Is your Website Security up to scratch?
Website security is a dry, yet important topic. There are a few different elements required for complete website security.
First up there’s the security of your website itself. This is the layer of protection between your website and anyone trying to access the backend. This is the security protocol that protects you from hackers.
Distributed Denial of Service (DDoS).
A DDoS attack occurs when your website server becomes overloaded due to an extreme volume of requests, beyond what your server can cope with. In case of attack, a good security product will block IP addresses to reduce load on your server.
It’s worth noting that DDoS is not always malicious and can result from poor planning on the part of the business. In 2016 the Australian Government Census site crashed due to load as millions of Australians tried inputting their data. The server just couldn’t cope.
On a smaller scale, in mid 2017, fashion retail brand Gorman offered up a quantity of free limited edition T-shirts in support of marriage equality in Australia. The website crashed under the unusually high load, resulting in a big ouch to their bottom line. I guarantee they lost sales as a result!
This highlights the need for good site security, to fend off malicious attack, and website hosting that’s fit for purpose. You don’t want your site to crash if you get some sudden attention that could lead to new sales or clients. That viral post, destined to make you famous, is no good if it crashes your site when everyone is trying to read it.
Brute Force Attack.
A brute force attack is exactly what it sounds like: someone trying to muscle their way into your website and mess it up or hold it for ransom.
The first line of defence against brute force attack is your username and password.
Avoid using a username like ‘admin’ and ensure your password is strong. I know it’s impossible to remember those long gobbledygook passwords but they’re worthwhile because they’re much harder to hack.
Your website security product will further protect you from brute force attack by locking out IP addresses for multiple failed login attempts and adding user authentication, like reCAPTCHA, to login pages and form submissions. User authentication prevents automated bots from trying to log in.
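The lockout behaviour described above, sketched as an added example (not code from this article or from any particular security product). The thresholds, the class name and the sample attempts are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold; the article gives no number
WINDOW_SECONDS = 300    # assumed: failures are counted over 5 minutes
LOCKOUT_SECONDS = 900   # assumed: a lockout lasts 15 minutes

class LoginGuard:
    """Track failed logins per IP and lock out IPs that fail too often."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.locked_until = {}              # ip -> time the lockout ends

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record(self, ip, success, now):
        """Record one login attempt; return 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"  # refused before the password is even checked
        if success:
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        # Drop failures that have aged out of the counting window.
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            recent.clear()
            return "locked"
        return "failed"

# Constructed sample: (seconds, ip, username, did the password match?)
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7", "admin", False),
    (2, "203.0.113.7", "admin", False),
    (4, "198.51.100.20", "jane", False),   # a real user mistyping once
    (5, "203.0.113.7", "admin", False),
    (7, "203.0.113.7", "admin", False),
    (9, "203.0.113.7", "admin", False),    # fifth failure: lockout starts
    (10, "203.0.113.7", "admin", True),    # correct password, still refused
    (12, "198.51.100.20", "jane", True),   # other visitors are unaffected
]

def replay(attempts):
    guard = LoginGuard()
    return [guard.record(ip, ok, t) for t, ip, _user, ok in attempts]
```

Because the lockout is keyed on IP address, it slows a single automated source while leaving other visitors able to log in.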
Protecting yourself from website vulnerability
Websites are created with code, no surprises there. As changes and improvements are made to website code weak spots sometimes open up, creating vulnerability. The easiest way to protect yourself against hackers sneaking in through any holes is to ensure updates are completed regularly.
A large percentage of websites are built on content management system (CMS) platforms. When source code, the foundation of your website, is updated you need to apply that update to your website. Other, secondary elements, like themes, plugins and custom code elements, will also need to be updated from time to time. The secondary elements are updated for a variety of reasons including:
- Maintaining compatibility with your CMS
- Addition of new functions
- Improved efficiency
- Code fixes
Website code updates are usually straightforward to manage. In most cases there is some kind of notification when you log in to your website dashboard.
For example:
In WordPress it looks like this:
When there are updates pending we recommend completing them in the following order:
- CMS (e.g. WordPress)
- Theme
- Plugins
Ideally you should also ensure that your site has been backed up prior to running updates. This protects you should any unexpected conflicts occur when you update.
Whilst running updates is an easy process, we find that many business owners don’t do them regularly. Sometimes it’s because they haven’t been told they need to but, more often, it’s because they don’t log into their website regularly.
Website Backups
As with anything important, it’s a good idea to keep a copy of your website somewhere safe. Your website should be set up to back up routinely to both the server and somewhere offsite.
Usually website backups to the server are completed more frequently than offsite backups.
The reason for maintaining an offsite backup is to protect you in case your server fails or is hacked. This is rare but it definitely does happen, and I’ve heard horror stories about it happening to very reputable businesses.
Server backups are quick and easy to restore if required, and chances are you’ll need to wind your website back a step at some stage. Ever closed a document without saving and lost all your hard work in the blink of an incorrect mouse click? Me too.
It’s not quite as easy to delete a whole page (or more) of your website but it does happen. A recent server backup allows you to correct that mistake very quickly by simply restoring the most recent backup.
Without a recent backup fixing up those accidental slips isn’t quite as easy.
Recently a brand-new client managed to accidentally trash their website when setting up our user ID. I logged in for the first time only to find a website that didn’t look anything like the one I’d seen when I quoted the job.
I wanted to cry.
When I discovered that the last backup was more than 12 months old I felt nauseous.
Thankfully the trashed website was sitting in the trash, not permanently deleted but it took the best part of a day to restore the site page by page and image by image, during which time their phones stopped ringing.
What was supposed to be a few hours’ work turned into quite a few more.
The moral of the story… make sure you’ve got a good backup system in place. It makes disaster recovery a whole lot easier should an unfortunate event unfold.
If you want a hand to ensure that your updates and backups are routinely completed this is something we can handle for you with our monthly WordPress website management package.
How about Secure Sockets Layer (SSL)?
What is SSL?
SSL is the standard security technology used to establish an encrypted link between the person visiting your website and your web server. It’s an industry standard used by millions of websites to ensure that all data entered remains private, which is obviously a good thing!
Visitors to a website can tell if it’s secure by the green padlock displayed next to the website address (URL) at the top of the webpage.
Why is an SSL important?
The primary purpose for SSL is to encrypt information sent across the internet so only the intended recipient can understand it. If data is left unencrypted, without an SSL certificate, any computer in the link between you and the server can see the transferred information.
With an SSL in place data is encrypted, making it unreadable to anyone you don’t want to see it.
In short, dealing only with SSL protected websites protects you from hackers and identity thieves. Likewise, encrypting your website protects your visitors.
Search engines (like Google) and browsers (like Chrome and Safari) provide visual cues to show visitors that a website connection is (or isn’t) secure. Because the expectation is that websites should be protected by an SSL in order to protect visitors they’ll warn them if the appropriate security layer isn’t in place.
Because Google and other search engines will consider your website to be more trustworthy if it does have an SSL, you’re likely to rank higher in organic search results than sites that don’t.
Search ranking aside, users will trust you more.
Going forward search engines and browsers will issue warnings when people try to navigate to or enter data in websites that aren’t SSL encrypted. The last thing you want to do is turn people away from your business because they don’t trust your website.
How do you add an SSL?
Adding an SSL certificate is a reasonably straightforward process but if all the necessary steps aren’t completed then you can confuse searches and lose ground with your organic ranking. When you add an SSL to your website URL it’s the same as changing your website address completely so there are a couple of important steps you need to take.
When an SSL certificate is added to your site it will change from http://yoursite (without an S) to https://yoursite (with an S).
There are four steps required to complete an upgrade from non-encrypted http to encrypted https.
- Purchase the SSL certificate. The best place to get this is from your current website host provider.
- Apply the SSL certificate to your hosting
- Apply the SSL certificate to your website
- Tell search engines that they should be looking for your https site in preference to your http site and which https pages are equivalent to http.
It’s something that you can do for yourself but it’s also a stand-alone service we provide.
We make sure that when adding an SSL it is not only installed but also configured to ensure the Trust and Authority your existing site has is maintained for the new secure site.
We ensure all the content on your site is delivered securely, so the padlock is green and you don’t have pages with both secure and unsecure content.
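A check for the "both secure and unsecure content" problem described above, as an added example (not code from this article). It lists the resources a page served over https would still try to load over plain http; the `yoursite.example` address and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that points at content loaded into the page.
# Plain <a href> links are navigation, not page content, so they are skipped.
FETCHING_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}

class MixedContentFinder(HTMLParser):
    """Collect sub-resources an https page would still load over http://."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link> tags are loaded as page content;
        # canonical or alternate links are left alone here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs.get(FETCHING_ATTRS.get(tag, ""), "") or ""
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url))

def find_mixed_content(html):
    """Return (tag, url) pairs that would break the padlock on an https page."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure

# Constructed sample page, as if served from https://yoursite.example/
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://yoursite.example/style.css">
<script src="http://yoursite.example/js/slider.js"></script>
</head><body>
<img src="http://yoursite.example/uploads/logo.png">
<img src="/uploads/banner.jpg">
<a href="http://partner.example/">Our partner</a>
</body></html>
"""
```

Each URL it reports needs to be changed to https (or to a relative path) in the theme, plugin or page content that produced it.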
Between now and March 2018 we are offering to manage the installation of an SSL for all new Website Maintenance clients who don’t have one in place already.