You’ve almost certainly heard about hacking attacks on websites. You may have read up on how hackers attack websites. Have you, however, stopped to wonder just how hackers find vulnerable websites in the first place?

How hackers find vulnerable websites

It may surprise you to learn that one of the most common ways for hackers to find vulnerable websites is just to do an internet search. The main search engines have a lot of advanced functionality of which regular users are often completely unaware. This is great news for legitimate power users for whom these advanced features can be real time-savers. They are, however, unfortunately also very useful to hackers.


The good news is that even SMBs can afford to enforce robust security on their website. In fact, a lot of security is more about effective processes than expensive tools. Here is what you need to know.

You should always put security before design

Whenever you implement anything on your website, your first priority should always be to implement it in the most secure way possible. Then you look at the design aspect. Never work the other way around. If you have been working the other way around, or if you think you might have done so in the past, then you need to undertake a security audit of your site as quickly as possible and promptly address any issues it raises.

Think carefully about your choice of host

In principle, you can self-host. There will, however, probably be very few SMBs who choose to go down this route and they will probably be on the larger side. Most SMBs will be looking at some form of third-party hosting. When looking for a host, be sure to check their track record on security. There is absolutely no point in doing everything you can to secure your website from hackers if they can just enter it through the server on which it resides.

Once you have chosen your host, you will then have to choose what type of hosting you want. Many business-grade hosts will have a variety of options, but fundamentally they are all essentially variations of dedicated hosting (i.e. you have a server to yourself) or shared hosting.

Dedicated hosting does give you the reassurance of knowing that you can’t have your website compromised through someone else’s lack of security. Shared hosting, however, is generally a lot more affordable and can be made highly secure provided that you know what you’re doing. In particular, you need to set file and directory permissions very carefully. If necessary, get external technical support to help you.

Choose your software with care

As a minimum, you’re going to need a content management system. Some hosts mandate that you use their own proprietary CMS. These hosts tend to market themselves as all-in-one website-building solutions. Most hosts, however, will allow you to choose your own CMS and it’s advisable to research your options and choose the one which best suits your needs and wants - rather than just heading straight to WordPress.

Once you’ve chosen your CMS, learn how to get the best out of it, including how to configure it securely. You also need to understand the security implications of any third-party extensions you opt to use. Every extension is more code that has to be kept up to date, so it’s best to keep these to a minimum.

If you use open-source software then it’s strongly recommended to stick with options that have an active community. That way, you have a reasonable expectation of it being updated regularly. If you use proprietary software, then make sure it’s still being supported (for which read updated) by the vendor. Apply all updates promptly. To do this, you’ll either need to ensure that you get push notifications when updates are created or that you have a note in your calendar to check regularly.

Manage both internal and external users carefully

Administrator accounts are an obvious point of vulnerability, but even lower-grade accounts can do a lot of damage to your website. This includes accounts belonging to external users. In short, any website which allows external users to enter any data, even if it’s just their email address, has the potential to be compromised through that “point of entry”.

This means that external users should also have their activity restricted to a minimum and, where they must be allowed to take action, the actions they can take should be guided and validated as much as possible. This goes at least double if you allow them to upload files.


© 2024 Comodo Security Solutions, Inc