If you have a small business, it’s tempting to think that your site is such small potatoes to hackers that they won’t bother with it, especially if you don’t keep credit card information or personal client details on there. But, unfortunately, anyone can be hacked, no matter what the size of their site.
Hackers may want to use your servers to mine for Bitcoin; they might encrypt your vital business files and demand a ransom to release them; they could set up a web server to deliver illegal files, or use your server to relay spam. They might even deface your website just for the fun of it.
Whatever they do, if you don’t have proper backups and plans in place to prevent hacking in the first place, a hack on your site could damage your reputation, cost you time and money to fix it, and, if the hack is severe in terms of either stealing people’s data or their money, it could cost you your business.
Even if you think you’re the most insignificant website on the internet, don’t take the idea of being hacked lightly. That’s a mistake you could regret.
OK, now that we’ve terrified the life out of you, here’s where we tell you how to prevent your website from being hacked.
The fact is that many hacks are opportunistic. Hackers scan the web for sites that have vulnerabilities, and simply having some decent security in place can be enough to get them to move along to another site that’s an easier hack.
1. Use a professional company to build your website
If you plan your website to include security before you even begin to have it built, you’ll be way ahead of the game.
Instead of having to catch up and install security measures later, the best way is to plan what you’ll need right at the beginning, so your site is secure from the start.
Do your research on the company you choose for your website. Look at testimonials from previous customers, check out their portfolio and their services pages, and make a list of questions to ask them before you hand over any money.
That way, you’ll be as sure as you can be that you have a decent company who know what they’re doing and can build you the secure website you need.
Look for a company like ALG Websites, as we thoroughly plan and test every website we build for security from the start.
2. Use HTTPS
If you’re just starting out with a new website, ensure that you use HTTPS, rather than just plain HTTP, and if you already have a website, consider switching.
If you’ve ever bought something on the internet, when you’ve gone to the page where you put your card details in, you’ll have seen a small padlock icon in your browser address bar or noticed that the HTTP changed to HTTPS as an indication that your data was secure.
Until recently, only the card transaction pages on a site used HTTPS, but it’s now a very good idea to use it for your whole website. Not only does HTTPS add extra security to the whole of your site, protecting your data and your users’ data, but it also gives a highly professional impression of your company. And Google is now using HTTPS as a ranking factor and will be showing sites with HTTPS above sites without.
We’ll call that win-win-win!
3. Hide your admin pages
Why show hackers exactly where your admin pages are? If you hide them, any hacker will have a much harder time gaining restricted access to your site.
You don’t want your admin pages to be indexed by the search engines, so alter your robots.txt file to disallow indexing of those pages. If you don’t know how to do this, here’s a beneficial article from SEO Book.
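A way to check that a robots.txt file really does disallow the admin pages for every crawler, added here as an example that is not from the original article. The sample files and crawler names are constructed, and the paths are the article's own example login URLs. Keep in mind that robots.txt only asks well-behaved crawlers to skip those paths and is itself publicly readable, so it works alongside the login protections below rather than instead of them.

```python
from urllib.robotparser import RobotFileParser

# Paths taken from the article's example login URLs; the crawler names
# are sample values chosen for this check.
ADMIN_PATHS = ["/admin/", "/admin/settings", "/login/"]
CRAWLERS = ["Googlebot", "Bingbot", "*"]

# Constructed sample: blocks both paths for every crawler.
GOOD = """\
User-agent: *
Disallow: /admin/
Disallow: /login/
"""

# Constructed sample with a common mistake: a crawler-specific group
# replaces the wildcard group for that crawler, so Googlebot is only
# told to skip /drafts/ and may still crawl the admin pages.
OVERRIDDEN = """\
User-agent: Googlebot
Disallow: /drafts/

User-agent: *
Disallow: /admin/
Disallow: /login/
"""


def crawlable_admin_paths(robots_txt, paths=ADMIN_PATHS, crawlers=CRAWLERS):
    """Return the (crawler, path) pairs that robots.txt still allows."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return [(crawler, path)
            for crawler in crawlers
            for path in paths
            if parser.can_fetch(crawler, path)]


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("OVERRIDDEN", OVERRIDDEN)):
        print(name, crawlable_admin_paths(text) or "all admin paths disallowed")
```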
If you’re using WordPress for your site, you can also change the name of your login page to a random string of letters, numbers and symbols, rather than the standard page of http://yoursite.com/login/ or http://yoursite.com/admin/. Check your CMS or ask your web designer, and this should be possible for your website.
On WordPress, you can also delete the admin user completely, add another user with a hard-to-guess name and give admin privileges to that user instead. Again, it’s another way of disguising how to get into your site. When you have your website built with ALG Websites, we’ll give you the option of renaming your admin area before it’s launched.
4. Use secure passwords
Here is a list of the 25 worst passwords of 2017 from Entrepreneur. It’s staggering to note that the top two entries are still ‘123456’ and ‘password’, despite dire warnings every year from IT professionals.
Users should use passwords which are a minimum of 12 characters and contain random upper and lower-case letters, numbers and symbols. A password made up of your birthday, or your child’s name is just too easy to guess. Think about it. How much time do you spend on Facebook talking about your family and posting pictures of your latest birthday celebration? It’s really not that hard to break into your website if you use any of that publicly posted information as your password.
Want to check how secure your current password is? Enter it into https://howsecureismypassword.net/.
Not only that, but every site you use should have a different random password, and you should change them frequently. If you use the same one for everything, a hacker only needs to crack or guess your single password, and they can get into everything you use online.
Try our password generator to make up completely random passwords that are very hard to crack: https://www.algwebsites.co.uk/tools/password-generator/.
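The password advice above, written out as a checker and a generator. This is an added example, not the code behind the generator linked above; the symbol set, the default length of 16 and the sample personal details are assumptions.

```python
import secrets
import string

MIN_LENGTH = 12  # minimum length given in the article
COMMON = {"123456", "password"}  # the two worst entries the article quotes
SYMBOLS = "!@#$%^&*()-_=+[]{}"   # assumed symbol set for generation
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Character classes the article asks for, each with a test for one character.
CLASSES = {
    "upper-case letter": str.isupper,
    "lower-case letter": str.islower,
    "number": str.isdigit,
    "symbol": lambda ch: not ch.isalnum(),
}


def policy_problems(password, personal_terms=()):
    """Return the reasons a password fails the advice; an empty list passes."""
    problems = []
    if password.lower() in COMMON:
        problems.append("on the worst-passwords list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, matches in CLASSES.items():
        if not any(matches(ch) for ch in password):
            problems.append(f"no {name}")
    # Publicly posted details (a child's name, a birth year) are easy guesses.
    for term in personal_terms:
        if term and term.lower() in password.lower():
            problems.append(f"contains personal detail {term!r}")
    return problems


def generate_password(length=16):
    """Draw characters from the OS CSPRNG until every class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_problems(candidate):
            return candidate


if __name__ == "__main__":
    print(policy_problems("password"))
    print(policy_problems("Emily-2011-Birthday!", ["Emily", "2011"]))
    print(generate_password())
```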
And if you’re struggling to remember all those passwords, try a free programme such as LastPass which will remember everything for you.
5. Install security applications and a web application firewall
If you have WordPress, try the iThemes Security application. The basic version is free and will do everything from blocking IP addresses to limiting the times when admin access is available, and a whole lot more.
If you have the budget, a web application firewall (WAF) is an excellent layer of protection, acting as a gateway for all traffic to your website and blocking hacking attempts, malicious bots and spammers.
6. Network security
It’s possible that a hacker could get into your website via your office computers if you don’t have good enough network security.
Set up an IT policy and rules on your system so that users have to use a strong password that is frequently changed. Limit login attempts to both your network and your website so that a hacker can’t have unlimited attempts at getting into your system, and set logins so that they expire after only a few minutes of inactivity.
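A sketch of the two login controls described above: a cap on failed attempts and sessions that expire after inactivity. This is an added example, not code from the original article; the limits (5 failures, a 15-minute lockout, a 5-minute idle timeout) and the `LoginGuard` name are assumptions, and `check_password` stands in for whatever password check your site already uses.

```python
import secrets
import time

MAX_FAILURES = 5           # assumed limit; the article gives no number
LOCKOUT_SECONDS = 15 * 60  # assumed lockout length
IDLE_TIMEOUT = 5 * 60      # "a few minutes of inactivity", assumed to be 5


class LoginGuard:
    """Hypothetical wrapper that rate-limits logins and expires idle sessions."""

    def __init__(self, check_password, clock=time.monotonic):
        self.check_password = check_password  # callable(user, password) -> bool
        self.clock = clock
        self.failures = {}  # user -> (failure count, time of last failure)
        self.sessions = {}  # token -> (user, time of last activity)

    def login(self, user, password):
        """Return a session token, or None if refused or locked out."""
        now = self.clock()
        count, last = self.failures.get(user, (0, now))
        if count >= MAX_FAILURES:
            if now - last < LOCKOUT_SECONDS:
                return None  # locked: the password is not even checked
            count = 0        # lockout served, start counting again
        if not self.check_password(user, password):
            self.failures[user] = (count + 1, now)
            return None
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now)
        return token

    def current_user(self, token):
        """Return the logged-in user, or None once the session has idled out."""
        now = self.clock()
        user, last_seen = self.sessions.get(token, (None, 0))
        if user is None:
            return None
        if now - last_seen > IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        self.sessions[token] = (user, now)  # activity resets the idle timer
        return user
```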
It’s also a good idea to scan any devices such as USB sticks and external hard drives for malware each time they are plugged into your network.
7. Keep everything updated
Always, always keep everything updated, from the software on your network and computers to the plugins and CRMs that make up your website.
Companies issue patches and updates to block security breaches or fix vulnerabilities in their software, and if you don’t keep everything constantly updated, you’re leaving yet another way in for a hacker.
A lot of software updates, like the Windows updates for your operating system, can be applied automatically, so do set automatic updates where you can to ensure all of your staff have the latest patches and updates on their systems.
CRMs often have an option for automatic updates, too, so take advantage of that wherever you can. It’s one less thing to think about for your company’s IT security.
8. Update yourself!
Following on from the above point, hackers are always finding new ways to break into systems, and new vulnerabilities in websites can become known overnight, so it’s a good idea to keep yourself updated with all the changes so that you can protect against any new threats.
9. Back up everything!
While not a step you can take to prevent a hacker getting through, having backups of all of your data and your website is vital, just in case you get caught out.
Imagine if your site got hacked and you hadn’t got a backup in place to get everything up and running quickly. E-commerce sites can lose thousands of pounds in hours if they are down, and you don’t want to risk your business for the sake of paying out for some backup options.
WordPress has plugins such as Backup Buddy which will automatically back up at least once a day to Amazon AWS or Dropbox, or you could explore an option such as Carbonite which has a variety of solutions for businesses and individuals.
Whatever you do, pick something! Don’t leave your business wide open and vulnerable just because you didn’t take the time to put a backup in place. This is also something you should check with your website builder and your hosting provider, to ensure that they also provide site backups, at least of your databases.
Hopefully, now the idea of being able to protect yourself against hackers isn’t quite such a daunting one, and you have plenty of things you can put in place to keep your website and your business secure.