Contents
How to protect your website from hackers
Jul 08, 2024
By Chelsea Knoll
Is your home safe?
Your website is the digital home of your business– just as you wouldn't leave your actual door unlocked and let intruders wander into your house, you wouldn't leave your digital home vulnerable, right?
So, let's talk about how to protect your website from hackers.
Can your website be hacked? Absolutely
The Internet is full of unsavoury characters looking for an easy score. And they're getting bolder. Trust us– it's no longer a matter of if, but when.
Today's hackers are very sophisticated, with a lot of reasons to target small businesses websites. They use a variety of tools and techniques to exploit any vulnerability they can find, and they're not just interested in data anymore (in case you were thinking "But my site doesn't store sensitive information, so why would hackers bother?").
Some are after money, stealing credit card information or holding sites ransom. Others want to use your site to distribute malware to unsuspecting visitors, using you to infect your customers. And some just hack for the thrill of it, to prove they can, leaving a trail of digital destruction in their wake.
What's at risk?
Okay, so your site gets hacked, and you just roll back. No big deal. You'll call your IT guy, he'll sort it out. Done.
Honestly, we wish it was that simple. But a malicious attack isn't always that easy to get over.
- Over 30,000 websites are hacked every single day (Forbes)
- 43% of hacks and cybersecurity threats target small businesses (CNBC)
- 60% of small businesses go out of business within 6 months of an attack (INC)
- On average, it can take over 100 days to even discover you've been breached (IBM)
We're not trying to scare you. But this isn't a problem that will go away.
Businesses that don't take website security seriously end up dealing with:
- loss of customer trust from data breaches, or from your compromised website infecting them
- major financial losses from paying ransoms to gain access to your own site, recovering data, fixing the breach, restoring your website (if you even can)
- getting on a Google blacklist and experiencing serious negative SEO impacts like quickly dropping keyword rankings on search engines
- loss of revenue from not being able to run ads (because ad platforms will shut your ads down instantly when they detect malware)
And so much more.
How does a website hack work?
Essentially, cyber attackers use vulnerabilities in your system like out-of-date plugins, old CMS themes, leaked passwords, etc to gain access and inject malicious code into the code of your site. These malware infections can sit there, undetected, for months before hackers activate them and actually take down your site - by which time the infection has spread, making it so much harder to find and eradicate. It also usually means most of your site backups are compromised as well (they also contain malicious code) which is why you can't just roll back your site.
So, how do you protect your website from hackers?
You have to approach cyber security with a multi-tiered approach. Think of it like locking your home, having a security camera and taking out a home insurance policy. There's no such thing as being too safe. So, here are a few security measures you should take.
Most of these are aimed at WordPress websites, mainly as WordPress sites are the primary target of hacks– in 2022, 96.2% of infections happened on a WordPress site. Which makes sense given WordPress websites are also the most popular CMS option.
Updating the theme and CMS
Think of your website's theme and Content Management System (CMS) like the operating system on your phone. Just as you eagerly await those updates to squash bugs and introduce shiny new features, your website needs that refresh too. Updating your theme and CMS closes security loopholes that hackers love to exploit, and (as a nice bonus) keeps your WordPress site running smoothly.
Update your plugins regularly
Plugins add a lot of really cool features to your WordPress website, from fancy contact forms to social media feeds. However outdated plugins are a massive security threat. WPScan found that 97% of the vulnerabilities tracked in their database were a result of plugins, with over 7000 known vulnerable plugins. So, you should be checking and updating these plugins at least once a month. This allows you to check if there are any known vulnerabilities in recent plugin updates, patch these up and keep your site's defences sharp and ready.
Delete any unnecessary plugins (and be careful about what you install)
Mo plugins, mo problems. Having a bunch of unused plugins is like hoarding old, rusty bikes in your garage. They take up space, slow you down, and, worse, could give tetanus to your website (metaphorically speaking). Keeping it clean and tidy and getting rid of old junk means less risk, less plugins to update and maintain, and of course, better security.
And, when you're looking at installing plugins to get new features, be careful. Given the open-source nature of WordPress where any user can contribute a plugin, there are fake plugins out there waiting to infect you with malicious code. WP-Base-SEO is an example of a fake SEO plugin that did the rounds, affecting thousands of websites.
Maintain strong password security practices
Your password is the key to your digital home. Crafting strong, unique passwords for your website's various access points is crucial. Mix in upper and lowercase letters, numbers, and symbols to create a less vulnerable key.
Once you have a strong password, put it somewhere safe. Use a password management system like LastPass, Bitwarden or Passbolt, set up two-factor authentication, and limit users who can access these passwords.
Limit user access
Like we said, don't give out access to everyone. Not everyone who works in the business necessarily needs to have website access. Reducing the number of users minimises the risk of accidental or intentional breaches, keeping your site secure from both external and internal threats.
If you do need to add certain people, don't give them access to the main password. Create specific user roles, with their own login credentials, and limit the access to the tasks they need to conduct. There are several different non-admin roles you can assign:
There are several different roles you can assign to users
Contributor
This role can add content, but not delete existing content. They can edit their own posts but can't publish without approval. They also can't access the media library or upload images.
