If your website has ever been hacked, you know how much of a pain it is. If you haven’t been hacked, it may just be a matter of time. Google Safe Browsing data shows that about half of a million websites are hacked at any given time, with thousands more hacked every week.
Researchers estimate that annual damages from cybercrime will reach $6 trillion by 2021. That’s larger than the entire economy of Japan, Germany or the U.K.
Unfortunately for small businesses, hackers don’t just attack large companies – startup-sized companies and even personal websites are being attacked, as well. If you own a website, you’re at risk of being hacked.
Fortunately, there are a few things you can do to reduce your risk, as well as reduce the impact if and when a hack does occur.
Keep your website software updated
One of the most common ways hackers access websites is through outdated website software. They scan the web for websites, checking for any software or plugins they know to have security vulnerabilities.
From outdated WordPress installs to old themes and plugins, outdated software components often have security vulnerabilities that hackers can exploit. And there are a lot of sites that are using outdated software: one survey found that half of WordPress sites are using an outdated version of WordPress.
Keeping your software up-to-date requires a bit of planning, but usually it isn’t too difficult.
Here’s what I recommend doing:
- Review your entire website to identify all the software and components you’ve installed. Create a list with every piece of software that may need to be updated.
- If any of the components offer auto-updates (WordPress does, for example), turn that feature on. Check the software documentation for best practices so that auto-updates don’t cause issues on your website (such as overwriting customizations you’ve made).
- Use your list to check for updates regularly (weekly is usually sufficient) and install any that need installing. Use a recurring calendar event to remind yourself to check for and install updates.
- If you find an outdated component, create a backup of your website (just in case anything goes wrong during the update process), then update the component. In many cases, updating the software will just require one or two clicks.
Protect your password in transit
Often, the easiest way to hack your website is for a hacker to simply get access to your password. So, how can you stop a hacker from getting your password?
To start, make sure you’re only sending your password over encrypted channels:
- Switch your website to HTTPS to stop hackers from intercepting your admin credentials and logging in to your website. For example, if you’re using WP Admin, you want to be sure your admin login is HTTPS so hackers can’t intercept your credentials. If your WP Admin login URL is HTTP, your username and password are sent as plain text, and could be intercepted by a hacker.
- Use SFTP (SSH File Transfer Protocol, often called Secure FTP) to encrypt your password when you’re connecting via FTP (transferring files between computers on a network). This makes it much harder for hackers to intercept your password and steal it. Most web hosts support SFTP; check your web host’s knowledge base for SFTP connection details (i.e. what server and port to use).
Protect your password in storage
Using the above methods protects your password in transit, but what about if it’s saved on your computer? Hackers will often try to steal passwords from your computer or phone using malware, phishing or other tactics.
Here are two easy ways to foil them:
- Limit where you store your password. If you’ve got your password saved on your computer, Google Drive, within your email and on your mobile phone, that’s four potential places hackers could look for your website password. Store your passwords in as few places as possible, and if practical, keep them encrypted (in a password protected file).
- Install next generation anti-malware on your computer. If hackers can get malware installed on your computer (sometimes it’s as easy as getting you to click on a website link), then they can steal all your data, including your passwords.
Choose a more secure password
Many hackers won’t go to the trouble of looking for and stealing your password. Instead, they’ll just set up an automated program that keeps trying passwords (hundreds or thousands of times) until it guesses your password correctly. Or, they’ll check a database of passwords that have been stolen in other breaches and see if you used the same password on your website that you used on, say, your Yahoo email.
What’s a secure password? First things first, you need a password that’s hard to guess:
- Don’t use common passwords like “monkey” or “123456.” Hackers know all of the favorites and will start by guessing these first. Wikipedia has a list of the most common passwords you should avoid.
- Don’t use common English words. Hackers will often pull lists of words from a dictionary while attempting to guess your password. If your password is made from common words, a hacker could guess it with just a few hundred or thousand guesses (and this takes just seconds with an automated tool).
- Use special characters. A six-character password made up only of letters has 308 million possible combinations, and that won’t take very long to guess if you’ve got a powerful computer guessing passwords! However, if you include capital letters, numbers and special characters, your password will be thousands of times stronger – with a total of 735 billion combinations!
- Don’t end with ! or 1. When software started requiring passwords to contain numbers and special characters, many users complied by adding 1 and/or ! to their password. Hackers know that trick and it’s an easy one for them to guess. Use different numbers or characters.
- Make it longer. The National Institute of Standards and Technology (NIST) requires a minimum of 8 characters, but says that longer (up to 64 characters) is better. Twelve to 16 characters is a good length for most sites to use. A 12-character password is up to 30 million times stronger than an eight-character password.
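The rules above, and the combination counts behind them, as an added example (not code from the article): the common-password and dictionary lists are tiny constructed samples, and the 33-character "special" class (32 ASCII symbols plus space) is an assumption chosen so that all four classes give the 95-character alphabet behind the 735 billion figure.

```python
import string

# Constructed sample lists for the demo; a real check would load the full
# Wikipedia common-password list and a dictionary file mentioned in the article.
COMMON_PASSWORDS = {"123456", "password", "monkey", "qwerty", "letmein"}
DICTIONARY_WORDS = {"summer", "dragon", "welcome", "sunshine", "football"}

# Size of each character class. Lower/upper/digit plus the 32 ASCII symbols and
# space give the 95-character alphabet behind the article's 735 billion figure.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

def classes_used(pw):
    """Return the set of character classes that actually appear in pw."""
    used = set()
    for ch in pw:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        elif ch in string.punctuation or ch == " ":
            used.add("special")
    return used

def keyspace(pw):
    """Number of passwords of this length over the classes pw uses."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes_used(pw))
    return alphabet ** len(pw)

def check_password(pw):
    """Apply the article's rules; returns the list of violations (empty = passes)."""
    problems = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains dictionary word")
    missing = {"upper", "digit", "special"} - classes_used(pw)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    if pw.endswith(("!", "1")):
        problems.append("ends with ! or 1")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    return problems
```

keyspace("abcdef") reproduces the 308 million count for six lowercase letters, and keyspace("aB3!ef") the 735 billion count once all four classes appear.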
Don’t reuse passwords
Hackers often use password databases obtained from past data breaches to gain access to websites. Researchers estimate that 178 million individual records were exposed by hackers in 2017. That includes credit card numbers, social security numbers, and yes, passwords. If your email password was exposed in a breach (for example, the Yahoo breach) and you used the same password for your website, then hackers have your website password.
This is pretty simple to defend against – just make sure you use a unique password for each site. If that’s too many passwords to remember, I recommend using a secure password manager to keep track of all your logins.
Enable brute force protections on your site
It’s pretty easy to block brute force attacks (a hacker trying to guess your password) on your website. There are a variety of plugins for WordPress, for example, that block logins after five incorrect passwords have been attempted. You can get a complete list along with ratings on the WordPress website. If your site doesn’t use WordPress, no problem—many website software packages come with features (or have plugins available) to block brute force attacks.
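The "block after five incorrect passwords" behaviour those plugins provide, as an added example of the lockout logic (not code from WordPress or any plugin): the 15-minute lockout window and the injectable clock are assumptions; attempts are keyed on account plus client IP so one guessing client cannot lock the real owner out.

```python
import time
from collections import defaultdict

MAX_ATTEMPTS = 5            # the article's threshold: block after five wrong passwords
LOCKOUT_SECONDS = 15 * 60   # assumed length of the block and of the counting window

class LoginGuard:
    """Tracks failed logins per (account, client IP) and blocks after MAX_ATTEMPTS."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock so tests are deterministic
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the block expires

    def _key(self, username, ip):
        return (username.lower(), ip)

    def is_locked(self, username, ip):
        until = self.locked_until.get(self._key(username, ip))
        return until is not None and self.now() < until

    def record_failure(self, username, ip):
        """Call after a wrong password. Returns True if the key is now blocked."""
        key = self._key(username, ip)
        window_start = self.now() - LOCKOUT_SECONDS
        recent = [t for t in self.failures[key] if t > window_start]
        recent.append(self.now())
        self.failures[key] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[key] = self.now() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username, ip):
        """A correct password clears the counter and any block for that key."""
        self.failures.pop(self._key(username, ip), None)
        self.locked_until.pop(self._key(username, ip), None)

def attempt_login(guard, username, ip, password_ok):
    """Gate one login attempt; password_ok is the outcome of the real credential check.
    A real handler should test the block before verifying the password at all."""
    if guard.is_locked(username, ip):
        return "locked"
    if password_ok:
        guard.record_success(username, ip)
        return "ok"
    return "locked" if guard.record_failure(username, ip) else "denied"
```

Log every "locked" result: a burst of lockouts across many accounts is the signal that an automated guessing tool is at work.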
Restrict site access
The more people who have access to manage your website, the more chances a hacker might find their way in.
There are two main tactics you should use to minimize this risk:
- Only give the level of access that’s needed. If someone is an author who writes for your blog, don’t give him or her admin access; provide author or editor level access only. That way, if a hacker gets ahold of a password, they won’t have admin control over your website.
- Remove unneeded access. Regularly check your website and remove users who no longer need access. Over time, people tend to accumulate access credentials they no longer actively need.
It’s too easy to “set it and forget it” when it comes to website user accounts. But it’s worth it to check on and update account access regularly—you don’t want to make it easier for hackers to get in.
Implement recommended security customizations for your CMS
Every CMS or other website software will have a unique list of security best practices and features you can implement. Review and implement these features to improve your website’s security.
Here are security checklists for several of the most popular website platforms in use:
- WordPress Security Checklist
- Joomla Security Checklist
- Drupal Security Checklist
- Magento Security Checklist
Be prepared to monitor and respond
Implementing good security precautions can greatly reduce the risk that your site will get hacked. But no protection is 100 percent certain, so you need to prepare for any possibility.
Here’s what you should do to prepare for the worst:
- Backup: Backing up your website files and database(s) won’t keep your site from being hacked, but it makes it a lot easier to fix or restore your site if it’s ever hacked. Use a service that automatically backs up your website using secure, offsite storage.
- Monitor: There are a variety of free or low-cost tools you can set up to alert you to a security issue on your website. Google Search Console will send you alerts if Google detects malware on your site (there can be a delay with the alerts though, and some malware makers intentionally block Google from seeing the malware). There are also several free tools you can set up to alert you if your website content changes.
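A content-change monitor of the kind the Monitor step describes, as an added example (not one of the tools the article refers to): it hashes every file under the web root, stores the result as a baseline, and reports files added, removed or modified since. The ignored directories and the sample files are constructed assumptions.

```python
import hashlib
import os

IGNORE_DIRS = {"wp-content/uploads", "wp-content/cache"}   # assumed noisy paths to skip

# Constructed sample: the clean baseline and a later snapshot in which index.php
# gained an unexpected line and a file appeared that nobody deployed.
BASELINE_FILES = {
    "index.php": b"<?php require 'wp-blog-header.php';\n",
    "wp-config.php": b"<?php define('DB_NAME', 'example');\n",
}
CURRENT_FILES = {
    "index.php": b"<?php require 'wp-blog-header.php';\n// unexpected new line\n",
    "wp-config.php": b"<?php define('DB_NAME', 'example');\n",
    "wp-content/plugins/unknown.php": b"<?php // file not in the baseline\n",
}

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def read_site_files(root):
    """Walk a web root into {relative_path: bytes}, skipping the ignored dirs."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if any(rel_dir == d or rel_dir.startswith(d + "/") for d in IGNORE_DIRS):
            dirnames[:] = []          # do not descend into this directory
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[os.path.relpath(path, root).replace(os.sep, "/")] = fh.read()
    return files

def build_manifest(files):
    """Map each path to the SHA-256 of its content; store this as the baseline."""
    return {path: sha256_bytes(data) for path, data in files.items()}

def diff_manifests(baseline, current):
    """Classify changes since the baseline; any non-empty list deserves an alert."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }
```

Save build_manifest(read_site_files(root)) as JSON right after a clean deploy, keep that baseline off the web server so an intruder cannot rewrite it, and run diff_manifests against a fresh snapshot on a schedule.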
Hacked websites are a huge problem for businesses of all sizes, including startups. But as the saying goes, an ounce of prevention is better than a pound of cure. With these simple security precautions in place, you’ll have a much lower risk of getting hacked—and if you do get hacked, you’ll find it much easier to recover quickly.