In 2020, the Internet Crime Complaint Center (IC3) received 791,790 cybercrime complaints, with reported losses exceeding $4.1 billion — a 69% increase in total complaints from 2019.
Whether you already have a website or are looking to create one, internet security is something that should be at the forefront of your mind — especially today.
A website with weak security tells users you don’t care about their online safety.
According to Eric Florence, Cyber Security Analyst at SecurityTech, “If your website security is weak, it sends a message to anyone who visits it — including potential clients.”
We’ve asked Florence and other cybersecurity experts to provide insight into how to secure a website the right way in 2021. Let’s dive into the different ways your website can get hacked, plus the step-by-step process for how to secure your website.
How Can Your Website Get Hacked?
According to a survey by security company Tripwire, one in three IT professionals (34%) in Europe reported that their organization had been breached as a result of an unpatched vulnerability — a weakness in the system that allows attackers to run malicious code.
Here are some of the most common website security attacks:
- Phishing: This is a type of social engineering where an attacker sends a deceptive message to trick someone into revealing sensitive information (e.g., account or credit card information) or to deploy malicious software (e.g., ransomware). An example is CEO impersonation fraud, where attackers send a scam email pretending to be the CEO or another senior figure in an organization requesting payments or sensitive information.
- Ransomware: This is a type of malware in which the attacker threatens to publish the victim’s personal data or block access to it unless a ransom is paid.
- Denial of Service (DoS): This is a cyber-attack in which the criminal makes a website, server, or network unavailable to its users by overwhelming them with unnecessary requests and Internet traffic until the system can no longer respond and crashes.
- SQL injection: This is a technique in which attackers insert malicious SQL statements into an entry field for execution to access information that was not intended to be displayed (e.g., sensitive company or customer data).
- Cross-site scripting: This is a type of attack in which a criminal inserts malicious scripts into an otherwise trusted website to steal the user’s identity data through cookies, session tokens, and other information.
- Code injection: This is a type of attack in which a criminal exploits poor handling of untrusted data to introduce malicious code into an application.
- Malware: Short for “malicious software,” this is a generic term for intrusive code that tries to take control of your website, including viruses, worms, and more.
Who Is Behind These Cyber Attacks?
85% of data breaches — incidents that result in the confirmed disclosure of data to unauthorized parties — involve a human element, meaning anything that involves a social action (e.g., phishing and stolen passwords). Additionally, the majority of attacks were caused by social engineering, which consists of psychologically manipulating people into performing actions like revealing confidential information.
What Types of Financial Losses Can Cyber Attacks Result In?
The short answer? A lot. According to the Verizon 2021 Data Breach Investigations Report, 95% of Business Email Compromises (BECs) and 95% of Computer Data Breaches (CDBs) caused a $30,000 median loss, and for ransomware, the median amount lost was $11,150.
Whether through social engineering or more technical and advanced cyber attacks, there are many ways your website can get hacked. Now, let’s dive into the steps you need to take to keep your website cyber safe.
9 Steps to Secure Your Website
Step 1: Choose a Secure Website Hosting Service Provider
The very first step to having a secure website is choosing a secure website hosting provider.
This step is often overlooked, but all the time and money spent on other cybersecurity measures will be useless if you miss it.
Since the web host is where all your company data and files are stored, if your hosting service provider is the target of an attack, your website’s data will be as well.
Additionally, if your web hosting service lacks security features, there’s no easier way for hackers to break into your site.
Make sure your web hosting provider has security features like a web application firewall (WAF) and distributed denial-of-service (DDoS) protection. And in general, stay away from shady hosting providers if you want to keep your website safe. Bluehost is an example of a hosting provider with all the security features you need.
Step 2: Use HTTPS and an SSL Certificate
According to Harman Singh, director at cybersecurity services company Cyphere, encryption is a must-have for website security — considering that Google warns visitors when they access a website without SSL and puts such sites at a disadvantage when it comes to SEO.
An SSL certificate will encrypt the information that passes between your website and your visitors.
As Singh suggests, “Make sure that when setting up your site’s SSL certificate for a secure browsing experience, you don’t forget about enforcing expiration alerts so you always know it’s time to renew before it’s too late.”
If you use a great website platform or hosting service like Bluehost, SSL will be included for free. If this is not the case, you’ll need to learn how to use an SSL certificate yourself. If you want to learn more, here’s a guide on how to move your WordPress to HTTPS.
If you want an additional layer of security, you can purchase an advanced SSL certificate from your hosting provider, but unless you own a large online business, you should be good with a free SSL certificate.
Step 3: Set Proper Admin Rights
In 2020, 56% of critical vulnerabilities would have been mitigated by removing admin rights.
According to Jane Frankland (executive, influencer, author, and founder of the IN Security Movement), “Removing admin rights is one of the most basic, yet powerful and protective, measures an organization can take.”
The more people have access to a website, the more difficult it becomes to ensure that all security measures are followed.
An environment where administrative privileges are restricted — and fewer users can make changes — is stable, predictable, and easier to administer. Having said that, simply reducing the number of privileged accounts will not mitigate security risks.
According to the National Security Agency, below are best practices for controlling administrative privileges:
- Don’t allow local, non-service accounts to access the network: Deny remote access and make local administrators use machines physically at the console. If that’s not possible, make sure they’re using secure workstations.
- Restrict systems that privileged accounts can access: Since users may inadvertently expose credentials, limit the number of high-risk computers being used.
- Remove standard users from the local administrator group: Removing membership of standard user accounts from the local administrator group creates an additional barrier that potential attackers must overcome.
- Make sure administrative accounts don’t have email accounts or internet access: Privileged accounts should not be used to browse the internet, access email, or perform other tasks that involve processing potentially malicious information.
- Follow the principle of least privilege: Reduce the number of privileged accounts (e.g., the ones with domain admin credentials).
- Use multi-factor authentication: Add at least two MFA levels for privileged accounts.
- Manage passwords effectively: Require regular password changes, ensure passwords are different for different accounts, and keep passwords in an off-network location (like a safe).
Step 4: Get Strategic with Passwords
“New websites are susceptible to misconfigurations that can allow the site to be vulnerable to unauthorized access or information disclosure. This is mostly due to system administrators using default configurations and poor password protection.”
—Dr. Kellep Charles, Digital Protection Expert.
64% of sites have unencrypted passwords in their networks, which makes it easy for potential attackers to compromise systems just by tracking the network traffic.
When creating a new password, make sure it includes a mix of uppercase and lowercase letters and symbols, is not related to you in any way, and is changed on a regular basis. You can use a password management tool like LastPass to measure the strength of the password and to store it safely.
In addition to using secure passwords, these are some best practices to reduce the risk of account takeover:
- Restrict access to authentication URLs
- Limit the number of possible login attempts
- Use CAPTCHAs
- Add multi-factor authentication
The last one is particularly important. Unfortunately, only 12.84% of GitHub accounts and 9.3% of npm maintainers use MFA to protect their accounts, but this is one of the most effective ways to keep accounts safe, so make sure you implement it on your website.
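As an added example (not from the original article or any of the experts quoted), here is how two of the items above, limiting login attempts and never keeping passwords in the clear, look in a small Python login handler. It uses the standard library's scrypt for hashing plus a per-account lockout window; the in-memory user store, thresholds and function names are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed in-memory user store: username -> (salt, scrypt hash).
# Assumption: a real site keeps this in its database; names are illustrative.
USERS = {}
MAX_FAILED = 5        # lock the account after this many failures ...
WINDOW_SECONDS = 900  # ... within this window (15 minutes)
FAILED = defaultdict(list)  # username -> timestamps of recent failed attempts


def _hash(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; these parameters are a modest baseline
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))  # the plaintext is never stored


def _recent_failures(username: str, now: float) -> list:
    cutoff = now - WINDOW_SECONDS
    FAILED[username] = [t for t in FAILED[username] if t > cutoff]
    return FAILED[username]


def is_locked(username: str, now: float = None) -> bool:
    now = time.time() if now is None else now
    return len(_recent_failures(username, now)) >= MAX_FAILED


def login(username: str, password: str, now: float = None) -> str:
    """Return 'ok', 'locked' or 'denied'.

    Unknown users and wrong passwords both get 'denied' so the response does
    not reveal which usernames exist. 'now' is injectable for testing only.
    """
    now = time.time() if now is None else now
    if is_locked(username, now):
        return "locked"
    record = USERS.get(username)
    if record is None:
        _hash(password, b"\x00" * 16)  # same work either way, so timing does not leak existence
        FAILED[username].append(now)
        return "denied"
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):  # constant-time comparison
        FAILED[username].clear()
        return "ok"
    FAILED[username].append(now)
    return "denied"

# A per-account lockout alone lets someone lock a victim out by guessing badly
# on purpose; pair it with per-IP throttling and MFA, as the list above advises.
```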
Step 5: Keep Your Website Platform Up-to-Date
No matter which website platform you’re using, it’s important you keep your system up-to-date, along with its themes, plugins, and extensions.
According to Eric Florence, the best way to keep a website secure is to keep your current system completely up to date to limit the vulnerability of your website. Software updates usually include patches — or fixes — that cover the security flaws and keep hackers away. But that’s not enough. If you use plug-ins on your site, make sure they are constantly updated too.
Florence goes on to say that, “perhaps the biggest mistake that website owners make in terms of security has to do with updating their site. If you are using WordPress or any other website provider, it is vital that you keep your site and themes and plug-ins updated as much as possible. Whenever there is a new update available, download it ASAP. These updates not only add functionality, but they also add extra security.”
Step 6: Use Anti-Malware Software
Anti-malware is a software program that scans information technology systems or individual computers to detect, prevent, and remove malware.
According to Harman, using anti-malware software needs to be on your checklist when building a website — and it’s particularly important to have it in place before your website goes live.
He says that “if you are building a website, make sure that your checklist has an anti-malware tool or malware scanner. Malicious activities like installing malware on the web page can be prevented and illegitimate access to your site is difficult when this software is installed in advance of launching it on the Internet.”
Some antivirus products — like AVG — offer basic versions for free, which include blocking viruses, spyware, ransomware, and other malware; blocking unsafe links, downloads, and email attachments; scanning programs and files; and automatic security updates.
While antivirus software can protect you from traditional threats like worms and phishing attacks, for an additional layer of security you should also use anti-malware software, which focuses on broader, more advanced software threats.
Step 7: Install Security Plugins
To add a level of protection to your website, consider using security plugins and software.
As Bram Jansen, Chief Editor at vpnAlert, suggests, “Hackers can’t get into your site because of security plugins. Even the most up-to-date hosting platforms are vulnerable to some extent. No one can take advantage of them if you install these plugins. If you use a content management system (CMS) to create your website, you may augment it with security plugins that actively block website hacking attempts. Security plugins are available for all of the major CMS platforms, and many of them are free.”
When it comes to WordPress security plugins, there are many alternatives, based on the type of website you operate. Bulletproof Security and iThemes Security are two examples of security plugins you can use for additional safety.
If you’re using a different website platform, consider using software like SiteLock, which also offers daily monitoring for malware detection, vulnerability identification, active virus scanning, and more.
Step 8: Run Website Security Checks
To keep track of where you are with website security and be aware of any major risks, you should perform website security checks regularly — at the very least on a quarterly basis.
Website security checks consist of verifying the website’s availability, integrity, and confidentiality, as well as privacy and compliance with data protection laws.
ImmuniWeb provides a “Community Edition” free online test tool to check your website security, privacy and compliance.
You can also use a free tool like the SiteLock Scanner, which uses the “Risk Assessment” predictive model to determine a website’s likelihood of compromise. Patchstack also offers automated security checks and patching and helps you stay protected from plugin vulnerabilities.
Step 9: Run Regular Website Backups
One of the biggest mistakes website owners make is not having proper backups. Running regular backups is essential to mitigate data losses following a cyberattack or data breach.
“When running a website, data is currency. Having a solid hold on that data is critical for maintaining the integrity of the website. Creating a solid data backup plan through a reputable cloud service is a must. Cloud storage is perfect for data back-ups, as it is available from anywhere with a secure WiFi connection, meaning the back-up won’t be affected by a broken or damaged computer.”
—Kristen Bolig, Founder of SecurityNerd.
Here’s what Harman has to say about running website back-ups:
“Having a secure backup and recovery plan is a must-have because if the website or its content become corrupted in any way, it would be nearly impossible to get back up without disaster.”
A good backup solution will let you restore data from local storage devices. You can also take advantage of cloud-based solutions that offer automatic backups of your site at regular intervals.
As Harman suggests, “Take care when storing sensitive information on cloud computing services since they can’t guarantee complete privacy due to their reliance on third-party vendors/servers.”
We suggest that you use the 3-2-1 backup strategy (recommended by the United States Government) for maximum protection and availability:
- 3: Make 3 copies of all important files: 1 primary and 2 backups.
- 2: Keep the files on 2 different media types.
- 1: Store 1 copy offsite (e.g., outside your home or business facility).
Keep in mind that you can use a plugin like UpdraftPlus to run an automatic backup of your website.
What Are The Biggest Security Risks For New Websites?
We asked Neil John, tech enthusiast and software engineer at One Computer Guy, what new websites should worry about when it comes to security. Here’s what he thinks:
“As new websites have mostly weaker security and their defense systems are easier to break through, SQL injections are the most common security risks for them. Hackers try to access the back-end and database of the website to alter or delete the important information. SQL injections are inserted into a website through an application code to access the database. These codes are attached to an original code or query that travels in and out of the website to transfer data. In case there is a security flaw, the code enters the website, giving hackers access to the back-end and complete website data.”
According to digital protection expert Dr. Kellep Charles, there are other risks new websites should look out for: “Too often when a new website is put into production, configuration issues are often the most common problems that are associated with security incidents.”
Here are some of his top tips for securing a new website:
- Do not install the website with default settings. This is especially important with CMSs such as WordPress and Joomla. You should change the administrative usernames and passwords as well as the default URL used to reach the administrative login.
- Disable services and features that are not needed for the website to operate. Unnecessary services and features increase the attack surface of the website and add administrative tasks.
- Perform a web vulnerability scan before placing the website into production. Vulnerability scanning examines the whole site and the operating system looking for configuration deficiency and vulnerable services in an automated manner.
In short, new websites need to pay close attention to SQL injections. Together with Local File Inclusion (LFI) attacks, SQLi attacks represent almost 93% of the total vectors used against certain industries. If you recently built a website, make sure you manage the admin permissions appropriately, and disable features that you don’t need on your content management system. Before pushing the website live, run a vulnerability check to find holes.
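To make the SQL injection risk discussed in this section concrete, here is an added Python example (not from the article or the experts it quotes) that builds a constructed SQLite customer table and compares a lookup that pastes user input into the query text with the parameterized form that should be used instead; the table, sample rows and function names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a site's customer table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, plan TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "ann@example.com", "pro"),
        (2, "bo@example.com", "free"),
        (3, "cy@example.com", "pro"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The user-supplied value is pasted into the SQL text, so the database
    # cannot tell data from code: this is the flaw behind SQL injection.
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized query: the value travels separately from the statement
    # and is only ever compared as a string, never parsed as SQL.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal address and with the textbook
    quote-and-always-true input used in every SQLi tutorial, and return
    the row counts so a pre-production check can assert on them."""
    conn = make_db()
    benign = "ann@example.com"
    probe = "' OR '1'='1"
    return {
        "benign_safe": len(lookup_safe(conn, benign)),
        "probe_vulnerable": len(lookup_vulnerable(conn, probe)),  # leaks every row
        "probe_safe": len(lookup_safe(conn, probe)),              # matches nothing
    }
```

The same pattern applies to any database driver: build the statement with placeholders and pass values separately, and add a check like `demo()` to the vulnerability scan you run before going live.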
The Importance of Website Security: 3 Examples
To show you the implications that a cyber attack can have on a business, here are three famous examples of financial losses caused by cybercriminals.
Amazon, CNN, eBay, and Yahoo! — $1.2 Billion in Damages
On February 7, 2000, 14-year-old hacker MafiaBoy launched project Rivolta, a denial-of-service attack that overwhelmed the servers of Yahoo!, Fifa.com, Amazon.com, E*TRADE, eBay, and CNN, making their websites unresponsive to commands.
Senior analyst Matthew Kovar estimated $1.2 billion in global economic damages.
WannaCry — The Worst Ransomware Attack in History
In May 2017, the WannaCry ransomware cryptoworm attacked computers with the Microsoft Windows operating system by encrypting data and making files unusable. Each computer owner was asked for a ransom payment of $300 in virtual currency Bitcoin to unlock the files.
While Microsoft had released patches to avoid this ransomware attack, most of WannaCry’s spread was from organizations that did not apply these.
According to Europol, this attack was unprecedented in scale, encrypting data on at least 75,000 computers in 99 countries. As of May 2017, a total of 93 payments totaling $27,407.85 were transferred and have by now reached $500,559.92.
Facebook and Google — a $100 Million Phishing Attack
Between 2013 and 2015, Evaldas Rimasauskas and his co-conspirators created fake email accounts that looked like they were from Taiwan-based company Quanta Computer and sent phishing emails with counterfeit invoices to Facebook and Google employees who handled transactions with the Taiwanese firm.
Before being arrested, the cybercriminals received more than $100 million from the tech giants.
Wrapping Up: Make Your Website Secure
Cyber attacks are constantly increasing. Honeypot data shows an approximate 35% increase in total attack volume in 2020 compared to 2019.
Today, securing a website is important not only for large enterprises but also for small companies and online businesses. In fact, the gap between small and large businesses with regard to the number of breaches is much less pronounced.
You have three main options to make your website secure:
- If you use a content management system like WordPress, you won’t need to learn how to implement the steps in our list yourself. However, you still need to make sure all security checks are met and regularly update your website platform.
- If you build a custom website, you can use the latest technologies (like a web application firewall) to make sure you’re applying all security best practices.
- If you want to build a custom website but don’t want to use third-party technology, you should research OWASP (Open Web Application Security Project), a nonprofit source for developers and technologists to secure the web.
Ayal Abramovich, DevOps engineer at Elementor, explained that at his company, “developers work hard to mitigate known vulnerabilities or bugs that can lead to security breaches. Our company adopted the ‘OWASP top 10’ approach in order to avoid security breaches in our products. It’s very important to stay tuned with their latest version as the packages may include security patches.”
Despite their efforts to improve code with the goal of preventing attacks, there are many other variables that can cause website security breaches.
He went on and explained that “Despite our efforts to prevent attacks by improving the code, there are many other variables that can cause security breaches on websites. Therefore, customers who really like their website to be protected should place their sites behind a WAF (web application firewall). In today’s world, there are many providers that have WAF services and some of them even have out-of-the-box configuration.”
With that said, follow the steps in the infographic below to learn more about the importance of website security, and how to ensure your website is safe from cyber-attacks.