5 Tips to improve your website security

What do Carphone Warehouse, British Airways, Mumsnet and Ashley Madison have in common?

As long as you haven’t been in hibernation over recent months, you’ll probably remember at least one of them appearing in the news after having had their websites hacked.

Unfortunately it is becoming an all-too-common experience for website owners. Even very recently we have had a few of our clients’ sites hacked. The source can be anything from an international group (a recent hack was by an anti-US/pro-Syria group) to a 14-year-old kid wanting to test out his coding/hacking skills. That happened.

So what can be done to at least attempt to keep the hackers at bay?

Here are our top five tips. Many of these will be for you to check with us, or with your web developers if you are not one of our clients. But some you can check and implement yourself.

Have secure passwords

If you update your website yourself, you will have an account enabling you to do this. Is your password for this account easy to figure out? Something like “Password123”, “123456”, “qwerty”, “football”?

Having a secure password should really go without saying, but unfortunately too many people don’t take the setting of passwords seriously enough, instead choosing words that are easy to remember over greater security.

Sky News reported on the most common passwords people use back in January. It was extremely revealing. Those passwords I listed above were all in the top 25. Thankfully more people (possibly due to the rise in hacking and identity theft) are choosing to have more secure passwords. Make sure you are one of them, as this is the simplest tip that you can do yourself. Don’t give the hackers a helping hand.

Choose a non-standard username

Very much like the password situation, if I were to guess someone’s username to log into their website it would be ‘admin’. This again is easy for hackers to guess. Even your name will be more secure than that: if it’s a random hack, the perpetrator is less likely to know your name.

During a period of 10 hours, one of our sites was accessed 38 times by the same hacker trying to get into the site using the default ‘admin’ username. Had we kept the default username, that would have given them a big helping hand in trying to crack the site. And trust me, they don’t need a helping hand! Thankfully the default username had been changed and they didn’t hack it.

As a side note, this is something to pay attention to with your home Wi-Fi setup; to log in and change the settings, the default username is often ‘Admin’. Change it to something unique to increase your security.

Keep WordPress up to date

As we shared last month, WordPress has approaching 25% of the market when it comes to content management systems. The downside is that it can be prone to hacks. This does not make it a bad choice as there are many things that can be done to make it more secure.

If you have a monthly care plan with us, here are some of the items we cover each month (depending on the level of plan):

  • Update WordPress core system - whenever a new version is brought out, currently version 4.3
  • Update WordPress plugins - plugin authors can produce regular updates to increase security
  • Security testing - we run your site through multiple tests to check for malware, malicious code, any anomalies in the files or if it has been blacklisted
  • Web traffic alert - to see if your site has had a denial of service attack, where the hacker uses multiple systems to flood your site so the server overloads

We are currently updating our care plans and will publish details shortly, enabling you to have quick access to sign up for one if you haven’t already, to give you peace of mind on your website security.

Back up your site

In dealing with a recent hack, we managed to restore a site within an hour. Aside from the issues of dealing with the hack itself, the data could be quickly restored because we had recent backups.

Clients on a care plan that includes monthly reporting are shown how many times their site is backed up per month. Within the plans we also run off-site backups, so if a server is completely wiped (which is unlikely, but does happen) there are other locations in which backups of your website are stored.

If you don’t know whether your site is being backed up, don’t just assume this is happening. Find out for sure.

For those on Squarespace CMS, backups are handled directly by Squarespace. There’s no real provision to fully back up your site like there is with WordPress, but having said that Squarespace is a hosted platform in which all system updates are handled for you. And they have a pretty good record on website security.

Ask questions

There are many other technical tips that can be carried out. But as the focus of this piece is very much non-technical, this final tip is all about helping you, as a website owner or the person responsible for your website, know what to ask your developers, whether that’s us or someone else.

So here are a few questions to ask:

  • What’s your plan if my site is hacked?
  • What’s the process for restoring my site should a server fail?
  • What is your backup process?
  • How do you proactively protect sites from attacks?
  • What plugins do you use for security?

Conclusion

According to Sophos in this BBC news article, around 30,000 websites are being compromised every day by hackers. Many blue chip companies spend hundreds of thousands on website security and we still hear in the news when they get hacked.

Whilst there is no way to make your site 100% bulletproof, we hope we have highlighted a few things you can do so you don’t give the hackers a helping hand.

If you have any questions about website security, let us know in the comments box below.