How to secure your website from today’s online threats, hackers, and risk
Here’s an alarming statistic: hackers attack every 39 seconds. On average, that’s 2,244 times each day!
If you are like most businesses, you probably think hackers have a bigger fish to fry, and they don’t have any reason to target your site. Unfortunately, that’s not the case. Consider this: 43% of cyber-attacks are against small businesses.
While hackers very seldom discriminate, some industries are more vulnerable than others. This 2020, some of the sectors and industries that are most at-risk to breaches and cyber attacks include:
Healthcare organizations continue to be one the most vulnerable to cyberattacks. According to CPO magazine, healthcare saw a 55% rise in cyberattacks, and 26 million were in the U.S. Public healthcare institutions are specifically targeted for the valuable personal data they store and process.
One of the top attack vectors cybercriminals use is phishing. According to a phishing report, the construction sector is one of the most at risk for phishing attacks.
Malware and ransomware directed at construction firms are hazardous as confidential blueprints, bids, plans, financial information, and even personally identifiable information (PII) are typically stored within one system.
IT and Telecoms
With the rollout of 5G, more sensors and devices connect to communities, localities, organizations, and supply chains. While this can usher in a new wave of communication revolution, many experts also predict it can also pose cyber risks to consumers and businesses.
Cyber Attacks and COVID-19
Attacks aimed at exploiting the chaos brought about by COVID-19 have been evident since January of 2020, when the outbreak started to garner international attention.
Most attacks have increased in sophistication, with some targeting Coronavirus-related anxieties rather than the typical attempts at extortion or financial fraud.
Other attacks have targeted some of the tools used by remote workers, including Zoom video conferencing accounts with fake sign-in pages, fake requests to reset virtual private network (VPN) accounts, or incoming chat requests from colleagues on corporate messaging systems.
Website Security in a Nutshell
In essence, website security refers to the measures taken to ensure your website is secure from cyber-attacks. Website security is an ongoing process and an integral part of website management. A secure website is about as crucial as having a reliable website host.
If your website is compromised and blacklisted, you can lose 98% of your traffic. In some instances, an unsecured website can be as bad as not having any online presence. Case in point: a client data breach can result in hefty fines, lawsuits, and a ruined reputation.
Why Websites Get Attacked
As of February 2020, there were over 1.75 billion websites online, providing hackers with an extensive playground. Unfortunately, most website owners and administrators assume their website is an unlikely target since it’s small.
While most hackers pick more significant sites when looking to sabotage or steal information, any website (however small) is valuable enough to accomplish other goals. Hackers have various hacking plans, some of the most prevalent include:
- Abusing server resources
- Exploiting website visitors
- Tricking crawlers and bots (Black Hat SEO)
- Stealing information stored on the server
- Pure defacement or hooliganism
Website Threats and Vulnerabilities
Some of the most common website threats and vulnerabilities to look out for include:
Cross-site Scripting (XSS)
Cross-site scripting attacks involve injecting malicious client-side scripts into websites and using the sites as a propagation method. What makes XSS dangerous is it allows the attacker to inject content into the website and change its display.
The attacked website’s browser will then execute the code when loading the page. If the site administrator loads the code, the script is executed with the attacker’s privilege level. Eventually, this can lead to a potential site takeover.
SQL injection attacks are carried out by injecting malicious code into a vulnerable SQL query. The attacker adds a specially created request within the message. The website sends the message to the database.
When the attack is successful, the database query is altered and will return the attacker’s information. SQL injections can also modify or add malicious data to the database.
A DDoS (Distributed Denial of Service) attack is a non-intrusive Internet attack. It is designed to take down a targeted website. It also works by flooding the server, network, and application with fake traffic to slow it down significantly.
Credential Brute Force Attacks
A credential brute force attack involves a very straightforward process. An attacker will program a script that will try out multiple usernames and password combinations until it finds one that works. Once they gain access, attackers can launch various malicious activities, from stealing credit card information to launching spam campaigns.
Website Malware Attacks and Infections
When hackers gain unauthorized access to your website, they can:
- Drop a backdoor to retain access
- Inject SEO spam on the page
- Use visitors’ computers to mine cryptocurrencies
- Redirect visitors to scam sites and show unwanted ads
- Launch attacks against other sites
- Collect credit card data or visitor information
- Run exploits on the server
- Store control scripts and botnet commands
Keeping Your Website Secure: Best Practices
Keeping your website secure is the best practice. Safeguard your website from all forms of online attacks by keeping in mind the following:
Every day, numerous websites are compromised due to outdated software. That said, consider updating your website as soon as a new CMS version or plugin is available. The latest updates might patch a vulnerability or contain security enhancements.
It is essential to keep in mind that the majority of website attacks are automated. Bots scan sites to look for exploitation opportunities.
In some cases, updating once a month would no longer suffice. Otherwise, bots might find a vulnerability before you even get a chance to patch it.
Website firewalls can also come in handy as it patches a security hole once updates are released.
If you are running a WordPress website, it would be good to get the WP Updates Notifier plugin. The plugin will notify you through email if a core update or new plugin is available.
Create strong passwords
To clean infected websites, remediators will log into a client’s server or site using the admin user details. Most are surprised to find out how weak most root passwords are. It may not be common knowledge, but there are many lists of breached passwords available online.
Most hackers combine those passwords with dictionary word lists to end up with a more extensive list of likely passwords. If the password you are using is on the list, it will only be a matter of time until your site gets compromised. Create long and unique passwords.
Limit user permissions and access
Two integral parts of user management that tend to get overlooked are accountability and monitoring.
Ideally, you should have a separate account for every user, so you can easily keep an eye on their routine behavior (i.e., when and where they usually access the site).
If you see login at an odd hour or from a suspicious location, you can investigate right away.
Keeping an audit blog is also one of the easiest ways to detect suspicious website changes early. An audit log is a document that records the events in your site so you can easily spot anomalies and confirm if the account has been compromised.
If you are using a WordPress site, you can download free security plugins from the official WordPress repository.
Install an SSL certificate
SSL certificates encrypt data in transit between the client (web browser) and the host (firewall or webserver). They ensure the information is not intercepted and sent to the correct server.
Some types of SSL certificates like extended validation SSL or organization SSL provide an additional layer of credibility and allows visitors to see your organization’s details and validate that you are a legitimate entity.
If you have not taken any steps to secure your website, now is the best time. Keep in mind that a secured website will not only protect your visitors but your business, reputation, and revenue as well.
By Anthony Tisara. Follow the team on Twitter @mybizniches
Before you go..
If you found the topic interesting, you can join our free monthly newsletter. It’s filled with insights written by industry leaders who will keep you up-to-date on what is going on in the world.Get our newsletter