How To Make Sure Your Website Is Following Security Best Practice

By Brad Girtz, 28th October 2018

For most people who own a website, cybersecurity is not something they regularly think about. Hacks and data breaches seem to be the domain of big companies like Facebook and Equifax. However, 43% of cyber attacks actually target small businesses and only recently we were approached by a small business owner to rebuild their website due to a major hacking incident. Every business needs to take security seriously. Naturally, most small businesses do not have cybersecurity experts on hand to answer questions. To help fill that gap, Plug & Play have asked our security pro for some advice on how to keep your site safe.

Understand What Hackers Want
Most small businesses think they are safe from hackers because they do not have anything they think a hacker would want. That could not be further from the truth. Broadly speaking, hackers have one of three goals: they are trying to gain access to data, gain access to hardware, or target SEO.

Data: Not all hackers are looking for nuclear launch codes. Most are just interested in information like your date of birth, credit card number or passwords. This data can be used to break into other places or sold on. That means one successful hack can lead to many more.

Hardware: Hackers may not actually want to break or steal anything. They could want access to your hardware like computers, servers or other devices. Anything with computing power can be used to mine cryptocurrency or run any number of programs. The more hardware a hacker compromises, the more processing power they gain.

SEO: Hackers who want to help their sites or hurt yours might break into your website just to add links. Google looks at links as a vote of confidence. A hacker could add a link to your site to help another site succeed. They could also add many bad or damaging links to your site to hurt your search ranking.

How To Protect Yourself
Now that you understand the risks to your site it is time to learn how to defend it. We have compiled a list of simple steps that will help keep you safe.

  1. Make sure you are running the latest version of your platform.
    Every site has a CMS or content management system. A good example is WordPress. You should make sure you are running the latest version of your CMS.
  2. Keep your plugins up to date.
    A plugin is a piece of software that can be added to a CMS to increase functionality. If you are running an old or out-of-date plugin, this is an open invitation for hackers.
  3. Get a penetration test done.
    Penetration testers are people who are paid to try to break into your website. They will tell you if there are any weaknesses and give you information on how to fix them.
  4. Always use strong passwords.
    That means a password of at least 15 characters with upper and lower case letters as well as special characters.
  5. Use a password manager.
    Most people reuse passwords or use poor passwords because they struggle to remember all the passwords needed in modern life. A password manager solves this problem.
  6. Fix any issues exposed by the penetration tester.
    A penetration test will only tell you where you are vulnerable; it does not fix the issues, so you should make sure the relevant fixes are done.
  7. Run regular penetration tests going forward.
    New security exploits are discovered each day. If you run regular tests even once per year you will significantly reduce your risk.
  8. Think about hiring a security specialist or putting one on retainer.
    This is not right for every business but having someone available to call if you have issues significantly speeds up your ability to deal with or recover from security threats.
  9. Back everything up as much as possible.
    If you are the victim of an attack, having a backup from before the attack means you can restore your information quickly.

If you follow these steps they will help protect your site from most threats. However, as we discussed earlier in this article, your website is not the only thing hackers may target. You also need to secure your hardware. Servers are a particularly high-value target for hackers so we have compiled a list of general security measures to keep them safe.

  1. Use an infrastructure tester.
    This is like a penetration tester for hardware.
  2. Keep your server software up to date.
    Software updates often include security patches that fix holes. By skipping an update you are putting your server at risk.
  3. Have a firewall and rules in place to restrict access.
    A well-protected server will only allow access to necessary services through a firewall.
  4. Always use strong passwords.
    That means a password of at least 15 characters with upper and lower case letters as well as special characters.
  5. Use a password manager.
    Most people reuse passwords or use poor passwords because they struggle to remember all the passwords needed in modern life. A password manager solves this problem.
  6. Back everything up as much as possible.
    If you are the victim of an attack, having a backup from before the attack means you can restore your information quickly.
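One way to put the firewall step into practice on a Linux server, as an added example that is not Plug & Play's own configuration: an nftables ruleset that drops all inbound traffic except the services the site actually needs. It assumes SSH, HTTP and HTTPS are the only required services and uses the documentation address range 203.0.113.0/24 as a placeholder for the administrator's network.

```nftables
#!/usr/sbin/nft -f
# Default-deny inbound ruleset for a single web server.
# Assumed services: SSH (22), HTTP (80), HTTPS (443). Everything else is dropped.
flush ruleset

table inet filter {
    chain input {
        # Anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Loopback traffic and replies to connections the server itself opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Allow ping so that uptime monitoring keeps working.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The only services that need to be reachable from the outside.
        # SSH is limited to a placeholder admin range; replace 203.0.113.0/24 with your own.
        tcp dport 22 ip saddr 203.0.113.0/24 accept
        tcp dport { 80, 443 } accept
    }

    chain forward {
        # This host does not route traffic for other machines.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound connections (software updates, off-site backups) are allowed.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`; test SSH access from the allowed range in a second session before closing the one you are working in.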

These steps will protect you from the vast majority of attacks. This is because hackers are usually looking for an easy target. However, if you are unlucky enough to follow these steps and still get hacked, we have some advice that could help.

Websites

  1. Restore your backup from before the hack.
  2. Change all of your passwords.
  3. Keep a version of the compromised code to give to a penetration tester.
  4. Get the problem fixed ASAP.

Server

  1. Shut it down.
  2. Disconnect it from all other devices.
  3. Call an expert to go over it.

It is important to remember that you should consult a developer before you attempt to update a CMS or plugin, as it can affect your site in unexpected ways if the update is done incorrectly. If all of the updating and testing sounds like it is too much to handle, Plug & Play can help with our hosting and security service. We can build a secure site, keep existing sites up to date and provide help with testing. Contact us today to learn more or discuss your needs.