How to Protect Your Website from Hackers in 2022
Today, having a website is essential for business growth and customer outreach. While corporate websites have the potential for tremendous business growth and success, they can also become a nightmare if they are not properly secured. Each year, one in three Americans are victims of a hacking attack, and that number is rising with an increasingly web-driven business world. As online business transactions are increasingly the norm, protecting your company’s website from attacks is imperative.
Hire a Website Maintenance Company
In the battle against hacking attacks, calling in the experts to help is an essential strategy. A website maintenance company can help out in several ways, including installing anti-malware software to scan for attacks and prevent them from happening. A web maintenance company can install a Secure Sockets Layer (SSL) certificate on your company’s website that allows “good” users such as your customers to access the website while keeping hackers out. A quality website maintenance company will provide you with ongoing support and a tactical plan to help keep your website safe and protected.
Require Strong Passwords
Strong passwords are a great way to thwart hacking attacks. Your website should require passwords to include the following:
- to be at least eight characters long
- include at least one uppercase letter
- include at least one numerical digit
- a special symbol, such as an !#$%&@ to make your password even stronger
Strong passwords are especially vital for administrator level user accounts, FTP/SFTP accounts and databases.
Additionally, using the same password for multiple sites and accounts can cause problems. Each of your websites and user accounts should have their own unique set of passwords. Make sure not to use common words such as “password” and do not use the same password for your website as your do for your personal email or social media accounts.
An advanced tip is making sure to “salt” your stored database passwords. Password salting is a technique used to make it very difficult to decrypt a stored password. Using this technique makes your passwords even stronger and can help minimize damage if a breach does occur.
Remove Old User Accounts and Form Data
If your website offers user accounts to your visitors, it is important to review those accounts regularly. It’s not uncommon for a website to have thousands of registered users and many of those that have not logged in for years. To protect your website, your users and their personal data, it is best to remove inactive accounts. This can be done by deleting user accounts after a set amount of inactivity, such as 2 years. It is best to notify users a few times before their account is removed to avoid accidentally deleting an account a user wants to keep. Another option is to keep the account active, but remove the private data such as names, addresses, email, phone number and payment data.
Old form data is an area many websites miss when they are monitoring their site. There can be a large amount of sensitive data stored in old form submissions that would be a prime target for hackers. It is best to automatically delete all form data after your site has used it for its intended purposes. If you need to keep some of the data permanently, make sure to store that in one secured area of your database and then delete any other references.
If you have to store sensitive data such as a person’s social security number, credit card or birth date, make sure to use high encryption methods for storing the data. Often it is best to use third-party data storage for these types of items. Two of our preferred data storage partners include Amazon EC2 and Google Cloud Storage.
Keep Software Updated
Keeping your software updated is a simple and effective way to make your website more secure. This includes updating software on both the web hosting server, as well as software on your website itself. Hackers will look for holes and soft spots in software that they can easily exploit. Keeping software updated is easiest if you use a managed hosting solution to perform software security updates automatically. However, if you are using third-party software, you will need to fix any potential security soft spots when they arise. You can join an RSS feed or a mailing list to get instant updates about any possible website security issues and respond accordingly.
For WordPress websites, it is very important to keep all your themes and plugins updated regularly. Some web hosts will do this for you, while others expect you to keep everything updated yourself. Outdated themes and plugins are the number one way hackers maliciously access a WordPress website.
Use A High Quality Web Host
Companies are always looking for ways to keep outgoing costs low. One way people try to save a few bucks is by choosing to use a low-cost or “budget” web host. While it can be very tempting to pay just a few dollars per month on your hosting, there are many hidden costs involved in that choice.
Most budget hosts provide only the basics of security for your web server and they will not assist with keeping your website updated or secure. It’s likely that your website will be hosted on the same server as thousands of other websites and if just one of those sites is left unprotected, your website becomes vulnerable to attack. We have cleaned up multiple hacked websites, only to find days later the same site was hacked again. The issue wasn’t the website itself, but the web server it was hosted on.
If a hacker manages to infect your web server, he then has access to everything on it, including your website. Look for these qualities when choosing a high-level web host:
- Consistently monitors and updates their web servers
- Protects the individual websites on their servers
- Offers SSL
- Provides top-notch support
Don’t let the allure of saving a few dollars open your website to potential attacks.
Secure Sockets Layer (SSL) Certificate
Adding an SSL Certificate to your website is one of the best ways to prevent a hacked WordPress site. Most experts consider an SSL Certificate to be the first line of defense in stopping a hacking attack on a website. An SSL Certificate should be used whenever personal information is exchanged between the website and the database or web server. Hackers often look for opportunities to seize personal information, which is much more likely to happen if the personal information is not secured by SSL. If hackers access personal information, they may use it to access user data and accounts.
Your website users expect your website to keep their data secure at all times. Modern browsers such as Chrome, Firefox, Safari and Edge will notify your visitors if your website is not secured by SSL. Many anti-virus programs will completely block your website from being accessed if it is not protected.
Website trust is vital to the success of your website and SSL is an inexpensive method for helping fight back against potential website hacks. If your site does not currently have SSL, check with your web host or contact Website Restore for assistance.
Monitor File Uploads
Permitting file uploads to your website can be very helpful, but also poses a significant security risk. A malicious uploaded file can contain code that opens up the website to hacking attacks if it is executed. All files that you allow to be uploaded to your website should be treated with suspicion and opened with caution.
To reduce the risk of an upload damaging your website, it is best to limit the types of files that can be uploaded. For instance, if you are requesting that your site user’s upload a photo, your site should only allow image file formats to be uploaded. These would include JPEG, PNG, WebP, SVG and GIF. Additionally, your website should only accept incoming files from registered users whom you trust.
If you own a WordPress website, we highly recommend using the Gravity Forms plugin for all of your online forms. Gravity Forms makes it easy to limit the types of uploaded files, block spam and manage who can access your forms.
While providing your end-users with error messages sounds like a helpful task, it can open the door to hacking attacks if you’re not careful. Error messages can reveal quite a bit of information about a website’s condition, which makes it easier for hackers to exploit the site. Error messages should always be generic and never provide in-depth details about the specific problems affecting the website. The message should also exclude information about which part of the query was inaccurate, which also opens doors for hackers to access your website.
Keeping It All Secure
Whether your website got hacked and you need to fix it fast, or you are wondering how to prevent a future hack, a website maintenance company is on hand to help. Contact us today for assistance and support in preventing hacking attacks and getting your website restored if an attack does happen.