton of cool security features like malware scans and admin URL masking. Totally worth the gander for any WordPress website owner.
Do note that iThemes will only work if you have an SSL Certificate for your website, which you’ll absolutely need if you’re looking to forge out a top-ranking site. More on SSLs in the next tip.
If you aren’t using WordPress for your site or want an additional layer of security, you can always go for a program like SiteLock to secure your website. It’s a clutch investment for any business owner who relies on their website to keep things afloat.
- Use HTTPS / SSL Certificate
Have you ever tried accessing a website but Google won’t allow you to proceed, warning that the site may not be safe to access? Well, that’s usually the result of a missing SSL Certificate. By now, it’s essential to have an SSL Certificate if you have a website.
SSL Certificates encrypt and protect all data that passes between your site and visitors, like login information and payment credentials. They mark your site as “HTTPS” instead of just “HTTP”. A closed lock symbol will also accompany any SSL-protected website URL.
Search engines have thus created a strong bias against websites without this certificate, even if they don’t collect sensitive information (and for good reason).
If you want search engines along with general passersby to trust your brand, it’s imperative that you install an SSL Certificate on your website.
- Hide backend login screen
Access to your website’s login screen makes for easy pickings for hackers looking to sabotage your business. One great prevention technique is simply to hide your backend login screen, making it more difficult for baddies to reach.
If you’re using iThemes and working with a WordPress site, it’s relatively easy to get this done. Log in to your WP, find the security tab in the sidebar, and open it up. On the iThemes page, you’ll see a security feature called “Hide Backend”. Open that up too.
Oh, and be sure to make sure you’re looking at all of the security features offered by iThemes before searching (you can find the filter at the top right of the page).
In “Hide Backend” you’ll be able to change the Login Slug, or address bar keyword, that triggers your admin login page to load. The default Login Slug for all WordPress sites is “wp-admin”, so making this slug unique is a simple way to keep your login page out of plain sight.
- Prevent brute force attacks
By default, websites on WordPress and several other site-building platforms don’t limit the number of login attempts from users. Someone could attempt to log in a thousand times until they got it right. This method is known as brute force (since that’s exactly what it is).
To prevent these voracious attempts against your site, you can always place an IP address blacklist, or login attempt limit for your website in the security settings.
You can also choose the number of login attempt failures before any certain IP address gets permanently banned from accessing your site (known as the ban threshold).
We know what you’re thinking: “What if I forget the password to my own site!?” No worries. Most (if not all) website security plugins and software let you configure exceptions for the admin user specifically.
In other words, so long as you add your personal IP address(es) to the Authorized Host List for your website, you’ll never be permanently banned!
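To make the ban threshold and the Authorized Host List concrete, here is an added example (not code from the article, iThemes or WordPress) of a minimal login-attempt limiter: every IP gets a failure counter, any IP that reaches the threshold is permanently banned, and addresses on the authorized list are exempt. The addresses and thresholds are constructed for the demo.

```python
"""Added example: a login-attempt limiter with a ban threshold and an
authorized-host list. Illustrative code, not the plugin's own; the IPs and
thresholds below are constructed values."""
from collections import defaultdict


class LoginLimiter:
    def __init__(self, ban_threshold=5, authorized_hosts=()):
        self.ban_threshold = ban_threshold              # failures before a permanent ban
        self.authorized_hosts = set(authorized_hosts)   # admin IPs that are never banned
        self.failures = defaultdict(int)                # consecutive failures per IP
        self.banned = set()

    def is_banned(self, ip):
        return ip in self.banned

    def record_attempt(self, ip, success):
        """Record one login attempt and return 'allowed', 'failed' or 'banned'."""
        if ip in self.banned:
            return "banned"                              # banned IPs stay banned, even with the right password
        if success:
            self.failures[ip] = 0                        # a good login resets the counter
            return "allowed"
        self.failures[ip] += 1
        if self.failures[ip] >= self.ban_threshold and ip not in self.authorized_hosts:
            self.banned.add(ip)
            return "banned"
        return "failed"


def simulate(limiter, attempts):
    """Feed (ip, success) pairs through the limiter; return each IP's last status."""
    statuses = {}
    for ip, ok in attempts:
        statuses[ip] = limiter.record_attempt(ip, ok)
    return statuses


if __name__ == "__main__":
    limiter = LoginLimiter(ban_threshold=3, authorized_hosts={"203.0.113.10"})
    # Constructed traffic: a guesser from one IP, and the admin mistyping their own password.
    attempts = [("198.51.100.7", False)] * 4 + [("203.0.113.10", False)] * 4
    print(simulate(limiter, attempts))  # guesser ends up 'banned', admin only 'failed'
```

Real plugins usually add a temporary lockout before the permanent ban and expire the failure counters after a while; the point here is the two knobs the article names, the threshold and the exemption list.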
- Backup Your Data
Even with all the precautions in the world, there’s always the possibility that somehow your data can get compromised or destroyed. That’s why it’s absolutely essential to backup your data as a preemptive measure in website security matters.
Anyway, wouldn’t it just feel better to have a safety net under you if shit hits the fan?
In case you don’t know, a backup is simply an exact copy of all your website’s files, folders, parameters, permissions, content, media… everything. This copy gets stored somewhere else so you have something to restore from when things go wrong.
One phenomenal plugin to backup data on WordPress is called Updraft. You can install it for free from your WordPress dashboard. It’s a clutch safeguarding tool to have on deck since it lets you perform both on-demand backups and scheduled backups (say, once a week).
For site owners who aren’t on WordPress, you can always purchase a backup service like CodeGuard to do the same work for you.
Most importantly, always look for these key features when choosing a backup service or deciding how to back up a website:
- The service allows for off-site backups, so you can store your stuff in a place unreachable by hackers
- Redundant backups are available, which basically means that a backup of your backup gets stored on another server
- Like we mentioned before, automated backups save the day and will take the mental load off of worrying about your data remaining secure in its latest evolutionary form
For the real ins and outs on how to back up a WordPress site, check out our full-breadth article on the subject.
- Keep your stuff updated
Fun fact: the leading cause of website infections is vulnerabilities in the extensible components of CMSs. In other words, if your Content Management System uses plugins that aren’t up to date, they become prime targets for an attack on your website.
These plugins and extensions are usually open-source software, so their code is pretty easily accessible by, well, everyone – good, bad, and ugly!
Most website builders actually handle software updates for you, but platforms like WordPress don’t, so you need to stay on top of your game all the time. The good news is, you can pretty easily set automatic updates in your settings, but still keep a close eye on things.
Moreover, quality actually counts in this department. If you’re going to invest in a plugin for your site, make sure it’s well-built and that the code isn’t full of holes that can be easily cracked by black hats. Those are usually the well-vetted and fairly priced plugins.
Pro tip: a quick way to check if your WordPress site is up to date is by clicking on the update icon at the top left of your dashboard, close to your website’s name.
- Use strong passwords
This is old news, but it’s always worth reiterating. A strong password is perhaps the starting point for how to make your website secure. Never ever make a password that’s easygoing and easy to remember – you should make a password that’s extremely difficult to remember!
Unfortunately, the most common password is still 123456 (we’re slapping our foreheads too). This is the antagonist of all our password goals here. A strong password is long, contains a mixture of numbers, cases, and characters, and isn’t connected to you personally.
Password generators and managers are dead-shot tools for getting a sturdy password that won’t crack under pressure.
And that doesn’t just go for you alone. Everyone in your team should use a password just as strong as what we’re discussing to avoid data leaks, which might leave your site vulnerable to intruders.
Some advanced steps for how to make your website secure
All the above steps are relatively easy to chew and should be obligatory to any website owner who wants to build a secure website (honestly). The following tips are a bit more heady and technical, but worth following along to get that extra burly website security armor on your back!
Don’t worry – we’ll do our best to make this stuff easy to understand.
- Look out for SQL injections
One of the more popular attacks, an SQL injection is a technique for sneaking attacker-controlled input into the SQL statements your site runs. The attacker crafts input that the database reads as commands rather than data, and slips it in through whatever parts of your website accept it.
In other words, if you have vulnerabilities in any part of your site that allows users to contribute information (URL parameters, search boxes, etc.), a baddie can get you with an SQLi!
And this access is powerful – it can allow attackers to bypass security controls, modify customer data, steal intellectual property, and more. The technique can even be used to discover admin credentials and essentially gain complete control over all of your sites and databases!
There are tons of different kinds of SQLi attacks, and what’s worse is that they’re notoriously challenging to detect. These attacks don’t drop files on the server; instead, they ride on real queries against your website’s database.
This is all to say that it’s definitely best to take careful precautions against SQLi attacks, and to actively monitor your database and its queries.
Parameterized queries are a great first step to protect yourself against these attacks. They keep the SQL text fixed and pass user input separately as data, so there’s no room for the input to be read as part of the command.
Aside from that, keep all of your third-party components and software up to speed. For extra security, you can always install a specialized SQL firewall for your website.
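To show what “parameterized” actually changes, here is an added example (not code from the article) that runs the same lookup two ways against a throwaway in-memory SQLite database: once with the search-box value pasted into the SQL text, and once with a placeholder. The table, rows and the hostile input are constructed for the demo.

```python
"""Added example: a string-built query next to its parameterized form, run on
an in-memory SQLite database. Illustrative code, not from the article; the
table, rows and inputs are constructed."""
import sqlite3


def make_db():
    """Build a tiny constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 1),
        ("bob", "bob@example.com", 0),
    ])
    return conn


def lookup_vulnerable(conn, name):
    # The user's input becomes part of the SQL text, so it can rewrite the query's logic.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The SQL text is fixed; the driver hands the input to the database purely as a value.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile = "nobody' OR '1'='1"   # constructed search-box input that closes the quote and adds a condition
    print(lookup_vulnerable(conn, hostile))      # returns every row in the table
    print(lookup_parameterized(conn, hostile))   # returns nothing: no user has that literal name
    print(lookup_parameterized(conn, "alice"))   # normal lookups still work
```

The same rule applies to whatever database library your CMS or custom code uses: the placeholder syntax varies (`?`, `%s`, `:name`), but the input must never be concatenated into the statement string.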
- Look out for XSS and use CSP
XSS (cross-site scripting) attacks force the victim’s browser to execute script that was secretly planted on your page, so an attack on a top-level admin could lead to a complete site takeover.
The remedy for XSS is something known as Content Security Policy, or CSP. CSP essentially lets you choose which domains a browser should treat as a valid source of executable script when on your page.
The browser then protects your visitors by refusing to run script from any source that isn’t on your list.
To utilize CSP, you’ve got to incorporate a special header to your webpage that lets the browser know the special rule for your page (i.e. which domains are okay and which aren’t). Learn more about how to create such a header here.
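As an added example (not code from the article), here is how such a header is assembled from a list of allowed sources, plus a checker that flags the settings which quietly undo the protection: `'unsafe-inline'`, `'unsafe-eval'`, a bare `*`, or plain `http:` sources in `script-src`. The domains are constructed placeholders; the directive names and source keywords are the standard CSP ones.

```python
"""Added example: building a Content-Security-Policy header value and flagging
weak script sources. Illustrative code, not from the article; the domains are
constructed placeholders."""

# Script sources that let injected script run despite the policy.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def build_csp(policy):
    """{directive: [sources]} -> header value, e.g. "default-src 'self'; script-src 'self'"."""
    return "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())


def parse_csp(header):
    """Inverse of build_csp: header value -> {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def weak_script_sources(header):
    """Return the script sources that weaken XSS protection, sorted for stable output.
    script-src falls back to default-src, as browsers do; no policy at all means anything goes."""
    policy = parse_csp(header)
    if "script-src" in policy:
        sources = policy["script-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]
    else:
        return ["(no script-src or default-src: every origin allowed)"]
    return sorted(s for s in sources if s in WEAK_SCRIPT_SOURCES or s.startswith("http:"))


if __name__ == "__main__":
    # Weak policy: inline script and any origin are allowed, so an injected <script> still runs.
    weak = build_csp({"default-src": ["'self'"],
                      "script-src": ["'self'", "'unsafe-inline'", "*"]})
    # Stricter policy: only your own origin and one named CDN (placeholder domain) may serve script.
    strict = build_csp({"default-src": ["'self'"],
                        "script-src": ["'self'", "https://cdn.example.com"],
                        "object-src": ["'none'"]})
    for label, header in ("weak", weak), ("strict", strict):
        print(f"{label}: Content-Security-Policy: {header}")
        print("  weak script sources:", weak_script_sources(header))
```

Your server or CMS sends the result as the `Content-Security-Policy` response header; the first line printed above is the exact header line. Start by testing with `Content-Security-Policy-Report-Only`, which reports violations without blocking anything, so you can see what would break before enforcing it.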
For both XSS and SQLi attacks, the goal is to construct a website with as tight a fit as possible so that there’s no room for anything toxic to slip in.
- Secure user access
Sometimes it’s not your website itself that falls under attack, but instead, your site users – basically yourself and your team (if you’ve got multiple users/admins that is)
Remember how we said earlier to make sure everyone on board your ship uses a tight password? Each unguarded entry point into your site creates a potential pathway for an attack.
But what about guarding the entry points themselves? Well, that gets accomplished by limiting user access.
Take, for example, someone who wants to write a blog post for your website and needs some site privileges to do it. That’s totally cool – but make sure they’re only gaining the privileges they need to perform the task!
If one of your team members requires more hardcore admin privileges, grant them for as long as they’re needed and rescind them as soon as they become obsolete.
It’s also important to create separate accounts for every user on your site; if multiple users share the same account, it’s nearly impossible to monitor the users individually and hold them accountable for their actions.
How to secure file permissions
The next part of restricting user access is about securing file permissions. It gets a little technical here, but hang in there!
Your website is essentially a collection of files and folders stored somewhere on the internet. These files have a number of functions/information which make your website work. Among them are a set of user-given permissions to read, write, and execute data.
These three permissions are all represented by a number:
- Read (4) – to view the contents of the file
- Write (2) – to change the contents of the file
- Execute (1) – to run the program file or script
- No permission (0)
Also, the permissions are written as a three-digit code, each digit between 0 and 7 (e.g. 427, 666). The first digit gives permissions to the file’s owner (the admin), the second to group users, and the last to everyone else (i.e. internet users).
To combine permissions, simply add the numbers together (“7” being the highest number of a permission).
Just like with the aforementioned user access restrictions, allot permissions when needed only. Be sure to default your site with permissions that permit as little wiggle room for slip-ups as possible.
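Here is an added example (not code from the article) that does the arithmetic above in both directions: combining read (4), write (2) and execute (1) into a digit, turning a code like 644 into the `rw-r--r--` form you see in file managers and back, and auditing a constructed list of site files for the settings that leave the most wiggle room, namely anything group users or internet users can write to.

```python
"""Added example: three-digit permission codes, rwx strings and a small audit
for over-permissive files. Illustrative code, not from the article; the file
listing is constructed."""

READ, WRITE, EXECUTE = 4, 2, 1


def digit(read=False, write=False, execute=False):
    """Combine one party's flags into a single 0-7 digit (4 + 2 + 1 at most)."""
    return (READ if read else 0) + (WRITE if write else 0) + (EXECUTE if execute else 0)


def to_rwx(code):
    """'644' -> 'rw-r--r--' (owner, group, everyone else)."""
    if len(code) != 3 or any(c not in "01234567" for c in code):
        raise ValueError(f"not a three-digit permission code: {code!r}")
    parts = []
    for c in code:
        n = int(c)
        parts.append(("r" if n & READ else "-")
                     + ("w" if n & WRITE else "-")
                     + ("x" if n & EXECUTE else "-"))
    return "".join(parts)


def from_rwx(rwx):
    """'rwxr-xr-x' -> '755'."""
    if len(rwx) != 9:
        raise ValueError(f"expected nine rwx characters: {rwx!r}")
    code = ""
    for i in range(0, 9, 3):
        r, w, x = rwx[i:i + 3]
        code += str(digit(r == "r", w == "w", x == "x"))
    return code


def risky(code):
    """Reasons a code is looser than a website needs: anyone but the owner can write."""
    owner, group, others = (int(c) for c in code)
    reasons = []
    if group & WRITE:
        reasons.append("group-writable")
    if others & WRITE:
        reasons.append("world-writable")
    return reasons


def audit(listing):
    """{path: code} -> {path: reasons} for the entries that need tightening."""
    findings = {}
    for path, code in listing.items():
        reasons = risky(code)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    # Constructed listing of a few typical site files and their current codes.
    site_files = {"index.php": "644", "uploads/": "777", "wp-config.php": "600"}
    for path, code in site_files.items():
        print(f"{path:<15} {code} {to_rwx(code)}")
    print(audit(site_files))   # only uploads/ is flagged
```

A common baseline for a site is 644 for files and 755 for directories, with configuration files that hold database passwords tightened further so that only the owner can read them; the audit above flags only write access, which is the setting that lets an intruder plant files.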
Pro tip: Keep track of all IP addresses which access your site, as well as all activity that goes through your site. This will help with any forensic investigations in the long run.
How much does website security cost?
The cost of website security will vary depending on the size of your business, the type of data that you collect, what products you offer, and of course, what services you use.
Quality website security can cost as little as a few hundred bucks a year, to a few thousand per year. Take some time out to figure out where your vulnerabilities lie and what your budget can allow before investing in security.
There are also a bunch of hosting platforms that offer A1 security for small businesses, so depending on your groove, maybe you’ll end up spending very little. Plus, most of the tips we provide here are totally free to instate.
Here’s the bottom line: website security is an absolute necessity as a site owner, and the price of your business’ safety far outweighs the threats of being compromised. If you’ve jumped the gun with this article (because your research game is heavy) and have yet to actually acquire a site of your own, learn how to design a website here!