Website Security: How to protect your website from hackers?
Usually, website security only comes into focus when it is already too late and hackers have penetrated a website. We therefore want to focus more on the topic of website hacking. In this article, we present measures that, in our experience, help to better protect your website from hackers.
There’s been a lot of discussion lately over IT-security in critical infrastructure. Examples of hacked hospitals or traffic systems make us aware how vulnerable the digital system is. Even if your website isn’t part of a critical infrastructure, it may be enormously interesting for hackers. Not only to steal sensitive data, but also to send thousands of spam mails through your account or inject malicious code. Therefore, we recommend: make it a priority to protect your website from hackers.
For example, denial-of-service (DoS) attacks are booming. A total of around 50 million DDoS attacks have taken place in 2020. For this and many other reasons why websites are being hacked it’s essential to protect your online presence and brand reputation from being compromised.
The costs of website hacking: financial and reputational consequences
If your website falls victim to a cyber attack, the consequences can be severe. As a result of it, financial loss is probably one of the biggest risks associated with website hacking. Decide if you want to prioritize protecting your online presence. The following points might make you aware of possible consequences:
- Website access: Hackers can gain access to your website through vulnerabilities in the code or through social engineering.
- Theft of data: Once hackers have gained access, they can steal your customer data, passwords, and financial information.
- Resulting costs: Hiring help at short notice or paying a ransom will result in significant costs and does not guarantee surviving the hacker attack unscathed.
- Affected people: If personal data has been stored on the website, all potentially affected persons must be informed for reasons of data protection and privacy.
- Brand reputation: A hacked website can also damage your company’s reputation and cause customers to lose faith in your brand.
- Search engine rankings: The hacked content on your website can harm your rankings and damage your professional credibility.
How do you know if your website has been hacked?
Hacks can be obviously recognizable, for example, by a warning message in the browser. However, some hacks cause damage without being noticed because they are not immediately visible.
Here are 8 indicators:
- Your homepage looks different.
- You can’t login into your website.
- Admin users are removed or unknown users are added.
- Your website is redirecting to another website.
- A Google warning in Chrome appears.
- Your hosting company disabled your website.
- The website contains unsolicited content and spam pop-up ads.
- The website speed slows down noticeably.
How can you prevent website hacking?
There are many methods to protect your website from hackers. In the following, we will not only go through the – from our point of view – most important measures, but also discuss their benefits.
Keep in mind that none of the preventive measures give you the guarantee that your website is safe from hacks. Hackers always searching for new ways to gain access, but with some basic steps you can prevent the worst from happening.
1. Make the login more secure
There are a few methods you can implement to make website access harder. So let’s dig deeper and find out pros and cons:
Use strong passwords and change them regularly
Oldie but Goldie – we can’t highlight enough how crucial strong passwords are. Why? Have a look at the top popular passwords:
Ouch! To avoid this and secure your website, have a strong password policy in your company in place. Passwords of all users should be unique and complex, and users should be required to change their passwords regularly. Additionally, a password should be used only once per account. You don’t need to remember them: for managing and creating PWs there are some very good password managers like KeePassXC or 1Password.
Bleech-Tip: Check here if your passwords are exposed.
Force a minimum password strength
It’s not a bad idea to force users to use strong and complex passwords. You can force a minimum password strength and combination with the help of plugins.
Limit the number of login attempts
Limiting login attempts with a plugin can help prevent brute force attacks. For WordPress websites we recommend a Web Application Firewall like Ninjafirewall or Wordfence (see security method 4). Alternatively it’s possible to implement a Captcha infront of the login area, that will do the same job. We wouldn’t recommend reCaptcha for GDPR-reasons, and to use a privacy friendly alternative instead.
Changing the WordPress admin username
By default a username should never be admin. But a unique username doesn’t prevent hackers to figure out users of a website. Just by adding ?rest_route=/wp/v2/users after the main URL of a WordPress-Website user names of everybody who created a page or an article are revealed.
Change default login path
Limiting access to your wp-admin directory is another common method. Most web application firewalls have this features included.
Use a 2-factor Authentication (2FA)
The 2FA does make it harder to login for hackers, even if the password is compromised. The disadvantage of a 2FA is that it is more difficult for the actual user to gain access to their account. And it is not the cheapest security method. There are cases when it makes sense to implement it, but you should check if it’s worth the investment.
