I have clients whose websites got hacked. Both lost HEAPS OF time and money to deal with it. How can you protect your website from hackers?
One of them lost his entire website and had to rebuild from scratch. His website was offline for a couple of months as he had to go through the entire web design process again. It goes without say, it cost him BIG money and he had to divert LOTS OF time to deal with it.
The other client was hacked by someone from Russia. Fortunately, he had backups. But unfortunately, his backups were not up to date. He was able to get back most of his website. But the hacker left behind a trail of destruction which he had to spend money to pay someone to clean up.
So, the question is, have you taken any preventative measures to protect your website from being hacked? Sometimes, despite the best of your efforts, it is still possible for your website to get hacked. In that case, do you have any contingency plans to deal with it?
Here are some of the issues you have to think about. As the old adage says, prevention is better than cure. Both of my clients lost a huge amount of time and money to deal with the hack after the fact. Had they taken preventative measures and had contingency plans in place, they could have saved that time and money.
First, if you are using a shared web hosting service to power your website, know that not all of them takes cybersecurity seriously.
One of my client’s web-hosting provider was using an old version of PHP backend on their web server which had lots of known security holes. They were slow in upgrading the software on their web server. I shook my head when I discovered that. It is only a matter of time before their webserver will be hacked. And when that happens, all their customers’ websites will be affected with this one single attack.
Mind you, that web-hosting provider is one of the top 20 web hosting service provider. I will let this company remain unnamed.
Personally, more than a decade ago, my website was hosted by another top 20 web hosting service provider. They were very slow in upgrading the software on their webserver backend. Needless to say, I switched away from them.
So, the lesson is clear. Just because a company is a big-brand-name web hosting service provider does not mean they take cybersecurity seriously.
Updating your content management system (CMS)
Most of you will be using WordPress as your CMS. Others may be using Drupal. Whichever CMS you use, you have to be on the ball to update your CMS whenever they issue a software update. Each update will patch security holes as they are discovered so that hackers cannot get in.
Again, a good web hosting service provider can do that automatically for you. If not, you have to do it yourself proactively.
Watch your plugins
Most CMS allows you to extend its functionality with extensions called “plugins”. One of the most common ways for hackers to get in is via vulnerable plugins.
In fact, I would argue that it is easier for hackers to get in from vulnerable plugins than from vulnerable CMS. CMS like WordPress have the resources of a large corporation to fix and patch security holes as they are discovered. On the other hand, plugins are usually created by individuals and small companies, who may not have the resources to secure and patch their plugins.
My client’s website was hacked through a vulnerable plugin. Fortunately, he was able to restore his website from backups. However, because the plugin in the backup was still vulnerable, the hacker got in again.
That happened until the offending plugin was identified and patched with an update from the plugin creator.
Therefore, the general rule of thumb are:
- Use as little plugins as possible. The fewer plugins you use, the smaller your attack surface area and hence, the less likelihood for hackers to get in.
- Be on the ball to update your plugins. Again, a good web hosting service provider can do that automatically for you. If not, you have to do it yourself proactively.
Boost with security plugins
In WordPress, there are some security plugins that harden your website against hackers. Some of them prevent hackers from brute-force guessing your passwords. Some scan your website regularly for malware. Some provide a 2nd-factor authentication (2FA) security feature, which is basically a second password that changes every 30 seconds.
If you need any advice in this area, come speak to us.
You can have all the security you want, but if you practice poor password hygiene, all your security will come to nothing.
You have to make sure that your passwords are secure in these levels:
- Web hosting service provider account– This is the most important. If the hacker steals this password, he can do anything he wants, including stealing your entire website domain!
- CPanel– this is the ‘control panel’ of your web-hosting service. Again, a hacker steals this password, he can do a tremendous amount of damage.
- CMS (e.g. WordPress) account– If a hacker steals this password, he can deface and vandalised your website.
Unfortunately, in all my years in this industry, I still see people engaging in poor password practice. Sadly, some of them got hacked and had their lives and businesses severely disrupted, with financial and psychological implications.
So, what do you need to do to manage your passwords securely?
For starters, read Chapter 3 of my book, Digital Security & Privacy for Dummies. It will have all the information you need on password best practice. As I wrote earlier in If you don’t use a password manager, you will EVENTUALLY be hacked, if you do not do that, you will EVENTUALLY be hacked. It is a matter of time.
Backup! Backup! Backup!
You need to ensure that your website is backed up regularly! Very often, when hackers get into your website, they vandalise it and leave behind a trail of destruction. Getting cybersecurity professionals to secure your website is the first thing that needs to be done. But they cannot clean up and repair the trail of destruction that the hackers left behind. If your website is backed up, then it is a simple matter of restoring it. If not, then you have to pay big money for someone to repair the damage.
Not all web-hosting service providers back up your website. At least a big-brand-name service provider (which will remain unnamed) does not do that by default unless you pay extra. Sadly, a lot of business owners take up the default option and do not ensure that their website is regularly backed up.
So, what if you do not have a system of backing up your website regularly? In the worst case, my above-mentioned client had to rebuild his website from scratch after hackers trashed it completely. He had NO BACKUPS! Obviously, he suffered serious financial loss because of that.
The other client, fortunately, had backups. But it was not regular enough. Parts of his website remained affected, which he had to pay someone to fix. Again, this is a financial loss.
Having a backup system is one thing. Making sure it works when it comes to restoring your website is another. For example, one of my clients had a WordPress plugin that performed regular backups of his website. This plugin can only work if WordPress itself is running smoothly. Unfortunately for my client, hackers had damaged his WordPress website to the point that it could not run properly. Consequently, the plugin could not work. So, although he made regular backups, he had no means to restore his website when he needed it to be done.
One web hosting service provider I recommend is Stratigus, which is my other business. This website itself is hosted and managed by them. They are a personalised boutique service provider who takes care of their clients. I use them because:
- Their clients’ websites are hosted in Australia (Melbourne and Sydney), which will have a faster response time for Australian website visitors than if they are hosted in the US.
- They provide hourly time-machine backups of their clients’ websites. That means I can roll-back my website anytime back into the past by the hour. Most web hosting service providers provide daily backup. If you have customers interacting with your website throughout the day, a daily backup will not be able to capture the changes that happen through the course of the day. This can be a serious problem for eCommerce website because you may lose an entire’s day worth of orders.
- They provide secondary cloud storage backups. They have a facility to backup your website to another cloud storage location, just in case the primary hourly time-machine backup fails.
- They can automatically update your CMS and its plugins for you to ensure that you will always be running the latest version. This saves me lots of time.
- They provide standard SSL security for all their clients’ website.
- Most important of all, they take cybersecurity seriously and personally make it easy and hassle-free for their clients!