If you, like many business owners, are of the opinion that your business website is unlikely to be affected by cybercrime, please think again and read on.
On average 30,000 websites are hacked every day (source Sophos Security Threat Report) and hackers create 300,000 new pieces of malware every day (source McAfee). With the technological advancements we have seen over the last few years, these numbers are only going to rise.
Whilst some big brands may be specifically targeted, generally, cybercriminals simply use highly effective computer software programs to automatically detect vulnerable websites, which are perfect to infect, no matter how big or small they are.
The majority of the time it will be easy to tell if your site has been affected:
- It will not work at all – with a delightful message appearing instead stating ‘your site has been hacked’
- It may redirect to some unsavoury content
- Parts may be missing or not function properly
Occasionally, however, the attack can consist of cloaked malicious code which is undetectable to the human eye. Incidents of this nature can affect your search engine rankings as the content could be interpreted as spam and result in your website being flagged or de-listed.
So what security measures can you put in place to help protect your website against cybercrime?
Whilst it is important to ensure you chose a reputable hosting company to look after your website (especially if you are using a shared server plan), there are a few simple changes and standard practices you can also follow which could ultimately protect your site from approximately 80% of the day to day cyber attacks:
1) Keep your software up to date.
The content management systems (CMS) many of us use to build our website nowadays (like WordPress, Drupal or Joomla) regularly update their software. Most of the time, you, as a user will need to manually log into your website admin interface and apply the upgrade. As well as introducing new features, the key reason for most updates is to add additional protection to your website from the latest virus or malicious code.
This principle also applies to any themes or plugins you use on your site – always keep them ALL up to date.
If you don’t feel you have time to monitor your website, pay a management company to do it for you.
2) Username & password management
First, make sure your username is bespoke. When you or your web designer first install your CMS software, sadly many still use the default username option of ‘ADMIN’. How does this make a difference? It simply gives a hacker 50% of the information it needs to access your site!
Second, have a strong password. According to safetydetectives.com, who have researched the 20 most hacked passwords in the world (and broken them down by country), these are the top 5:
- 123456
- password
- 123456789
- 12345
- 12345678
This is madness! Whilst we all know password management can be a pain, it’s for our own good – please take the time to create bespoke passwords, strong ones tend to have at least 8 characters, using a combination of letters, both lower case & capital, numbers and other symbols.
Third, regularly CHANGE your passwords – the recommended interval is every 60 days.
Fourth, DELETE any old users.
Fifth, consider using Two-Factor Authentication to add a process to get your identity confirmed before access to your website is granted. This can be another password or pin, a code sent to a physical device (e.g phone), or biometric (e.g fingerprint/face scan).
3) Protect your site
Use a security plugin or extension and run a website security scan on a regular basis.
I run all of my websites on WordPress and use a free security plugin that appears to tick all the boxes. It is regularly kept up to date so that it works with the latest version of WordPress and has over 3 million active installations! You can learn more about how it works by visiting the Wordfence Plugin overview available at wordpress.org
As mentioned in (2) above, hackers will try and use ‘known’ usernames to access your site. With a security plugin, you can set your system to automatically block these attempts AND lock them out permanently, or for a set period of time.
This is a screenshot showing a week of attempted logins for a small niche website of mine – over 160 in a week!. Other usernames I have seen in these reports include test, events and administrator.
4) Have an SSL Certificate
An SSL Certificate indicates that your website has an encrypted connection. It also demonstrates you have authenticated ownership of the website domain. Visually, a padlock symbol will appear next to your domain URL along with ‘https’ at the start (instead of just ‘http’).
Whilst it won’t prevent cyber attacks, it can minimise phishing, helping to protect your personal data and that of your clients.
As a side note, in July 2018, Google started marking non-SSL websites as ‘not secure’ flagging up a warning for visitors to acknowledge before allowing them to go on and view the site. If you haven’t added SSL to your website, you could be missing out on valuable website traffic.
5) Be Vigilant With Comment Approval
Getting comments on your website pages and posts is a good way to improve your organic search engine rankings, but only if they are genuine and clear of spam. Set your comments to manual approval and monitor them carefully. Spam comments often contain unsavoury words and website URLs, which if approved can pose a security risk and damage your website reputation.
6) Use Google Search Console
Google still leads the field in terms of search engine popularity and offers some great tools to help you manage your website. As well as providing important analytical information, there are 2 ways it can help you pick up on any possible cybercrime activity:
a) Security Issues (under Security & Manual Actions) – Anything unusual will be reported here.
b) Content Queries (under the performance section) – Make a diary note to review these from time to time. The list should only contain words that are relevant to your site.
To sign up for Google Search Console (it’s free) visit: https://search.google.com/search-console/about
Recovering from a cyber attack can be a slow and frustrating process and could have a severe impact of your business both in terms of reputation and profits. Once implemented, the recommended measures in this article take a few minutes each month. Take action now to stop your business website from being the next victim of cybercrime!
This article was originally published on 9 Feb 2015, and updated 22nd June 2020
