Guest post: 8 steps to protect your website

28 September 2017 by Linda Firth

Website security is a hot topic, as attacks are growing quickly in both number and sophistication. As a small website or blog owner, you may believe that you don't need to worry about your website: there is no valuable content on it, so you won't be targeted. It may surprise you to learn that this is absolutely wrong. Regardless of how trivial the content on your website might be, you are still at risk.

Many hackers are interested in a website not to steal data or corrupt the site, but to use it for some even more sinister purpose. This can include using the web server to send out bulk spam mail, using it to distribute illegal files, or even using it for bitcoin mining.

So how do you protect your website from such attacks? Well, lucky for you, we’ve already compiled a handy list of steps you can take that will help you with the task of protecting your website from these malicious, greedy hackers.

1. Keep everything up-to-date

This may seem fairly obvious, but it is one of the most fundamental and important steps, and as such could not be left out. Always make sure that every last piece of software relating to your website is on the latest version, especially any scripts or plugins. Many of these are open source, which means anyone can analyse their source code and discover loopholes. These loopholes are one of the most common ways for hackers to get inside your website and exploit it.

You can avoid this threat by simply keeping all your plugins, scripts, and platforms (such as WordPress) updated.

2. Security plugins

This one is dedicated to WordPress users (whose numbers are growing by the day). In addition to keeping all your software updated, it is crucial for a WordPress website to use security plugins to ensure maximum safety. There are plenty of security plugins available, both free and paid, that you can benefit from to keep your website secure.

Some of the most popular security plugins include SiteLock and Bulletproof Security. These plugins seal up potential deficiencies in the WordPress platform, and provide an additional layer of security for your website.

3. Use HTTPS

In addition to using security plugins, you should also consider switching to HTTPS to further solidify the security of your website. Websites using the standard protocol for transporting data between the server and the client's browser, HTTP or Hypertext Transfer Protocol, send that data in the clear, so hackers on the path can intercept it and use it maliciously. HTTPS encrypts the exchange of information between the browser and your website, so an interceptor can neither read nor tamper with it.

Using HTTPS is an absolute necessity if you either have an e-commerce based website, or one that deals with sensitive and private information from customers.

4. Choose the right web host

You may think that price is the most important aspect of choosing a web hosting provider, but there is so much more to consider. You could be laying yourself open to an attack if you simply go for the cheapest web hosting supplier, rather than taking care to choose one that you can trust. Look for reputable web hosting providers that offer features such as an SSL-enabled server (required for HTTPS), SSH (Secure Shell) access, secure email support, a secure data centre, regular backups, etc. If you are unsure of the technical aspects of secure data hosting, choose a provider that comes recommended. Venture Harbour carried out some research that compared 53 different web hosting providers to narrow down the providers they recommend.

5. Sneaky SQL injections

Yes, SQL injections are not only sneaky but can be very nasty too, if a hacker manages to inject them into your website. Usually these injections take place through the web forms you use to collect information from your website's visitors. If you don't put the necessary constraints on all the fields of a web form, hackers will be able to insert SQL code into them, which in turn allows them to get into your database and steal any sensitive information available.

A simple and easy way to protect your website from these injections is to always use parametrised queries. A parametrised query fixes the structure of the SQL statement in advance and binds each form value to it separately, so whatever a visitor types is only ever treated as data, never as part of the query, and hackers cannot smuggle their malicious code into it.
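As an added illustration (not code from the original post), the lookup below is written twice against a small constructed SQLite table: once by pasting the form value into the query text, and once as a parametrised query. The same quote-laden input changes the meaning of the first query but is harmlessly compared as a plain string by the second.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; an in-memory database
    # standing in for the site's real user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The form value is spliced straight into the SQL text, so a quote
    # character in the value rewrites the WHERE clause itself.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parametrised(conn, username):
    # The statement structure is fixed; the value is bound to the "?"
    # placeholder and can only be compared as data, never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A username nobody has, but with quotes that alter the unsafe query.
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))    # leaks every row
    print("parametrised:", lookup_parametrised(db, crafted))  # returns nothing
```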

6. The mighty XSS attacks

These attacks are similar to SQL injections in that hackers use web form fields to enter them; however, in terms of their nature, they are far more disastrous than SQL injections. XSS (cross-site scripting) attacks refer to the insertion of malicious script tags and JavaScript into your website, which can then spread across the accounts of all visitors who view the particular page it was inserted on.

As prevention against XSS attacks, make sure visitors don't have the privileges (or opportunity) to insert JavaScript or script tags anywhere on your website: anything a visitor submits must be displayed as plain text, never as live markup.
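As an added example (not from the original post), here is the difference between echoing a visitor's comment straight into the page and escaping it first with Python's standard html.escape, so that a submitted script tag is shown as text rather than run by every reader's browser. The comment text and the list-item template are constructed for the demonstration.

```python
import html


def render_comment_unsafe(comment):
    # The visitor's text is interpolated verbatim, so a <script> tag they
    # typed becomes live markup in the browser of everyone who views the page.
    return '<li class="comment">' + comment + "</li>"


def render_comment_safe(comment):
    # html.escape turns <, >, &, " and ' into entities; the browser renders the
    # characters literally instead of parsing them as tags or attributes.
    return '<li class="comment">' + html.escape(comment, quote=True) + "</li>"


def contains_live_script(markup):
    # Deliberately crude check, used only to compare the two renderers.
    return "<script" in markup.lower()


def render_page(comments, escape=True):
    # Assemble the comment list the way a simple template would.
    renderer = render_comment_safe if escape else render_comment_unsafe
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"


# Constructed sample submissions: one ordinary comment, one carrying a harmless
# script tag that a stored XSS bug would nevertheless execute for every reader.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    "<script>alert('xss')</script>",
]

if __name__ == "__main__":
    print(render_page(SAMPLE_COMMENTS, escape=False))  # script tag is live
    print(render_page(SAMPLE_COMMENTS, escape=True))   # script tag is inert text
```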

7. Passwords & protection

It is best to use the most complex passwords possible for all your accounts, and especially for your website's administrator account. Never use easy-to-remember passwords, as they are often easy to guess as well. Don't use words such as your child's name or your birthday as a password, as hackers can usually access this information easily.

Also, make sure that everyone who has access to your website uses a secure, complex password that is impossible to guess. A single user’s weak password can put your entire website and all its visitors’ accounts at risk.

8. Web security tools

Fortunately, there are special tools that can analyse the overall security level of your website. After you have taken all the other security measures stated above, it’s time to actually check the security of your website through one of these tools.

There are many of these tools available both as premium and freemium versions. Some of the most popular security tools include Netsparker, OpenVAS, and SecurityHeaders.

Netsparker is designed to find SQL injection and XSS vulnerabilities in your website, but you can use any other security tool that performs similar checks.