The 12 Most Critical Website Security Protections Every Business Must Have In Place Now
Protect Your Company from Cybercrime, Data Breaches, and Hacker Attacks
Are you a sitting duck?
You, the CEO of a small business, are under attack. Right now, extremely dangerous and well-funded cybercrime rings in China, Russia, and the Ukraine are using sophisticated software systems to hack into thousands of small businesses like yours to steal credit cards, client information, and swindle money directly out of your bank account. Some are even being funded by their own government to attack American businesses.
Don’t think you’re in danger because you’re “small” and not a big target like a J.P. Morgan or Home Depot? Think again. 82,000 NEW malware threats are being released every single day and HALF of the cyber-attacks occurring are aimed at small businesses; you just don’t hear about it because it’s kept quiet for fear of attracting bad PR, lawsuits, data-breach fines, and out of sheer embarrassment.
In fact, the National Cyber Security Alliance reports that one in five small businesses have been victims of cybercrime in the last year—and that number is growing rapidly as more businesses utilize cloud computing and mobile devices, and store more information online. You can’t turn on the TV or read a newspaper without learning about the latest online data breach, and government fines and regulatory agencies are growing in number and severity.
Your business websites are not immune to these attacks. Even if you don’t process credit cards or store sensitive information on your web server, you can still be a prime target. Hackers are motivated to crack websites for a wide variety of reasons. Often, they don’t care about your particular website, they just want access to the resources that run your website (e.g., bandwidth, disk space, the CPU, etc.). They may also seek to crack your website to get into other websites on the same server. Some hack for the sport of it. Of course, some just like to make trouble for others. As Alfred says in reference to the Joker, “Some men just want to watch the world burn” (Batman, The Dark Knight). Because of all of this, it’s critical that you have these twelve security measures in place.
- Require strong user passwords on your website.
Though many people still underestimate the importance of strong passwords (and some overestimate the value), this one issue is repeatedly shown to be the easiest means for an attacker to gain access to your website, server, database, or whatever other system you’re trying to secure. Though it is certainly true that even strong passwords can be cracked, the majority of hackers don’t have the time, expertise, or resources necessary to crack strong passwords. So this is still your best initial line of defense.Though something like this can make a strong password: jHiy&6%67^8jfEEjdU@329M
So does this: ILovePizzaThatIsCooked@425Degr33$(Keep in mind that since both of these are shared in this document, which is on the web, neither are now strong passwords).Of course, the second password if far more memorable than the first. Its length, coupled with some complexity within it (upper and lower case characters, plus special characters and numbers) make it a strong password. Combining that with it being far easier to remember than the first example makes it a better password.If you manage too many passwords to remember (you should use different passwords for different accounts), we recommend you using a password manager. Absolutely do NOT store your password in a “secret” unencrypted file on your computer. Depending on your exact needs, here are a few to password managers to consider (from free to just a few dollars per month):
- Require strong email passwords.
Several years ago, we didn’t enforce strong passwords for our clients who host their email with us. After about three accounts were compromised, we stopped being lax about this security component.Your business’ reputation could be severely damaged if one (or more) of your email accounts is compromised, and an attacker sends inappropriate emails to your customers. Compromised email accounts are also an easy way for attackers to gain access to your contact list, which can give them powerful insight into how to build an effective phishing campaign. Moreover, if an attacker uses your compromised email account(s) to run a spam campaign, the server that hosts your email can get added to email server blacklists. When this happens, all email coming from your server can be blocked by spam software that relies on those blacklists, meaning that your customers will never know you emailed them.None of these scenarios are good. Strong email passwords are a must.
- Require strong passwords for server-side services, such as cPanel, FTP, SSH, etc.
Strong passwords…again! Just as critical as strong passwords for your website admin accounts and email are strong passwords for your server-side services. If an attacker gains access to these services (e.g., cPanel, FTP, SSH, your database, etc.), he can completely destroy your website. He can also tarnish your reputation by posting inappropriate content on your website.So once again, enforcing strong passwords on these services is a must.
- Set up two-factor authentication, if possible.
Many systems/services now offer two-factor authentication (“2FA”). Instead of only requiring a username and password, 2FA requires a separate code/key/token that is sent to you from the system you’re trying to log into. These can be emailed or texted to you, for example. Typically, once 2FA is set up, you log in to your website using your normal username and password (your strong password). This sends you to another page that tells you a code/key/token has been sent to you via email or text, and you’re shown a field into which you need to enter that code. Once you get the email or text, you enter the code into the field, and complete the login process.Though 2FA is somewhat cumbersome, it’s a small price to pay for a significant gain in security. We highly recommend enabling 2FA on your website, if your CMS supports it.
- Remove default admin accounts.
Often CMSs come with default admin accounts. Often, this is the first line of attack (an “attack vector”) for hackers. Though some CMSs finally started disabling this “feature” (default admin accounts), plenty still create an “admin” username during initial installation. By no means is disabling or removing this user going to stop hackers in their tracks. However, it removes a very simple attack vector from their arsenal, so they have to work harder to find other possible vulnerabilities.
- Ensure core Content Management System (“CMS”) software is updated regularly.
Just as Windows or Mac OS send out regular updates, CMS developers also release updates, or patches, regularly. This can happen multiple times per month sometimes. Though some updates are related to adding new features, others are security patches.It is critical that these updates are installed regularly. We typically recommend these be checked at least twice per month (once per month at the very least).Be aware that CMS updates can break your website if they’re not installed correctly or if you have incompatibilities with other software in your website (e.g., plugins/modules/add-ons) or even other software on your server (e.g., the version of your database software or a programming framework, like .NET or PHP).
