Protection against cyberattacks: How to secure your website
Author: Elias Rendón Benger, Head of product management 1&1 MyWebsite
The website is your organization’s most powerful digital touchpoint: You can be found online, can present ideas and offers, provide contact information or sell products. However, in addition to all the benefits, an online presence can also be a risk – for you and for your visitors. We will show you why you should take the protection of your site seriously and what simple precautionary measures you can take.
If a website is the target of a cyberattack, it can be completely shut down by the attack. In this case, you lose website visitors or potential customers who are unable to access your site until the problem has been solved. Much more devastating, however, is the theft of sensitive data or the infection of your website with viruses that automatically install on the PCs of your site’s visitors. In the worst case, this results in a loss of confidence among customers and suppliers, or even in a loss of revenue or penalties.
Do you wonder why your website would be hacked? Websites of small and medium-sized businesses are particularly vulnerable to cyberattacks. Attackers exploit the fact that smaller companies often cannot afford their own IT experts, so their systems are often not professionally protected. This lack of expertise can leave vulnerabilities open and gives criminals an easy job.
Whether you run your website yourself or have an external service provider take care of the administration – we will give you ten tips that you can easily implement to actively contribute to the security of your website.
- Use solutions from trustworthy vendors
It sounds simple, but it is not easy to get an overview of the variety of different offers. When looking for a trustworthy provider, look for tests, customer ratings and awards received for products or customer service. PC Magazine, for example, annually awards an IT reader’s choice award in 18 different categories.
- Run a security check
To find out whether your website has already been infected with malicious software (malware), a site check is recommended. The Association of the Internet Industry “eco” offers a free examination (see www.initiative-s.de). After registering with their internet address and a valid e-mail address, companies can start the check. If an attack on the website is found, the company receives instructions via e-mail on how to remove the identified malware. A similar check is offered by VirusTotal. Users of WordPress can use the WordPress Security Scan, which was developed especially for the most popular content management system.
- Encrypt your site with SSL
Have you ever wondered why some Internet addresses begin with “http://” and others with “https://”? The extra “s” stands for “secure” and refers to a protected site. The most important way to protect the exchange of data on a website is an SSL certificate. SSL stands for “Secure Sockets Layer” and describes a network protocol for the secure transmission of data. This technology encrypts the transfer of data on a website so that unauthorized persons cannot follow it. Especially when requesting sensitive information such as passwords, e-mail addresses or bank details, you can thus protect the privacy of your site visitors. You can demonstrate this by displaying the logo of your SSL provider on your website.
- Use secure login information
It sounds simple, but many people still use weak passwords. The world’s most widely used password is the simple key sequence “123456”.
The main rules for a strong password are:
– It cannot be found in any dictionary
– It doesn’t consist of number or letter combinations that represent repetitions (111aaa) or keyboard sequences (qwerty)
– It is at least eight characters long, including special characters and numbers as well as uppercase and lowercase letters
– It is only used once
Tools such as 1Password and LastPass help to generate and manage strong passwords. In addition, it is recommended to change the system’s default usernames such as “admin” or “user”.
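The four password rules above, written as a check that could run whenever a password is set. This is an added example, not part of the original article; the word list, the keyboard rows and the function names are assumptions made for illustration, and a real check would use a full dictionary or breach list.

```python
import re

# Constructed sample data (assumptions, not from the article): a tiny stand-in
# for a real dictionary/breach word list, and the rows of a QWERTY keyboard.
WORDLIST = {"password", "welcome", "sunshine", "123456"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_keyboard_sequence(pw, length=4):
    """True if pw contains `length` adjacent keys from one keyboard row,
    typed left-to-right or right-to-left (e.g. 'qwer', '4321')."""
    lowered = pw.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(direction) - length + 1):
                if direction[i:i + length] in lowered:
                    return True
    return False


def check_password(pw, already_used=()):
    """Return the list of rules that pw violates (empty list = acceptable)."""
    problems = []
    if pw.lower() in WORDLIST:                 # rule 1: not in a dictionary
        problems.append("found in dictionary")
    if re.search(r"(.)\1\1", pw):              # rule 2a: repetitions (111aaa)
        problems.append("repeated characters")
    if has_keyboard_sequence(pw):              # rule 2b: sequences (qwerty)
        problems.append("keyboard sequence")
    if len(pw) < 8:                            # rule 3: length ...
        problems.append("shorter than eight characters")
    classes = {                                # ... and character classes
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "number": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, pw):
            problems.append("no " + name)
    if pw in already_used:                     # rule 4: only used once
        problems.append("already used elsewhere")
    return problems
```

`already_used` stands for the passwords already stored in the user's own password manager, so the reuse rule is checked locally and never against a shared list.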
- Use the latest versions of WordPress and Co.
You can simply ignore this point if you are using a website builder or any other solution that is fully managed and updated by your provider. However, if you run your website yourself, you should always use the latest version of your content management system, such as WordPress, Joomla or TYPO3. You should also keep all plug-ins and other extension modules up to date at all times. This prevents vulnerabilities in outdated versions from offering a target for hackers.
- Keep browsers and programs up to date
Not only your website itself, but also local PC applications can become a target for criminals. Always keep your browser (Mozilla Firefox, Internet Explorer, Google Chrome, etc.) up to date by downloading updates regularly. The easiest way to do this is via the automatic update feature of the respective program, which can be found in the settings.
- Integrate a captcha
In order to prevent attackers from flooding your site with spam, you should protect sensitive website elements such as contact forms or guestbooks with captchas. These small modules test whether a real person or a computer is attempting to transmit data via the website. Users need to solve a small task and fill in the result before they can proceed. Typical captcha tasks consist of reading blurred character strings or solving simple math problems. These tests are no problem for humans but are difficult for computers to manage. Many website builders allow simple captcha integration. In addition, tools like reCAPTCHA help you produce these simple modules yourself, if necessary.
- Provide a legal notice
Besides the protection of your website against hostile attacks, you, as a site operator, should also make sure that legal requirements are fulfilled. As an entrepreneur you are legally obliged to provide an imprint on your website. This must include at least the official company name, postal address and an email address. Furthermore, it is required to mention an authorized representative and the commercial register including your register number. Trusted Shops or eRecht24 offer free imprint texts that are created based on your company data.
- Protect subpages with passwords
Many website tools provide the opportunity to protect individual subpages with individual passwords. If you publish sensitive information on your website that you only want to make accessible to a limited group of people, page-related password protection is a handy solution. In this way, you can conveniently provide files or account information for partners and suppliers that are not intended to be seen by your customers.
- Handle e-mails carefully
This tip does not directly apply to websites. However, the way you use your e-mails can also significantly contribute to the vulnerability of your website. Never open e-mails, links or attachments from unknown, dubious senders. Such content may include viruses that are transmitted to your PC once you open it and grant attackers access to personal data and systems – and thus also to your website. In addition, you can prevent third parties from reading sensitive information by encrypting your e-mails. The Federal Ministry of the Interior provides guidelines for secure e-mail communication with additional tips.
As you see, protecting your website against attacks doesn’t have to be complicated. Also ask your website provider what kind of security measures they provide and what you can do additionally to protect your website.