Website security 101: keeping your website safe from hackers

From moats, tall towers, and drawbridges to iron doors and battlements, castles in medieval times took a number of protective measures. Website security today is much the same—several layers of defense secure a website from intruders. 

And it’s not something that you can ignore considering there’s a hacker attack every 39 seconds. Cybersecurity is crucial irrespective of the size or worth of your online business. Taking the security of your website lightly can cost you customers, reputation, money, time, and much more. 

So, let’s explore website security in today’s post. We’ll talk about what website security is, it’s importance, and some website protection measures you must take now if you haven’t already. 

Let’s get to it: what is website security and why is it so important?

Simply put, website security or cybersecurity is a set of protection measures and protocols you take to secure a website or web application. It is an ongoing process since many of the steps you take to secure a website need to be repeated regularly. 

Website security measures are meant to prevent the exposure of sensitive data to cybercriminals as well as save your site from malware, spam, and other threats. Meanwhile, ignoring all the precautions can lead to hackers stealing your customers’ sensitive data such as credit card information. For instance, earlier this year Wells Fargo customers became victims of phishing emails multiple times.

Think of it like this: would you ever leave all the doors of your house open and the safe unlocked in Gotham City where robberies are common? Bet you wouldn’t. Not securing your website is akin to inviting attackers to have a tea party in the online hub of your business. 

5 reasons to take cybersecurity seriously

Still not convinced about the necessity of cybersecurity? Here are 5 facts that show how essential it is and why you need it: 

1. Cyberattacks are common and can happen to innocuous and unprepared small websites as well.

Businesses of all sizes are at risk of cyberattacks. Dubsmash, Quest Diagnostics, and Canva are some victims of hacker attacks. While big websites are enticing, small ones are easy targets. This is why it is crucial to set aside a monthly budget for updating your security measures, improving system weaknesses, and more. 

2. Cyberattacks are expensive for business whereas cybersecurity is way cheaper.

For a small business, cybersecurity solutions cost around 4% of its operational budget whereas a big organization may spend just up to 2% of it on cybersecurity. Compared to this, the average cost of a data breach in 2019 reached a staggering $3.92 million, as per the 2019 IMB Cost of Data Breach Report. 

3. Some types of cyberattacks can be difficult to spot.

Sometimes businesses are not even aware their online security has been breached. Cybercriminals can continually extract sensitive data and use it for a larger purpose without the victim’s website even knowing. Strong and updated security measures protect from such stealthy criminal activity. You can use a tool like Sucuri SiteCheck to scan your website for viruses, website errors, malware, and more. 

4. Website security protects the SEO and reputation of a business.

Cybersecurity shares a direct link with SEO. If your website gets hacked, you can end up with having it filled with spammy outbound links or sneaky redirects to some dodgy website—that’s in case hackers use your site to boost the ranking of their own project with the help of dark-hat technique. They can as well inject malicious code to your website or mess with your robots.txt file and get your website out of Google’s index. 

In any case, both types of negative SEO attacks can hinder your rankings, and your website can get hit by Google’s quality algorithms or get a manual penalty. In that case, your website will not be shown in Google search results either fully or partially. 

You won’t get any notifications if your website gets flagged by Google algorithms, but you’ll surely notice the drop in rankings. In case you get a manual action imposed on your website, you’ll find a respective notification in your Google Search Console. 

Google will not reveal the information to the public—users will still be able to access your website as long as they manage to find it. But if the news of your website’s hacking does get out, it will even further negatively impact your reputation and hamper growth. 

5. Cybersecurity protects customers as well and reassures them.

Sometimes Google does tell users not to visit a website if they value their privacy. Such cases have nothing to do with negative SEO attacks and Google penalties, as users get a warning message whenever a website’s security certificate expires. An SSL certificate ensures that all the information passed between the user and the website is encrypted, and whenever it expires the encryption stops working as well.

Users can still access the website in spite of the precaution by clicking the Advanced button, but most will surely leave at this point.

Interestingly, if a website never had encryption enabled in the first place, users will be able to view the website freely. The only turnoff is the ‘not secure’ notice users will see in the address bar as opposed to the padlock for website protected with encryption.

Though not as devastating as the “Your connection is not private message”, the “not secure” notice is still no good as it harms your business reputation. 

Following website security best practices

Hopefully, by now you are eager to take all the necessary steps to turn your website into an impenetrable fortress and sleep well knowing you won’t face the disastrous consequences of falling victim to hackers. 

