With thousands of attacks daily on websites of all sizes, we thought we’d get your day started with some simple website security tips that should be a regular and central part of your security routine. And here’s why.
As hackers of all sorts constantly probe businesses of all sizes for any kind of vulnerability they can exploit, websites could be by far the biggest hole in security. And just one recent hack should have been a wake-up call for anyone responsible for website security. In the world of security breaches it seems like a lifetime ago, but it was less than three months ago that a company called Hold Security reported finding a stash of more than a billion usernames and passwords, along with half a billion email addresses, on the servers of Russian hackers.
So how did this small group of amateurs steal information on nearly a third of the world’s Internet users? They exploited a frighteningly simple vulnerability on hundreds of thousands of websites. The vulnerability was a SQL injection, something almost every security pro and even webmaster can easily fix with a couple of lines of code.
But it looks like hundreds of thousands of website owners were not aware of that vulnerability or easy fix, or weren’t using a website scanning service that would quickly find and neutralize it.
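The usual form of that fix is a parameterized query. The sketch below is an added example, not code from the original article: it uses Python's built-in sqlite3 module with a constructed `users` table, and the function names and sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows; addresses and hash strings are placeholders.
SAMPLE_USERS = [
    ("alice@example.com", "placeholder-hash-1"),
    ("bob@example.com", "placeholder-hash-2"),
    ("o'brien@example.com", "placeholder-hash-3"),
]

def make_db():
    """Create an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users (email, pw_hash) VALUES (?, ?)", SAMPLE_USERS)
    return db

def find_user_vulnerable(db, email):
    # Vulnerable: the input is pasted into the SQL text, so a quote
    # character in it ends the string literal and rewrites the query.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(sql)]

def find_user_safe(db, email):
    # Fixed: the ? placeholder binds the input as a value; the driver
    # never parses it as SQL, whatever characters it contains.
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in db.execute(sql, (email,))]

def compare(db, email):
    """Run both lookups on one input and report what each returned."""
    try:
        vulnerable = find_user_vulnerable(db, email)
    except sqlite3.Error as exc:
        vulnerable = "error: " + type(exc).__name__
    return {"vulnerable": vulnerable, "safe": find_user_safe(db, email)}

if __name__ == "__main__":
    db = make_db()
    # Constructed test inputs: a normal address, a legitimate address
    # containing an apostrophe, and a classic always-true condition.
    for value in ["alice@example.com", "o'brien@example.com",
                  "nobody@example.com' OR '1'='1"]:
        print(repr(value), compare(db, value))
```

The concatenated query returns every row for the always-true input and fails outright on a legitimate address containing an apostrophe, while the bound query treats both as plain values.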
According to the researchers, more than 400,000 websites around the world were exploited by this one gang alone, mainly through this vulnerability. And how were they attacked? The attackers used thousands of bot-infected computers, many of them compromised business computers, to search for vulnerable websites.
This and other attacks were reminders of just how much work needs to be done in website security. These hackers could have easily been thwarted if the owners of these websites had taken even the most basic precautions.
So with that in mind, here are seven simple website security tips that should help keep hackers beyond the gates:
- Scan your website constantly for any vulnerabilities, and make sure you use a service that is up to the task.
- If you find malware, remove it quickly. If you don’t know how to do that, or you don’t have the resources, SiteLock’s SMART tool (Secure Malware Alert & Removal Tool) will do it for you.
- Try to separate your data. Separate by type of data — don’t mix customer phone numbers with email addresses, for example — or separate it into multiple databases to make it harder for hackers to get everything.
- Encrypt everything you can. You should always be encrypting any payment information, especially for PCI compliance, but encryption shouldn’t stop there. And make sure all user passwords are hashed and salted so they’re of little value if exposed.
- Consider using some form of two-factor authentication, for customer accounts and for employees, to add a very powerful extra layer of security.
- Make sure you’re using a web application firewall to block all that malicious content and traffic before it can make it to your site.
- Reduce the increasing risk of being blacklisted by search engines by finding vulnerabilities and malware quickly and fixing them just as quickly.
Your best decision in website security may be the service you use to scan and guard your website. What many business owners don’t realize is that many of the cheaper services on the market actually do very little. Some services will help you find and fix vulnerabilities but won’t actually block or stop them. Others will help identify high-risk threats like malware already on your website but won’t help you remove that malware.
It’s like your computer antivirus software telling you that you have a bunch of malware on your computer but it’s up to you to get rid of it. That’s OK if it’s a free service, but unacceptable when you’re paying them to protect you and your customers. So keep a copy of these website security tips handy, check them often, and share them around. Hackers won’t be glad you did, but you will be.