You probably think “it will never happen to me” because why would someone want to target a small business with a low number of website visitors? In fact, 54% of small businesses think they’re too small for a cyberattack, but unfortunately, that’s not the case. Last year, 43% of cybercrimes happened against small businesses.
50% of small and mid-sized businesses say they have suffered at least one cyberattack in the last year. Yet a huge 91% of small businesses say they don’t have cyber liability insurance, because they don’t prioritise cybersecurity measures.
We’ve noticed an increase in website security attacks amongst our clients recently and with cybercrimes appearing to jump 300% since the beginning of COVID-19, website security has never been more important for small businesses.
There are hundreds of blogs out there explaining cyber and website security, but hey, not everyone talks like the weird IT guy hiding in his dark room coding all day…
*Cue Maurice Moss and his 2 cups of tea*
Those of us less tech-savvy people should be aware of the risks, without having to translate ‘nerd’. So we thought we’d write our own blog on the topic and translate the IT jargon for you.
Types of website security threats
There are many ways someone can hack a website, but let’s be honest, do you really care how they do it? We’ll list them below, but feel free to skip to the most important part here.
Spam…those annoying little emails and popups promising us 1 million dollars or some super hot date with all those sexy singles.
Or perhaps you had hundreds of random comments hammering your blog with links to other sites in an attempt to build backlinks (one-way links coming from your website to their own website to help them gain an extra ‘vote’ when it comes to search engine rankings).
These are some of the spam situations we are all pretty familiar with, right? But most spam is a little more malicious than that. It can contain malware, which can harm your website visitors if they click on the links. Google will also penalise you for having malicious links on your site, which will affect your SEO ranking through blacklists, which we explain further on.
Malware (Malicious software)
Malware is one of the biggest threats to your website and it comes in many different forms including Viruses, Trojans, Spyware and Ransomware. 230,000 new malware samples are created each day and used to damage devices, steal data and make money with ads or affiliate links using server resources.
This means not only is your website a mess and causing your business damage, but your website visitors could click on a link that steals their data or downloads a malicious file onto their computer.
I literally had my mum call me the other week saying she had a virus on her computer. “A big popup came up and asked me to call a number”, she said. “The lovely man helped me get rid of the virus and installed some anti-virus on the computer”. “How much was that, mum?”, I asked. “$1,200 for 5 years”. “And how did you pay for that, Mum?…”
A DDoS attack is a distributed denial-of-service attack that targets websites and online services. The aim is to overwhelm a server or network with more traffic than it can handle, rendering the website or service inoperable. It can be combined with an extortion threat of a more devastating attack unless the company pays a ransom.
Search Engine Blacklists
Generally, when a website contains something threatening to a user, such as malware, it goes onto a blacklist. Search engines such as Google, Bing, Yandex, etc. can expel a website from their search results when it is on a blacklist. This then results in the website losing nearly 95% of its organic traffic, and it’s extremely hard to get off this list once you’re on it. Even more reason to ensure your website is safe!
What can you do to keep your site safe?
Ensure your website is secure
You need to ensure your website uses the HTTPS protocol, which basically means making sure you have the padlock symbol in the bar at the top, next to your web address.
This is used for secure communication between your browser and the website. It’s an enhanced layer of security over the standard HTTP protocol for sensitive data and transactions, such as billing details, credit card transactions and user login, etc. Most people look for this icon when making online purchases to ensure their data is safe. It’s also your responsibility to keep your customers safe and provide them with a secure online experience.
To ensure your site is secure, you will need an SSL certificate, which is purchased and installed through your website host. Once it has been installed, you may need to change your site address (URL) from HTTP to HTTPS. You can always contact your web designer/developer for help with this step, but if you manage your own website on a Content Management System (CMS), like WordPress, there will most likely be a plugin for your platform. For example, you can use Really Simple SSL, if your website is powered by WordPress.
Over 70% of WordPress websites worldwide are now using SSL and HTTPS.
Keep your website software up to date
Cybercriminals are after those glitches, the little security holes in vulnerable software that can be exploited. In fact, a lot of these cyberattacks are actually bots programmed to automatically find certain vulnerabilities in websites. This means they cannot differentiate your small business site from a large and popular one, and smaller sites are more prone to hacks as they generally have lower website security measures in place.
If you are using a CMS, like WordPress, plugins would have been a large part of the development process. Unfortunately, plugins are the most vulnerable to attacks and a hacker will find vulnerabilities in the plugin’s code to access sensitive information.
So what can you do?
- Ensure your WordPress core and plugins are updated regularly – Please keep in mind that plugins can clash if they have not been tested with the latest version of WordPress, therefore it’s extremely important that you do a backup before any updates.
- Avoid using unsafe themes – Make sure you verify the source of your themes. Free themes are likely to not have active support or have been built poorly.
- Avoid plugins that have not received updates for more than 12 months – These plugins have usually been abandoned by the author and are no longer reliable.
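
For anyone who keeps a list of their installed plugins, here is one way to apply the checks above automatically. This is an added example, not part of the original article: the plugin names, dates and field names are made up for illustration, and it only flags plugins that have gone more than 12 months without an update or that have not been tested with the WordPress version you are about to install.

```python
from datetime import date

# Constructed sample inventory (not real plugins). The field names are
# assumptions for this example, not a WordPress export format.
PLUGINS = [
    {"slug": "contact-form-example", "last_updated": "2024-03-02", "tested_up_to": "6.5"},
    {"slug": "old-gallery-example", "last_updated": "2021-11-20", "tested_up_to": "5.8"},
    {"slug": "seo-helper-example", "last_updated": "2024-01-15", "tested_up_to": "6.3.1"},
]

def version_tuple(version, width=2):
    """Turn '6.5.2' into (6, 5) so only major.minor is compared."""
    parts = [int(p) for p in version.split(".")[:width]]
    return tuple(parts + [0] * (width - len(parts)))

def is_stale(updated, today, max_age_months=12):
    """True if `updated` is more than `max_age_months` before `today`."""
    total = today.year * 12 + (today.month - 1) - max_age_months
    year, month0 = divmod(total, 12)
    return (updated.year, updated.month, updated.day) < (year, month0 + 1, today.day)

def audit_plugins(plugins, wordpress_version, today, max_age_months=12):
    """Return {slug: [reasons]} for plugins to review before updating."""
    findings = {}
    target = version_tuple(wordpress_version)
    for plugin in plugins:
        reasons = []
        updated = date.fromisoformat(plugin["last_updated"])
        if is_stale(updated, today, max_age_months):
            reasons.append(f"last updated {updated}, over {max_age_months} months ago")
        if version_tuple(plugin["tested_up_to"]) < target:
            reasons.append(f"tested only up to WordPress {plugin['tested_up_to']}; "
                           f"back up before moving to {wordpress_version}")
        if reasons:
            findings[plugin["slug"]] = reasons
    return findings

if __name__ == "__main__":
    report = audit_plugins(PLUGINS, wordpress_version="6.5.2", today=date(2024, 6, 1))
    for slug, reasons in report.items():
        print(slug)
        for reason in reasons:
            print("  -", reason)
```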
Choose safe web hosting
It’s important to choose wisely when looking for a website host. Most hosting providers have security on their servers, however, if you’re on a shared hosting plan, you’re at a higher risk of an attack.
When on a shared hosting plan, your website is stored on a server with other websites, which means if one of those websites gets hacked, the hacker may gain access to the server you are using as well.
Make sure you’re using a reputable hosting provider and choose a package that works for you.
Use strong passwords
We can’t stress this enough! The number of times we have been sent passwords like ‘password123’ is quite scary. You must ensure that you are using strong and different passwords across all platforms.
If you’re anything like me and have hundreds of accounts, and a terrible memory, you will probably want to use a secure password manager, like LastPass.
Use security plugins and tools
If your website is powered by WordPress, there are many great security plugins to help protect your site from attacks. They include 404 detection, file change detection, brute force protection, strong password enforcement, lock out bad users, hide login area, away mode, and more!
Our favourite WordPress security plugins are:
Make regular backups
If you still manage to get hacked, even with all of these preventative measures in place, the one thing that will save you from losing your entire website is making regular backups. Some website hosting companies will offer security packages with regular website backups included. However, there are also great plugins for CMSs, like WordPress, that back up your entire website (database and files) on a schedule and store the backups off-site in a safe, secure location.
Our favourite WordPress security backup plugin is Backup Buddy.
Adjust your default CMS settings
If you’re using a CMS, like WordPress, there are some default settings that you may need to change and customise.
If you don’t want to allow comments on your posts, you can turn them off, or even switch comment approvals on, so that comments are not posted immediately to your site. Let’s be honest, comments are not always welcome and you might like to stay out of the drama!
Website security should be one of your top priorities. You’ve invested in your website design and development, and even if you’ve done it yourself, time is money. If you haven’t taken any steps to secure your website, one of your biggest assets is at risk right now.
Unfortunately, it’s near impossible for any website to be 100% safe and secure, as hackers are always going to find new ways. But by implementing some of the steps above we can decrease the risk of an attack and not only prevent one, but fix one should it ever be successful.
If you’d like to find out how you can keep your website safe, shoot us an email.