What is website security and how can you protect your site?
Whether you’re running a huge ecommerce site or a small personal blog, your website means a lot to you.
After all you’ve spent time, effort and money getting it set up, and of course your site means a great deal to you – either because it earns you your living and/or because it (and its contents) has sentimental value.
For that reason, it makes sense to protect your website as much as possible. But the world of website security can feel confusing and intimidating.
In this guide, we’ll walk you through the threats you face and everything you need to know about how to protect your website. (And we’ll try to avoid overly technical language wherever possible.)
What is website security and how can you protect your website?
- Install an SSL certificate
- Use malware monitoring
- Use a web application firewall
- Use DDoS protection
- Update all software as soon as you can
- Understand how to detect phishing emails
- Make regular backups
- Use strong passwords
- Password-protect and encrypt all sensitive data stored offline
- Make a disaster recovery plan
1. What is website security?
Website security is any action taken to defend your site against hackers and other cybercriminals.
This can include installing security apps to protect your site, using strong passwords and educating yourself about potential hazards such as phishing emails.
Website security can also refer to steps taken to protect your website and business from harm that isn’t deliberately malicious, such as accidentally deleting important files.
2. What can website security protect my website from?
Comprehensive website security should protect your website from the following threats:
Malware (which is short for malicious software) can take many forms and can be incredibly hard to detect. High-profile malware attacks include the “cryptojacking” outbreak which affected the NHS in 2017, in which data was encrypted and held to ransom. Other forms of malware can sit on a site unnoticed and steal your visitor’s data, or even infect their device with malware.
DDoS (or distributed denial of service) attacks might sound complicated, but the idea is simple. In such an attack, cybercriminals overwhelm a website by flooding it with automated traffic which in turn stops real visitors from accessing the website. Sometimes the criminals demand payment in exchange for ending the attack.
If a hacker can access you site, they can make changes to it. Sometimes that might include injecting malware, on other occasions it might mean displaying a message of some kind. Either way, it will stop you site functioning as intended.
If your website isn’t secure, it may be possible for hackers to access it and steal sensitive information such as customer details.
Accidental data loss
Sometimes your website or business can be hit by actions that aren’t malicious but are still deeply damaging. Accidental data loss can take down a website in the same way as a cyberattack, so good website security will help guard against both eventualities.
3. What are the potential consequences of a cyberattack?
If you’re website is a source of income and it’s taken down by hackers, you’ll lose money every day until your site is up and running again. Additionally, in a worst-case data loss scenario you may face fines (see below.)
A hacking attack has the potential to wipe out your site. If you’re running a personal blog, that could mean losing precious memories. If you’re running a business website, it could mean you’re offline while you rebuild your site.
If your website is compromised by malware, then there’s a chance that the cybercriminals responsible are stealing customer data (such as passwords, and even payment data) that is stored or entered on your website. The hackers might even set up phishing pages on your site which look legitimate but are designed to steal data. You could also be targeted by phishing emails, which are designed to steal sensitive information or install malware. Not only will your reputation suffer if data theft takes place, but you could also get a fine for breaching GDPR. You can learn more about GDPR in this guide.
Malicious redirects and links
Hackers can also redirect visitors away from the website they wanted to visit (in this case yours) and to a malicious site where they run the risk of being hacked themselves. Additionally, hackers can add links to your website with the aim of boosting the link-to site’s search engine rankings, often these links point at malicious or untrustworthy websites.
Search engine blacklisting
Google aims to keep people safe and for that reason it blacklists unsafe websites. In practice, this means that if your website is hacked it could be removed from search results and potential visitors will see a warning that your site may be unsafe.
4. Why should I implement website security measures?
If the above points haven’t persuaded you that you need to secure your website from hackers, then here are a few more points to remember.
A cyberattack will hurt your reputation
Research by KPMG shows that 58% of consumers and 86% of procurement managers would avoid using a firm that had experienced a cybersecurity breach.
It will cost you money
Small businesses hit by a cyberattack spend an average of £25,700 in direct costs to clean up after the attack, according to research by Hiscox. That doesn’t include potential additional costs such as reduced sales in future because of reputational damage, or fines from regulators.