So the question is: what can you do to protect your website? Here is the checklist for you to go through.

✅ Get a secure web host 

Opt for a hosting provider that uses web application firewall (WAF) for active network monitoring. WAF is a gatekeeper that won’t let hackers and malicious bots access your website and exploit its vulnerabilities. For example, it should stop hackers from taking over your website using SQL injections or Cross-Site Scripting or taking your site down with a DDoS attack. 

Also, a reliable hosting provider should be regularly scanning its web servers for malware and provide you with reports. And in case, in spite of the precaution, malware does make its way into your website files, the hosting provider should help you with identifying and removing it. 

✅ Use HTTPS protocol

HTTPS is a secure communication protocol that uses encryption to provide the integrity of data traveling across the web. HTTPS ensures that hackers won’t get their hands on users’ data including sensitive information such as passwords and banking card details. 

Earlier we have published a detailed guide on how to switch from HTTP to HTTPS, so if you haven’t yet moved your website to HTTPS, make sure to check it out. 

To run on HTTPS a website needs a valid SSL certificate. Make sure to renew it regularly, use an up-to-date version of SSL and modern encryption. 

✅ Restrict administrative access

When trying to get their hands on your website, hackers often aim for accounts with administrative privileges because taking over such accounts gives them greater control of your business. To reduce this risk, restrict the use of accounts with administrative privileges—only use them when necessary and only grant access to people who really need it.

✅ Combine strong passwords with two-factor authentication

Using strong passwords is a must for anyone willing to protect their accounts. However, sometimes even strong passwords fail to sustain a brute-force attack. That is why a good idea is to add an extra layer of protection by enabling two-factor authentication for your CMS and hosting accounts. If you store and process sensitive information on your website, you may also consider making your users go through two-factor authentication to access their accounts.

✅ Change default CMS settings

When creating a new piece of malware, cybercriminals often target the most popular CMSs to gain control over the maximum number of websites using the same malicious code. Adjusting default CMS settings can save you from falling a victim to malware, as your website will no longer work in exactly the same way as thousands of other sites hackers were targeting. So make sure to change user controls, file permissions, comment settings as these small adjustments make a big difference.

✅ Update your software and regularly

Every software update comes with security improvements—it often fixes known bugs and vulnerabilities that hackers can exploit. That is why it is crucial to have an effective patch management practice in place that includes your servers, CMS, plugins, and all the other products you use on your website. Also, make sure to get rid of the old software that you no longer use especially if it hasn’t been updated for a while, as such software leaves a loophole for hackers to access your system.

✅ Backup your data

As long as you take all the measures listed above, you should sleep well knowing that your website is well protected from intruders. However, there’s always a small chance that something will go wrong—after all, cyber threats are constantly evolving as hackers keep finding new vulnerabilities to take advantage of. To mitigate the consequences in case that happens to your website, you want to have all your data backed up.

Today there are a variety of backup options to choose from. Many hosting providers have data backup included in the hosting plan and such backups are normally done automatically. The downside is that the amount of data you can back up may be limited. Then, a cPanel also has an inherent backup feature, but in this case, you’ll have to do things manually. 

WordPress users can make use of one of the dedicated backup plugins to duplicate a live website to the staging area or to copy website files to cloud storage, either their own (e.g. Google Drive, Dropbox) or the one provided by the plugin developers. Depending on the features set, WordPress backup plugins may be free or come at a yearly fee.

The best practice is to combine multiple backup methods. For example, you can do both daily incremental backups to a cloud storage and weekly server backups. 

Make sure to regularly check that everything runs properly and you can restore your data from the backup.

Summing up: you can’t do without website security 

Website security is not just a buzzword. Cyberattacks can do real harm to your website like making it non-operational or turning it into a dump filled with spammy texts and outbound links to dodgy websites. Hackers can use your website for phishing attacks leading to a massive data breach that is always associated with both financial and reputational losses. 

To stay on the safe side, you’ll have to take every possible measure to mitigate the risk of having your website hacked. Following website security best practices does cost some time and money, but you surely can afford it. The price you’ll have to pay if falling a victim to hackers is something you can’t afford. 

Svetlana Shchehel

Svetlana is the Head of Content at SE Ranking. Her interests span across digital marketing, SEO, and translation. She regularly shares her expertise on the SE Ranking blog and across various marketing media. Svetlana believes that complex notions can be explained in plain words and loves creating immersive stories. Svetlana spends most of her evening hours learning new languages, planning memorable trips, and petting her cat.