Website security

Website security – keeping the bad guys out


Website security, like much of what we do on the web, is something we all take for granted. Whether it’s online banking, shopping, or booking cinema or theatre tickets, we just assume that everything will work as and when we need it to. A well built and managed website should continue to work as intended with little or no trouble in spite of the best efforts of the more shady characters out there.

A hacker is someone who illegally gains access to and sometimes tampers with information in a computer system or in this case a website. Their motivation for hacking into a website can be anything from using the site to spread malware or send spam through to stealing personal information. Sometimes they do it just because they can.


A really determined hacker can bypass all but the best website security. There’s a reason why large companies spend vast amounts of money to ensure that their data is safe.

If you think that you don’t need to pay any attention to website security, or that your website is too small to be a target, think again. Hackers use software to scan huge numbers of websites for vulnerabilities that they can use to gain access, so if your website has any weaknesses, sooner or later they will find them.

However, there’s no need to panic. Whilst it is very difficult to guarantee a website won’t be hacked there are a number of simple steps you can take to minimise the chances of it happening to you.

  1. Use strong passwords

    – According to SplashData the worst passwords in 2015 were 123456, password and 12345678. You can view the full list here. A strong password consists of 6 or more characters that are a combination of letters, numbers and symbols. Of course, one of the reasons people use weak passwords is that they are easier to remember, so the trick to setting a good strong password is coming up with a way of recalling it. One way of doing this is to take a sentence like “My favourite film is Back to the future 3” and then use the first character of each word. So in this example the password would be MffiBttf3. That’s not bad for a first attempt, but it could be stronger with more characters and symbols. Another option is to use a password manager to keep track of all your passwords for you. All you have to do is remember the strong master password and it does the rest for you. If you regularly access password protected sites across different devices, make sure that you choose a password manager that supports all the different platforms including web, iOS and Android. Finally, make sure that you secure all your devices with a strong password, not just your website admin area. If hackers can gain access to your computer then they could install software such as a key logger to obtain your website password.

  2. Keep your website up to date

    – Web technologies are constantly advancing and out-of-date software poses a security risk. Most content management systems like WordPress are regularly updated to patch website security problems discovered since the previous release. It is these problems that hackers target, so it is essential that you take advantage of any updates as they are released. The same goes for any add-on software or plugins, as these are a common point of entry for hackers. When updating software or plugins there is a small possibility that the update may break your website. Whilst this is unlikely, you are advised to take a back up of your website files and/or database before proceeding – see point 3 below. That way you can always restore your site to a time before the update was applied. You should be OK applying minor updates (e.g. 1.11 to 1.12), but if you are in any doubt speak to your web developer first.

  3. Take regular back ups

    – A good back up strategy may enable you to roll back your site to before any security breach occurred. You can then patch the vulnerability or update software and be up and running quickly. If you don’t have a satisfactory back up solution, discuss your options with a web developer or the person who built your site. It is important to be able to make back ups of both the site files and the database. You may already have limited back up functionality included as part of your hosting package, but quite often you have no control over how often these back ups are taken. If you are running your site on WordPress there are numerous cloud based back up solutions that enable you to choose how often back ups should occur, how long to retain them for and where they should be stored, such as Dropbox, Google Drive or Amazon Drive.

  4. Scan your website files regularly

    – This is essential to identify any changed or rogue files. Some website security solutions allow you to schedule regular scans and email you the results so that you get an early warning of problems. A good plugin should enable you to restore original files where they have been changed as well as delete/quarantine them. As always you should have a recent back up of your website files and database before making any changes.

  5. Install antivirus software

    – Install it on any computers you use to access and update your website. To be honest you should be doing this regularly anyway if you value the data stored on your computer. It is especially important if you use a computer or device to update your website, as you run the risk of hackers capturing your password or infecting files which you may unwittingly upload to the web server. If you use public computers be extra careful and always use safe browsing/incognito mode.

  6. Connect to Google Search Console.

    – Formerly Google Webmaster Tools, this is a service that lets you monitor your website and optimise its visibility in search results, as well as provide you with advance warning of any website security issues. Once connected, Google’s robots will index the contents of your site, crawling each and every page, and use this information to compile its search results. If, in the process of crawling a page, Google discovers any suspicious code it will flag this up in your Search Console. Depending on how serious it deems the issue to be and how long any warning messages are ignored, you may find that Google places your site behind a warning screen and hits you with a search engine penalty. Both of these are enough to slow traffic to your site to a trickle, so it’s in your interest to detect problems early. Whilst you’re at it you may as well connect your website to Google Analytics, which is a free Google service that tracks and reports website traffic. Aside from a wealth of useful data about how visitors are using your site, significant changes in browsing patterns may be an advance warning of a problem. You can sign up to both services using a free Google account, although depending on your level of expertise you may need a web developer to make the necessary changes to your website.

It’s worth pointing out that all of the above steps are ongoing actions you should be taking on a regular basis. They are over and above any steps taken by your web developer to secure the site when building it.

None of the above website security tips guarantees that your website will not be hacked, but together they go a long way to making it more difficult for the hackers and will give you some peace of mind. If you need any support in securing your website, please call now on 01157 841 070 or send a message.