We have all read so many news headlines this year about hackers disrupting online businesses. Some of these sites were victims of cyber-terrorists, including those sponsored by nation-states, looking to deface websites and spread propaganda. Others were targeted by kids looking to prove their skills to their peers. Of course, some hacks are motivated by competitors trying to drive out the competition. Regardless of the reason, the results are the same: lost customers, expensive mitigation, and lost revenues. So, how can you protect your website against online hackers?
Handle Passwords with Care
You can start by making sure none of the applications running on your site are still using default passwords. After installing any piece of software or plugin, set a new, strong password of at least 12 characters. An 8-character password is too short: if an attacker obtains a copy of your site's password database, rented GPU or cloud cracking tools can exhaust every 8-character combination in a matter of hours. Include upper and lower case letters, numbers, and special characters, and avoid dictionary words and predictable patterns such as a word followed by a year.
A few other tips regarding passwords:
- It is difficult to memorize a truly strong password, so use a password manager, such as KeePass, to generate and store your passwords safely.
- Do not use the same password for all of your online services. If hackers obtain one of your passwords, you want to make sure they can’t use it to access all of your online accounts.
- Always change your password after sharing it with a third-party vendor or anyone helping you set something up on your website (better still, give them their own account and remove it when the work is done).
- Never re-use passwords that you’ve given out in the past.
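The points above can be turned into a small script. The following is an added example, not code from the original article: a password policy check (12 or more characters, all four character classes, not on a weak-password list), a generator that draws from /dev/urandom until it produces a password that passes that check, and an estimate of how long exhausting the keyspace takes. The weak-password list is constructed for the example, and the guess rate of 1e11 per second is an assumption describing a GPU rig cracking an unsalted fast hash offline.

```shell
#!/bin/sh
# Added example: password policy check, generator and brute-force estimate.

# Constructed list of well-known default/weak passwords (assumption: a real
# deployment would use a full breach wordlist instead).
WEAK_LIST='password
admin
changeme
letmein
welcome1
Password123!'

# check_password PW -> returns 0 if PW is at least 12 characters, contains
# lower, upper, digit and special characters and is not on the weak list;
# otherwise prints the rule that failed and returns 1.
check_password() {
  pw="$1"
  [ "${#pw}" -ge 12 ] || { echo "too short (${#pw} < 12)"; return 1; }
  printf '%s' "$pw" | grep -q '[[:lower:]]'  || { echo "no lower-case letter"; return 1; }
  printf '%s' "$pw" | grep -q '[[:upper:]]'  || { echo "no upper-case letter"; return 1; }
  printf '%s' "$pw" | grep -q '[[:digit:]]'  || { echo "no digit"; return 1; }
  printf '%s' "$pw" | grep -q '[^[:alnum:]]' || { echo "no special character"; return 1; }
  printf '%s\n' "$WEAK_LIST" | grep -qixF -- "$pw" && { echo "on the weak-password list"; return 1; }
  return 0
}

# gen_password [LEN] -> prints a random password of LEN characters (default
# 16) that passes check_password. Rejection sampling: a draw that misses a
# character class is discarded and a new one taken (a few tries at most).
gen_password() {
  len="${1:-16}"
  [ "$len" -ge 12 ] || { echo "length must be >= 12" >&2; return 1; }
  while :; do
    pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*+=_' < /dev/urandom | head -c "$len")
    check_password "$pw" >/dev/null && { printf '%s\n' "$pw"; return 0; }
  done
}

# crack_seconds CHARSET LENGTH RATE -> whole seconds needed to try every
# password of LENGTH characters drawn from CHARSET symbols at RATE guesses/s.
crack_seconds() {
  awk -v c="$1" -v n="$2" -v r="$3" 'BEGIN { printf "%.0f\n", c^n / r }'
}

# describe_keyspace CHARSET LENGTH RATE -> the same figure in hours or years.
describe_keyspace() {
  awk -v c="$1" -v n="$2" -v r="$3" 'BEGIN {
    s = c^n / r
    if (s < 86400) printf "%d chars: %.1f hours at %g guesses/s\n", n, s / 3600, r
    else           printf "%d chars: %.0f years at %g guesses/s\n", n, s / 31557600, r
  }'
}

# Assumed rate: 1e11 guesses/s, a GPU rig against an unsalted fast hash.
RATE=100000000000
describe_keyspace 95 8  "$RATE"   # all 95 printable ASCII characters, 8 long
describe_keyspace 95 12 "$RATE"   # the same alphabet, 12 long
gen_password 16
```

The 8-character keyspace (95^8) falls well inside a day at the assumed rate, while 12 characters (95^12) is measured in hundreds of thousands of years; length is what buys you time, so treat the 12-character minimum as the part of the policy not to relax.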
Use a Secure URL
Next, get a TLS certificate (still widely called an SSL certificate, after the older Secure Sockets Layer protocol) and serve your whole site over HTTPS, so that everything exchanged between a visitor's browser and your server is encrypted in transit. Without it, passwords and session cookies cross the network in clear text, where anyone on the path can read them. HTTPS also lets the browser verify that it is really talking to your domain, which defeats an attacker who sits between the visitor and your server. It does not by itself stop "phishing", where your users are lured to a phony website made to look like yours: a scammer can obtain a valid certificate for a look-alike domain, so users still need to check the address they are on. These scams are getting more and more common and can be quite effective at tricking users into giving up their passwords.
We recommend a 2048-bit RSA key with a SHA-256 signature, TLS 1.2 or newer with older protocol versions and weak cipher suites disabled, and a redirect of every HTTP request to HTTPS (ideally with an HSTS header so browsers never try plain HTTP again). Use the Qualys SSL Labs server test to review your configuration and aim for an A+ rating. See our site as an example.
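Before (or instead of) pasting your hostname into SSL Labs you can check the certificate part of that recommendation yourself. The script below is an added example, not from the original article: it reads the text form of an X.509 certificate as printed by the openssl command-line tool and reports whether the key size and signature hash meet the 2048-bit RSA / SHA-256 baseline (EC keys of 256 bits or more are accepted as equivalent). It assumes the openssl CLI is installed; the self-signed certificate for www.example.com it generates is constructed for the demonstration only.

```shell
#!/bin/sh
# Added example: check a certificate against the 2048-bit / SHA-256 baseline.
# Assumes the openssl CLI; parses the output of `openssl x509 -text`.

# baseline_from_text < TEXT -> reads `openssl x509 -text` output on stdin,
# prints "ok" or the first problem found, returns 0 (ok) or 1 (weak).
baseline_from_text() {
  txt=$(cat)
  alg=$(printf '%s\n' "$txt" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  sig=$(printf '%s\n' "$txt" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)

  # Minimum key size depends on the key type; anything else (e.g. RSA-PSS,
  # DSA) is reported for manual review rather than silently accepted.
  case "$alg" in
    rsaEncryption)  min=2048 ;;
    id-ecPublicKey) min=256 ;;
    *) echo "unsupported key algorithm: ${alg:-none found}"; return 1 ;;
  esac
  if [ -z "$bits" ] || [ "$bits" -lt "$min" ]; then
    echo "key too small: ${bits:-unknown} bits (need >= $min)"; return 1
  fi
  # SHA-1 and MD5 signatures are rejected; SHA-2 family is accepted.
  case "$sig" in
    sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
    *) echo "weak signature algorithm: ${sig:-none found}"; return 1 ;;
  esac
  echo ok
}

# cert_baseline_ok FILE -> run the check on a PEM certificate file.
cert_baseline_ok() {
  openssl x509 -in "$1" -noout -text | baseline_from_text
}

# Constructed demo: a throw-away self-signed 2048-bit RSA / SHA-256 certificate
# for a hypothetical host, written to a temporary directory.
DEMO_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
  -subj '/CN=www.example.com' \
  -keyout "$DEMO_DIR/key.pem" -out "$DEMO_DIR/cert.pem" >/dev/null 2>&1
cert_baseline_ok "$DEMO_DIR/cert.pem"
```

To check the certificate your live server actually presents, pipe it in from a TLS connection instead of a file: `openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -text | baseline_from_text`. Key size and hash are only part of an SSL Labs grade; protocol versions, cipher suites and HSTS still need the full test.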
Keep Software Up to Date
Always keep your software up to date by applying patches and updates as soon as they are available; attackers routinely scan the web for sites running versions with published vulnerabilities. For example, Microsoft typically releases patches on the second Tuesday of every month. Subscribe to the security announcement lists for every piece of software installed on your website, and for the operating system and hardware as well if you host the site yourself. US-CERT.gov (now part of CISA) publishes alerts on emerging cyber threats along with practical recommendations.
If you use a hosting company, understand their security policies and patching schedule, and be clear about which layers (operating system, web server, database, application) they patch and which remain your responsibility. If you use WordPress or another common CMS platform, plugins such as Wordfence add a further layer of protection: they can block IP addresses and lock out users who enter a wrong password too many times in a row.
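The lock-out logic such plugins apply is simple enough to run by hand over your web server's access log. The script below is an added example, not code from the article or from any plugin: it counts failed WordPress logins per client address and prints the addresses at or above a threshold. It relies on one observable WordPress behaviour, that a failed POST to /wp-login.php is answered with status 200 (the form again) while a successful one is answered with a 302 redirect. The log lines are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), the combined log format is assumed, and the threshold of 5 is a choice, not a standard.

```shell
#!/bin/sh
# Added example: find addresses hammering the WordPress login from an
# nginx/Apache combined-format access log. Log format is an assumption.

# Constructed sample log. Fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"'

# failed_logins_by_ip < LOG -> one "COUNT IP" line per address that sent at
# least one POST to /wp-login.php answered with 200 (i.e. a failed login).
failed_logins_by_ip() {
  awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n[$1]++ }
       END { for (ip in n) print n[ip], ip }'
}

# brute_force_ips THRESHOLD < LOG -> sorted addresses with >= THRESHOLD failures.
brute_force_ips() {
  failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }' | sort
}

# Demo over the constructed log: only 203.0.113.7 (5 failures) is reported.
printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 5
```

In production you would run this over a sliding time window (the example counts the whole file) and feed the result into a firewall rule or a tool such as fail2ban; counting over an unbounded period eventually flags legitimate users who simply mistype their password now and then.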
Make sure you, or the programmer who built your website, understand the OWASP guidance, in particular the OWASP Top Ten. It describes the most common classes of web vulnerability, such as SQL injection, cross-site scripting, and broken session management, and how to write code that avoids them.
Create Backups Often
Always back up your website. A good rule of thumb is a full backup weekly followed by incremental backups daily, with the copies kept somewhere other than the web server itself: an attacker who compromises the server can delete or encrypt whatever backups are stored on it. Take a full backup just before deploying new software, so that you can revert to the previous version if something goes wrong, and practise restoring from backup periodically; a backup you have never restored is not yet a backup.
Be aware of where your data is stored. Some of it may not live on the same server as your website: you might have data in a database on a different server, or in a cloud vendor's managed database. Find out what backup methods are applied to these remote data sources and be sure you understand how to restore from them should the need arise.
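The weekly-full plus daily-incremental rotation above, together with the restore you should be rehearsing, looks like this in practice. The script is an added example, not from the original article; it uses GNU tar's --listed-incremental snapshot mode (so it assumes GNU tar, not the BusyBox or BSD variants) and a constructed site directory in a temporary location. Database contents are not covered by it; see the note after the code.

```shell
#!/bin/sh
# Added example: weekly full + daily incremental backups with GNU tar, and a
# restore that replays them in order. Assumes GNU tar; DEST paths are absolute.

# full_backup SRC DEST -> writes DEST/full.tar and starts a fresh snapshot file,
# so the next incremental captures only changes made after this point.
full_backup() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  rm -f "$dest/snapshot"   # no snapshot => tar makes a level-0 (full) dump
  tar --listed-incremental="$dest/snapshot" \
      -C "$(dirname "$src")" -cf "$dest/full.tar" "$(basename "$src")"
}

# incr_backup SRC DEST LABEL -> writes DEST/inc-LABEL.tar containing only what
# changed since the previous run (full or incremental). Use date-style labels
# such as 2024-03-11 so that the files sort into the order they were taken.
incr_backup() {
  src="$1"; dest="$2"; label="$3"
  tar --listed-incremental="$dest/snapshot" \
      -C "$(dirname "$src")" -cf "$dest/inc-$label.tar" "$(basename "$src")"
}

# restore DEST TARGET -> extracts the full backup into TARGET, then each
# incremental in name order. --listed-incremental=/dev/null on extraction makes
# tar honour the archive's directory listings, removing files deleted later.
restore() {
  dest="$1"; target="$2"
  mkdir -p "$target"
  tar --listed-incremental=/dev/null -C "$target" -xf "$dest/full.tar"
  for inc in "$dest"/inc-*.tar; do
    [ -e "$inc" ] || continue
    tar --listed-incremental=/dev/null -C "$target" -xf "$inc"
  done
}

# Constructed demo: a tiny site, one full backup, one change, one incremental,
# and a restore into a separate directory.
WORK=$(mktemp -d)
mkdir -p "$WORK/site/wp-content"
printf 'v1\n' > "$WORK/site/index.php"
printf 'secret\n' > "$WORK/site/wp-config.php"
full_backup "$WORK/site" "$WORK/backups"
sleep 1                                   # guard against coarse filesystem timestamps
printf 'v2\n' > "$WORK/site/index.php"    # the "daily" change
incr_backup "$WORK/site" "$WORK/backups" day1
restore "$WORK/backups" "$WORK/restored"
cat "$WORK/restored/site/index.php"       # shows the post-change content
```

The database is the part this does not cover: dump it into the site directory immediately before each tar run (for MySQL, `mysqldump --single-transaction` writes a consistent dump without locking tables) so the dump travels with the files, and copy DEST off the web server once the run finishes.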
Also, ask your hosting provider what protection they offer against DDoS (Distributed Denial of Service) attacks, which flood a site with traffic and can keep your customers from reaching it for hours, and sometimes days. Dedicated DDoS defence can be expensive, but a basic level of it is usually included by most hosting companies or managed service providers.
Don’t be afraid to ask for help
If you follow all of the common-sense suggestions outlined above, you have done more than most website operators to protect yourself from cyber attack. That said, nothing is completely foolproof. We recommend reaching out to your hosting company or a third-party security professional to discuss these security concepts and investigate anything else you might be able to do. For example, ask about ways to run routine malware scans of your server; we recommend weekly scans if possible. As a last line of defence, if your company can afford it and your business depends on your website, consider getting a quote for cyber insurance. If a breach ever did happen, insurance can cover part of the cost of responding to it.