How would you rate your website security? Chances are it could be better. A report published by the firm WhiteHat Security revealed that 86% of all websites had at least one serious vulnerability. Lack of website security is a serious concern, and not even larger organizations are immune. On Guy Fawkes Day of 2011, a holiday with special meaning to hackers, the Capital One website was hacked along with some Israeli government websites. In 2012 a hacker group claimed responsibility for hacking and crashing the GoDaddy website.
With websites growing more and more complex, and with more and more people using the web than ever, it’s important to know how to protect yourself from online attacks.
Backup Your Files
Every webmaster should own a backup copy of his or her website files. Should something happen to make your site inaccessible, you don’t want to have to rebuild everything from scratch. Or worse, you don’t want to lose all of your valuable data. Use a service like Carbonite or Mozy to back up both your website files and your database files. Set your settings so that they automatically back up each night.
At Bluehost, we perform complimentary backups of your entire account data on a monthly, weekly, and even daily basis. Learn more about how to access and restore those automatic backups here: http://bluho.st/nYi7H.
Encrypt Login Pages
Needless to say, if a hacker were to get their hands on your password, they could wreak a lot of havoc. Use SSL encryption on your login pages (the encryption that makes https:// appear at the beginning of a URL). Not doing so can give hackers easy access to login credentials. SSL encrypts information entered on a page so that it’s meaningless to any third party who might intercept it. You should also send email via SSL encryption if you send sensitive information via email.
Limit Sharing of Login Credentials
The more you share your login credentials, even with coworkers and associates, the more likely they are to fall into the wrong hands. Avoid sharing this information if you can. Instead, assign a separate account to everyone who must access the website regularly. If you downgrade or take away anyone’s permissions, say after they leave the company, deactivate that account or change the password right away.
Use a Strong Password
Hackers are always coming up with more and more sophisticated ways of hacking password-protected accounts. Protect yourself by using a strong password. You might assume that the more complex the password the better, but length actually trumps complexity. You should also use words that have no obvious correlation or association with your website. For best results, use a combination of random words, numbers, and symbols in your passwords.
Connect With a Secure Network
Avoid connecting to the internet via networks that are either unsecured or have unknown security settings. This means that updating your website from the library or the nearest Starbucks isn’t a good idea. If you absolutely must access your website from an unsecured network, use a secured website proxy. Then at least your connection will be from a proxy on a secure network.
There’s a reason for those pop-ups that announce an available update. When a company releases software, they often aren’t aware of every single thing that can possibly go wrong with it. So if they discover a vulnerability or malfunction in the software, they release a patch or update to fix it. Don’t put off downloading updates for your web server, antivirus, firewall, WordPress, and other software. Known software vulnerabilities are easy for experienced hackers to exploit.
Use a Secure Host
Your website can only be as secure as your web server is. Make sure your host runs suPHP, which is a tool that runs each PHP script with the permissions of the script’s owner rather than those of the shared web server account. Your web server should also have round-the-clock active server monitoring, and perform nightly server backups.
Know What You’re Linking To
Have you ever clicked on a link to what you thought was a trusted website, only to be presented with a spammy page full of porn and Viagra ads? Now imagine having such a link on your website. Spammers can use open redirects to hijack web traffic to the spammer’s website using an innocent-looking link. You can check to see if your site is being abused by typing “site:yourdomain.com” in a Google search (replace yourdomain.com with your actual domain). Look to see if anything suspicious comes up.
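One way to close an open redirect on your own site is to validate the destination before redirecting. The sketch below is an added example, not code from the original article; the host list and function names are assumptions made for illustration, and it also shows why a simple prefix check is not enough.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts this site is allowed to redirect visitors to.
ALLOWED_HOSTS = {"yourdomain.com", "www.yourdomain.com"}

def naive_is_safe(target):
    """Weak check often seen in redirect scripts: a plain prefix match."""
    return target.startswith("https://yourdomain.com")

def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return target if it stays on an allowed host, otherwise fallback."""
    target = (target or "").strip()
    # Backslashes and control characters are normalised differently by
    # browsers and servers, so refuse them outright.
    if not target or any(c in target for c in "\\\r\n\t"):
        return fallback
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return fallback
    if not parts.scheme and not parts.netloc:
        # Same-site path: exactly one leading slash ("//host" is off-site).
        ok = target.startswith("/") and not target.startswith("//")
        return target if ok else fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    # Exact host match: no prefix or substring comparison.
    return target if host in allowed_hosts else fallback
```

Call `safe_redirect_target()` on the value of the redirect parameter and send the visitor to whatever it returns.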
Website scanners like SiteLock and Sucuri SiteCheck will scan your website for malware and other suspicious pieces of code. If you suspect that your website has been infected with malware, you’ll want to scan it right away. You should also scan your website at least once a month to make sure that everything is in tip-top shape.
Keep Your Permissions Tight
Most webmasters don’t need to change their file permissions from the default settings, but might need to in order to update or install something. Just don’t forget to change them back to the original setting when you’re done.
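To make sure nothing stays loosened after an install, record the permissions beforehand and compare afterwards. The following is an added example, not part of the original article; the function names and the file names in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

def snapshot_modes(root):
    """Map each file and directory under root to its permission bits."""
    modes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode):  # symlink modes are not meaningful
                modes[os.path.relpath(path, root)] = stat.S_IMODE(st.st_mode)
    return modes

def permission_drift(root, baseline):
    """Return {path: (baseline_mode, current_mode)} for every changed entry."""
    current = snapshot_modes(root)
    return {p: (baseline[p], m) for p, m in current.items()
            if p in baseline and baseline[p] != m}

def restore_modes(root, drift):
    """Put every drifted entry back to the mode recorded in the baseline."""
    for rel, (old_mode, _new_mode) in drift.items():
        os.chmod(os.path.join(root, rel), old_mode)

def demo():
    """Constructed scenario: loosen two entries for an install, then restore."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        config = os.path.join(root, "wp-config.php")
        os.mkdir(uploads)
        open(config, "w").close()
        os.chmod(uploads, 0o755)
        os.chmod(config, 0o640)
        baseline = snapshot_modes(root)      # taken before the install
        os.chmod(uploads, 0o777)             # loosened during the install
        os.chmod(config, 0o666)
        drift = permission_drift(root, baseline)
        restore_modes(root, drift)
        return drift, permission_drift(root, baseline)
```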
An important aspect of website security is simply being aware of what’s going on with your site. Scan log files every now and then for any suspicious pieces of code. Avoid installing sketchy-looking WordPress plugins. Basically, keep your eyes and ears open.
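A small script can do the routine part of that log review. This is an added example, not from the original article: the log lines are constructed samples in the common "combined" access-log format, and the three rules are illustrative assumptions rather than a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:09 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:15 +0000] "GET /view.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 312 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:10:02:40 +0000] "GET /contact.php?name=eval(base64_decode(abc)) HTTP/1.1" 200 17 "-" "-"
"""

# Illustrative rules: code-like content that has no business in a URL.
RULES = [
    ("script tag in request", re.compile(r"<\s*script", re.I)),
    ("directory traversal", re.compile(r"\.\./")),
    ("PHP function call in request",
     re.compile(r"\b(?:base64_decode|eval|system)\s*\(", re.I)),
]

# client IP, then the quoted request line, then the status code
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def scan_log(text):
    """Return (line_no, client_ip, status, reasons) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ip, _method, raw_url, status = m.groups()
        # Decode twice so double-encoded input (%253C) is also inspected.
        url = unquote_plus(unquote_plus(raw_url))
        reasons = [name for name, rx in RULES if rx.search(url)]
        if reasons:
            hits.append((line_no, ip, int(status), reasons))
    return hits
```

A 200 status next to a hit deserves the first look, since it means the server accepted the request rather than rejecting it.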
The internet can be a dangerous place, but your website doesn’t have to be a casualty. The problem isn’t in the complexity of web security, but in webmasters failing to educate themselves on how to protect their websites. Taking even just a few of these precautions will lessen your chances of an attack, so take the security of your website into your own hands. After all, the old saying is true: An ounce of prevention is worth a pound of cure.