Like pensions, flossing, and insurance, website security is one of those things that business owners know they should be dealing with. But it’s often left on the “some day” list because real work and real life get in the way. “My business is small – why would anyone want to hack my site?”, “I don't take payments”, “It doesn't really matter anyway”. It's easy to justify not worrying about the security of your website, especially if it's just a simple brochure site.
But most website hackers don't care who you are, and unless you're a big brand, they are unlikely to specifically target your business. What they want is your visitors. What they want is to access your website and your web hosting platform so that they can use it for their own purposes. The hackers will instead run automated “scripts” that trawl the web looking for vulnerable websites, and use these vulnerabilities to find their way in. Once they have access, they can do whatever they like, but mostly it's about doing bad things to people that visit your site.
A large number of hacked websites don't show any symptoms to the website owner. Once they have access, the hacker adds some code to your site which silently delivers malware, viruses or spam to unsuspecting users, some of whom will be your real or potential customers: “Would you like to download our brochure? It comes with a free side of ransomware!”. Imagine if Starbucks started sneezing into every coffee.
And don't for a minute think that because you're small, they won't find you. In our experience, within 24 hours of a website being online and listed anywhere on Google (yes, including page 999,211), you will find automated scripts probing your website for insecure areas.
If you're not dealing with the security of your website you are putting yourself at risk of embarrassment. If you store any sort of personal data or payment data, or if you manage your own web hosting platform, you could also be risking large fines and a data security nightmare.
Here are our top five tips for addressing the security of your website
1. Audit your websites
As with any business activity, you should be planning before you act. Many companies now have more than one website, possibly using different technology, managed by different people or companies. It's important you identify what you have now, so that you can prioritise your time and money.
Which websites belong to your company? What technology do they use? (WordPress, Drupal and Joomla are all popular website technologies, but there are hundreds of others.)
Where are they stored/hosted?
What data is stored on these websites? Can users log in? Do you store personal data? Do you take payments of any kind?
2. Make sure your website code is up to date
Most modern website software offers regular security updates, and for the most common website software such as WordPress and Drupal these will be free. Ask your existing website manager or your IT team to check whether these security updates have been applied recently. Are there any outstanding? What's the risk?
Updating a WordPress or Drupal site regularly should only take a few minutes. If your site security has not been checked recently, it might take longer to bring it up to scratch, but once you've done that you can maintain the security easily. You should check for updates at least weekly, and ideally turn on the automatic email notifications that these systems provide, so that they can tell you when an update is needed.
If you are using a version of WordPress older than 4, or a version of Drupal older than 7, you should upgrade immediately.
Use a free tool like Sucuri SiteCheck to check whether your site is secure, and if in doubt, get an expert to check your website code and advise on what updates are needed.
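The audit in tip 1 and the version floors in tip 2 can be combined into a short script. The following is an added example (not code from the original article or from any of the CMS projects) that walks a list of web roots, reads the version string from the file where WordPress and Drupal record it, and flags any site below the floors the article gives. The file locations and variable names are the standard ones for each CMS; the sample sites it builds are constructed in a temporary directory purely so the script runs stand-alone.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Major-version floors from the article: anything older should be upgraded immediately.
MINIMUM_MAJOR = {"WordPress": 4, "Drupal": 7}

# Where each CMS records its version, and the pattern that pulls the string out.
# WordPress: wp-includes/version.php holds $wp_version = '6.4.2';
# Drupal 8+: core/lib/Drupal.php holds const VERSION = '10.1.6';
# Drupal 7:  includes/bootstrap.inc holds define('VERSION', '7.98');
VERSION_MARKERS = [
    ("WordPress", "wp-includes/version.php", re.compile(r"\$wp_version\s*=\s*'([^']+)'")),
    ("Drupal", "core/lib/Drupal.php", re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")),
    ("Drupal", "includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([^']+)'\)")),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.9.8' or '7.59-dev' into a tuple of integers that compares sensibly."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def detect_cms(webroot: Path) -> Optional[Tuple[str, str]]:
    """Return (cms_name, version_string) for a web root, or None if nothing recognised."""
    for cms, rel_path, pattern in VERSION_MARKERS:
        candidate = webroot / rel_path
        if candidate.is_file():
            match = pattern.search(candidate.read_text(errors="replace"))
            if match:
                return cms, match.group(1)
    return None


def audit_site(webroot: Path) -> dict:
    """One row of the audit: what runs here, which version, and whether it is below the floor."""
    found = detect_cms(webroot)
    if found is None:
        return {"site": str(webroot), "cms": "unknown", "version": None, "upgrade_now": None}
    cms, version = found
    major = parse_version(version)[:1]
    below_floor = bool(major) and major[0] < MINIMUM_MAJOR[cms]
    return {"site": str(webroot), "cms": cms, "version": version, "upgrade_now": below_floor}


def audit_sites(webroots) -> list:
    return [audit_site(Path(w)) for w in webroots]


def make_sample_roots() -> list:
    """Constructed sample: an old WordPress site, a current Drupal site, and a plain HTML site."""
    base = Path(tempfile.mkdtemp())
    old_wp = base / "old-brochure-site"
    (old_wp / "wp-includes").mkdir(parents=True)
    (old_wp / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '3.9.2';\n$wp_db_version = 27916;\n")
    drupal = base / "main-site"
    (drupal / "core" / "lib").mkdir(parents=True)
    (drupal / "core" / "lib" / "Drupal.php").write_text("<?php\nclass Drupal {\n  const VERSION = '10.1.6';\n}\n")
    static_site = base / "landing-page"
    static_site.mkdir()
    (static_site / "index.html").write_text("<html></html>\n")
    return [str(old_wp), str(drupal), str(static_site)]


if __name__ == "__main__":
    import sys
    # Pass real web roots as arguments; with none, audit the constructed sample.
    for row in audit_sites(sys.argv[1:] or make_sample_roots()):
        if row["upgrade_now"] is None:
            flag = "unknown software, check manually"
        else:
            flag = "UPGRADE NOW" if row["upgrade_now"] else "ok"
        print(f"{row['site']}: {row['cms']} {row['version'] or ''} -> {flag}")
```

Point it at the real document roots of each site you listed in your audit. A row marked unknown is as important as one marked for upgrade: it means nobody can say what that site is running, which is exactly the gap the audit is meant to find.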
3. Enforce strong passwords
Remember that Information Security Policy you created back in 2012? It's time to dust it off and pay attention to it! If you're not already requiring your staff and website users to use strong passwords, you should do it now. A strong password is one that is hard to guess, but easy to remember (how about using a line from a favourite song, a limerick, an inspirational quote?).
An even stronger password is one that's hard to guess and hard to remember, but only if you don't end up writing it down. To keep your hard to remember passwords secure, use a password manager like LastPass, 1Password, or similar. These tools will store your passwords for you, and all you need to do is remember a single, long, secure but memorable password.
And remember, don't share or re-use passwords. Security can be a pain, but it's much less painful than the clean-up afterwards if you ignore it.
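Requiring strong passwords only works if the website actually refuses weak ones at the point of entry. The following is an added example (not code from the original article) of a server-side policy check of the kind a login or registration form would call: it enforces a minimum length, rejects passwords on a denylist of common choices, and rejects anything containing words an attacker would try first, such as the company name or the username. It also shows how to generate a passphrase of the memorable kind the article recommends. The denylist and the word list are small constructed stand-ins; a real deployment would load a breached-password list of millions of entries and a full diceware-style word list from files.

```python
import math
import secrets

# Constructed stand-in for a breached/common-password list (real lists are far larger).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}
MIN_LENGTH = 12

# Constructed stand-in for a diceware-style word list; real lists have thousands of words.
WORDS = [
    "anchor", "basket", "candle", "donkey", "engine", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orchid", "pepper",
]


def check_password(password: str, context_words=()) -> list:
    """Return a list of policy problems; an empty list means the password is accepted.

    context_words are strings a guesser would try first: the username, the company
    name, the site's domain. Any of them appearing inside the password is rejected.
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Strip the trailing digits and '!' people add to a dictionary word ("password1!").
    stripped = lowered.rstrip("0123456789!")
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    for word in context_words:
        if word and len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains '{word}'")
    if len(set(password)) <= 3:
        problems.append("too few distinct characters")
    return problems


def generate_passphrase(word_count: int = 5, wordlist=WORDS) -> str:
    """Pick words with a cryptographically secure RNG; easy to say, hard to guess."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Guessing entropy of a passphrase: each word adds log2(list size) bits."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ["password1!", "AcmeWidgets2019!", "candle meadow falcon basket engine"]:
        verdict = check_password(candidate, context_words=["acme", "jsmith"])
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
    phrase = generate_passphrase()
    print(f"suggested passphrase: {phrase!r}")
    print(f"entropy with this {len(WORDS)}-word list: {passphrase_entropy_bits(5, len(WORDS)):.0f} bits")
```

The entropy figure makes the trade-off concrete: five words from a sixteen-word list is only 20 bits, which is why a real deployment needs a word list in the thousands (five words from a 7,776-word list is about 64 bits). Run the check on the server, never only in the browser, since anything the browser enforces can be bypassed.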
4. Secure your web hosting platform
If you're on shared web hosting such as 1&1, Dreamhost, Fasthosts or UK2.net you rely on them to keep their systems secure. Ask them about firewalls, intrusion detection systems and how they proactively manage their shared platform to keep you secure from other users.
If you're on a “VPS” private server, or have your own server on your internal office network, how is this kept secure? Like Windows software updates, servers need to be updated from time to time, and many web hosting companies assume that if you have a VPS you know how to keep it secure.
You should have at least a firewall in place to prevent unwanted traffic from reaching your server. Most serious users will also want to use an intrusion detection system and virus scanner on their servers.
It's worth paying a little more for your web hosting to make sure it's secure.
5. Add an SSL certificate
Adding an SSL security certificate (sometimes referred to as HTTPS) is good for your website security, your users' security, and even for your Google rankings. Yes, that's right, Google prefers sites that use SSL, largely because it knows website users prefer it.
SSL encrypts any information sent between your user and your website, including login details. If you enter a username and password into a website that is not using SSL (i.e. does not have https:// at the start of its web address), then you are potentially exposing your username and password to anyone on the same network. If you're doing that in Starbucks on their wifi, then it's not just the barista's sneeze you're sharing. By adding an SSL certificate, your visitors can send you their details safely and securely.
Adding an SSL certificate to your website is cheap, easy and a reliable way to show you're a grown up business that cares about your users.
6. Take regular back-ups
Sometimes even the best precautions are not enough, and if you find yourself in a situation where a nasty has made it through your security, having a recent back-up of your site can be a life (and business) saver.
You should make sure that you have back-ups that are regular, automatic and off-site, and that you retain them for a sensible amount of time.
regular: How regular will depend on how frequently you make changes. If your website changes daily, you should have daily back-ups. If it only changes monthly, then monthly back-ups may be enough. The key question to ask is “how much information am I willing to lose?”. Count that in days, and then back up at least that regularly.
automatic: Hands up who's got an external disk that they bought to back-up their PC and then it's sat in the corner gathering dust? If you have to remember to do your back-ups, you won't do them. Guaranteed. So use tools built into your website software or your server hosting platform to back-up automatically, and to let you know whenever the back-up fails.
off-site: As well as for security, back-ups are essential in case of disaster. If your web server dies, or you accidentally delete all files, you want to make sure your back-ups are safely stored somewhere else.
retained for a sensible time: You might not realise that your site has been hacked right away, so make sure you keep back-ups for at least enough time so that you can go back to a 'clean' version pre-hack. 30, 60 or 90 days is probably enough, but remember that unless you have very clever systems you'll lose any data that was added to the website between now and when the back-up was taken.
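The four properties above (regular, automatic, off-site, retained) map directly onto a small backup job. The following is an added example (not code from the original article) of the core of such a job: it writes a timestamped compressed archive of the web root, re-opens it to confirm it is readable, and prunes archives older than the retention period while always keeping the newest one. The retention period of 30 days follows the article's suggestion; the sample site and the 45-day-old archive are constructed in a temporary directory so the script runs stand-alone. Scheduling it (cron, or the hosting platform's own scheduler) and copying the archive off the server are left to the deployment.

```python
import os
import tarfile
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

RETENTION_DAYS = 30  # the article's suggested floor; lengthen it if a hack could go unnoticed longer
PREFIX = "site-backup-"


def make_backup(webroot: Path, backup_dir: Path, now: float = None) -> Path:
    """Write a timestamped, gzip-compressed tar of the web root into backup_dir."""
    now = time.time() if now is None else now
    stamp = datetime.fromtimestamp(now, tz=timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{PREFIX}{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(webroot, arcname=webroot.name)
    return archive


def verify_backup(archive: Path) -> int:
    """Re-open the archive and count its members; a back-up you cannot read is not a back-up."""
    with tarfile.open(archive, "r:gz") as tar:
        return len(tar.getmembers())


def prune_backups(backup_dir: Path, retention_days: int = RETENTION_DAYS, now: float = None) -> list:
    """Delete archives older than retention_days, but never the newest one. Returns the paths removed."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    archives = sorted(backup_dir.glob(f"{PREFIX}*.tar.gz"), key=lambda p: p.stat().st_mtime)
    removed = []
    for archive in archives[:-1]:  # archives[-1] is the newest and is always kept
        if archive.stat().st_mtime < cutoff:
            archive.unlink()
            removed.append(archive)
    return removed


def run_demo() -> dict:
    """Constructed scenario: a tiny site, one stale (45-day-old) back-up and one fresh one."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "htdocs"
    (webroot / "wp-content").mkdir(parents=True)
    (webroot / "index.php").write_text("<?php echo 'constructed sample site';\n")
    (webroot / "wp-content" / "uploads.txt").write_text("constructed sample upload\n")
    backups = base / "backups"
    now = time.time()
    stale_time = now - 45 * 86400
    stale = make_backup(webroot, backups, now=stale_time)
    os.utime(stale, (stale_time, stale_time))  # age the archive as if it were taken 45 days ago
    fresh = make_backup(webroot, backups, now=now)
    removed = prune_backups(backups, RETENTION_DAYS, now=now)
    return {
        "fresh_members": verify_backup(fresh),
        "removed": [p.name for p in removed],
        "remaining": sorted(p.name for p in backups.iterdir()),
        "stale_name": stale.name,
        "fresh_name": fresh.name,
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"fresh archive readable, {result['fresh_members']} entries")
    print(f"pruned: {result['removed']}")
    print(f"kept:   {result['remaining']}")
```

Two design choices matter here. The verify step catches the silent failure mode of a job that "runs" every night but writes unreadable archives, and the never-delete-the-newest rule means a misconfigured retention period can never leave you with nothing. The database behind a WordPress or Drupal site needs dumping alongside the files, and the resulting archives should be copied to storage on a different machine so that a dead server or a deleted directory does not take the back-ups with it.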
7. And one final tip
Talk to an expert, of course. If you've any questions, give us a call on 01865 422112. Our website gym includes a basic security check for your site, and we can advise you on how to make your site secure and how to back it up in case of disaster.