What’s the Minimum Amount of Security Your Website Needs?
Unfortunately, over half (54%) of the businesses surveyed for the 2018 State of SMB Cybersecurity report believe they’re too small to be a target for hackers. But the data paints a different picture:
- 67% of small- and medium-sized businesses were attacked in 2018;
- 82% of those attacked had antivirus software installed on their systems;
- 72% had intrusion detection systems in place.
In reality, businesses aren’t failing to secure their websites because they believe they’re too small to attract the attention of hackers. The truth is, most point to a lack of resources to explain why they forego security. Here are the top three reasons given:
- We don’t have enough personnel to manage security;
- We don’t have enough money to pay for it;
- We don’t know a thing about security or where to start.
But here’s the thing: websites are not difficult or expensive to secure. You just need to know which security measures are absolutely necessary for a website to have and where to procure them. Here’s where you should start…
Find a Secure Web HostYour choice of web host
can affect your website in a number of ways, including how well it’s protected from hackers. For starters, if security is at all a concern for you (or the client you’re building the site for), then a shared hosting plan won’t be ideal. If any website on the shared server is attacked, it could easily spread to your own. Secondly, if your web host doesn’t prioritize security on its end, it’s a good idea to look elsewhere. While many web hosts do a good job of this, be wary of the ones who provide no information about their dataccenters, how their assets are secured, or what level of security has been implemented (e.g. physical facility monitoring, server firewalls, etc.). Finally, look for a web hosting plan with built-in security features. It’s not necessary for hosts to go above and beyond with this, but it’s a good sign when they’re willing to lend a hand.
Use a SSL Certificate
One of those security features your web host should be able to throw in (even if it’s a paid upgrade) is an SSL certificate. It’s a form of encryption that turns a regular ol’ unsecured HTTP website: Into one with an extra layer of protection and an HTTPS address: You can see how my Chrome address bar calls attention to the differences in security. HTTP websites receive a “Not Secure” label while HTTPS get a trust mark either in the form of a lock or a green label. Google’s algorithm does something similar when it ranks websites, penalizing those without this security feature and rewarding those that have it.
Use Well-Coded Software
While you may be able to control how you design or code a website on the front end, you may not have a lot of control over the code behind it all. What’s more, any time you add a new extension, the integrity of that code now has a chance to affect your site as well. To start, choose your software wisely, including:
- Your website builder solution or content management system;
- Your theme or design template;
- Your extensions or plugins.
Even if you don’t know how to review the integrity of the code, look at user reviews. Are there any glaring issues with vulnerabilities introduced by the software? If so, steer clear. In addition, the software developers should always be working to improve it. That’s why, depending on which software you use, you may see the occasional update to patch bugs, performance issues, and vulnerabilities. If you don’t see these updates or the provider has a reputation for not supporting their software, that’s another reason to find another solution.
Maintain a Strongly-Enforced Password Policy
With each new application we add to our workflow, a new password needs to be generated. And while you might know that it’s bad practice to use the same or similar passwords across all applications, do your clients? Or anyone else with access to the website? A weak login is the easiest way for a hacker to get inside a website. By enforcing a password policy across the board, you can help safe-guard against brute force attacks. Now, some site builder solutions enable you to hide the login URL or to implement two-factor authentication. It’s a good idea to take advantage of those if you can. I’d also suggest requiring stronger passwords. A long string of letters, numbers, symbols, and capitalization will help hackers from being able to guess your users’ login information.
Use a Spam Blocker
Even if spam isn’t too much of a concern, it’s a good idea to keep it from ever going near your website, even if just to remove the nuisance factor. To protect your contact and comment forms from spam, there are a few things you can do. You can use a spam-blocking plugin, which turns spam into an out-of-sight, out-of-mind matter. You can use a reCAPTCHA like the one used on this website: It’s just an extra step humans need to take to confirm their human-ness. You can also implement a honeypot. Essentially, it’s a hidden field laid down as a trap in a form. Humans can’t see it and, so, they won’t know to fill it out. Spam bots, however, will see it and fill it out.
All-in-One Security Plugin
Ideally, your website should be running on a secure server. However, it’s not really the host’s job to ensure that your website is protected from every angle. To make sure your website is covered as much as possible, look for a high-quality, all-in-one security plugin. It should include things like:
- A firewall
- Brute force protection
- Spam prevention
- User registration and access limitations
- Database and file security
It should also have a monitoring system built it. It will alert you to things like too many failed login attempts, unexpected file changes, and so on.
Always Backup Your Files
Finally, don’t forget to have a backup system in place. If all of the security measures above fail, you’ll want a recent backup of the website you can fall back to in order to restore your website to safety. Some web hosts may include backups in your web hosting plan, but it’s also a good idea to automate the process with a backup plugin and then store frequently saved copies of your site in a safe and remote location (like a free Amazon S3 account).
Why Website Security Should Concern You
Hackers are creative. They can get into a website from a comment form, through the login page, and from an exposed file on the backend (among other methods). If a vulnerability exists, they will find it. Unfortunately, when a website is left open to attack, it can have devastating consequences for a business:
- Loss of control over the website
- Stolen records
- Loss of customer trust
- Damaged reputation
- Google blacklisting
- And more
As the designer or developer who built the website for them, failing to properly secure it could be just as harmful to your business. So, it’s best to know what you can do to implement, at the very least, a minimum amount of security to every website you build. Featured image via Unsplash.