Category: Tutorials

“An ounce of prevention is worth a pound of cure.” Benjamin Franklin’s saying is still relevant today, especially when it comes to website security. Unfortunately, many business owners are not following that old piece of advice. Small businesses are especially vulnerable, and the number of threats grows at an alarming rate. A recent study states that cyber attacks cost US companies $15.4 million per year. Even Congress is currently discussing legislation targeting small businesses’ internet security: the Main Street Cybersecurity Act.

One of the reasons small businesses fail to prevent attacks is that they have no resources dedicated to dealing with their website security. Luckily, there are many strategies at $0 cost that you can start implementing today. With these 10 free prevention tips, you can potentially save millions of dollars in data recovery and lost business:

1. Implement Strong Passwords

Easy to do, but constantly overlooked! Choosing a strong password is very important for keeping your site safe and secure. What constitutes a strong password? This would be a combination of lowercase, uppercase, numbers, and symbols (such as these: %, *, !). Concerning length, the longer the password the safer it is; ideally more than 10 characters.

In contrast, weak passwords are short, use no mix of lowercase, uppercase, numbers and symbols, and contain easy-to-guess words: password, 1234, test, admin. Avoid these at all costs!

WordPress has its own password generator built-in, which will provide you with password suggestions that follow these standards. If you are not working with a WordPress site, external online tools can provide a similar outcome – try LastPass or Passwords Generator.

A common observation is that random passwords such as $bV[3vKS8k~w{q are almost impossible to remember, causing tremendous inconvenience if you are not using a password manager such as 1Password or are logging in from a device where the password is not saved. My suggestion is to use phrases instead of words and combine them with special characters in a way that is meaningful to you. For example: MyCatIs100%.MyDog2!

Much like a chain, the safety of your website comes down to its weakest link, or in this case your weakest user password. Make sure all your users adhere to good password practices. For an additional layer of security, request password updates regularly and consider a two-step authentication solution.

2. Remove obvious usernames

Usernames are often forgotten when you focus on setting strong passwords… However, neglecting username assignment can leave your website wide open to attack. A simple and effective method to protect your site against automated attacks is to create usernames that are not obvious. Avoid admin, test, username, demo, yourdomain, login, and so forth.
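The password and username rules from items 1 and 2 can be enforced at account-creation time. This is an added example, not code from the original post or from WordPress; the 11-character minimum encodes the article’s “more than 10 characters”, and the site domain is passed in by the caller to stand for the “yourdomain” case.

```python
import string
from typing import Dict, List

MIN_LENGTH = 11  # the article asks for more than 10 characters
WEAK_WORDS = {"password", "1234", "test", "admin"}  # easy-to-guess words from item 1
OBVIOUS_USERNAMES = {"admin", "test", "username", "demo", "login"}  # from item 2


def password_problems(password: str) -> List[str]:
    """Return the ways a password falls short of the article's rules (empty list = strong)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    lowered = password.lower()
    problems += [f"contains '{w}'" for w in sorted(WEAK_WORDS) if w in lowered]
    return problems


def username_problems(username: str, site_domain: str) -> List[str]:
    """Flag usernames an automated attack would try first, including the site's own name."""
    lowered = username.lower()
    problems = []
    if lowered in OBVIOUS_USERNAMES:
        problems.append("obvious username")
    label = site_domain.lower().split(".")[0]  # "yourdomain.com" -> "yourdomain"
    if lowered in (label, site_domain.lower()):
        problems.append("username matches the site domain")
    return problems


def validate_new_account(username: str, password: str, site_domain: str) -> Dict[str, List[str]]:
    """Combined check to run before creating a user; all lists empty means the account is acceptable."""
    return {"username": username_problems(username, site_domain),
            "password": password_problems(password)}


if __name__ == "__main__":
    # Constructed sample accounts, including the article's own example passphrase
    for user, pw in [("admin", "password1"), ("m.rivera", "MyCatIs100%.MyDog2!")]:
        print(user, validate_new_account(user, pw, "example.com"))
```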

3. Review active users and their user roles, and remove inactive users

WordPress and most CMS systems have neat user management features that provide both control and flexibility. Mapping user roles and privileges to your organization’s workflow is key to your website security. A person posting events and press clippings to your website probably does not need access to editing scripts or installing new code. Similarly, not everyone should be able to edit, delete or publish pages. Make sure that these privileges are reserved for the proper personnel. Review the rules you have in place and make sure they are suitable.

Follow this up with a little bit of house-cleaning. Check your website for any users that no longer work for or contribute to your business. Check for any cases of multiple accounts being assigned to the same individual; an example would be that you registered with your Gmail account and then again with your Yahoo account, or that you created a new user just to test user privileges. All accounts that are not serving a specific purpose should be removed. Extra accounts that aren’t used give an attacker another easy entry point. Remember to assign any content from accounts being deleted to a different user when removing the account, to avoid any loss of content.
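The review described in item 3 can be scripted over an export of your user table. This is an added example, not code from the original post; the user list is constructed, the 90-day inactivity threshold is an assumption (the article gives no number), and treating only the administrator role as high privilege is a simplification of WordPress roles.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List

INACTIVE_AFTER = timedelta(days=90)   # assumption: the article sets no threshold
HIGH_PRIVILEGE = {"administrator"}    # roles that can install code or edit files


def audit_users(users: List[dict], today: date) -> Dict[str, List[str]]:
    """Group findings for review: stale accounts (with a reassignment reminder),
    one person holding several accounts, and who currently has high privilege."""
    findings = defaultdict(list)
    by_person = defaultdict(list)
    for u in users:
        by_person[u["display_name"].lower()].append(u["username"])
        idle = today - u["last_login"]
        if idle > INACTIVE_AFTER:
            note = f"{u['username']}: no login for {idle.days} days"
            if u["posts"]:
                note += f"; reassign {u['posts']} posts before deleting"
            findings["inactive"].append(note)
        if u["role"] in HIGH_PRIVILEGE:
            findings["high_privilege"].append(f"{u['username']} ({u['role']})")
    for person, names in by_person.items():
        if len(names) > 1:  # the Gmail-plus-Yahoo case from the article
            findings["duplicate_person"].append(f"{person}: {', '.join(names)}")
    return dict(findings)


# Constructed sample export of a small site's user table
SAMPLE_USERS = [
    {"username": "jdoe_gmail", "display_name": "Jane Doe", "role": "administrator",
     "last_login": date(2024, 4, 28), "posts": 40},
    {"username": "jdoe_yahoo", "display_name": "Jane Doe", "role": "editor",
     "last_login": date(2023, 11, 2), "posts": 3},
    {"username": "events_intern", "display_name": "Summer Intern", "role": "administrator",
     "last_login": date(2023, 9, 1), "posts": 12},
    {"username": "pr_team", "display_name": "PR Team", "role": "author",
     "last_login": date(2024, 4, 30), "posts": 200},
]

if __name__ == "__main__":
    for category, notes in audit_users(SAMPLE_USERS, date(2024, 5, 1)).items():
        print(category)
        for note in notes:
            print("  -", note)
```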

4. Keep your software updated

Keeping your website up-to-date is extremely important. The top reason new CMS versions are released is to address security vulnerabilities. Website owners may ignore them, but attackers certainly don’t. Skipping core updates is not a risk worth taking.

Luckily, websites built following good practices and using reliable modules can be updated without major disruption. Just in case, always remember to back up your database and code before performing any update (see the backup item below for details).

This step requires due diligence in monitoring when new updates become available. Your CMS will usually do a good job of notifying website administrators that new versions have been released: WordPress and Magento show a message in the admin panel dashboard, or in some cases you will receive an email. Hosting services may notify you as well, since it is in their best interest to avoid vulnerable sites on their servers.

However, CMS core updates are just one part of the battle. Plugins, modules, and themes should be monitored and kept up-to-date as well. Depending on the complexity of your website, it could be challenging to keep track of all the different parts on a regular basis – in that case, consider contracting someone to take care of monitoring and updating your website.

5. Disable automatic subscription

If your website runs on WordPress and does not need visitors to register, make sure the Membership “Anyone can register” setting is disabled. Although it may not be visible to regular visitors, an open registration form can be used as a point of entry by ill-intentioned attackers.

6. Spam filters

Comments and reviews are an important part of user interaction, but they are also an easy target for spammers. Make sure comments are not posted without curation, install a spam filter and have someone monitor comments. If your site is running on WordPress, Akismet is a free spam filter tool that can provide you with essential protection after proper configuration. For high traffic (and highly spammed) websites, additional tools may be required.

7. Choose a good hosting service

Shopping for quality web hosting is certainly not very attractive and can be tedious. Most website owners wind up choosing their hosting service based on price alone, which can be a dangerous thing to do.

Factors that are usually neglected by low-cost hosting providers which could put your website at risk are:
– out-of-date technologies and tools
– other sites hosted on the same server
– lack of activity monitoring
– poor support and documentation

Picking the right host is an important step toward keeping your website safe. Many times the cost difference is minimal between a cheap service and a good one. Do your research and make an informed decision, and if you are unsure then ask for help.

8. Work from a clean computer

If your local computer is contaminated with malware, viruses or any other form of malicious script, it is just a matter of time before your website is infected as well. Take steps to ensure your machine is well protected. Antivirus and malware blockers can go a long way.

9. Regular backups are your insurance policy

If anything goes wrong, a backup will be the last resort that will allow you to restore your website.

When it comes to WordPress, a backup should consist of two parts: codebase and database. Although it is possible to perform these backups manually, it is much more efficient to have a system that takes care of it for you. The advantages are two-fold: no labor involved after the initial setup, and no risk of skipping or forgetting a backup.

It’s important to remember that an outdated backup will not be of much use. You should establish the frequency of backups based on how often your content changes. If you are running a blog that publishes a new post every day, a daily backup would be recommended. Set your automation accordingly and check regularly for any errors or issues.

Another important factor is where to save your backups. Although some hosting services offer automatic backups, the ideal solution is to store backups on a different server for an added layer of security. If an attacker gains access to the server, your backup folder will be as vulnerable as the original code and data. Keeping to the “Don’t Put All Your Eggs in One Basket” motto, we recommend using cloud storage such as Amazon S3 or Google Drive. Keep in mind that sensitive information should be protected regardless of the server where it is stored, so encryption may be required.

Remember that any instrument is only as good as its settings: backup automation, be it a plugin, module or script, is only useful if its parameters address the individual website’s needs in terms of frequency, destination, depth, and scope.
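Item 9’s two-part backup (database dump plus codebase archive), with a timestamped name so old copies can be pruned, as an added example that is not code from the original post or from any WordPress plugin. It assumes mysqldump is installed, that the database password is supplied via the MYSQL_PWD environment variable rather than on the command line, and that copying the archive off-server is done by a separate step you schedule (the hypothetical upload command in the comment is not run here).

```python
import os
import subprocess
import tarfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional


def backup_name(site: str, when: datetime) -> str:
    """Timestamped name: archives sort chronologically when sorted as strings."""
    return f"{site}-{when:%Y%m%d-%H%M%S}"


def run_backup(site: str, docroot: Path, db: dict, dest: Path,
               when: Optional[datetime] = None) -> Path:
    """Dump the database and archive the codebase into one .tar.gz under dest."""
    when = when or datetime.now(timezone.utc)
    name = backup_name(site, when)
    dest.mkdir(parents=True, exist_ok=True)
    dump = dest / f"{name}.sql"
    # Pass the password through the environment so it does not show up in `ps`.
    env = dict(os.environ, MYSQL_PWD=db["password"])
    with open(dump, "wb") as fh:
        subprocess.run(["mysqldump", "-h", db["host"], "-u", db["user"],
                        "--single-transaction", db["name"]],
                       stdout=fh, env=env, check=True)
    archive = dest / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(docroot, arcname="codebase")   # themes, plugins, uploads, wp-config
        tar.add(dump, arcname="database.sql")
    dump.unlink()  # the SQL is now inside the archive
    return archive


def backups_to_prune(existing: List[str], keep: int) -> List[str]:
    """Given archive names produced by backup_name() for one site, return those
    older than the newest `keep`, so retention matches your publishing frequency."""
    ordered = sorted(existing)
    return ordered[:-keep] if len(ordered) > keep else []


if __name__ == "__main__":
    # Constructed settings; a real run would read these from a config file.
    db = {"host": "127.0.0.1", "user": "wp", "password": os.environ.get("WP_DB_PASS", ""),
          "name": "wordpress"}
    archive = run_backup("mysite", Path("/var/www/html"), db, Path("/var/backups/mysite"))
    print("wrote", archive)
    # Then copy it off-server, e.g. with the AWS CLI: aws s3 cp <archive> s3://<bucket>/
```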

10. Have an emergency plan

You may have noticed that a lot of the points listed rely on monitoring the health of your website. Even with the right steps in place, if something bad happens someone needs to be there to identify that something has gone wrong (monitoring), take action to fix the issue (recovering), and make changes to prevent the issue from occurring again (securing).

Choosing a good set of tools will help with monitoring; they provide indicators, reports or flags, much like the check engine light on your car’s dashboard. But if you ignore the light or don’t check it at all, the issue will not fix itself. This is where the emergency plan comes into play. Knowing ahead of time who is responsible for monitoring and who to contact for recovering and securing can save critical amounts of time and money.

Ready.gov has an on-point piece of advice, mostly addressing natural disasters, that certainly applies to our digital world as well: Make a plan. Be informed. Plan ahead. Take action.

Taking preventive steps is the best investment you can make in your website. It avoids a very costly recovery process.

Keep safe everyone!
