Web developers Steve Protheroe and Lee Thompson from South Wales Web Solutions, discuss simple steps business owners can take to protect their websites from hackers
As web developers we’re increasingly being asked about website security – and it’s something website owners cannot afford to ignore.
By lunchtime each day, over 66,000 websites will have been hacked worldwide – with the sheer frequency of attacks, the risks are ever present and no business can guarantee to have a bulletproof response.
However, all businesses can avoid making themselves an easy target by taking some basic steps to protect their website.
Why would a hacker care about my small website?
We are fortunate in that we haven’t seen many hacks among our customers, but as web developers will tell you, the first comment from the owner of any hacked website is usually ‘why would they want to hack my site? I’m only a community website/football team/little shop/dog walker.”
Most hackers originate from overseas, they aren’t personal and they don’t care about your website or your business, they see any vulnerable website as a collection of resources that they can steal or exploit, such as:
- It’s backed by a server that they can use to run their own programs
- It’s connected to the internet and likely has a squeaky-clean reputation
- It might include interesting user data
- It probably has traffic coming to it
- It is likely important to you
It therefore doesn’t matter how small or insignificant you believe your website is – all websites are targets and should be protected.
What happens if my website gets hacked?
This is like asking ‘how long is a piece of string’. In some cases, a hacker may change an image or text on your home page and do little else.
However, some hacks can be far more nefarious, stealing customer data, hijacking search engine results, using your web server for cryptomining, the list is endless. Some will lock your data and hold it to ransom, Some hacks can be recovered, but some can’t, and any customer data on your site could be exposed, leaving you at risk of a GDPR fine.
The biggest risk from a website hack is ongoing vulnerability. During the hack, a hacker may have injected code leaving a ‘back door’ for easier access in future.
These are not often obvious and even very experienced web developers may not be able to find these easily – so the best thing to do is to protect your site from being hacked in the first place.
How can I prevent my website getting hacked?
There is no security system in the world that can completely protect your website from being hacked – it comes down to how much time, resources and intellect the hacker is willing to invest in trying to hack your site, and huge corporations, banks and Government organisations are continually updating their systems for this reason.
However, many of the small business websites which get hacked each year are not targeted for their value, status or data – they are chosen purely because they are easy targets. It therefore makes sense to avoid being an easy target.
Here’s the steps most web developers recommend taking as a bare minimum:
1. Have an SSL certificate
The SSL adds extra encryption to your website, making it harder to hack. It also has the handy side-effect of improving your search engine ranking, as Google prefer SSL sites.
2. Choose secure hosting
You can find web hosting online from £1 per month – and can pay up to thousands per month. As with anything else, you get what you pay for.
By choosing a professional web hosting package, your site will be more secure and will also run fast. Ask whether the hosting includes regular backups and ask website designers what help they could offer in the event the site does get hacked.
3. Keep your website up to date
Your website developers will almost certainly have built your site to the latest standards at that time – but technology is evolving and so is hacker knowledge.
Many businesses are shocked to learn that new vulnerabilities in website platforms are being uncovered all the time, because both software and human beings dedicate time and resources looking for a weakness to exploit.
Once found, these weaknesses tend to be rapidly shared among the hacker community, hence software manufacturers tend to respond very quickly by issuing updates.
Your website will therefore need to be kept up to date to respond to these threats – and some hosting providers insist you do this, because your website is hosted on their servers.
This is especially important with WordPress, Joomla and other CMS sites – both the platform and any add-ons are regularly updated to secure any reported security loopholes.
Updates are an essential part of regular website maintenance, but according to WordPress, only 39% of WordPress sites are using the current version – meaning 61% of WordPress sites are vulnerable.
Some web developers will offer to keep your website up to date as part of their premium hosting package – that is certainly a service we offer our clients.
It seems like a cost at the time, but unless you are happy to do the updates yourself, it’s worth spending the extra to protect your website – restoring a hacked site can be far expensive.
Finally, if you have an older website that doesn’t use a CMS, it may be worth getting it reviewed for website security – very old websites often fail Googles tests and don’t perform well for your business in any case, so it’s worth learning how you stand and what the options are.
4. Use secure passwords and watch what you share online
Web professionals are often seen as boring and ‘over-cautious’ when we tell you that your dog’s name or kids birthdays make for an incredibly insecure password – but there’s good reason for our caution.
A quick check on your Facebook profile often delivers surprising details – pet pics, kids pics, addresses, photos of the places you visit, your hobbies etc. It also goes without saying that cliches like letmein, password, mypassword, admin etc. are like leaving your front door open.
Common names and passwords get added to hacker databases which automatically scan your site for vulnerabilities – so avoid them.
A secure password is harder to crack.
A good password should not include names, have a mix of capital and lower case letters, numbers and special characters.
5. Don’t share passwords and remove access when people leave
When people leave an organisation, they usually have to hand back the office key – but more often than not, ex employees can still access the company’s website because nobody thought to change the password.
Get into the habit of changing passwords regularly, both on workplace systems and on your website. Your former staff may well be honest and trustworthy but you don’t know who they know or what pressures could be applied to them. It’s easier to have a leaving process in place, so your security doesn’t rely on an ex-employee’s honesty.
Cybersecurity is a discipline in itself and we can’t hope to cover the many aspects in a short blog post.
However, these five steps are the bare minimum to avoid being an easy target.
Simply being aware of the risk is a good start – and as always, our customers can call us for advice on 01656 773388.