Cybercriminals target small businesses
You may think that big businesses are the main target for cybercriminals, but smaller businesses are seen as an easy target because they’re less likely to take web security measures. Research by the Federation of Small Businesses shows that 66% of its members were targeted by online criminals over a two-year period.
Hacking attacks can be very hard to spot
You may think that it will be easy to tell if your site has been hacked, but cybercriminals go to great lengths to cover their tracks and you may only discover a problem after significant damage has been done. Good website security will proactively monitor your site, meaning attacks can be stopped sooner.
5. How to protect your website from hackers
Cybercriminals often target low-hanging fruit because it offers them the prospect of returns with the minimal amount of effort. That means putting some simple website security measures in place can significantly reduce your risk of being attacked.
Install an SSL certificate
When someone enters data on your website (including things like email addresses and credit card details), that data can be accessed by a third-party (a hacker for example) unless steps are taken to protect it. Installing an SSL certificate on your website ensures that any data entered is encrypted, meaning that even if it is intercepted by a hacker, they won’t be able to view it.
You can learn more about SSL certificates and why they matter in this guide.
All GoDaddy Website Security packages offer an SSL certificate as standard. Alternatively, you can buy a standalone SSL certificate.
Use malware monitoring
Because malware is so sneaky it’s advisable to use a malware monitoring tool for your website. A good malware monitoring tool should be able to detect malware on your site and remove it. GoDaddy Website Security’s Standard package offer malware scanning and an annual site clean-up, while the Advanced and Premium package offer unlimited clean ups. Make sure any website security system you use covers malware detection at the very least.
Use a web application firewall
Malware monitoring is good enough for basic sites such as simple blogs, but for business sites you should consider using a web application firewall (WAF) as well. A WAF will actually prevent malware being installed on your site in the first place, making it even more secure. GoDaddy Website Security offers a WAF as standard.
Use DDoS protection
If your site generates income, it’s a potential target for a DDoS attack. GoDaddy Website Security’s Advanced and Premium packages offer DDoS protection thought the use of a content delivery network.
Update all software as soon as you can
Cybercriminals target out of date software because it usually has security flaws they can exploit. Update everything as soon as possible, including your operating system, anti-virus software, WordPress plugins if you have a WordPress site and any other software you use. Remember, the security of websites also depends on the security of the devices used to access and update them.
Understand how to detect phishing emails
Learning to spot phishing emails will help make sure you never put data at risk by clicking on something you shouldn’t. You can learn how to spot phishing emails in this guide.
Make regular backups
If your site is attacked, a backup can help make sure you get up and running again quickly and easily. GoDaddy offers a backup service as part of its Advanced and Premium website security packages, and a standalone Website Backup product.
You should also ensure you backup any business-critical data that is kept elsewhere, such as on your laptop.
Use strong passwords
All the website security in the world won’t do you any good if your password can be easily guessed. Make sure you use strong, unique passwords for every online account you have, including anything related to your website. You can learn how to create strong passwords in this guide. You should also consider using a password vault such as LastPass.
Password-protect and encrypt all sensitive data stored offline
So far, we’ve mainly focused on keeping your website safe, but the chances are you also have important and sensitive business data stored offline, on a laptop or on other storage devices. You should always password protect and encrypt this information (especially if it contains personal information such as card details or names and addresses) that way if the information does fall into the wrong hands, it will be inaccessible. The alternative is having to admit to your customers that someone could have their sensitive personal information because you left your laptop on a train, followed by an investigation by the Information Commissioner’s Office.
Make a disaster recovery plan
No matter what steps you take, you can never be 100% protected against cybersecurity threats. For that reason, it’s important to draw up a disaster recovery plan. The plan should detail the threats your business faces, the steps you’ve taken to mitigate these threats and what you’ll do to get your business back on track after a problem strikes. You can read more about creating a disaster recovery plan in this guide.
Website security can seem like an intimidating topic for the layperson, but you don’t have to be an expert to protect your website.
A Website Security package like the ones offered by GoDaddy don’t need any specialist knowledge and will help you keep things safe.
You should also make sure you use strong passwords and keep software up to date.
Confused about website security? Give the GoDaddy Guides a call on 020 7084 1810.