FAQ on website security
During the pandemic, when businesses, schools and almost everything else moved online, cyber crime rose significantly. You may think your website is too small to be a target, but that is rarely true: most attacks are automated scans that do not care how big you are. Small business websites are the lowest-hanging fruit for attackers because so many owners neglect security and routine upkeep. With an easy target, attackers are free to cause havoc and damage your online reputation.
What could a security breach mean to you?
For most businesses, the best-case outcome of a security breach is paying to have the site cleaned up or restored from a backup. That usually means a small cost and a short outage for customers.
The worst case is your website going down or, worse, being taken over by a criminal group that is also stealing customer data. That can mean the total loss of the site, and lawsuits if the breach harms your customers. Many owners never notice that their site has been compromised, which leaves the company open to further breaches, lawsuits and fines.
It is the business owner's responsibility to guard against attackers and keep the website secure.
What are the chances my site will be hacked?
Your chances are not good if your security is poor. A widely cited survey of WordPress sites drawn from Alexa's top-site rankings found more than 70% running versions with known vulnerabilities (Alexa is a web-traffic ranking service, not a hosting company). The exact figure changes from year to year; the pattern behind it does not: unpatched software is what gets exploited.
Many owners leave their software unpatched and unmanaged. Running an old version of WordPress, or leaving abandoned plugins installed, means known security holes that attackers can exploit. Even when the WordPress core files are up to date, themes and plugins can go stale, and plugins and themes are where most WordPress vulnerabilities are found. A deactivated plugin is still code on your server, so remove plugins and themes you no longer use rather than just switching them off.
Hardening is the best defence. A low-security website is like a door that is closed but unlocked; lock it so attackers have to work harder and move on to easier targets.
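A quick way to find the stale software the previous paragraphs describe is to run the site's own inventory through a small audit. The script below is an added example, not code from this page or from WordPress; it assumes the JSON that WP-CLI prints for `wp plugin list --format=json` (fields `name`, `status`, `update`, `version`) and the version string from `wp core version`, and the sample plugin list embedded in it is constructed for illustration.

```python
"""Flag out-of-date WordPress core and stale or abandoned plugins.

Intended input (assumed format, from WP-CLI on the site's server):
    wp core version                  -> e.g. "6.3.1"
    wp plugin list --format=json     -> list of {name, status, update, version}
The latest core version is something you look up on wordpress.org; it is
passed in here rather than fetched so the script runs offline.
"""
import json


def _version_tuple(v):
    """Turn '6.4' / '6.4.2' into a comparable 3-part tuple ('6.4' == '6.4.0')."""
    parts = [int(x) for x in v.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def audit(core_version, latest_core, plugins):
    """Return a list of (severity, message) findings.

    - core behind the latest release                -> high
    - active plugin with an update available        -> high
    - inactive plugin with an update available      -> medium (still installed,
      still reachable by attackers, and usually forgotten)
    - inactive plugin with no update                -> medium (remove if unused)
    """
    findings = []
    if _version_tuple(core_version) < _version_tuple(latest_core):
        findings.append(("high", f"WordPress core {core_version} is behind {latest_core}"))
    for p in plugins:
        inactive = p["status"] == "inactive"
        if p.get("update") == "available":
            note = " (inactive, still installed)" if inactive else ""
            findings.append(("medium" if inactive else "high",
                             f"plugin {p['name']} {p['version']} has an update available{note}"))
        elif inactive:
            findings.append(("medium", f"plugin {p['name']} is inactive; remove it if unused"))
    return findings


# Constructed sample standing in for `wp plugin list --format=json` output.
SAMPLE_PLUGINS = json.loads("""[
 {"name": "contact-form",   "status": "active",   "update": "available", "version": "5.1.0"},
 {"name": "caching-plugin", "status": "active",   "update": "none",      "version": "3.2"},
 {"name": "old-slider",     "status": "inactive", "update": "available", "version": "1.2"},
 {"name": "hello",          "status": "inactive", "update": "none",      "version": "1.7.2"}
]""")

if __name__ == "__main__":
    for severity, message in audit("6.3.1", "6.4.2", SAMPLE_PLUGINS):
        print(f"[{severity}] {message}")
```

On a real site, save the WP-CLI output to a file and load it with `json.load` in place of `SAMPLE_PLUGINS`; anything reported as `high` should be patched the same day, and anything inactive should be deleted rather than left for later.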
How to Tell If Your Website has been Hacked
One of the easiest checks is to register the site with Google Search Console. Search Console scans the pages Google indexes for signs of compromise and lists them under "Security Issues". In the week or so after you register the site, Google will have recorded which pages appear to have problems.
Search Console is especially helpful when injected content is hidden by "cloaking": the site serves its normal pages to visitors, but serves spam or malware content only when the request looks like it comes from Googlebot, so the owner never sees anything wrong in a browser. Because Search Console reports what Googlebot actually received, it can flag the hidden content, and the URL Inspection tool lets you view a page exactly as Google crawled it. For details, see Google's Search Console documentation.
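You can also test for the simplest form of cloaking yourself by fetching a page twice, once with a normal browser User-Agent and once with Googlebot's, and diffing the links and script sources, which is where injected SEO spam and malware loaders usually show up. The script below is an added example, not code from this page or from Google; the User-Agent strings are assumed (Googlebot's is the one Google publishes), and the two HTML pages embedded in it are constructed to stand in for the two fetches.

```python
"""Compare what a browser is served with what Googlebot is served.

Cloaking keyed on the User-Agent header serves extra links or scripts only
to the crawler.  extract_refs() pulls out anchors, scripts, iframes and
meta-refresh redirects; compare_views() reports what the Googlebot view has
that the browser view does not.  fetch() does the real requests.
"""
import urllib.request
from html.parser import HTMLParser

# Assumed User-Agent strings: Googlebot's published desktop string and a
# typical desktop Chrome string.
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")


class _RefCollector(HTMLParser):
    """Collect (kind, target) pairs for the tags attackers typically inject."""

    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.refs.add(("link", a["href"]))
        elif tag in ("script", "iframe") and a.get("src"):
            self.refs.add((tag, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.refs.add(("meta-refresh", a.get("content") or ""))


def extract_refs(html):
    p = _RefCollector()
    p.feed(html)
    return p.refs


def compare_views(browser_html, googlebot_html):
    """References served only to Googlebot, sorted; empty means no difference."""
    return sorted(extract_refs(googlebot_html) - extract_refs(browser_html))


def fetch(url, user_agent, timeout=15):
    """Fetch url with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def check_cloaking(url):
    """Live check: fetch the page as a browser and as Googlebot, then diff."""
    return compare_views(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed sample pages standing in for the two fetches of one URL.
BROWSER_VIEW = """<html><body>
<a href="/about">About</a>
<script src="/wp-includes/js/jquery.js"></script>
</body></html>"""

GOOGLEBOT_VIEW = """<html><body>
<a href="/about">About</a>
<a href="http://pharma-spam.example/cheap-pills">buy now</a>
<script src="/wp-includes/js/jquery.js"></script>
<script src="http://malware-cdn.example/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, target in compare_views(BROWSER_VIEW, GOOGLEBOT_VIEW):
        print(f"only served to Googlebot: {kind} -> {target}")
```

A clean result from `check_cloaking` does not prove the site is clean: some infections key on Googlebot's IP ranges rather than its User-Agent, and others redirect only visitors arriving with a Google search referrer (the "unwanted redirects" symptom below), so treat this as a first check and rely on Search Console's report, which reflects what the real crawler received.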
Other indications that your site has been hacked include:
- Slow website speed;
- Emails from the website landing in spam when they previously didn't;
- Browsers warning users about a problem when your pages load;
- Users reporting unwanted ads or redirects.
Any of these indicators should trigger an immediate review.
How to Keep Your Website Healthy
Besides patching your website regularly and being careful about who can log in and how, you should also make sure the site meets any standards that apply to it. If you take credit cards, the site must follow the PCI standard; if it handles patient medical information, it must meet HIPAA requirements.
PCI Compliance for credit card processing
PCI DSS (the Payment Card Industry Data Security Standard) is the set of requirements maintained by the PCI Security Standards Council, founded by the card brands (Visa, MasterCard and others), to protect cardholder data. If you handle credit card information you must meet this standard, and doing so also greatly improves the site's overall security.
In WordPress, most stores use a shopping cart plugin such as WooCommerce to handle online sales. The good news is that when the cart hands payment off to a hosted processor such as PayPal, card numbers are entered on the processor's PCI-validated pages and never touch your server, which keeps most of the PCI requirements out of your scope. Your remaining responsibility is to keep the cart software patched, serve the whole site over HTTPS with a valid certificate, and make sure nothing on your site (a compromised plugin, an injected script) can interfere with the checkout.
The bad news is that WooCommerce, like all software, has security bugs. In July 2021, for instance, it disclosed a critical vulnerability and asked all users to upgrade immediately. Bugs are normal in any software, so prompt patching is still the best way to protect your company from liability claims arising from your website.
We highly recommend a periodic review of eCommerce software like this. If your acquiring bank or payment processor finds you out of compliance, it can fine you or stop you from accepting cards, which effectively shuts the store down. Small companies with few IT resources are an easy target.
To be fully PCI compliant there are additional requirements beyond patching software, such as completing the self-assessment questionnaire and, depending on how your checkout is built, passing quarterly vulnerability scans. For the full list, see the PCI Security Standards Council website.
Another compliance area is medical information. HIPAA, the Health Insurance Portability and Accountability Act of 1996, requires that any health information a patient enters through your website is protected. Failing to comply means large fines for your company and, as a business associate handling that data, potentially for your web development firm as well. HIPAA is serious.
WordPress can be HIPAA compliant, but it takes work. The site and its hosting environment must be monitored and patched as soon as patches are released. There are also requirements for documentation, backups and server security that must be maintained.
Once a site is deemed HIPAA compliant, the best protection is constant monitoring, malware scanning and periodic review.
Is WordPress more prone to hackers?
Yes and no. WordPress is not inherently more prone to being hacked than other software; but because it is the most popular open-source website platform, attackers target it more than other sites, and most of the vulnerabilities they exploit are in third-party plugins and themes rather than in WordPress core.
On the positive side, WordPress has a committed army of people defending it. They look for weaknesses and provide insights, patches and plugin updates. That is the benefit of open source software: more hands make for more secure solutions.
Wordfence, our partner for website security, is a good example. It provides an inexpensive web application firewall that blocks malicious traffic, along with a malware scanner and alerts that tell us when patches are available and when someone is attempting to attack a client website.
Server Security
Finally, make sure your hosting server's software and hardware are up to date. An open secret in the hosting world is that existing customers are often not migrated to newer servers: when new servers come online, hosts keep the old ones running and leave established customers on older hardware and software, including older PHP and database versions. An occasional look at your host's advertisements will tell you when newer equipment has been installed, and the WordPress Site Health screen (Tools > Site Health > Info) shows which PHP and database versions your site is actually running on.
To get the benefit of the newer servers, including their security updates, you may need to ask to be migrated. Many hosts provide free migration within their own company.
Think Your Website Has Been Hacked?
Contact us anytime! Visual String is experienced in keeping WordPress websites secure and recovering websites that have been hacked. We’re here for you.