Dave Braun: My 3 Important Steps to Secure Your Website
I’m sure you’ve heard the many stories of cyber hacking that have occurred in recent months and years, and sadly, that’s the new normal for life in the technology age.
Nearly every day I come across a new, cleverer attempt to get into someone’s account or take control of their web hosting account. It’s a constant game of cat-and-mouse with those wishing to exploit YOU for their own purposes; whether for money, recognition, or to simply prove to themselves that they can do it.
Surprisingly, I also hear of stories where an old hacking method still works. Why? Because too many of us don’t take the necessary steps to stay safe in our online world.
When we drive our cars, we take several safety precautions each time; some are constant and some are one-time:
- we put on our seat belts
- we look around us before backing out
- we check our gauges constantly as we drive
- we regularly check our mirrors as we drive
- we DON’T text as we drive (OK, I hope that isn’t you!)
We do these things because it’s been proven to help keep us as safe as possible.
So with all of the pain, sadness and potential loss of income that can occur when someone hacks your website or steals your personal data, why don’t we put in the effort to avoid these troubles?
It really comes down to believing it only happens to the other guy and will never happen to us.
But, deep down, you know it can. So why not take a few simple precautions that really don’t take much time or effort?
The best way to accomplish these simple steps is to make them a habit in your online life. (How to form a habit is for another article.)
3 Steps to secure your website
1. Have unique Passwords for everything
This means that each and every one of your logins, for your own website and hosting accounts as well as ALL your other online accounts, is different. For the best protection you should have unique usernames too, but you MUST have unique passwords, and not the most common ones such as “password”, “123password” or “12345678”. The main reason is that when a site you use is breached (and it is very possible one will be), the leaked username and password get tried automatically against other sites, a technique called credential stuffing. With a unique password, the damage is limited to that one account.
Of course, you’ll never remember all those unique usernames and passwords (and please don’t write them down somewhere for a cyberpunk to find), so you’ll need a password manager to help. You can search online for articles rating them; most of the well-known ones work fine. If you’re not familiar with them, the premise is that you remember just ONE master password that you won’t forget (long and not guessable) to unlock an encrypted database that holds all your other passwords. Because that one password protects everything, make it the strongest you have, and where your hosting control panel, WordPress login or e-mail offers two-factor authentication, turn it on so a stolen password alone is not enough.
I’ve experimented with LastPass and my web coach recommends it, and it is a good solution, but I currently use KeePass and keep my encrypted database synced across multiple devices. I use Dropbox for this, but you can use Google Drive or anything similar.
2. Keep all software patched and up-to-date on all your devices
On Your Website: this means themes, plugins and the core files of the software on which your website is built (such as WordPress). Just about ANY software has security holes, because humans aren’t perfect; what matters is how quickly you apply the fix once one is published. Unused themes and plugins count too: delete them rather than leaving them installed and unpatched, since their files are still reachable on the server.
You’ll also want to make sure the version of the underlying language your website runs on is, at a minimum, still a supported one. For example, WordPress is written in PHP. When this was written, the lowest version still receiving bug and security fixes was 5.6, with 7.0 the better choice; both have since reached end of life (at the end of 2018), so check the supported-versions page at php.net rather than trusting any fixed number, and ask your host to move you to a supported release if needed.
On Your Mobile Phone and Tablet: most updates you get not only add features but fix security issues, ranging from REALLY serious to exploitable only by the most sophisticated attackers. Read the release notes; if they don’t mention it, vendors publish the security content of each update separately (Apple’s security updates page and Android’s monthly security bulletins).
On Your Computer: keep the operating system up to date, especially when you get security notices. If possible, enable automatic updates for these fixes; the risk of something breaking is minimal and you’ll narrow your window of exposure to as small as possible.
Side Note: For all the above, my normal personal and business practice is to wait to update major releases on my website, phone/tablet, or computer, for at least one week, and possibly a month or more, so that others can find the bugs in the release and get major ones resolved within that timeframe.
I’d wait even longer to make updates when it’s an almost entire re-write of the software. For example, going from macOS El Capitan to High Sierra is not a security decision UNLESS El Capitan is no longer receiving security updates. Once that happens, you’ve gotta update! The same applies to Windows: Vista stopped receiving security fixes in April 2017 and Windows 8.0 in January 2016, so you should be on Windows 8.1 or 10.
3. Run “Security” Software
I. On Your Computer
For a Windows PC, having antivirus software running is a must-have (Windows 8 and later ship with Windows Defender built in, so the question is mostly whether it is turned on and updating). For Apple computers, you really should, though it’s not quite as necessary. Why? For two reasons:
- Windows runs the large majority of desktop computers, so criminals target that bigger share, since most of the time their goal is to make money OR take control of computer resources to run their own software.
- macOS ships with several protections: programs run as an ordinary user and need your password to change system files, Gatekeeper checks that downloaded apps are signed by an identified developer, XProtect blocks known malware, and apps from the Mac App Store run in a sandbox. That is not the same as immunity: Mac malware exists, and the UNIX heritage by itself does not sandbox anything, so the usual care about where you download software from still applies.
There are several great free and paid antivirus programs available. Which company has the best one changes over time, so please search online and read a recent rating article.
See discussion below on backup solutions.
II. On your website
A. Within WordPress (and likely other Content Management Systems), there are plugins that protect against scammers and nasty folk trying to hack in. For example, such software notices when someone fails to log in many times in too short a period, which indicates a password-guessing attack, and then “locks out” further attempts for a specified period. Two details matter when you configure it: lock out the source address (or rate-limit it) rather than only the username, because a username lockout lets an attacker lock YOU out of your own site simply by entering your admin name with wrong passwords (attackers also spread guesses across many addresses, so the plugin should at least alert you when one username is being hit from many places); and don’t use “admin” as a username, since that is the first name any guessing script tries. Adding two-factor authentication to the login removes the value of a guessed password altogether.
It’s quite possible the server on which your site is running also has protection (hosts commonly run a tool such as fail2ban that reads the web logs and blocks repeat offenders at the firewall), but it’s a great idea to include an extra layer.
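The lockout logic described above, as an added example (it is not a plugin’s code and not from the original post): a Python script that reads login-attempt log lines in a constructed format, locks out a source address after five failures within five minutes, blocks anything from that address during the lockout (even a correct password), and only raises an alert, without locking anything, when one username is being tried from several addresses. The log line format, the thresholds and the IP addresses (documentation ranges) are assumptions made for the example.

```python
"""Detect password guessing against a login form and decide what to lock out.

Added example, not code from the original post: a sliding-window counter
keyed by source IP (which gets locked out), plus a per-username check across
IPs that only alerts, because locking the username would let an attacker lock
the real admin out.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, invented timestamps). The
# line format is an assumption: a logging plugin writing one line per attempt.
SAMPLE_LOG = """\
2024-01-12T10:00:01 wordpress: Authentication failure for admin from 203.0.113.5
2024-01-12T10:00:03 wordpress: Authentication failure for admin from 203.0.113.5
2024-01-12T10:00:05 wordpress: Authentication failure for admin from 203.0.113.5
2024-01-12T10:00:07 wordpress: Authentication failure for admin from 203.0.113.5
2024-01-12T10:00:09 wordpress: Authentication failure for admin from 203.0.113.5
2024-01-12T10:00:11 wordpress: Accepted password for admin from 203.0.113.5
2024-01-12T10:01:00 wordpress: Authentication failure for admin from 198.51.100.7
2024-01-12T10:01:30 wordpress: Authentication failure for admin from 198.51.100.8
2024-01-12T10:02:00 wordpress: Authentication failure for dave from 192.0.2.10
2024-01-12T10:02:05 wordpress: Accepted password for dave from 192.0.2.10
2024-01-12T10:20:00 wordpress: Authentication failure for admin from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) wordpress: (?:Authentication (?P<fail>failure)|Accepted password) "
    r"for (?P<user>\S+) from (?P<ip>[0-9.]+)$"
)


def detect(lines, window=timedelta(minutes=5), lockout=timedelta(minutes=15),
           ip_threshold=5, spray_threshold=3):
    """Return a list of (event, subject, detail, timestamp) tuples.

    lockout: an IP reached ip_threshold failures inside `window`.
    blocked: an attempt (even with the right password) arrived during a lockout.
    spray:   one username failed from spray_threshold distinct IPs in `window`.
    """
    failures_by_ip = defaultdict(deque)   # ip -> timestamps of recent failures
    failures_by_user = defaultdict(dict)  # user -> {ip: time of last failure}
    locked_until = {}                     # ip -> datetime the lockout expires
    events = []

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login line; ignore it
        ts = datetime.fromisoformat(m["ts"])
        ip, user = m["ip"], m["user"]

        # Enforce an active lockout before even looking at the attempt's result.
        if ip in locked_until and ts < locked_until[ip]:
            events.append(("blocked", ip, user, ts))
            continue

        if m["fail"] is None:
            # Successful login: a legitimate user who mistyped once should not
            # carry those failures forward.
            failures_by_ip[ip].clear()
            continue

        # Per-username view across sources: alert only, never lock the user.
        failures_by_user[user][ip] = ts
        active_ips = [i for i, t in failures_by_user[user].items() if ts - t <= window]
        if len(active_ips) >= spray_threshold:
            events.append(("spray", user, len(active_ips), ts))

        # Per-IP sliding window: this is what actually gets locked out.
        recent = failures_by_ip[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= ip_threshold:
            locked_until[ip] = ts + lockout
            events.append(("lockout", ip, user, ts))
            recent.clear()

    return events


if __name__ == "__main__":
    for event in detect(SAMPLE_LOG.splitlines()):
        print(*event)
```

Run as-is it prints three events for the sample: the lockout of 203.0.113.5 on its fifth failure, the blocked attempt two seconds later (the attacker got the password right, but the lockout still stopped it), and a spray alert when “admin” had failed from three different addresses. In practice the lines would come from your plugin’s log or the web server’s access log, and a lockout event becomes a firewall rule or a plugin lockout entry.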
B. Include a TLS certificate (still widely called an SSL certificate). This is a MUST HAVE today: search engines rank plain-HTTP sites lower, and browsers label them “Not secure”. To know if you have one, type “https://” instead of “http://” ahead of your website address in the browser address bar. If successful, you’ll see some type of secure indication (usually a padlock), as shown in the picture below. Also check that the plain “http://” address redirects to the “https://” one, since visitors who type the bare name will otherwise still get the unencrypted site.
The certificate lets a visitor’s browser confirm it is really talking to your server, and the connection it sets up encrypts everything shared between your website and that visitor, so nobody on the path (a coffee-shop Wi-Fi, for instance) can read or alter it. This is especially important if you’re exchanging e-mail addresses, names or, above all, passwords (including your own WordPress login) between the site and the browser. Note what it does not do: it protects data in transit, not the site itself, so a site with a certificate and an unpatched plugin is still an easy target.
C. Backup solutions. You should have multiple backup solutions for everything you have electronic, including your website.
To quickly determine if you have adequate backups, think about what happens if someone breaks into your house and steals your computer, your phone or anything else electronic you’re using; or if a fire burns everything to the ground (including a fireproof safe, which can also be stolen); or if the company backing your stuff up online gets hacked and your data disappears. Thinking about it this way, it’s important to have both a local and a remote backup, and to have tried restoring from each at least once; a backup nobody has restored from is a hope, not a backup.
For my MacBook Pro, I keep important items in Dropbox that’s synced to the cloud, I also use Backblaze for everything else, and then I use Time Machine with a local USB hard drive that I update a couple times a week (and ideally, it should be encrypted).
For your website, it’s a similar consideration; there are local resources and remote resources. Local is the server on which your website resides, and a backup that lives only there disappears with the server. A remote resource might be Amazon S3 or an equivalent that your host cannot touch. Remember that a WordPress site is files (themes, plugins, uploads) plus a database (posts, pages, users); a backup that skips the database restores an empty shell. If you have backups going to both places, at the right frequency and with a restore you have actually tested, then if something does happen your site can be restored.
Oh, and be VERY careful of the language in the terms of service of your hosting provider. Often they don’t guarantee anything, or only keep one or two backups, and those might only be run at their discretion.
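The backup-and-restore discipline described above, as an added example (not the author’s setup and not any backup product’s code): a Python script that packs a site directory into a dated tar.gz, writes a SHA-256 checksum beside it, proves the archive extracts back to a tree identical to the source, and keeps only the newest copies. The directory layout, the file names and the retention count are assumptions; the database dump is represented by a placeholder file, since a real one comes from mysqldump or your host’s export, and copying the archive to the remote location is left to whatever sync or upload tool you already use.

```python
"""Versioned site backup with checksum, restore check and retention.

Added example, not the author's setup: pack a site directory into a tar.gz,
write a sha256 manifest next to it, verify the archive restores to an
identical tree, and keep only the newest `keep` copies. Getting the archive
to a second location (sync folder, object storage) is left to an external tool.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def prune(dest: Path, keep: int) -> None:
    """Delete all but the newest `keep` archives (timestamp in the name sorts)."""
    assert keep >= 1, "refusing to delete every backup"
    for old in sorted(dest.glob("site-*.tar.gz"))[:-keep]:
        old.unlink()
        old.with_name(old.name + ".sha256").unlink(missing_ok=True)


def make_backup(site: Path, dest: Path, stamp: str, keep: int = 7) -> Path:
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site, arcname="site")
    archive.with_name(archive.name + ".sha256").write_text(sha256_file(archive) + "\n")
    prune(dest, keep)
    return archive


def verify_restore(archive: Path, site: Path) -> str:
    """Return "ok" or the reason the backup would not restore the live site."""
    manifest = archive.with_name(archive.name + ".sha256")
    if sha256_file(archive) != manifest.read_text().split()[0]:
        return "checksum mismatch"
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive) as tar:
            # The "data" filter (Python 3.12, backported to 3.8.17+) refuses
            # absolute paths and ".." members; older interpreters lack it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(tmp, **kwargs)
        if tree_digest(Path(tmp, "site")) != tree_digest(site):
            return "restored tree differs from source"
    return "ok"


def demo() -> dict:
    """Constructed site tree: three backups, retention of two, one edit, one corruption."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        site, dest = Path(tmp, "site"), Path(tmp, "backups")
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed placeholder\n")
        (site / "wp-content" / "uploads" / "logo.txt").write_text("constructed\n")
        (site / "db.sql").write_text("-- constructed; a real dump comes from mysqldump\n")
        for stamp in ("20240112-100000", "20240112-110000", "20240112-120000"):
            latest = make_backup(site, dest, stamp, keep=2)
        results["remaining"] = sorted(p.name for p in dest.glob("site-*.tar.gz"))
        results["latest"] = verify_restore(latest, site)
        # The live site changes after the backup: the backup is now stale.
        (site / "db.sql").write_text("-- edited after the backup was taken\n")
        results["stale"] = verify_restore(latest, site)
        # One flipped byte, as if the archive were corrupted in transit.
        data = bytearray(latest.read_bytes())
        data[len(data) // 2] ^= 0xFF
        latest.write_bytes(bytes(data))
        results["tampered"] = verify_restore(latest, site)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `verify_restore` is that it actually unpacks the archive and compares it with the live tree; checking only that a file exists in the backup folder would have passed both the stale and the corrupted copies. Run `demo()` to see all four outcomes on a throw-away directory.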
I hope this information helps you ensure you’ve got adequate security for your website or at least makes you know enough to ask good questions.
Remember, your website is a 24 hour 7-day-a-week salesperson for your company. Keeping it looking good and up as much as possible is simply smart business.
Dave is Larry’s partner in FLASHPOINTS and yoogozi.com (type Braun in the search bar to see what else he’s written). He’s a certified John Maxwell speaker/trainer/coach, works with a marriage ministry at onefleshawakening.com, and does freelance website design, almost always in conjunction with Wordflirt.com. He previously worked in the corporate world for 30 years as a leader of diverse teams at a semiconductor company. Dave can be reached at dave[at]flashpointsdaily.com and occasionally tweets as @thedavebraun.