How to Secure a Website: 7 Simple Steps
- Install SSL
- Use anti-malware software
- Make your passwords uncrackable
- Keep your website up to date
- Don't help the hackers
- Manually accept comments
- Run regular backups
1. Install SSL
One of the easiest things you can do to protect your website, yourself, and your users, is to install an SSL (Secure Sockets Layer) certificate. You may not realize it, but you come across SSL all the time when you browse the web – it's the reason for the s in https, and the padlock in the address bar.
Good to know…
SSL stands for Secure Sockets Layer. You install an SSL certificate on your website, and it encrypts data (such as login details) passing between your site and your visitors. There are different levels of SSL – e-commerce sites processing payment details, for example, should use a more advanced version.
SSL encrypts information passing between your website and your visitors. Google now warns visitors when they're entering a site without SSL, and even discriminates against those sites in its search results.
It's especially important to have SSL security if you're accepting payments through your site, asking for login details, or transferring files. Without it, the data is unprotected, and vulnerable to hackers.
The hosting provider HostGator includes free SSL security on all its plans. Here, it shows the importance of SSL.
It's not important for you to know the technical ins and outs of SSL security, so don't worry if you don't really get how it works. The most important thing is to know that your site needs SSL, and how to go about getting it.
There are multiple ways to install SSL. The three main ways we suggest are:
- Choose a good quality website builder that includes SSL for free
- Choose a hosting provider (such as HostGator) that provides a free SSL with all plans (if you're building your site with a content management system, such as WordPress.org)
- Install a basic Let's Encrypt SSL for free yourself
If you want a much higher level of security, you'll need to pay for an advanced SSL certificate. These vary in price, and you can buy them from hosting providers, or registrars such as GoDaddy. Unless you're running a large online store, or handling large amounts of sensitive data, the free version of SSL will probably be sufficient.
Did you know?
Hacking is the number one method of data breaches online, accounting for 61.9% of lost information. More than 8 billion records have been lost because of hacking.
2 Use Anti-Malware Software
Anti-malware software might sound like a lot of jargon, but the good news is that anti-malware software actually does the hard work for you – so you don't need to worry about any of the technical stuff.
There are plenty of different anti-malware options out there. Some have free plans – like Bitdefender Antivirus Free – while others you have to pay for, such as SiteLock.
SiteLock is used by over 12 million websites, and offers different packages that provide varying levels of protection. This means you can tailor your security to your site's needs, as well as your budget. Some of the security services it provides include:
- Web scanning
- Malware detection and removal
- Web application firewall
- Vulnerability patching
- DDoS protection
- PCI compliance
If you don't know what all this means, that's okay – that's what anti-malware software is there for!
SiteLock is the global leader in website security, and is a popular anti-malware software that often comes included in hosting plans.
A good quality website builder or hosting provider should look after your site's security for you. Hosting providers often include anti-malware software as part of their plans – some even throw in paid services like SiteLock for free!
Other providers include a built-in set of tools – InMotion, for example, includes a security suite on its cheapest plan. This is made up of:
- Free SSL
- Hack protection
- Automatic backups
- DDoS protection
These are the security basics for your site, and the features you should look for whenever you're looking at picking a hosting provider. Whether your provider comes with tools built-in, or offers extra freebies such as SiteLock, anti-malware software gives you a welcome extra layer of protection.
Did you know?
A DDoS attack could cost a small business
3 Make Your Passwords Uncrackable
Passwords. They're so familiar that we can sometimes forget just how important they are. It's easy to overlook the fact that often, your password is all that's standing between a hacker and your personal information.
Not only are passwords a vitally important step, but they're also one of the easiest things you can change to increase the security of your website. Spend just 20 minutes today making your passwords stronger, and you'll be on your way to a more secure site.
Did you know?
40% of surveyed small business respondents said that their company suffered an attack due to employees' passwords being compromised. The average cost of each attack was just over thousand!
A survey carried out by the UK's National Cyber Security Center analyzed the most common passwords used by accounts that had been breached across the world. They then put together a list of the top 10 most hacked passwords – if you're using any of the following, it's time to change it (like, right now)!
- 123456
- 123456789
- qwerty
- password
- 111111
- 12345678
- abc123
- 1234567
- password1
- 12345
Instead of using easy-to-guess phrases, here are some things you should do:
- Combine three random, unrelated, but memorable phrases
- Use a randomly generated sequence of characters
- Don't reuse passwords – use a password manager to keep track of them all
- Make your password long
- Never use personal information in your password – it's the first thing hackers will try!
There's a seemingly endless list of password tips out there, and you should combine a few of these tactics to create uncrackable passwords. Once you've got your shiny new bulletproof passwords, be careful with them – do not share them around, even with friends, and do change them regularly (about once every quarter).
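The password tips above, as an added example that is not part of the original article: Python code that generates a three-word passphrase and a random-character password with the standard `secrets` module, and checks a candidate against the top-10 list, a length floor and personal details. The sample word list, the 12-character minimum and all function names are assumptions made for illustration.

```python
import secrets
import string

# The ten most-hacked passwords listed in the article above.
BREACHED_TOP_10 = {
    "123456", "123456789", "qwerty", "password", "111111",
    "12345678", "abc123", "1234567", "password1", "12345",
}

# Constructed sample list. A real generator should draw from thousands of
# words so that three words are hard to guess.
SAMPLE_WORDS = [
    "lantern", "orbit", "maple", "granite", "velvet", "harbor",
    "pickle", "saddle", "tundra", "walnut", "copper", "meadow",
]

MIN_LENGTH = 12  # assumed threshold for "long"; the article gives no number


def random_password(length=20):
    """Randomly generated sequence of characters, drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def three_word_passphrase(words=SAMPLE_WORDS, separator="-"):
    """Three random, unrelated words, chosen without repetition."""
    pool = list(words)  # copy so the caller's list is not modified
    chosen = []
    for _ in range(3):
        chosen.append(pool.pop(secrets.randbelow(len(pool))))
    return separator.join(chosen)


def password_problems(password, personal_info=()):
    """Return the tips a password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if lowered in BREACHED_TOP_10:
        problems.append("on the most-hacked list")
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # Case-insensitive substring match against names, birthdays, pet names...
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append("contains personal information")
            break
    return problems
```

`secrets` is used rather than `random` because it draws from the operating system's cryptographic random source, which is what makes the output unpredictable.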
4 Keep Your Website Up to Date
We're not talking about posting the latest gossip, or keeping your visitors in the loop with your newest product. This is about the importance of keeping your website's software up to date.
If you use a website builder, you don't need to worry about this so much, because most builders will handle software updates and security issues for you. However, if you're using a platform such as WordPress, you need to be totally on top of things and running updates when necessary.
You need to run updates for your WordPress core software, as well as any plugins you've installed. If you don't, then it can all become outdated and vulnerable to bugs, glitches, and – worst of all – hackers wielding malicious code.
Did you know?
Cybercrime will cost the world in excess of trillion annually by 2021 – that's a 100% increase from 2015!
The good news is, you should be able to set these updates to happen automatically in your dashboard – but it's still worth keeping an eye on and making sure everything is running smoothly. Letting your site become outdated can be a fatal blow in terms of security, so it doesn't hurt to be vigilant about staying on top of updates.
Good to Know… When you're choosing plugins for your WordPress website, be careful about the quality. Plugins can be built by anyone, and poor quality ones can contain bugs or malicious code. Read reviews, look for trusted developers, and check out the plugin thoroughly before clicking Install.
5 Don't Help the Hackers
We know, this sounds like a total duh moment. Well, obviously I'm not going to hand over my details and let my site get hacked – that's the whole reason I'm reading this article! The trouble is, people are still – through no fault of their own – falling prey to scammers and unknowingly giving away important information about themselves.
Did you know that 92.4% of malware is delivered via email? That makes it the number one method of attack, and means you should always be on the lookout for anything unusual in your inbox.
There's always more tech you can put in place to protect your website, but you mustn't forget that 95% of cybersecurity breaches are due to human error. Protect your website by being on your guard, and being suspicious of texts, emails, or phone calls asking for personal information.
It sounds simple enough, but scams are growing ever-more sophisticated. Here are five things you can do to make sure your website doesn't open the door to unwelcome visitors:
- Beware of public or open internet connections if you're working in a shared space like a cafe – they won't be secure!
- Never click on links in emails that seem suspect – delete the email straight away! This is still important if you're using a professional email connected to your website, rather than a personal one.
- Be careful who you grant access to your website – check admins are people you can trust, and make sure they're security-conscious.
- Change the default settings, passwords, and usernames of your site as soon as you've set up your account – this is especially important for WordPress sites.
- Only trust verified professionals to access your site. For example, scammers sometimes want to take control of your screen under the pretense of fixing a technical issue.
You get the idea. We know this seems like common sense, but phishing emails are becoming increasingly realistic – so stay on high alert!
6 Manually Accept On-Site Comments
Is there a better feeling than hitting publish on your site and then seeing comments start to roll in? It's proof that people have actually visited your site – and enjoyed it.
Comments are the perfect way to measure engagement, provide social proof to other visitors, connect with other people in your niche, and even take on constructive feedback. We love receiving comments, and you should too!
However, there are always those comments that aren't quite so fun. Bots, fake accounts, and trolls are ready and waiting with a silly comment or spammy link. At best, it's annoying – at worst, it can pose a security risk to you and your users.
If people can post comments directly to your website, there's a chance that malicious links might sneak into the comments section. This is particularly dangerous for your website's visitors, who might click on the link and risk exposing personal data or accidentally installing malware.
Did you know?
One in ten URLs are malicious – and this number's on the up.
To combat this, you can change your site's settings so that you need to manually approve comments before they appear on your site, giving you the chance to delete any spam. Other ways to reduce these malicious links include:
- Use an anti-spam software or plugin (such as Akismet for WordPress users)
- Ask visitors to register before they can start commenting
- Turn off comments on posts after a month or two
These tactics should keep your comments section a safe, fun, and happy place for both you and your visitors, and keep hackers and their malicious links on the outside.
7 Run Regular Backups
Following each of the steps we've outlined so far will help you to stop hackers in their tracks. But don't take your site's security for granted – just like having a safety net beneath you is a good idea when walking a tightrope, running regular backups of your site just makes sense.
Creating backups of your website ensures that if the worst were to happen, you'd still have a recent version of your site stored safe and sound, and ready to be relaunched.
A backup is essentially a copy of your website data – such as files, content, media, and databases. If you have a large or complicated website, you'll need a larger amount of backup storage to save all of your data.
There are multiple ways to back up your website, including:
- Use a backup service such as CodeGuard or Sucuri, which does the work for you at a price.
- Use a web host that includes backups in its plans, like A2 Hosting. Some hosts have backup software built-in, or available as add-ons. However, these can have limited storage, so we usually recommend not relying on them for all your backup needs.
- Use a WordPress plugin such as UpdraftPlus or VaultPress. WordPress users can simply install their chosen plugin and manage their own backup preferences.
Using a backup service is usually the safest and most reliable way to go. Still, whichever backup method you choose, there are some important things that you should always look for:
- Off-site backups – this keeps your data far away from hackers in a secure, off-site location rather than in a normal server. This also protects your backups from hardware failure.
- Automated backups – remember when we said that 95% of security breaches were through human error? Don't forget to create backups and pay the price – by automating this process you can simply sit back and relax.
- Redundant backups – this means your website's data is stored in not just one, but multiple server locations. Think of it like having backups of your backups!
- Regular backups – it's no good if you're only running backups once per year. If a hack attack strikes, you'll be left with an outdated version of your site. You should aim for weekly backups at the very least.
The more frequently you update your website, the more frequent your backups should be. We recommend erring on the side of caution, though – if you come under attack, you'll never be sorry that you backed up your site too much!
8 Why Cybersecurity Is Important – 3 Case Studies
#1. Zynga: 172.9 million records hacked
On September 12th 2019, Zynga – the mobile game producer responsible for Farmville – was hacked.
The hacker accessed login details for players of the popular games Words With Friends and Draw Something, including:
- Usernames
- Passwords
- Log-in and Facebook IDs
- Phone numbers
- Zynga account IDs
This hack was originally thought to have affected 218 million people, because of claims by the actual attackers. But the final figure was estimated around 173 million by the breach monitoring site Have I Been Pwned.
In response to the attack, Zynga advised its users not to use the same password for multiple accounts – this reinforces the importance of having unique, secure, and separate passwords for different online accounts.
#2. 7-Eleven, Japan: ,000 of customers' money lost
If you think that waiting one day more to sort out your security won't make a difference, think again.
7-Eleven Japan introduced a new payment app for its customers, but left a major flaw in the form of an easy password reset that could be requested by just about anyone.
The app was launched on Monday, July 1 2019, and was shut down two days later on July 3 due to customer complaints – it only took hackers this long to break into around 900 accounts and steal ¥55 million (, 000).
Hacker attacks are frequent, and if they find a weakness you can bet they won't hang around to exploit it. Don't wait to sort out your security – your users' data is at as much risk as yours if your site comes under attack!
#3. Marriott: 500 million guests' data exposed
Hotel company Marriott International was compromised by a hack that started as far back as 2014 – and went unnoticed until 2018. It was still hitting headlines last year, as Marriott continued to deal with the fallout.
It was initially thought that around 500 million customers were affected by the hack, which leaked:
- Names
- Addresses
- Phone numbers
- Email addresses
- Passport numbers
- Date of birth
- Genders
- Encrypted payment details
Since then it's been suggested that the number of people affected was actually much lower – around 383 million. Still, with 5.25 million unencrypted passport numbers having been exposed, that's still a pretty huge cybersecurity fail.
Despite this, one of the main things that Marriott has been criticized for is its response to the attack – mostly due to a lack of communication, as well as further security concerns over its email domain.
If you're running a business website, or even a personal blog, and it gets hacked, make sure you communicate clearly with your audience. Be quick to fill them in on what's happened, give them the facts, and also empathize with them about how they might be feeling.
Learn from where businesses like Marriott got it wrong!
Good website security starts with you – choosing a reliable website builder or hosting provider, making sensible choices about how you run your site, and putting in the extra effort to make passwords secure.
And we're here to help you along the way!
Hopefully you've learned how to secure a website, and have found it's not as hard as you first thought. You don't need tech skills or a huge budget to make your website secure – as our list has shown!
We've outlined the seven steps you can take to start securing your website. This is by no means an exhaustive list, however – there are plenty more tips, tricks, and tools you can use to better protect your website.
If you're a WordPress user, for example, you can find plenty of security tips in WordPress' support pages. Sucuri is another great resource, with a huge wealth of guides, infographics, and courses to help you confidently secure your website.