How to Protect Your Website from Hacking & Security Guide 2021


Did you know that hackers compromise more than 50,000 websites around the world every day? This is a startling statistic, but it is a stark reminder of why it is so important for online businesses and bloggers to stay on top of their Internet security and privacy protection systems.

Let’s take a quick look at some official statistics.

  • The worldwide web is home to over a billion websites, with US servers hosting around 380-million of those sites.
  • Every day, more than 30,000 websites experience some form of malware infection.
  • More than 73-percent of Americans say they have been the victim of a cybercrime.
  • More than 40-million Americans lose their private details to hackers penetrating business servers holding their information.
  • WordPress hacks are the most common, which is not surprising considering WordPress powers 25-percent of all websites.
  • Studies show that it takes hacker tools less than 10-minutes to crack a 6-character password.

Having your website hacked is a frustrating and embarrassing experience that can cost you your online business. Hackers trawl the internet every day looking for opportunities to exploit weak security and take control of websites. A hack on your site can result in the loss of all of your financial and client data, breaking the public’s trust in your management and your company.

Hackers are after anything they can turn a profit with on the dark web. Credit card information and personal data are hot items that they can sell on the underground marketplace to criminals that run fraud rings.

Hackers use a variety of tools to achieve their objective, depending on their strategy. One of the more recent trends in hacking, ransomware infiltration, is a popular tool for hijacking a system and holding it for cryptocurrency ransom. The hacker encrypts all of your files and provides you with a key to unlock them only after paying an untraceable bitcoin ransom.

The Baltimore government offices recently experienced a ransomware attack, where the hackers held the office’s files for a ransom of 13 bitcoins, around $84,000.

Why You Need Online Protection

Going live with your website is similar to the grand opening of a retail establishment. If you want to prevent your customers from walking out of the door with all of your merchandise and the contents of the office safe, then it’s best if you use some security protocols to safeguard your business from theft.

A website owner needs to take the same level of caution when going live. Installing internet security and privacy protocols will help ensure that no hacker can find a backdoor into your site and take control, locking you out of your business.

The work of securing your website doesn’t stop after you finish setting up your security. Webmasters need to take a proactive approach to their internet security and institute systems that allow for regular updating and maintenance of their protocols and software.

Hackers gain a technological advantage with every passing year. The public release of government hacking tools by groups like “The Shadow Brokers”, helps arm hackers with new cyber weapons to take down sites and create havoc online.

We decided to give you all the information you need to protect your website from hacking.

Follow these steps to secure your site from online criminals:

1. Keep Up to Date with Industry Security Trends

As a website owner, you need to be aware of all threats to your online business. Sign up to the newsletters of a few authority sites in the online security industry. Using this strategy, you’ll stay informed about all new viruses and malware doing the rounds on the internet.

Staying “plugged-in” to industry news allows you to keep on top of global online security trends. Firms are continually releasing new products to help you counter attempts by hackers to breach your system.

2. Audit Your Network Security Systems

After reading this article, you’ll have a deeper understanding of why your online security is so important. Start improving your website’s resistance to infiltration by completing a security audit of your network.

Hire a consultant to review your systems and make any changes that may be necessary for enhancing your security.

Your employees may unknowingly provide online criminals access to your website. Check your settings and make the following changes.

  • All logins expire after inactivity lasting more than a few minutes.
  • Change your passwords every eight weeks, and avoid using weak passwords like 123456 or similar.
  • Never write passwords down.
  • Set up your security software to scan for viruses and malware on all new devices registered on your network.

Tightening things up around the office can help counter immediate physical threats to your network, such as hackers attempting to breach your system over Bluetooth or Wi-Fi.

3. Update Security Protocols and Software

After removing the physical threats around the office, it’s time to take an unbiased look at your current security protocols. Are you under protected? Many website owners start their business on a bootstrapping model. As a result, they tend to take the bare-minimum approach to security costs.

This strategy can help keep costs down during the growth phase, but it increases your risk of a cybercrime breach. After you experience some success, it’s time to ramp up your security with some advanced software and programs, to make your site impenetrable to hackers.

Buy a security suite intended for your specific business. Some products suit bloggers, offering them the basics to keep their website protected. E-commerce businesses will need a complex system to prevent financial crime and data loss.

Update all of your software promptly. Delaying an update leaves a known vulnerability open in your security, and hackers look for exactly that opportunity to exploit your system.

4. Make use of Web-Application Firewalls

One of the best ways to protect your site from hackers is with the use of a web application firewall. We are all used to our computers running firewalls to prevent infection by malware and other malicious code.

A web application firewall (WAF) works similarly, except it sits between the server and your internet connection, reviewing all the data that enters your site. A WAF can be either hardware or software based, but the most common form is a cloud-based firewall that requires you to pay a monthly subscription fee.

A WAF is effective at protecting you from security breaches, and you have peace of mind knowing that spammers and hackers cannot penetrate your site.

5. Tighten Your Access Control

Should a hacker gain access to your admin account, they gain total control over your website. From there, the hacker can lock you out of your system, holding it to ransom. They also have access to all of your company’s data, including customer or subscriber information.

It’s best if you start to tighten things up around the office concerning your access control systems if you want to prevent this unfavorable situation. Make these immediate changes to your security protocol.

  • Enforce the use of complex passwords and usernames with your employees.
  • Since email accounts are one of the primary ways hackers gain access to systems, limit the number of login attempts allowed per hour (or per 30 minutes), and limit password resets as well.
  • Ensure that no-one on your team ever sends login information by email.
  • Most sites use the default database prefix “wp6_”; change it to another prefix that is more secure and harder to guess.

These few changes help protect your website from hackers that infiltrate email systems in the hope of capturing sensitive information about logins and other company data.
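The login-attempt limit in the list above is easy to state but easy to get wrong (a fixed "per hour" bucket lets an attacker burst at the boundary). The following added example, which is not code from the original article, implements it as a sliding window per account: after a configurable number of failed attempts within the window, further attempts are refused until the oldest failure ages out, and a successful login clears the history. The `ManualClock` helper and the `demo()` walkthrough are constructed here so the behaviour can be observed without waiting 30 minutes.

```python
import time
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Sliding-window limiter for failed login attempts.

    Each key (for example a username, or username plus client IP) may accumulate at most
    `max_attempts` failures within the last `window_seconds`. The clock is injectable so
    the lockout can be tested without sleeping.
    """

    def __init__(self, max_attempts=5, window_seconds=30 * 60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        # Drop failures older than the window so the limit rolls instead of resetting on the hour.
        q = self._failures[key]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def allow(self, key):
        """Return True if a login attempt for `key` may proceed right now."""
        now = self.clock()
        self._prune(key, now)
        return len(self._failures[key]) < self.max_attempts

    def record_failure(self, key):
        """Call after a wrong password; returns how many attempts remain in the window."""
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        return max(0, self.max_attempts - len(self._failures[key]))

    def record_success(self, key):
        """Call after a correct password: a successful login clears the failure history."""
        self._failures.pop(key, None)


class ManualClock:
    """Constructed test clock: time advances only when .t is changed."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Constructed walkthrough: three wrong passwords, then the window expires."""
    clock = ManualClock()
    limiter = LoginAttemptLimiter(max_attempts=3, window_seconds=60, clock=clock)
    timeline = []
    for attempt in range(4):
        allowed = limiter.allow("alice")
        timeline.append((clock.t, allowed))
        if allowed:
            limiter.record_failure("alice")
        clock.t += 10            # failures land at t=0, 10, 20; the 4th attempt (t=30) is refused
    clock.t = 60                 # the failure at t=0 has now aged out of the 60-second window
    timeline.append((clock.t, limiter.allow("alice")))
    return timeline


if __name__ == "__main__":
    for t, allowed in demo():
        print(f"t={t:>4.0f}s allowed={allowed}")
```

Key the limiter on the account name rather than only on the client address, otherwise an attacker with many addresses is never throttled while a whole office behind one NAT gets locked out together.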

6. Use Security Plug-ins

While a web application firewall offers the best protection for your website, you can beef up the security on your platform by using plugins as well. Free plugins for WordPress, such as Acunetix WP Security, provide your site with an additional layer of protection that hides the identity of your site’s CMS.

By hiding the CMS with this plugin, your site becomes more resistant to automated hacking tools used by online criminals. These hackers look to exploit weaknesses in specific build versions of WordPress sites known for their vulnerabilities.

7. Hide Admin Pages from Listing

If your site has its admin pages listed on Google, you’re inviting hackers into your system. Indexing these pages is like waving a flag saying you’re waiting for someone to hack your site. By using the robots.txt file, you discourage the search engines from listing these sensitive pages, keeping your site secure.

8. Remove Auto-fill for Website Forms

Does your support page offer auto-fill forms? If so, then you might want to consider removing this functionality from your website immediately. These forms provide hackers with a backdoor into your site.

Leaving auto-fill enabled for the forms on your site makes it vulnerable to a hack from any user’s stolen phone or laptop.

9. Always Use SSL Certificates

By now, we are sure that you understand the importance of using an SSL certificate (HTTPS) on your site. Providing a secure connection is indispensable, and you should never consider launching without the SSL up and running on your server.

Nowadays almost every hosting provider offers a free SSL certificate. You can find it inside your cPanel, usually under the name “Let’s Encrypt”, or find it manually under Security > SSL/TLS Status.

Encrypted SSL/TLS connections ensure the safe transfer of your site’s user information between the user’s browser and your server. The certificate prevents hackers from stealing or viewing the data while in transit.

10. Schedule Regular Back-ups

Backing up your data is the best way to prevent total loss of all of the information on your site. If a hacker takes control of your systems, what do you do about your business? If you can’t afford to pay a ransom, or the hackers permanently damage access to your site, then you have a huge problem.

Losing customer data is bad enough, but having to recapture all of your data is your worst nightmare come true. By backing up your data, you have all of your information in a secure location, and you can continue with business as usual while you sort out the mess with your website.

Set your system to back up to a remote server automatically at the end of each day. If you operate a data-intensive site, then you may want to consider backing up as frequently as every hour. Back up your systems to multiple locations on and off-site to ensure no-one can lock you out of your data.

11. Watch out for SQL injection

One of the reasons why you don’t want auto-fill forms left open on your site is SQL injection. Hackers use these forms to gain access to and manipulate your database. If your website is using standard Transact-SQL, then it’s easy for attackers to insert rogue code into the query without your knowledge.

The code can change tables, delete data, and capture information. It’s easy for any webmaster to eliminate this security threat by using parameterized queries. Also, every web language has this feature, and it’s easy to execute.

Consider this SQL query:

"SELECT * FROM table WHERE column = '" + parameter + "';"

Should a hacker change the URL parameter to ' OR '1'='1, the query becomes the following.

"SELECT * FROM table WHERE column = '' OR '1'='1';"

In this example, '1' always equals '1', so the WHERE clause is true for every row; this also allows attackers to append another query to the SQL statement, which executes in the background.

Webmasters can fix this vulnerability by explicitly parameterizing the code.

Using PDO in PHP, this query would look like:

$stmt = $pdo->prepare('SELECT * FROM table WHERE column = :value');
$stmt->execute(array('value' => $parameter));

Using this quick fix, you stop SQL injections, locking down another weakness in your website. It’s surprising how many sites still have this vulnerability.

12. Protect Your Site Against XSS Attacks

Cross-site scripting, or “XSS”, attacks gain access to your system by injecting malicious JavaScript into your webpages. This code runs in the background of your users’ browsers, changing your page content or sending data back to the hacker.

As an example, should you display comments on a webpage without any validation, then hackers may submit comments containing script tags and tainted JavaScript, which steals users’ login cookies from their browsers. This strategy allows the hacker to capture the login details of every person that views the comments.

To stop this threat in its tracks, ensure users can’t inject any active JavaScript into your webpages. This is a particular concern on pages built from user content, such as forums, where attackers can craft HTML that is then interpreted by front-end frameworks such as Ember and Angular.

These frameworks provide your website with protection from XSS attacks. However, mixing client and server rendering creates other vulnerabilities that hackers may try to exploit. Attackers can inject content that triggers code to run by using Ember helpers or inserting Angular directives.

When generating HTML dynamically, use functions that make only the change you need, such as element.textContent and element.setAttribute, which the browser treats as plain text rather than markup, instead of setting element.innerHTML manually. Likewise, use the escaping built into your templating tool rather than setting raw HTML content yourself.

Content Security Policy is another powerful tool in the webmaster’s toolbox for protecting your website from attackers. Your server returns this header to the browser, restricting which JavaScript may execute on the page.
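The following added example (not code from the original article) puts the last three paragraphs together on the server side: a comment list rendered with output escaping, a link rendered in attribute context with a scheme allow-list, and a `Content-Security-Policy` header that only permits scripts carrying a per-response nonce. The sample comments, the `/static/comments.js` path and the `build_comments_page` function are constructed for the example.

```python
import html
import secrets

# Constructed sample comments: one ordinary, one carrying a script tag as the article describes.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    "Nice <script>alert('xss')</script> post",
]


def render_comment_unsafe(comment):
    """The anti-pattern: user text is spliced straight into the markup (innerHTML-style)."""
    return '<li class="comment">' + comment + '</li>'


def render_comment_safe(comment):
    """Escape &, <, >, \" and ' so the browser shows the text literally instead of parsing it.
    This is the server-side counterpart of assigning element.textContent."""
    return '<li class="comment">' + html.escape(comment, quote=True) + '</li>'


def render_author_link(display_name, profile_url):
    """Attribute context needs quoting-safe escaping plus a scheme allow-list, because a
    javascript: URL runs even when every character is escaped."""
    if not profile_url.lower().startswith(("http://", "https://")):
        profile_url = "#"
    return '<a href="{}">{}</a>'.format(
        html.escape(profile_url, quote=True), html.escape(display_name, quote=True)
    )


def csp_header(nonce):
    """Content-Security-Policy: only same-origin scripts, or inline/external scripts that carry
    this response's nonce, may run. A script injected through a comment has no nonce."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


def build_comments_page(comments):
    """Return (headers, body) for a comment listing with escaping and CSP applied."""
    nonce = secrets.token_urlsafe(16)          # fresh per response, never reused
    items = "".join(render_comment_safe(c) for c in comments)
    body = (
        "<!doctype html><html><body><ul>" + items + "</ul>"
        f'<script nonce="{nonce}" src="/static/comments.js"></script>'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp_header(nonce),
    }
    return headers, body


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(SAMPLE_COMMENTS[1]))
    print("safe:  ", render_comment_safe(SAMPLE_COMMENTS[1]))
    hdrs, page = build_comments_page(SAMPLE_COMMENTS)
    print(hdrs["Content-Security-Policy"])
```

Escaping and CSP are complementary: escaping stops the injected markup from becoming a script element at all, and the nonce-based policy means that even if some other template slips raw HTML through, the browser refuses to run a script that does not carry the current response's nonce.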

13. Avoid File Uploads from Your Website’s Visitors

Whenever you allow users to upload files to your site, it creates a significant vulnerability in your security. It doesn’t matter if it’s something as tiny as an avatar: the upload may contain a script that executes on your server, handing control of your website to hackers.

It’s vital that you treat all files with suspicion, especially if you run a site with a forum, where users upload hundreds of pages of content every day.

The issue is that you can’t rely on file extensions to verify the file type. Faking an image is a relatively simple thing for a hacker to do, and you have no way of knowing what the file contains.

You can’t trust the file headers of the “image” either; it could still contain malicious PHP code that executes on your server.

If you can’t prevent users from uploading files altogether, the options available to you include renaming the file on upload, changing its file permissions, and ensuring it has the correct file extension.

If you are running on *nix, you can use a .htaccess file that restricts access to approved admins. This stops double-extension attacks. Your goal should be to prevent any direct access to user-uploaded files on your website altogether.

With this fix, all files uploaded to the site are stored in a folder outside of the webroot. Because those files are not directly accessible, you’ll need a script to retrieve them from that folder, such as an HTTP handler in .NET, before sending them to the browser.

The src attribute of an image tag does not have to be a direct URL to an image file, so it can point to your file-delivery script instead, provided the script sets the correct Content-Type in the HTTP header.

If you can, set up a DMZ (demilitarized zone), limiting inbound access to ports 80 and 443. This is only possible if you can reach the server from an internal network. You’ll need to open additional ports to accommodate file uploads and remote login to the server over RDP or SSH.

SFTP or SSH are best for the secure transport of files uploaded from the internet. Run your database on a separate cloud server rather than on your web server; that way you can block all external attempts to reach the database and allow only your web server to connect to it. As a result, you minimize the risk of exposing your data.
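The upload handling described in this section (check the content, rename on upload, store outside the webroot, deliver through a script that sets the Content-Type) is shown below as one added example; it is not code from the original article. Signature sniffing is only a filter, as the article notes, so the controls that actually stop a disguised script from running are the random name, the non-executable permissions, the out-of-webroot directory and the fixed Content-Type on delivery. The `SAMPLE_PNG` and `SAMPLE_FAKE_IMAGE` byte strings, the `demo()` walkthrough and the temporary upload directory are constructed for the example.

```python
import os
import secrets
import tempfile

# Signature bytes and the Content-Type we will serve for each accepted image kind.
ALLOWED_IMAGE_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
}


def sniff_image_type(data):
    """Return the image kind the bytes claim to be, or None. A filter, not a guarantee."""
    for kind, (magic, _ctype) in ALLOWED_IMAGE_TYPES.items():
        if data.startswith(magic):
            return kind
    return None


def store_upload(original_name, data, upload_root, max_bytes=2 * 1024 * 1024):
    """Validate an upload and write it under upload_root, a directory outside the webroot.

    The original file name is never used on disk: it is replaced with a random id plus the
    extension implied by the sniffed type, which neutralises names such as 'shell.php.png'.
    """
    if len(data) > max_bytes:
        raise ValueError("file too large")
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("not an accepted image type: " + original_name)
    upload_id = secrets.token_hex(16)
    path = os.path.join(upload_root, f"{upload_id}.{kind}")
    # Mode 0o640: no execute bit and not world-readable; O_EXCL refuses to overwrite.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return upload_id, kind


def serve_upload(upload_id, kind, upload_root):
    """Delivery handler: returns (content_type, bytes) or None. The web server never maps
    upload_root directly, so this function is the only path to the files."""
    # Accept only the exact shape we generated, so '../' or 'x.php' can never be requested.
    if not (len(upload_id) == 32 and all(c in "0123456789abcdef" for c in upload_id)):
        return None
    if kind not in ALLOWED_IMAGE_TYPES:
        return None
    path = os.path.join(upload_root, f"{upload_id}.{kind}")
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return None
    # Content-Type comes from our own table, never from the upload, so the browser renders an image.
    return ALLOWED_IMAGE_TYPES[kind][1], data


# Constructed sample inputs: a minimal PNG signature, and a PHP file disguised as an image.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_FAKE_IMAGE = b"<?php echo 'this is not an image'; ?>"


def demo():
    """Constructed walkthrough of the accept, reject and traversal cases."""
    root = tempfile.mkdtemp(prefix="uploads-")   # stands in for a directory outside the webroot
    results = {}
    upload_id, kind = store_upload("avatar.php.png", SAMPLE_PNG, root)
    results["stored_name"] = f"{upload_id}.{kind}"
    ctype, _ = serve_upload(upload_id, kind, root)
    results["served_as"] = ctype
    try:
        store_upload("avatar.png", SAMPLE_FAKE_IMAGE, root)
        results["fake_rejected"] = False
    except ValueError:
        results["fake_rejected"] = True
    results["traversal_blocked"] = serve_upload("../../etc/passwd", "png", root) is None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production, point `upload_root` at a directory the web server is not configured to serve, and have the `<img src>` reference a route that calls `serve_upload`, exactly as the article describes for an HTTP handler.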

14. Your Code is Always on Display

Anyone can land on your webpage and right-click to reveal your code. There is no way to turn off this function. Should you decide to disable the right-click function on your webpage, then users will not be able to use any right-click functions anywhere on the page.

Some companies offer software that supposedly “cloaks” your code when people right-click, but none of these solutions work. Browsers require access to your code to render website pages, and so it must be available for viewing.

15. Limit Physical Access to Your Server

If your server is at your offices, then it’s vital that you have secure offices. Some online criminals will risk breaking into a physical location to tamper with servers. Install stand-alone alarms in your office, and link them to a security company. Ensure that all of the locks on your doors are tamper-proof, and limit physical access to your offices.

In Closing – The Financial Costs of a Hack

The result of a hack on your website can range from minimal, to catastrophic, depending on the nature of your business. For example, in 2016 the cryptocurrency exchange, Bitfinex, lost some of its bitcoin holdings to hackers, with an estimated value of $73-million.

That example is far different from a local business that experiences a ransomware demand from hackers but does not use their website for online marketing purposes. In this case, the owner would not store their client’s data online, and the hackers would gain no value from the data on the site.

Regardless of the size of the hack or the type of website affected by the attack, every online business will suffer some repercussions from the breach. Here are the costs associated with recovering your website from cyber criminals.

Taking Back Control of Your Site – Ransomware payments or fees to hosting companies to take your website offline are expensive.

Revenue Losses – If you run a profitable online business, every hour that your site stays down costs money in lost sales.

Asset and Data Costs – If hackers steal your customer’s information, then it will severely tarnish your reputation online.

Google Blacklisting – One of the worst effects of a hack. If your site is a victim of a malware or phishing campaign, then Google may drop you in their search rankings or blacklist you.

Customer Backlash – Your customers will not take you handing their data over to criminals lightly. You’ll need to go into damage-control mode to put out the fires.

In closing, you can see the enormous financial and legacy costs associated with a hack. Preventing attackers from accessing your website should be a top priority for your site. If you don’t have the expertise necessary to boost your security, hire a consultant to help secure your website.