10 Steps: Protect Your Website From Hackers

A little bit of insurance advice for websites.

So you’ve spent a couple thousand dollars on a really nice website with all the bells and whistles, your organization has put in dozens of hours tweaking it to be just right but what have you done to protect your website from hackers? Just like with a vehicle or your other belongings, you need a plan to keep your investment safe.

Step 1 – Make daily/nightly backups.

Automatic backups may already be available from your website hosting company, or you may need a third party program to do this for you. In our experience, some web hosts can restore your files from a certain point; some for a fee, some for free. Check with them to see what’s available and what the restore process is BEFORE you have website issues. If your host doesn’t offer anything, look for a reliable third party program or have your web developers do this for you. We include a full offsite backup service for every website we manage here at Appletree.

Step 2 – Keep your plugins and files updated.

Some website content management systems will alert you when updates are available, some do not. When a website update becomes available, run it. We’ve talked over and over about how non-updated sites have wreaked havoc on organizations from information leaks to election hacks. Set aside time on your calendar to run updates, maybe check for them every morning during that first cup of coffee. Or sign up for an affordable maintenance package with a professional web firm.

Step 3 – Run security programs.

If you’re on WordPress there are several security plugins available. Most are free, but some offer premium services for a charge. We recommend Wordfence. But again, if you don’t keep your security plugins updated, it can’t keep you safe from new vulnerabilities.

Step 4 – Watch for signs of website issues.

If your website is broadcasting “Error connecting to database” or general “Error” messages there may be something going on behind the scenes. Perhaps your website is running slower than normal. It may be time to call in a website professional to take a look at website logs from the back end. Brute force login attacks sometimes go undetected until they kick in the door or a website professional spots them in a log and bolts the door shut.

Step 5 – Choose a good website host.

Shared website hosting is the cheapest hosting out there, but sometimes it’s like living in an old apartment building with a fire in one apartment. If one site gets hacked, all sites are now vulnerable. Read the reviews on your webhost, check their Twitter and Facebook accounts for real user comments. Cloud hosting has been all the talk over the last couple of years, but with the latest “cloudbleed” blunder even cloud hosting is being questioned. Dedicated website hosting is a little more expensive, but depending on the type of information you’re storing about your users, its likely worth the cost.

Step 6 – Keep an eye on who has access.

Limit not only the user accounts that have access your website, but also the programs that interact with your website. Apps that allow remote access to your website are easy targets for website hacking. These API programs allow for other programs such as social media to add content to your website. Unfortunately, they seldom encrypt your stored website login and password. This open door gets ignored by most website security programs because you granted access on purpose.

Step 7 – Update your computer.

If you don’t keep your computer updated and always run antivirus software with updated virus definitions as well as a good spyware program and malware program then you’ve left the keys in the car to be stolen. If your computer has been compromised, a keystroke logger could be recording all of your passwords.

Step 8 – Don’t use the same password.

It may be easy and convenient to remember one password for everything. However, if that password gets compromised on one service, it can be used to access your other services. You’d be surprised how many website databases do not store passwords as encrypted. Lax industry standards like this may leave your password open to prying eyes without you ever being aware.

Step 9 – Don’t store your passwords in browsers.

Your internet browser seems so helpful when it offers to remember a website password for you, but those passwords are stored in your browser unencrypted and are easy to access if your computer itself is compromised. Use a program that encrypts passwords and stores them safely. We recommend LastPass. It also recalls those password for you when you visit a website but stores them behind the scenes in a fully secured, encrypted way.

Step 10 – Scan your computer periodically.

Schedule a morning or afternoon every week to scan your computer for viruses and malware. Since this can take upwards of an hour maybe let it run during your phone calls for that day. If your software finds something, clean it up and scan again until all scans come back clean.