Author
This role can influence all of their own content– writing, editing, deleting and publishing, with image access, but cannot make updates to other users' pages.
Editor
This role is really flexible, allowing them to influence content across the site, manage content and update links.
Install security plugins
An absolute must-have is a strong security plugin like Wordfence that can do regular vulnerability scans and detect malicious attacks before they take root. It's like having a guard dog that barks when a potential intruder seems to be sniffing about. Even at its free tier, this website protection plugin has some seriously useful features, though their premium tier is worth the extra peace of mind.
Enable the HTTPS version of your site
If you're working with an SEO agency that knows its stuff, this should already be done, as websites without SSL certificates have negative SEO impacts. But if you haven't already, purchase an SSL certificate for your domain to encrypt the data exchanged between your website and its visitors, ensuring that sensitive information remains confidential and tamper-proof. It also tells your visitors their safety is your top priority.
Backup your site regularly
Regular backups are your safety net, in case of a security threat you couldn't prevent. If something happens, you can restore your website with a backup, minimising downtime and data loss. And take several backups– it's always a good idea to have your own backups even if your hosting company offers database backups as well. As an example, with Dilate hosting, we take multiple backups through multiple sources so even if one version is compromised, we've got a safety net for our safety net.
You should backup on a daily basis if you have the capacity, or at least as often as you make key changes, to avoid losing that progress if you have to restore the old version. Keeping in mind that sometimes malicious code is hard to detect for a long time before it rears its ugly head, so the less backups you have, the further back you'll need to go.
Sign up for website maintenance services
Keeping a website as secure as you can is an ongoing battle. Signing up for a website maintenance plan means having a team of experts dedicated to ensuring your site runs smoothly and securely. They're on standby to address any vulnerabilities, apply necessary updates, and conduct routine check-ups, acting as the technical support crew that keeps your website robust and secure against potential threats.
Get a reliable hosting provider
Your choice of web hosting company makes a huge difference. Opting for a reliable hosting service is crucial, as it ensures your site remains accessible, loads quickly, and is fortified with essential security features. Look further into their hosting packages, and how their shared web servers operate. Think of it like having an apartment in a large apartment block– some nicer apartment blocks have amazing locks on the doors, security guards out front and spacious rooms, others have dingy locks that are almost falling apart, roaches in the walls and every unit is cramped up like a tin of sardines.
If you can, go local. An Australian hosting company usually means faster server response times and better customer service.
Educate employees on cybersecurity
95% of cyber breaches are a result of human error. Educating your team on the dangers of phishing, the importance of strong passwords, and safe website practices (like making sure plugins are from reputable sources) is as important as any other internal training.
Does this mean your site won't get hacked?
If you implement all of the above security measures, congrats. Your site is significantly more secure. But it's not invulnerable.
Hackers can still use brute force attacks or exploit new vulnerabilities that emerge. It's a bit like an arms race; as defences get better, attackers refine their tactics too. So, while these steps greatly reduce your risk, staying vigilant, keeping everything updated, and regularly reviewing your website security are key to staying one step ahead of potential threats.
Complacency is as dangerous as a vulnerable plugin.
Can a hacked site recover?
If you're staying on top of it, maybe. If you've got regular database backups, and you're doing checks once a month, and you have website security plugins doing daily scans for malicious code, the impact should be minimal. There should be an easy version of your site to roll back to, with some work to catch up on any lost progress.
But that's not always the case.
Imagine a hacked website with no regular maintenance. You have malicious code sitting in the backend, slowly leaking into all areas of your site code. 6 months later, out of nowhere, your site crashes. You install the latest backup– two days later, it happens again. Your backups are infected. Your rankings are crashing.
And the worst part is, once you're in that situation, finding the malicious code is an open-ended solution. You're spending thousands and thousands of hours of dev time for developers to manually check your website code line by line to find hidden infections. Which may not even fix it.
You have to roll back the site by months, and two years later, your SEO and search rankings haven't recovered. So much money, time and resources lost.
This isn't a hypothetical. This is something we've seen happen to a business that came to us for help.
And there are so many more stories like this. Don't let your site be one of them.
Ready to safeguard your site?
So, where to from here? If you're feeling a bit overwhelmed, and a bit nervous, don't worry. We get it. There's a lot to be done to protect your website, so it helps to have a security pro on your side. At Dilate, we offer hosting and maintenance packages to routinely update and monitor sites, so you can rest easy knowing your site is in safe hands. We'll work together to create a secure digital environment for your business– reach out today for a security audit and game plan.
RELATED BLOG
What is brand positioning, and how is it crucial to your business?
What is a customer journey map and buyer persona?
Here are some of the most common copywriting mistakes, and how to avoid making them
A lesson in decoding digital marketing terms
What is brand positioning, and how is it crucial to your business?
What is a customer journey map and buyer persona?
Here are some of the most common copywriting mistakes, and how to avoid making them
