Even if you don’t store customer payment details on your website, hackers could still target your site to use it as a relay to send email spam, attack other websites as part of a botnet, or mine for cryptocurrency using your compromised web server. A good web hosting provider will have security features in place to help protect your website from security breaches and malicious code.
However, there are many other things you should do as a website owner to make it harder for hackers to compromise your website.
1. Keep on top of security patches
When a common vulnerability and exposure (CVE) is discovered in software used in web server software, hackers sell the details of the exploit on the black market. If your web server isn’t patched to fix the vulnerability, attackers can execute any code they like on your web server, essentially allowing them access to all your website files, customer databases, and passwords.
A website includes a lot of software to keep track of. In most cases, company websites make use of web server software like Apache, databases like MySQL, and content management systems (CMSs) like WordPress, not to mention a whole host of plugins for said CMSs. All of these programs and plugins must be kept updated.
It’s important to have proactive patch management and a testing policy in place to make sure you’re always running the latest versions of software that have been patched for the latest security vulnerabilities.
2. Use website security tools
Cyberattacks on businesses continue to rise. There was a 31% increase in the average number of attacks on companies around the world between 2020 and 2021, and the percentage of successful breaches increased from 44% to 61%.
To combat this, you can use website security tools like Sucuri SiteCheck and WPScan that test your website for security holes so you can patch them.
Most website hosts offer security tools as part of their plans or as an added monthly cost. GoDaddy, a leading website hosting provider, offers security plans that include malware scanning, unlimited site cleanups, and DDoS (distributed denial of service) protection.
Malware scanning checks your files periodically for suspicious files, whereas DDoS limits the damage hackers can do to your website if they try to overload it with thousands of concurrent requests.
3. Lock down file permissions
Each file on your web server can be set to be read-only, read-write, or executable. Different user accounts can have different levels of access to your files, too. It’s important to keep these file permissions as tight as possible, so there are fewer avenues of attack for a malicious actor if they gain access to your web server.
This is especially important if you use shared hosting, a popular type of web hosting where hundreds or even thousands of websites share a single web server. If you have loose file permissions set up, it’s possible for one of these other website owners to change the code of your website or run any script of their choosing on your hosting, simply by overwriting files in your directory.
4. Use HTTPS across your website
Beyond hackers making attacks directly on your website, you must also consider man-in-the-middle attacks. This is where a hacker located on the internet between your website visitors’ computers and your website can see the data being sent back and forth. Using this data, they’re able to log in to your customers’ accounts, potentially wreaking havoc.
The most obvious solution to this problem is to implement HTTPS (Hypertext Transfer Protocol Secure) across your website. All communication between your website and its visitors will then be encrypted, so no one can listen to the traffic being sent.
Choose a security-focused web host that makes implementing HTTPS easy. For example, all hosting plans from Bluehost, a popular website hosting provider, include an SSL certificate from Let’s Encrypt at no extra cost. Other top choices include GoDaddy, A2 Hosting, and Network Solutions.
5. Be careful with file uploads
If you allow files to be uploaded to your website for any reason, you must be extremely wary of the security risks involved. If your file upload code is poorly written, a hacker can upload a script that will be run by your web server. This could open your site for abuse, allowing the hacker complete control over your website.
Extensive checks should be performed on file uploads to ensure the files that users upload are safe. If you want to let visitors change their avatar by uploading a new image, for example, you need to check that the file uploaded is indeed an image and that it’s within specified file size limits.
When you store files uploaded by users, don’t use the filename they provide. Instead, when you’re writing code that uploads files, create your own, safe filename, so it’s harder for hackers to overwrite files on your server.
6. Have a strong password policy
Enforce strong passwords across your organization. Having a minimum number of characters and requiring the use of uppercase letters, numbers, and symbols in your employees’ passwords will make brute force attacks extremely difficult to perform.
Passwords should always be stored in an encrypted format so that even if there is a security breach, the hacker will not be able to use any password data they find.
Each of your staff who must work on the website should have their own password with only the level of access they need. This means if their particular user credentials are stolen, the harm a hacker can do is minimal, as they can only gain access to a small part of the system.
7. Don’t give out information in error messages
Error messages are very useful when you’re building a new web application or troubleshooting a problem. But displaying detailed error messages to users of your website is not just unprofessional, it’s a security risk.
A hacker can get vital information on the software you’re running if you allow error messages to be displayed to them. They can use this information to decide the type of exploits to try to run on your software. Detailed error messages can offer vital insights into the attacks that will work on your website, so keep your error messages in logs server-side instead of displaying them to your users.
8. Guard against cross-site scripting attacks
Many sites allow visitors to change page content in some way, such as leaving a comment on a blog post. This content is then displayed to your other visitors. Without due care, this can be a security issue, as hackers can include scripts that run code.
Clever use of this tactic, known as cross-site scripting (XSS), allows hackers to steal the login cookies of your other visitors. With this, they can access your customers’ accounts, see their personal details, and even make purchases.
To guard against such attacks, all user-generated content uploaded to your website must be stripped of all potentially malicious data. This is called sanitizing input. All major CMSs like WordPress automatically perform this duty for you, but it’s important to remember if you write your own website code.
9. Avoid SQL injection attacks
SQL (Structured Query Language) injection attacks are one of the most common attack vectors in website hacking. SQL is a computing language used to make queries to a database. An SQL injection attack is where a website visitor intentionally enters text that allows them to execute any code they want to on the database.
To minimize the potential for SQL injection attacks, you should always consider any input that comes from a remote user as potentially malicious. Your website code must cleanse all this data to ensure no malicious code can be run on your database.
10. Use DDoS protection
A DDoS (distributed denial of service) attack is a type of attack where a massive amount of traffic is sent with malicious intent to a website, usually from multiple locations. Your website server can become overloaded by this huge amount of traffic. Your website may crash, significantly slow down, or become unavailable to legitimate visitors. In a worst-case scenario, a DDoS attack can open your web server up to further attacks where the hacker gains access to user credentials or personal information.
Protecting against DDoS requires investing in solid network infrastructure that can handle large amounts of traffic. You can also use firewalls, which will intelligently disregard traffic that looks like a DDoS attack, or a DDoS mitigation service, which routes all incoming traffic through a filter before sending it on to your web host. You can also make use of CDNs (content delivery networks), which effectively spread your internet traffic across different servers around the world, minimizing the harm a DDoS attack can do.
Choose a website builder and hosting provider that takes security seriously, updates software often, and makes it easy for you to use HTTPS across your website. Lock down your site by enforcing strong passwords, checking file permissions, and guarding against SQL injection, XSS scripting, and DDoS attacks.
These tips on how to protect your website from hackers cover some of the most important ways for you and your IT team to protect your website and keep your business out of the firing line.