Website Security: How to Protect Your Site from Hackers

There’s no question that building a website is a lot of work.  You’ve put in tons of effort drafting your content, choosing the right graphics and checking every single link on your site – so why risk having your efforts ruined by hackers or malicious software programs?

Unfortunately, with advances in automated hacking programs, every site is a target.  You don’t have to be a large bank or online retailer to be the target of a cyber-hacking attempt.  Even the smallest website is at risk of falling victim to one of the following types of website attacks:

• Brute-force login attacks – If  your website utilizes any type of site building platform with a back-end login system  (WordPress is an example of this type of site), it is at risk of suffering a brute-force login attack, in which computer programs throw hundreds and thousands of login/password combinations at your site, hoping that one will eventually work.  Once the bot has gained access to your site’s back-end, it can append malicious code to your content without your knowledge.
• SQL database attacks – Similarly, if your site’s platform uses SQL databases to organize content, you could fall victim to computer bots attempting to inject malicious SQL database code into your site through login forms, comment forms and other vulnerable areas.
• Plugin vulnerability attacks – If you use a website building platform that makes use of third-party plugins to add functionality, rest assured that you aren’t the only one researching the different plugins that are available.  Hackers are as well, and once they’ve found a plugin with potential vulnerabilities, they can attack sites with these plugins installed.

Pretty scary, right?!  Well, yes and no.  Just like with home security, the key to preventing website security breaches that result in lost time, money and productivity is to be prepared.

The first step in protecting your site from security breaches is with constant vigilance.  Although there are some tools that are available to monitor your site for any perceived threats, there’s no program that’s 100% accurate.  This is why it’s so important to check the pages on your site regularly for any unexpected code or content you didn’t authorize.

The next step in protecting your site is to utilize whatever features your site’s platform offers for website security.

For example, say you run your website on WordPress – one of the most commonly used website building platforms available today.  Because the out-of-the-box WordPress installation itself has some security flaws, there are a number of actions you’ll want to take in order to “harden” this program.

The first is to make sure your WordPress installation is up-to-date.  The team behind this program is constantly fixing bugs and improving the system, which makes integrating any new releases into your website’s back-end incredibly important.  In most cases, this can be done automatically through the WordPress back-end dashboard, but you’ll want to be sure your existing databases are backed up before proceeding.

It’s also important to install WordPress security plugins that close other weaknesses or access points in the platform code that make your site vulnerable to hackers.  The following are a few free plugins to consider:

• Bulletproof Security – According to its description, this plugin, “Protects уουr website frοm XSS, CSRF, Base64 аnԁ SQL Booster hacking attempts.”  It offers a number of different configuration options that enable you to control how the files on your site are accessed and how your system information is backed up.
• Login Lock-down – This plugin helps to protect against the brute-force login attacks as described above by recording the IP address of every attempted login and shutting down the login form after a specified number of login attempts.
• Secure WordPress – This “all-in-one” plugin combines a number of different security enhancements and vulnerability fixes into one easy to use plugin.  One key feature of the plugin is that it hides information about the version of WordPress that’s currently installed on your site, which can help prevent attacks based on vulnerabilities discovered in individual WordPress releases.

Protecting an HTML website from attack can be a little more difficult than securing a WordPress site, as there are no plugins that can quickly and easily beef up the security of this type of code.  However, there are still a few tweaks that can be made to HTML sites in order to make them as strong as possible.  Here’s what you need to do:

• Check your file permissions – Every file that’s uploaded to your HTML site contains a set CHMOD number, which tells your server who is able to read, access and edit the page.  To secure your site, be sure that these permissions are set to the most stringent settings possible that still allow your site to run normally.
• Keep your email address off the site – Although it’s a little more work to add a contact form to your HTML website than it is to add this feature to a WordPress blog, it’s well worth the added security of keeping your email address of the site, as sharing your contact information in this way is pretty much an open invitation to spam artists to send potentially-malicious content directly to your inbox.
• Protect your source code – One of the reasons it’s so easy for hackers to attack HTML sites is that, in many cases, they’re source code is freely available for the taking.  To lock down your code and prevent spammers from making unauthorized duplicate copies of your website or analyzing your code to exploit any loopholes, consider investing in a script that protects your code.

As an alternative to managing website security on your own HTML site or WordPress site, consider a hosted site provider like the Intuit Small Business Website Services program.  When you work with a major website provider like Intuit, website security can be applied on a much larger scale, with a much greater level of sophistication than you might be able to achieve working on your on as a beginning webmaster.

Consider the following statement on data security from the Intuit Website Services FAQ page:

“As you should expect from a company producing top financial solutions like TurboTax, Quicken, and QuickBooks, data security, particularly over the Internet, is a critical priority at Intuit. We process millions of sensitive tax returns a year, so we know how to keep online data secure. Intuit Websites uses the same SSL data-encryption technology used by leading banks, and our servers are protected by security systems and personnel, firewalls, and intrusion detection software and hardware. And, of course, Intuit Websites is a VeriSign Secured™ product.”

However you choose to manage your website security, the most important thing is to be proactive.  Don’t wait until a security breach causes you to lose money – take the necessary precautions from the start of your website’s life to ensure that it’s safe and secure for your visitors.