The recent DDOS scare that affected a large number of websites brought to light how important it is to put whatever precautions we can into place to keep our websites secure. Anyone that owns a website right now should be thinking about security, but for those for whom your website is your business, you need to treat it as a priority.
That’s doubly true if you accept payment through your website. Whenever someone provides you with their credit card information, they’re putting trust in you and your brand. If a hacker gets access to that information because you didn’t take the necessary steps to make your website secure, then you betray that trust.
Cyber security is complicated stuff and you may not be able to ward off every threat – hackers are often savvy and always working to outsmart every new security update. Nonetheless, you can vastly reduce the risk of having your website be the next to be victimized by taking a few key precautions.
1. Keep all your software up to date.
The first step is one of the easiest, but one that makes a big difference. A lot of software updates are designed specifically to reduce security vulnerabilities. Software designers and cyber security experts are in a constant battle with hackers to thwart every new effort they come up with.
Most of those software updates you seem to get constant reminders for are part of that battle. Even if it feels like an annoyance, don’t dilly-dally on completing those updates. Regularly check for updates to your plug-ins, your CMS, your ecommerce software, and any other software related to how your website runs. Taking this simple step will immediately reduce your vulnerability.
2. Use secure passwords and update frequently.
A surprising number of people still use basic passwords like “password” or “123456.” Don’t be one of those people.
Make sure the password you use to access your website has a mix of numbers, letters, and special characters. Also avoid using something an acquaintance could guess at in your password – your kid’s name or year of birth is too easy for someone to figure out. Get creative, make sure you use something different for your website than you use for your other logins, and make sure anyone else in the company that has access to the website does the same.
And then do it all over again in six months. Set a reminder on your calendar so you remember to update your password with some frequency.
With HostGator’s Password Generator tool, simply click and drag Snappy’s head to generate a new password. Creating a secure password has never been so fun!
3. Backup regularly.
In the case that anything does happen, you don’t want to be stuck building your website over again from scratch. Make sure you back it up regularly, just like you do your own computer (you do backup your computer regularly, right?).
If you use HostGator for your web hosting, then setting up automatic backups for your website is as easy as adding CodeGuard to your subscription. It not only makes backing up completely effortless since everything is automated, but restoring your site if the need ever arises is a simple process as well.
4. Invest in a malware detector.
Malware’s extremely common, and not just on the website’s you’d expect. Hackers have an interest in infecting any website that people are likely to visit. That means your website could be felled by malware, or (arguably) worse, it could be the means by which malware infects your customers’ computers.
Your best move to avoid both scenarios is a strong malware detector. Anti-malware programs can spot malware fast and help you get rid of it before it has the chance to do much damage. They’re relatively inexpensive when you consider the risks malware poses, and they’re not all that difficult to implement. Your web hosting platform might even offer one (like HostGator does), which makes adding it to your web hosting plan and activating it especially easy to do.
5. Be careful about your permissions.
How many people have access to your website? Most businesses, even many on the smaller side, need to provide at least a couple of people with the means to access the website to make changes. Medium-sized and larger businesses will often have far more people accessing the website on a regular basis.
The more people you have in there making changes to the website, the more vulnerabilities you have. Chances are, not every person using your website needs the same level of access. By using your permissions wisely, you can limit the potential damage a thoughtless or malicious act by one of your employees or contractors can have.
6. Set up SSL.
If you have an ecommerce websites, purchasing an SSL certificate is not optional. Your customers need to know that your website is secure before they hand over sensitive information. An SSL certificate is the way you provide them that security.
An SSL certificate isn’t terribly expensive and ensures your websites shows a green HTTPS in the browser bar, which is what consumers look for to see that a website can be trusted. It adds an extra level of protection to ensure the details customers share with you are properly encrypted and can’t be easily snatched up by cyber thieves.
7. Use AVS and CVV.
When you add an address verification system (AVS) and credit card verification value (CVV) field for all credit card checkouts, fraud attempts are far less likely to slip through. You have a chance to check the information a customer provides against the information their credit card company knows so people that have stolen credit card numbers alone won’t get past your confirmation process.
8. Reduce XSS vulnerabilities.
This step gets really technical and you may want to consult with your webmaster or a cyber security consultant rather than try to handle this one on your own. XSS (cross site scripting) vulnerabilities are weaknesses in the code you write that allow hackers to add code to your website that infects your visitors’ devices.
To reduce XSS vulnerabilities, you need to validate and sanitize your data as described at the link above. You may also be able to insert this string onto your webpages to reduce your vulnerability:
echo htmlentities($string, ENT_QUOTES | ENT_HTML5, ‘UTF-8’);
But that will only work for you if you’re not using HTML. If you are using HTML, running your code through the HTML purifier is your best alternative.
9. Reduce SQL injection vulnerabilities.
As with step 8, this step is probably more the job of a webmaster than a business owner, so ask for help if you find the suggestions confusing.
SQL injection vulnerabilities aren’t as common as XSS vulnerabilities, but they’re still cause for concern. They allow hackers to get ahold of the sensitive data stored in your database – which often includes information like your customers’ credit card numbers.
All of the best methods for prevention here are pretty technical and you can check out the SQL Injection Cheat Sheet for more detail on what each defense means. The main five defenses against SQL injections are:
- Using parameterized queries to help your database distinguish the difference between code and data.
- Using stored procedures that are clearly defined within the database and provided to users, rather than letting them enter their own.
- Escaping user supplied input (which is only recommended in some cases), so the database knows to recognize any information users supply as different from SQL code written by the developer.
- Enacting least privilege – which relates back to step 5 – to make sure users only have as much permission as they need and no more.
- Employ white list input validation, which allows the database to detect any unauthorized input before processing it.
If your eyes just glazed over, you’re not alone. If you don’t understand this stuff, it’s better to bring in someone who does so it gets done right.
10. Use a DDoS mitigation service.
Distributed denial of service (DDoS) attacks occur when a hacker sets a large number of compromised systems to flood the bandwidth of a website all at once. The server gets overwhelmed and starts to reject all visitors.
Having a web hosting provider that’s put protective measures into place is the first line of defense, but with how common DDoS attacks have become, making an additional investment in a DDoS mitigation service can further reduce your risk.
Hackers are constantly working to create new methods to get around these protections. In addition to putting these ten tips into effect, take some time throughout the year to read up on new security threats and best practices.
The stakes here are high – you need your customers to trust you and your website to consistently do its job. Make sure you treat website security as the priority it should be.
Keep your site secure with regular maintenance.
Download our free Website Security Checklist.