How to keep your website secure

Common threats and practical steps to take to secure your website

There are some shocking statistics just out from the Government’s cyber security breaches survey. Half of businesses and around a third of charities reported having experienced some form of cyber security breach or attack in the last 12 months. So, how and why are these breaches occurring, and what can you do to stop yourself falling victim to one?

Types of Cyber Security Breaches

To work out how best to protect yourself you need to know what you’re protecting yourself from. Below are the most common types of breach / attack.

  • Cyber Attacks:This is when someone (or a bot developed by someone) exploits vulnerabilities in your website’s code to steal data, inject malware, or deface your site.
  • Data Breaches: This is when the personal and / or financial data of your customers is compromised which leaves you with possible legal and likely financial repercussions.
  • SEO Spam: A bit like the first one, this is when spammy links are injected into your site to manipulate search engine rankings which can end up harming your online reputation.
  • Downtime: This meanwhile is when ‘Distributed Denial of Service’ (DDoS) attacks bombard your website with traffic with the intention of overwhelming it so it becomes unavailable to your real life users.

Protecting your website’s security

Now that we’ve established the common types of threat – what can you actually do to mitigate your risk and protect your organisation?

  • Strong Passwords: This means absolutely no use of Password123! All websites we build will tell you how strong your password is when you first set up your user account and we highly recommend you don’t settle for anything less than one deemed strong. If you’re unsure how strong your current password is there are tools you can run it through to check, but as a rule of thumb – have a mix of upper and lower case, numbers and special characters, eg. a star or exclamation mark. Along with having a strong password it is vital you do not share your password with anyone and everyone who needs to be able to update the content on your website has their own account in order to do so. In addition, we recommend having multi-factor authentication set up to give an added layer of security.
  • User roles: Keep under review who has access to your site, what level of access that is and whether it is still appropriate to what they need to do. If a member of your team only needs to be able to edit content on occasion then there is no need for them to have full administrator access for example.
  • Secure Hosting: This may be an area you leave to your web developer, but if not make sure you choose an established reputable hosting provider offering proper security features, such as SSL certificates, firewalls, and regular backups.

How we keep your website secure

We’ll continually monitor the areas mentioned above and offer guidance where necessary. The following points are the outline of actions we take to enhance your efforts. While some may necessitate the expertise of a qualified website developer, others can be managed by those who are confident with tech and have some experience in website management.

  • Regular Updates: Keeping a website’s CMS, in our case WordPress, up to date is not just about ensuring access to new features. Updates are released every time a security flaw has been discovered and patched, without implementing the updates you’re not able to take advantage of these security patches meaning your website is vulnerable to hackers / bots searching for vulnerabilities they can exploit to gain access to a website.
  • Data Encryption: We implement what is known as SSL/TLS encryption to secure the data transmission between your website and your users, we do this for all our websites but it’s particularly important for e-commerce sites handling financial information.
  • Backup and Recovery: Our systems are set up to regularly back up a website’s data and files so they are stored securely offsite to mitigate the impact of any potential breach.
  • Code Reviews: Our Lead Developer conducts regular, thorough code reviews to identify and vulnerabilities in your website’s codebase, including SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), we then update our code accordingly as required.
  • Web Application Firewalls (WAF): To filter and monitor traffic to your website and block any malicious requests we install what’s know as Web Application Firewalls.
  • Security Headers: When building a website, or undertaking a rebuild we will configure HTTP security headers which also serve to reduce the risk of various types of attacks, including clickjacking (when a person is tricked into clicking on something which is not actually what it says it is but instead has a malicious piece of code in which might steal their data) and data injection.
  • File Permissions: We will work with you to set appropriate file permissions to restrict access to any sensitive files and directories, this serves to prevent unauthorised modification or execution.
  • Minimise plugins: Plugins can be a back door way in for hackers to access your website, as we discuss in our article here. We therefore keep the use of third party plugins to a minimum and ensure any used are kept up to date, wherever possible we build our own. There are though security plugins which can assist our work in monitoring and defending against threats which we use where appropriate.
  • SSH: An additional way in which we keep the websites we work on secure is by only ever accessing servers with our websites on them via SSH. This is a protocol which requires a handshake between the server and local machine. How it helps in terms of security is because the handshake requires a file on the local machine to have a matching code to the one of the server before any connection can be made.

Need a review of your website's security?