How Do You Prevent Your Website From Being Hacked?

Hanna Landis
7 min read · Jun 15, 2021

On May 7, Colonial Pipeline — one of the largest oil pipelines in the nation — was hit by a ransomware attack, forcing it to shut down. Since Colonial is one of the main pipelines servicing the southeastern U.S. and the East Coast, panic ensued at gas stations across the region. In the end, the company paid out $4.4 million in ransom ($2.3 million was later recovered by U.S. law enforcement).

Cyberattacks like that only happen to large businesses, though, right? Not exactly. According to CNBC, 43% of cyberattacks are aimed at small businesses. Not only that, but the average business ends up paying $200,000 to fix a security breach.

Preventing your website from being hacked starts here: with an awareness that none of us are immune to cyberattacks. While we often hear about major events like Colonial, we largely ignore the everyday occurrences of attacks on small business websites.

You’ve put a lot of time, energy, and money into establishing your business. It’s time to dig into your website security and make sure your hard work and finances are protected. Let’s make sure you don’t become another cybersecurity statistic by following these steps to prevent your website from being hacked.

Different Ways Your Website Can Be Hacked

Before we learn how to protect your website, let’s take a quick look at the different ways your site could be hacked. It’s difficult to find the motivation to secure your website if you don’t fully understand its vulnerabilities.

There are several different ways a hacker can damage your website, mess with your data, or ultimately cause you to lose money. This is by no means an exhaustive list, but these are a few examples of how a website can be hacked:

  • Phishing: Hackers contact you, your employees, or even your clients using your company branding or an email address that is strikingly similar to one your company would use. The goal with phishing is to collect personal information or company information that will give them access to your site.
  • Ransomware: When ransomware is installed on your system (usually through a phishing scheme), the hackers hold your data hostage for a ransom.
  • Malicious Code: Anytime a hacker is able to embed malicious code on your site, it could affect your hardware, your website visitors, and even prevent you from accessing your own site.
  • Distributed Denial of Service (DDoS): Hackers use bots to flood your site with fake traffic that could cause your site to crash.
  • Google Hacking: This uses Google Search to find security vulnerabilities in a website’s code.

Whether you’ve experienced one of these cyberattacks or not, the goal for the rest of this article is to show you how to keep your website safe from any future hacks.

How to Secure Your Website

Preventing your website from being hacked is easier than you think if you know what steps to take. These are 7 basic things that any website owner can do to help secure their website, whether they’re tech-savvy or not!

Keep Your Software Up To Date

As hackers continually learn how to circumvent security features, software is always advancing and updating to prevent breaches. However, your software isn’t as secure if it isn’t up to date. If you’re using a CMS like WordPress, Wix, or Squarespace, it is especially important to continually update your plugins and theme, two major sources of security breaches.

Check to see if any of your software offers automatic updates. If so, turn that feature on for peace of mind. For any software that doesn’t automatically update, create a schedule to regularly check for and install updates.

Install an SSL Certificate

SSL stands for Secure Sockets Layer. When you install an SSL certificate on your website, it encrypts the data that is passed between you and your visitors (login credentials, payment details, etc.).

This step is vital if you have an eCommerce site or collect sensitive data from your clients. However, it is also important even if you don’t do any of those things. By having an SSL certificate, you are communicating to your customers that you care about their data and that your website is secure.

Not sure if you have this layer of protection? You can always double-check by typing in your URL. If your website URL says HTTP:// before your address, and there is no padlock image, then your website is not secure. A locked padlock and HTTPS:// is your indicator that an SSL certificate is in place.
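The padlock only tells you a certificate is present today; it does not warn you that it is about to expire. The script below is an added example, not part of the original article: it performs the same check from code and reports how many days remain. The 14-day warning threshold and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_certificate(hostname, port=443, timeout=5.0):
    """Connect over TLS and return the validated peer certificate as a dict.

    create_default_context() verifies the chain and the hostname, so an
    expired, self-signed or mismatched certificate raises
    ssl.SSLCertVerificationError instead of returning.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Whole days left before the certificate's notAfter date (negative if past)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (expires - now).days


def certificate_status(cert, now=None, warn_days=14):
    """Classify a certificate; warn_days is an assumed renewal margin."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "renew soon"
    return "ok"


# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {"notAfter": "Sep 13 12:00:00 2021 GMT"}

if __name__ == "__main__":
    import sys
    # Pass your own hostname as the first argument to check a live site.
    cert = fetch_certificate(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(certificate_status(cert), days_until_expiry(cert), "days left")
```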

There are several ways to add an SSL certificate to your website.

  1. Download and install a free certificate from Let’s Encrypt.
  2. Check with your website host or CMS to see if they offer a plan upgrade that includes an SSL certificate.

Not only does the lack of a certificate keep your website vulnerable to hackers, but it can also damage your reputation with visitors (and search engines). If your site poses a risk to visitors, search engines may flag it, deterring them from ever clicking on your website.

Upgrade Your Passwords

Verizon’s 2021 Data Breach Investigations Report reminds us that simple brute force hacking (an attacker guessing your password combo over and over until they gain access) is still a huge issue for website owners. In fact, 89% of attacks on web applications were accomplished through brute force or stolen credentials.

The easiest way to prevent this from happening is to beef up your passwords. Here are a few tips:

  1. Use a combination of letters, symbols, and numbers that aren’t easily recognizable (one of the top passwords is still 123456 — you can do better!).
  2. Change your password regularly.
  3. Set up two-factor authentication for you and any other user or client login. This extra level of security goes a long way in preventing a hacker from breaching your site.

Consider Updating to a Paid Theme

Using a free theme is incredibly tempting, especially if you built your website yourself and are trying to keep costs low. However, these free themes are a type of open-source software, and while many are safe, there are those that aren’t built well and don’t include regular updates. These themes are much more vulnerable to being hacked. Hackers exploit vulnerabilities in the code (a.k.a. poorly written code or code that is simply accessible since it is open source) and wreak havoc on your site.

If you aren’t ready to upgrade to a paid theme, there are a few other things you can do to protect your website:

  1. Regularly check for theme updates to make sure you have the latest version.
  2. Research the source of your theme before you use it. Some developers of free themes have a great reputation for creating solid code that is safe for your site.
  3. Install anti-malware software to scan for malicious code (more on that below).

Install Anti-Malware Software

Regardless of what platform or website host you are using, you should have some form of anti-malware software in place. Some website hosts or CMS platforms provide free software or already have it installed when you create your site. Double-check your plan to see what you are paying for (and what you aren’t paying for) before downloading new software. You may have a free anti-malware plugin already waiting for you.

What does this software do? Depending on what you have installed or access to, it can scan for malicious code, detect and remove malware, patch vulnerabilities, and even protect against DDoS (distributed denial of service hacks that we talked about above).

Back Up Your Data

If there is one thing every website owner should know, it is that the best protection against getting hacked is to have a current backup of all your data. The thing is, cyberattacks are sometimes unpreventable (and they are certainly unpredictable). Despite your best efforts, websites get hacked every day. To keep your business and your website safe, always keep a current backup of your site. That way, if you do get hacked, you are able to get back up and running much faster.

The majority of the cost associated with cyberattacks (apart from ransoms paid) is income lost due to downtime and money spent trying to recover data. You can spare yourself from both expenses by having all of your data in a secure backup should the worst happen to your website.

Teach Yourself (and Your Team) How to Recognize Social Engineering

The data regularly shows that a majority of website breaches involve humans. In fact, in the latest report on cybersecurity, 85% of incidents involved a human element. What does that mean for you and your website? It’s time to learn how to recognize social engineering.

Social engineering is a term used to describe a method hackers employ to gain personal information. This happens in the form of phishing emails that convince you to click on their links and enter personal login details, or text messages appearing to be from a co-worker or boss asking for a “favor” that involves revealing personal data.

If the biggest potential for being hacked rests with you and your team, then personal education is a must. Take a course on cybersecurity and how to recognize common schemes. Remind your employees to avoid quizzes and personal questions they see online (especially on social media). You know the ones. “If you got married where you first met your spouse, where would that have been?” It seems like fun and games, but what you’re doing is publicly sharing the answer to one of your security questions. If you’re tempted to participate in a quiz or answer a question on your friend’s wall, pause and think about whether or not the answers are linked to common security questions:

  1. Where you and your spouse met
  2. Your first car (make and model)
  3. First job
  4. Favorite teacher’s name
  5. City where your mom or dad was born
  6. Name of your first pet

The list could go on and on, but I think you get the idea. With more and more of our lives lived online, there are opportunities everywhere for hackers to access our personal information. Don’t give them the privilege of gaining access to you.


Hanna Landis

Freelance Developer | Designer | Girl who knows Code | Coffee Lover | SAHM