How to Make a Website Secure: 7 Tips You Can’t Afford to Ignore
A hacker attack occurs every 39 seconds in the US, affecting one in three Americans every year.
Don’t leave the front door of your site wide open! You need to secure your website, which means putting protection in place to keep out hackers, bugs, and other online nasties. Otherwise, your data could be at risk, your site could crash, or you could even lose money.
Here’s how to make a website secure:
- Install SSL – buying a simple Secure Sockets Layer certificate is a crucial first step.
- Use anti-malware software – to scan for and prevent malicious attacks.
- Make your passwords uncrackable – 123456 won’t cut it!
- Keep your website up to date – using out-of-date software is like leaving your back door unlocked.
- Don’t help the hackers – look out for phishing emails and other scams.
- Manually accept on-site comments – keep control over potentially dodgy comments.
- Run regular backups – to prepare for the worst case scenario.
But I’m not even making money through my website. It’s just a small blog. Why would anyone hack me? Why does it even matter if a hacker gets in anyway?
Apart from losing money, hacking can result in huge losses in traffic, your site being suspended or crashing, and even identity theft. Your personal data, and that of your visitors, could be at risk.
But how am I supposed to fight off hackers? I’m not that technically skilled!
This is another common worry, but luckily, you don’t need fearsome tech skills in order to secure your website. All of these steps are simple to implement, and we’ll walk you through each part of the process.
Before we get into the details of how to prevent your website getting hacked, we should probably talk about what a hacked website looks like.
While there’s no set way that a website will look after being hacked, there are patterns. And we should tell you now, if your site has been hacked, you’ll be in no doubt about it because something will be very wrong. Here are some common ways hacking presents itself:
- Ransomware. The hacker will threaten to publish your data and/or withhold access to your site unless a ransom sum is paid.
- Gibberish hack. You’ll spot loads of auto-created pages filled with keywords and gibberish, with the aim of getting them to rank on Google for key terms. When clicked on, they’ll redirect to a dodgy site.
- Cloaked keywords hack. As above, but slightly more sophisticated – at first glance, these will look like your site’s pages, as only the written content is altered.
- Japanese keywords hack. Creates random pages in Japanese full of affiliate links to stores selling fake merchandise.
- Malicious code/viruses. If malicious code or a virus is inserted into your site, your site may well go down, or you could be unable to access it. You may find that all your hardware is also affected.
- Denial of Service (DoS). Hackers use bots to overload a website with requests and crash the server it’s on.
- Phishing. Scammers contact your clients pretending to be part of your business and using your branding in the hope of finding personal information.
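One way to check your own site's pages for the gibberish and Japanese keywords hacks described above. This is an added example, not part of the original guide; the function names, the thresholds, and the sample pages are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hiragana, Katakana and the main CJK ideograph block
JAPANESE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")

class PageText(HTMLParser):
    """Collects visible text and link targets from one HTML page."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)

def score_page(html, own_host, site_is_japanese=False):
    """Return the reasons (if any) a page looks like injected keyword spam."""
    p = PageText()
    p.feed(html)
    chars = [c for c in "".join(p.text) if not c.isspace()]
    reasons = []
    if chars and not site_is_japanese:
        ratio = sum(1 for c in chars if JAPANESE.match(c)) / len(chars)
        if ratio > 0.3:  # assumed threshold: mostly-Japanese text on a non-Japanese site
            reasons.append("japanese-text")
    # Relative links have no hostname and count as internal
    external = [l for l in p.links if urlparse(l).hostname not in (None, own_host)]
    if len(external) >= 5 and len(external) > 0.8 * len(p.links):  # assumed thresholds
        reasons.append("mostly-external-links")
    return reasons

# Constructed sample pages (not real site content)
CLEAN = ('<html><body><h1>My travel blog</h1><p>Notes from Kyoto (京都).</p>'
         '<a href="/about">About</a><a href="https://example.org/">Friend</a></body></html>')
SPAM = ('<html><body><h1>激安ブランド通販</h1>'
        + "".join(f'<a href="https://shop{i}.example.net/item">格安バッグ販売店</a>'
                  for i in range(6))
        + '</body></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("spam", SPAM)):
        print(name, score_page(page, "myblog.example"))
```

Run it over the HTML files in a backup or export of your site; any page it flags that you did not create yourself is worth a closer look.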
FROM THE EXPERT
We asked Krys Lambiase, Senior Product Marketing Manager at Endurance International Group (EIG), the parent company of web hosting giants Bluehost and HostGator, to share his insights on website security with us and our readers. You’ll find quotes and tips from Krys throughout this guide – first off, though, Krys reveals the biggest security risks to new websites:
“Outdated software. Website owners need to stay on top of updates to WordPress and other CMS’, plugins, and anything else that requires an update. In addition to fixing bugs or glitches, software updates typically include security improvements or patches. Hackers will always be searching for ways to capitalize on software vulnerabilities. These days, many cyber attacks are automated. Criminals use bots to scan websites that are vulnerable. So, if you’re not staying up to date on the latest software versions, it will be easy for hackers to identify your website before you can do anything about it.”
So now you know what a hacked website looks like, it’s time to look at the seven ways to prevent yours becoming one:
#1. Zynga: 172.9 million records hacked
On September 12th 2019, Zynga – the mobile game producer responsible for “Farmville” – was hacked.
The hacker accessed login details for players of the popular games “Words With Friends” and “Draw Something”, including:
- Log-in and Facebook IDs
- Phone numbers
- Zynga account IDs
This hack was originally thought to have affected 218 million people, based on claims made by the attackers themselves. But the final figure was estimated at around 173 million by the breach monitoring site Have I Been Pwned.
In response to the attack, Zynga advised its users not to use the same password for multiple accounts – this reinforces the importance of having unique, secure, and separate passwords for different online accounts.
#2. 7-Eleven, Japan: $500,000 of customers’ money lost
If you think that waiting one day more to sort out your security won’t make a difference, think again.
7-Eleven Japan introduced a new payment app for its customers, but left a major flaw in the form of an easy password reset that could be requested by just about anyone.
The app was launched on Monday, July 1 2019, and was shut down two days later on July 3 due to customer complaints – it only took hackers this long to break into around 900 accounts and steal ¥55 million ($510,000).
Hacker attacks are frequent, and if they find a weakness you can bet they won’t hang around before exploiting it. Don’t wait to sort out your security – your users’ data is at as much risk as yours if your site comes under attack!
#3. Marriott: 500 million guests’ data exposed
Hotel company Marriott International was compromised by a hack that started as far back as 2014 – and went unnoticed until 2018. It was still hitting headlines last year, as Marriott continued to deal with the fallout.
It was initially thought that around 500 million customers were affected by the hack, which leaked:
- Phone numbers
- Email addresses
- Passport numbers
- Date of birth
- Encrypted payment details
Since then it’s been suggested that the number of people affected was actually much lower – around 383 million. Even so, with 5.25 million unencrypted passport numbers having been exposed, that’s a pretty huge cybersecurity fail.
Despite this, one of the main things that Marriott has been criticized for is its response to the attack – mostly due to a lack of communication, as well as further security concerns over its email domain.
If you’re running a business website, or even a personal blog, and it gets hacked, make sure you communicate clearly with your audience. Be quick to fill them in on what’s happened, give them the facts, and also empathize with them about how they might be feeling.
Learn from where businesses like Marriott got it wrong!
Good website security starts with you – choosing a reliable website builder or hosting provider, making sensible choices about how you run your site, and putting in the extra effort to make passwords secure.
And we’re here to help you along the way!
Hopefully you’ve learned how to secure a website, and have found it’s not as hard as you first thought. You don’t need tech skills or a huge budget to make your website secure – as our list has shown!
We’ve outlined the seven steps you can take to start securing your website. This is by no means an exhaustive list, however – there are plenty more tips, tricks, and tools you can use to better protect your website.
If you’re a WordPress user, for example, you can find plenty of security tips in WordPress’ support pages. Sucuri is another great resource, with a huge wealth of guides, infographics, and courses to help you confidently secure your website.
For now though, start out by following our simple steps…
How to Secure a Website: 7 Simple Steps
- Install SSL. An SSL certificate is essential for any site. It encrypts information passing between your website and your visitors.
- Use anti-malware software. Use software like SiteLock to scan and protect your site from malicious code.
- Make your passwords uncrackable. Use a random combination of letters, numbers and symbols when possible.
- Keep your website up to date. Install any software or plugin updates as soon as they become available.
- Don’t help the hackers. Watch out for phishing emails.
- Manually accept comments. This allows you to trash any that are spam before they go live.
- Run regular backups. If your site does get hacked, this way you’ll have a recent version to reinstall.
If you already have a website, the first step now is to check if you have an SSL certificate installed. You’ll know if you don’t, because your web address will start with “http” instead of “https”. You should also check your passwords, and make sure they’re strong enough to stand up against attacks!
If you haven’t started building your website yet, then the most important step for you to take next is to choose a good quality website builder or hosting provider, depending on how you want to build your site.
Yes! Even if your site is small and doesn’t make any money, securing your site is essential. It’s a question of protecting your own data, and that of your visitors.
Website builders are typically far more low maintenance when it comes to security. That’s because you’ll automatically get any updates, and most throw in an SSL certificate for free. That said, they’re certainly not invincible, and it’s important to still create strong passwords and watch out for phishing emails.
We’ve outlined some specific types of attack above, but essentially a hacked website could lead to: denied entry to your site, data breaches, identity theft, fraud, your site going down, the content of your pages being altered, and the list goes on.