2. Install all latest security updates
To protect your website from hackers always make sure that your website is running the latest version of all software. There is no specific target group in terms of topic, instead outdated software is one of the most common ways that hackers gain access to websites.
For good reasons WordPress is the most popular CMS in the world. However, this makes it interesting for hackers. Regular updates help to keep your website up-to-date. Regardless how and when you do the updates, always make a backup before and recheck your website for errors afterwards.
Before you install a plugin, make research and check how much you can trust its quality. Are they updated regularly and are they compatible with the latest version of WordPress? Keep an extra eye on free plugins, before you install them.
3. Implement TLS encryption
The Transport Layer Security (TLS), successor of the SSL certificate, will protect any sensitive data being transmitted between your website and users, such as login credentials, payment information, and contact forms. Even if no sensitive data is transmitted, this encryption is standard for modern websites.
4. Use a firewall and anti-malware software
All preventative methods to make it harder to login are more or less weak in comparison to a good firewall.
If you’re hosting your website on a professional website host there is no need to install an anti-virus-software as a basic firewall is part of a it. If not, consider to change the host.
You’re running the website on your own server? Then go ahead with a web application firewall to protect your websites. It’s a powerful way to block hacker attacks before they reach your website. We usually work with Wordfence, but we also strongly recommend Ninja. If you wanna use the free version, Ninja provides more up-to-date data.
Tip: Configure Ninja based on the instruction of Daniel Ruf.
5. Back up your website data regularly
Storing backups is a key factor in recovering from a website hack. Not only irreparable damage to your server, but also a hacked website can cause you to lose your data. Make sure to implement regular backups by yourself or hire your agency to take care of security updates.
If malicious code is injected into your website, it can stay there for several weeks until you notice it. To fix the hack as soon as possible, you need to revert to an older backup without this malicious code. We recommend that you keep backups for at least 60 days, and be sure to keep them on a physically separate server. For websites with a lot of code and content changes, it’s best to make a daily backup. If your website doesn’t change much, a weekly backup is sufficient.
Tip: Don’t take it for granted that your web host or agency takes up the responsibility for website backups. Better ask them and check for their conditions.
6. Use professional hosting
A professional hosting service like our favorite All-Inkl will provide you with a solid foundation to protect your website from hackers. It contributes for your website’s security, even if you don’t take measures as described above. Most of them have built-in measures like malware scans, firewall, and regular updates and backups to protect your website. In addition, opt for hosting with 24/7 phone support. If something happens to your website, it is important to act quickly and restore your website with the help of the support team.
Tip: If you are not an expert, don’t experiment with hosting services just because they are cheaper. It might be at the expense of your website’s security.
7. Monitor your website with visual regression testing
Do hackers break into your site and add spam links or images on sub pages, you might not find them immediately. Checking your website for any unexpected visual changes consistently, helps you to spot and address issues before they cause serious damage to your website or its users. While you can manually test your website, we recommend implementing a thorough website monitoring strategy.
Visual regression testing can help you monitor and protect your website from potential hacking attempts. To automate this process we developed the WordPress plugin VRTs – Visual Regression Testing. The plugin creates reference screenshots of pages and compares them with daily comparison screenshots. If the tool spots a difference, you get notified immediately. This way, problems can be quickly detected and fixed.
Conclusion: Protect your website from hackers
WordPress is the most popular CMS in the world. However, this has also made it a popular target for hacker attacks. Hacks are sometimes not obvious to spot. At stake are sensitive customer data, but also the reputation of your company.
To summarize once again:
- Check if your website has been hacked.
- Backup your website data regularly.
- Take measures to avoid hacks.
- Develop an automatic monitoring strategy to spot hacks quickly.
If your website does get hacked, it’s important to take immediate action. Notify the authorities and your customers as soon as possible so that they can take steps to protect themselves. Then, work with a professional to clean up the damage. If you want to protect your website from hackers in the future, we can help you out.
Have you already made sure that your website is safe from hacker attacks? Share the article in your network and discuss the topic with us!
Is my website interesting for hackers?
There is no specific target group in terms of topic or size. The hacker’s motivation is to find a security gap in a plugin, a PHP version or something similar. Then they attack every website with this gap.
How do I make my website more secure?
Our top 5 of tips to protect a website from hackers:
- Use strong passwords
- Run only updated software
- Implement TLS encryption
- Back up your website regularly
- Use professional hosting
What to do when my website is hacked?
Get in touch with professionals immediately! Call your hosting service or web designer. Also notify the authorities and potentially affected customers.