Your company website is no longer just a company website – it’s your shop front, and likely a major source of business and lead generation. If it’s hacked or goes down, you’ll not only lose revenue, but you’ll risk damaging your brand reputation – or worse still, breaking the law.
A typical FTSE 100 company will lose around £120 million after a hack or data breach, and whilst small businesses are less likely to have millions wiped off their books, you could face serious problems if your website is insecure and hackers can access sensitive information.
The introduction of GDPR means companies can be fined 4% of their annual global turnover or €20 million – whichever is greater – if customer data falls into the wrong hands, so website security has never been more important. Don’t overlook it or leave it for another day.
Below, we’ve put together just some of the ways you can increase security on your website, and rest easy knowing that your customers’ personal data is out of harm’s way. Read on to find out more – and ensure your website complies with industry and government standards.
Keep it updated
It sounds obvious, but it’s important to mention: whether you’re running a CMS such as WordPress or your site’s powered by a custom solution, make sure all of your software and plugins are updated on a regular basis – and turn on automatic updates where possible to ensure you’re always running the latest versions of any necessary software your site needs.
One of the easiest ways to prime your website for a hack is to run outdated and unsupported software. If you’re not running the latest release, there’s a chance of vulnerabilities on your website – particularly if you don’t switch to patch releases, commonly issued to fix security bugs. It can understandably be frustrating having to log into your WordPress every week to update your themes and plugins, but if you don’t, there’s no guarantee your website is safe.
Use a password generator
The chances are that your website has a back-end, where you can log in and make changes or add content. Those areas are the most vulnerable to attacks, and so you should be sure that your passwords are strong and hard to hack. Data shows that 23.2 million people still use ‘123456’ as their password: that simply isn’t good enough if you care about security.
Every account related to your website, from your WordPress back-end to your cPanel and FTP accounts, should have its own strong, unique password. Use a password generator tool and opt for passwords that include symbols, numbers, upper and lower case characters, and are at least 20 characters in length.
If you’re worried you’re going to lose them, then turn on the password manager in Google Chrome or use an app like LastPass, which securely records your passwords and requires two-factor authentication to be accessed – great for security.
Don’t forget about third-party content. Plugins and add-ons should also be given a unique password to ensure they can’t be exploited – everything from MailChimp to Google Analytics.
Enforce a password policy for users
Once you’ve improved your own passwords, you should think about doing the same for your users. If you allow users to sign up for accounts on your site, then implement a password policy and require them to choose a strong, sophisticated password with mixed cases and special characters. If you’re serious about security, you could also send regular password reminders and require users to change their passwords on your website every six months.
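The generator and the user-facing policy check described in the two sections above can share one definition of "strong". The following is an added example, not code from the original article; the function names and the small common-password list are assumptions made for illustration.

```python
import secrets
import string

# Assumed policy, taken from the article's advice: 20+ characters with
# upper case, lower case, digits and symbols. Names are illustrative.
MIN_LENGTH = 20
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
# Constructed sample of known-bad passwords; a real deployment would
# load a much larger breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}


def policy_violations(password, min_length=MIN_LENGTH):
    """Return a list of human-readable reasons the password fails."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if len(password) < min_length:
        problems.append(f"is shorter than {min_length} characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            problems.append(f"has no {name} character")
    return problems


def generate_password(length=MIN_LENGTH):
    """Generate a random password that satisfies the policy."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every class")
    rng = secrets.SystemRandom()
    # One guaranteed character per class, the rest from the full alphabet.
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    full = "".join(CLASSES.values())
    chars += [secrets.choice(full) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # guaranteed characters do not sit at fixed positions
    return "".join(chars)


if __name__ == "__main__":
    print(generate_password())
    print(policy_violations("123456"))
```

The `secrets` module draws from the operating system's cryptographic random source, which is why it is used here instead of `random`.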
Encrypt your website
If your website doesn’t have an SSL certificate installed, stop reading and speak with your web host as soon as you can. SSL certificates are essential for protecting and encrypting your website, particularly if you run an e-commerce website.
In order to accept credit cards on your website, you must have an SSL certificate to comply with the Payment Card Industry (PCI) standards. Even if you don’t handle sensitive information, SSL certificates provide an additional security layer between your website and your users, making it much less likely for data to fall into the wrong hands.
The best part? You can get one for free via sites like Let’s Encrypt.
SSL certificates also build trust and credibility, as they display a padlock in your browser. In fact, last year, Google Chrome began labelling websites without an SSL as ‘not secure’.
Back up your website every week
It’s not just hackers you have to worry about – software updates can corrupt your files, and servers, no matter how well they’re maintained, can fail or lose data. If you want to increase the security of your website and ensure your content and data don’t go missing, then you should pay for weekly back-ups to give you added peace of mind.
They’re cheap, they can be set up site-wide or server-wide in just a couple of minutes, and they offer the reassurance you need that your website will be okay, even if the worst were to happen and you lost your files.
Admin directories (likely where you’ll log in to make changes to your website) are particularly vulnerable to hacks, with directories like /admin or /wp-admin most susceptible to malicious logins. Once attackers gain access to these folders, they can control your entire website, so you should make it harder for people to find them.
Rename your admin folders and disable public access, or limit access to a set number of IP addresses, to be on the safe side. On WordPress, plugins like WP Admin Protect allow you to hide admin directories and redirect users to your homepage.
Choose a secure web host
When building your website, you should choose a secure and reputable web host that cares about security. The chances are that your website will be hosted on the same server as many other websites, and it will be the responsibility of your web host to ensure all of those websites are safe and secure.
If your web host offers bargain-basement pricing, for example, that increases the risk of your website being hosted on the same server as a malicious site, which in turn increases the likelihood of a DDoS attack or your website being hacked. Make sure your web host has good customer reviews and offers ongoing technical support for your peace of mind, and consider the benefits of website maintenance and management on top.
Serve content through a CDN
A content delivery network is an overlay network that helps deliver content to your end users much faster. CDNs are designed to improve performance and security, and websites can take advantage of free and paid-for CDNs that sit on top of their web hosting package. If you’re looking to bolster your website’s security, consider a CDN like Cloudflare, as it’s free to use and hides your site’s IP address, making it harder for hackers to target your server.
What’s also useful about a CDN is that it ensures only genuine users can access your site, meaning resources (like bandwidth) are saved and performance is increased. What’s more, CDNs can help protect against DDoS attacks, and they serve cached versions of your site if it suffers from downtime, improving user experience and search engine optimisation.
Delete old files
When was the last time you gave your website a spring clean? Delete files, databases and applications that you’re no longer using, not only to save space and organise your structure but to ensure that you’re not running outdated software that could be targeted by hackers.
Scan your content regularly
Scanning your website for security vulnerabilities is also recommended, giving your files the once-over to determine whether anything has been tampered with and to detect any possible security flaws. There are a number of free scanners on the web, which offer scan scheduling on set dates and times, with results emailed to you. Consider setting a security scan on your site regularly, or speak with your host, who may be able to offer it to you for an additional fee.
Your website is your primary connection to your customers and as such, its security should be managed with the same care and consideration as your physical office or retail location.
At Zudu, we’re proud to offer website maintenance and hosting that’s reliable and worry-free, giving you peace of mind that you’ll never lose that connection. Get in touch to find out more.