In the current climate it is essential that you understand the security issues surrounding your website. Discuss security from the outset with your web developer and have them explain how they will protect your site, and also what you and everyone using the site should be doing day to day to keep it secure.
Know your hosting company and your server control panel login details
If your site is compromised, the first step is to notify your hosting company, whether that is done by you, your developer or a security expert, so make sure you know these details, as you will need to act fast if your website is hacked. A common control panel is cPanel. Whatever yours is, make sure you know how to access it.
Discuss with your web developer what backup system will be set up for your website. Keeping a backup may be your easiest and best protection against an attack, as it allows you to turn back the clock. While this doesn’t prevent attacks, it does let you recover from them. Find out how frequently your site will be backed up and where those backups will be stored.
You should be backing up the files on your website and the website database.
This is normally done by the hosting company.
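As an added example (not code from the original article), the script below shows what "turning back the clock" involves in practice: the site files and a database dump go into one timestamped archive, a checksum is stored beside it, and a restore is refused if the checksum no longer matches. The web root and database are constructed stand-ins (a temporary directory and a SQLite file); on a real site the document root would be used and the SQLite dump replaced by the output of mysqldump.

```python
# Added example, not from the original article: back up a site's files and
# database into one timestamped archive with a checksum, then prove it restores.
# The web root and database are constructed stand-ins (a temporary directory and
# a SQLite file); on a real site site_root would be the document root and the
# SQLite dump would be replaced by the output of mysqldump.
import hashlib
import io
import sqlite3
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def dump_database(db_path: Path) -> bytes:
    """Export the database as SQL text (SQLite's equivalent of a mysqldump)."""
    conn = sqlite3.connect(db_path)
    try:
        return "\n".join(conn.iterdump()).encode("utf-8")
    finally:
        conn.close()


def create_backup(site_root: Path, db_path: Path, dest_dir: Path) -> tuple[Path, str]:
    """Archive the web root plus a database dump; return the archive path and its SHA-256."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"site-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname="files")
        dump = dump_database(db_path)
        info = tarfile.TarInfo(name="database.sql")
        info.size = len(dump)
        tar.addfile(info, io.BytesIO(dump))
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    # Keep the checksum beside the archive (and ideally off-site too) so a corrupt
    # or tampered backup is noticed before anyone restores from it.
    (dest_dir / (archive.name + ".sha256")).write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_and_restore(archive: Path, expected_sha256: str, restore_dir: Path) -> dict:
    """Refuse an archive whose checksum is wrong; otherwise extract it and reload the database."""
    actual = hashlib.sha256(archive.read_bytes()).hexdigest()
    if actual != expected_sha256:
        raise ValueError("checksum mismatch: backup may be corrupt or tampered with")
    root = restore_dir.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            # Reject entries that would be written outside the restore directory.
            target = (root / member.name).resolve()
            if target != root and root not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(restore_dir)
    conn = sqlite3.connect(restore_dir / "restored.sqlite")
    try:
        conn.executescript((restore_dir / "database.sql").read_text("utf-8"))
        posts = conn.execute("SELECT id, title FROM posts ORDER BY id").fetchall()
    finally:
        conn.close()
    files_dir = restore_dir / "files"
    files = sorted(p.relative_to(files_dir).as_posix() for p in files_dir.rglob("*") if p.is_file())
    return {"files": files, "posts": posts}


def build_demo_site(base: Path) -> tuple[Path, Path]:
    """Constructed stand-in for a small web root and its database."""
    site_root = base / "public_html"
    uploads = site_root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (site_root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (uploads / "logo.txt").write_text("logo placeholder\n")
    db_path = base / "site.sqlite"
    conn = sqlite3.connect(db_path)
    with conn:
        conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
        conn.executemany("INSERT INTO posts (title) VALUES (?)", [("Welcome",), ("About us",)])
    conn.close()
    return site_root, db_path


def backup_round_trip(corrupt: bool = False) -> dict:
    """Back up the demo site and restore it elsewhere; with corrupt=True, damage the archive first."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        site_root, db_path = build_demo_site(base)
        archive, digest = create_backup(site_root, db_path, base)
        if corrupt:
            data = bytearray(archive.read_bytes())
            data[-1] ^= 0xFF  # flip one byte, as bit rot or tampering would
            archive.write_bytes(data)
        restore_dir = base / "restore"
        restore_dir.mkdir()
        return verify_and_restore(archive, digest, restore_dir)


if __name__ == "__main__":
    print(backup_round_trip())
```

The restore step is the part most backup arrangements never exercise; ask your developer or host to show you a successful test restore, not just that backups are being written.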
The default user name for logging in is usually “admin”, and hackers know this. Ask your developer to set up accounts with custom logins for each user rather than a shared generic one. Know who is logging in and who has access to your site. It’s also wise to delete accounts as soon as they are no longer needed.
You can also ask your developer to hide the name of the person who added a post to your site, as by default that display name is also the login user name.
Use strong passwords: at least 12 characters, including numbers, symbols, capital letters and lower-case letters. Mixing different types of characters makes the password harder to crack. Don’t rely on common substitutions, either; for example, “H0use” isn’t strong just because you’ve replaced an o with a 0. Ensure passwords are changed regularly, and don’t use the same password for more than one site.
You may find it useful to use a password generator or password manager. Password managers such as LastPass, or even the built-in Google password manager, let you store passwords securely rather than writing them down.
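The rules above can be turned into a check that a developer might run when a password is set. The example below is added here and is not from the article: it enforces the 12-character minimum and the four character classes, and it undoes the common letter-for-symbol substitutions before looking for a dictionary word, so “H0use” is caught as the article says it should be. The word list is a small constructed sample; a real check would use a full breached-password list instead.

```python
# Added example, not from the original article: check a password against the
# rules the article gives. COMMON_WORDS is a constructed sample; a real
# deployment would consult a full breached-password list.
import string

MIN_LENGTH = 12

# Constructed sample of words an attacker's wordlist would certainly contain.
COMMON_WORDS = {"house", "password", "welcome", "summer", "letmein", "admin"}

# Substitutions that cracking tools undo automatically, so they add no strength.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def undo_substitutions(password: str) -> str:
    """Lower-case the password and reverse the common symbol-for-letter swaps."""
    return password.lower().translate(LEET_MAP)


def contains_common_word(password: str) -> bool:
    """True if, once the substitutions are undone, a dictionary word is embedded in it."""
    normalized = undo_substitutions(password)
    return any(word in normalized for word in COMMON_WORDS)


def check_password(password: str) -> list[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    if contains_common_word(password):
        problems.append("built on a common word (swapping 0 for o does not help)")
    return problems


if __name__ == "__main__":
    for candidate in ["H0use!2024xyZ", "Tr0ub4dor&3", "Quartz-Lantern-7Ferry"]:
        print(candidate, "->", check_password(candidate) or "passes")
```

A password manager sidesteps all of this by generating long random strings that never contain a word to begin with, which is why the article recommends one.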
Be careful with your error messages
Keep error messages as generic as possible. While you may want to be helpful to users, don’t give away information a hacker can exploit. For example, when a username and password are entered incorrectly, the error message should be a general one. Saying that the password is wrong but the username is right tells the hacker that the username exists, so they can focus their guessing on it.
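To make the point concrete, here is an added example (not code from the article) of the same login check written two ways. The first version reports which half of the credentials was wrong, which is exactly what the article says not to do. The second returns one generic message, does the same amount of password-hashing work whether or not the username exists (so response timing gives nothing away either), and keeps the real reason in a server-side log where it is useful for spotting guessing attempts. The user store is a constructed in-memory sample.

```python
# Added example, not from the original article: a leaky login check beside a
# hardened one. USERS is a constructed in-memory sample; AUDIT_LOG stands in
# for the server's authentication log.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000
GENERIC_ERROR = "Invalid username or password."
AUDIT_LOG: list[str] = []


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


_SALT = os.urandom(16)
USERS = {"editor": (_SALT, hash_password("Quartz-Lantern-7Ferry", _SALT))}

# Dummy credentials hashed for unknown usernames so that the failing path costs
# the same time as a real check; otherwise response timing reveals the answer.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder-never-matches", _DUMMY_SALT)


def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """Leaky version: the message confirms whether a username exists."""
    if username not in USERS:
        return False, "Unknown username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Password is wrong."
    return True, "Welcome."


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Hardened version: one message, one code path, detail kept server-side."""
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    if known and matched:
        AUDIT_LOG.append(f"login ok user={username}")
        return True, "Welcome."
    # The specific reason is worth logging for detection, never worth showing.
    reason = "bad-password" if known else "unknown-user"
    AUDIT_LOG.append(f"login failed user={username} reason={reason}")
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(login_verbose("nobody", "x"), login_verbose("editor", "x"))
    print(login_generic("nobody", "x"), login_generic("editor", "x"))
    print(AUDIT_LOG)
```

The same principle applies to "forgotten password" and registration forms: respond identically whether or not the address is known, and put the detail in the log rather than on the screen.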
Installing Hyper Text Transfer Protocol Secure (HTTPS)
Does your site need to operate over HTTPS? Hyper Text Transfer Protocol Secure governs how data is protected as it passes between the website and the user. Sites that collect and transmit personal information should encrypt that data so it remains private as it travels between the server and the user.
“You can make your site secure with HTTPS (Hypertext Transport Protocol Secure), which protects the integrity and confidentiality of your users’ data. For example, when a user enters data into a form on your site in order to subscribe to updates or purchase a product, a secure site protects that user’s personal information and ensures that the user communicates with the authorized owner of the site.” Google
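Installing a certificate is only half of "operating with HTTPS"; the site also has to refuse to serve over plain HTTP. The following added example (not code from the article or from Google) shows that half as a small WSGI middleware: plain-HTTP requests are answered with a permanent redirect to the same path on https://, and HTTPS responses gain a Strict-Transport-Security header so returning browsers skip HTTP altogether. The wrapped application, the host name example.com and the requests are constructed stand-ins.

```python
# Added example, not from the original article: WSGI middleware that forces a
# site onto HTTPS. demo_app, example.com and run_request are constructed
# stand-ins; the middleware itself is plain WSGI.
from urllib.parse import quote

HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def force_https(app, canonical_host: str, trust_forwarded_proto: bool = False):
    """Wrap a WSGI app so it is only ever served over HTTPS."""

    def middleware(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        # Behind a TLS-terminating proxy the original scheme arrives in
        # X-Forwarded-Proto; honour it only when such a proxy really is in front,
        # because any client can send that header directly.
        if trust_forwarded_proto and "HTTP_X_FORWARDED_PROTO" in environ:
            scheme = environ["HTTP_X_FORWARDED_PROTO"]
        if scheme != "https":
            # Redirect to the configured host, not the request's Host header, so
            # a forged Host header cannot turn this into an open redirect.
            path = quote(environ.get("PATH_INFO", "/"))
            query = environ.get("QUERY_STRING", "")
            location = f"https://{canonical_host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            return start_response(status, list(headers) + [HSTS_HEADER], exc_info)

        return app(environ, start_response_with_hsts)

    return middleware


def demo_app(environ, start_response):
    """Constructed stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"subscription form"]


def run_request(app, scheme: str, path: str = "/subscribe", query: str = "plan=pro"):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {
        "wsgi.url_scheme": scheme,
        "REQUEST_METHOD": "GET",
        "HTTP_HOST": "example.com",
        "PATH_INFO": path,
        "QUERY_STRING": query,
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secured_site = force_https(demo_app, canonical_host="example.com")

if __name__ == "__main__":
    print(run_request(secured_site, "http"))
    print(run_request(secured_site, "https"))
```

In most hosting setups this redirect lives in the web server or the hosting control panel rather than in application code, but the behaviour to ask your developer for is the same: every http:// address lands on its https:// equivalent, and the HSTS header is present.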
Installing additional security plugins
Discuss with your web developer which additional security plugins they intend to install. Security plugins can help reduce the risk of your website being hacked by offering several features that protect it from known vulnerabilities.
Some examples we use on WordPress:
- Wordfence: offers a firewall that helps stop attacks on the website, scans the site for malware and alerts the webmaster quickly if the site is compromised.
- iThemes Security, Away Mode: as most cyber-attacks happen at night, this plugin disables access to the WordPress Dashboard for a set period.
Check that your developer has registered your site with Google Search Console. This is a free service from Google that helps you monitor and maintain your site’s presence in Google Search results, and it also lets you monitor and resolve security issues such as hacking and malware. Once the account is set up, make sure you have access to its log-in details in case your site is hacked.
“61% of webmasters who were hacked never received a notification from Google that their site was infected because their sites weren’t verified in Search Console.”
General security practices for daily users
Keep your website software updated
Hackers use automated scripts to scour the internet for websites running software with known security issues. To help prevent this, always make sure your software is up to date. Popular content management systems like WordPress are constantly patching security issues, so keep a regular eye on your website dashboard, which will notify you of the latest updates.
Update third party plugins
Keep third-party plugins updated. These are pieces of code added to your site that let you alter and extend it; keeping them at the latest versions helps prevent hackers from exploiting known weaknesses in the code.
Keep your passwords safe and don’t share them with anyone. You should also learn how to change your password so you can do this regularly.
If users receive an email asking them to confirm their identity or to share sensitive information, they need to be 100% confident the sender is legitimate. Never give out confidential information like passwords, credit card numbers, or even your birth date.
Think before you click:
- If you receive a strange or suspicious email containing a link or attachment and you’re uncertain who it’s from or exactly what it is, do not click on it. A quick call to the person who apparently sent it can confirm whether it’s legitimate. If you believe an email is a scam, delete it and then remove it from your ‘deleted emails’ folder as well.
- If you suddenly find files that you can no longer open or that appear corrupted, or if a warning appears on your screen saying your files are encrypted, turn off your machine and let your IT support provider know immediately so that they can take the right steps to limit the damage.
What to do if your website is compromised
- Your first action should be to contact your hosting company, as they may be able to help you recover your site more quickly.
- Get your website taken offline. This helps prevent further damage to your search rankings and stops users being infected if malware has been installed.
- Check all your user accounts, make sure there are no unknown users, and reset all passwords.
- Check whether you have any out-of-date software.
- Log into Google Search Console and review the Security Issues section to find out the details of the attack.
- Get your site scanned and cleaned of all the hacked content. Consider using a security expert, who will be able to remove every last scrap of malware, work out how the hackers gained entry, and secure your site.
- Submit a review request in the Security Issues section of Search Console once your entire website is clean and secure. After Google checks that your site is fixed, they’ll remove the “This site may be hacked” message.
- Google will not rank websites that are unsafe, so it is best to get the problem sorted as soon as possible. Once your site is back up and working, keep a close eye on it to make sure you have properly fixed the issue and the hackers cannot regain access.