- Ensure all plugins/modules/add-ons are updated regularly.
As with CMS software updates, updating the plugins/modules/add-ons used in your website is critical as well. In fact, there are typically more vulnerabilities introduced by this software than in the core CMS software itself.As with updating the core CMS software, updating plugins/modules/add-ons can break your website if there is an incompatibility between this software and your CMS and/or if you install the updates improperly.
- Remove inactive plugins.
Inactive plugins (or modules/add-ons) can pose a significant security risk. Often we find that website administrators don’t worry about updating inactive plugins, because they think that since the plugin is inactive, it doesn’t matter. This is completely wrong!That software, though in an “inactive” state, can still be run by attackers if they gain access to it through a vulnerability. The best practice is to simply remove inactive plugins from your website. If the plugin is inactive, you’re not using it anyway. If you eventually realize you do want to use it, you can download and install it again, and then keep it updated.
- Keep all server-side software updated regularly.
You may not have much control over this aspect of your website security, but it’s every bit as critical as these other points. Server-side software includes things like the operating system, email services, database software, programming frameworks, web servers (e.g., Apache, IIS, NGINX, etc.) and so on. Security vulnerabilities are found in server-side software on a regular basis and must be patched to avoid additional attack vectors for hackers.Sometimes your only line of defense here is a vigilant hosting company (like Edge Webware!). So selecting a solid hosting company that stays on top of server-side updates is an important part of your overall website security protocol.
- Implement a robust fault tolerance (backup) protocol.
Though the goal is to never have to resort to backups, by avoiding website hacks altogether, if your website is cracked by a hacker, your backups suddenly become your best friends!However, backups have to be set up and managed properly. If they’re not, you may have a false sense of security. For example, putting WordPress backups on the same drive that hosts the website can lead to gaping security vulnerabilities. Additionally, periodically checking backups to ensure they are running properly mitigates against pulling a backup when it’s needed only to find that they hadn’t been running properly for the past month.Backups should be stored in several locations, and they should be saved for at least a month to ensure you have a clean (and hopefully current) version of your website to revert to if needed.
- Install an SSL certificate and force your website to encrypt all traffic.
If you have a website that is built upon a CMS, this is an absolute must. All CMSs have a page that allows you to log in to the admin area. This login page accepts a username and password. If that page isn’t encrypted, when you click the login button, you’ll be sending your credentials over the Internet in plain text. That means anyone who is “sniffing” your connection can see your username and password, and they can read it just like you’re reading this newsletter. Clearly, that’s not good!SSL certificates are inexpensive, easy to install, and provide yet another level of security that helps you mitigate against attacks. On top of that, Google gives a slight boost in search engine ranking to websites that are encrypted. Plus, both the Google Chrome and Firefox browsers started to display warnings on unencrypted pages that collect certain user data (e.g., login credentials, email addresses, etc.) and will be expanding to any form fields in the near future. There’s no good reason to not have an SSL certificate set up on your website anymore.
- Lock your domain name(s) with your registrar.
Finally, the security of your website is dependent upon the security of your domain name as well. First, be sure to use a strong password on your account with your domain name registrar (yes, another strong password…all of them should be strong!). If an attacker gets access to that account, they can inflict serious damage to your domain name registration.Second, most domain name registrars (e.g., GoDaddy, Google, Name.com, NameCheap, Register.com, etc.) offer the ability to lock your domain name(s). Though this is only one aspect of security, it can provide yet another valuable layer of security to your website’s overall security plan that makes cracking through very difficult. Locking your domain makes it more difficult to make changes to your domain. Plus, typically you’ll get a warning email from your registrar if your domain name is unlocked. So if an attacker does gain access to your account and tries to make changes, this notification can tip you off to that, allowing you to quickly contact your registrar to alert them of the suspicious activity so they can stop it immediately.
Want help in implementing these twelve essentials?
If you are concerned about the dangers of cybercriminals gaining access to your website and/or your website’s database, then call us about how we can implement a managed security plan for your business.
At no cost or obligation, we’ll have one of our senior developers conduct a free Website Security And Backup Audit of your company’s website to review and validate as many as ten to fifteen different data-loss and security loopholes, including small-print weasel clauses used by many 3rd-party cloud vendors (like your hosting company), giving them zero responsibility or liability for backing up and securing your data. We’ll also look for common places where security and backup get overlooked, such as those outlined above. At the end of this free audit, you’ll know:
- Is your website really and truly secured against the most devious cybercriminals? And if not, what do you need to do (at a minimum) to protect yourself now?
- Is your data backup TRULY backing up ALL the important website files and data you would never want to lose? We’ll also reveal exactly how long it could take to restore your files (most people are shocked to learn it will take much longer than they anticipated).
- Are you accidentally violating any PCI, HIPAA or other data-privacy laws? New laws are being put in place frequently and it’s easy to violate one without even being aware. However, you’d still have to suffer the bad PR and fines.
- Is your server software up-to-date and/or does you hosting company keep it updated as new technology becomes available?
- Are you already hacked, but just don’t know it? Are there suspicious files hosted within your website right now, which can be used to attack your site’s visitors?
I know it’s natural to want to think, “We’ve got it covered.” Yet I can practically guarantee my team will find one or more ways your business is at serious risk for hacker attacks, data loss and extended downtime – I just see it all too often as we have new clients come to us to fix their hacked websites regularly.
Even if you have a trusted Web development person or company who put your current website in place, it never hurts to get a 3rd party to validate that nothing was overlooked. I have no one to protect and no reason to conceal or gloss over anything we find. If you want the straight truth, I’ll report it to you.