Whether you’re running a huge ecommerce site or a small personal blog, your website means a lot to you.
After all you’ve spent time, effort and money getting it set up, and of course your site means a great deal to you – either because it earns you your living and/or because it (and its contents) has sentimental value.
For that reason it makes sense to protect your website as much as possible. But the world of website security can feel confusing and intimidating.
In this guide, we’ll walk you through the threats you face and everything you need to know to keep your site safe. (And we’ll try to avoid overly technical language wherever possible.)
What is website security?
Website security is any action taken to defend your site against hackers and other cybercriminals.
This can include installing security apps to protect your site, using strong passwords and educating yourself about potential hazards such as phishing emails.
Website security can also refer to steps taken to protect your website and business from harm that isn’t deliberately malicious, such as accidentally deleting important files.
What can website security protect my website from?
Comprehensive website security should protect your website from the following threats:
Malware – Malware (which is short for malicious software) can take many forms and can be incredibly hard to detect. Recent high-profile malware attacks include the “cryptojacking” outbreak which affected the NHS in 2017, in which data was encrypted and held to ransom. Other forms of malware can sit on a site unnoticed and steal your visitor’s data, or even infect their device with malware.
DDoS attacks – DDoS (or distributed denial of service) attacks might sound complicated, but the idea is simple. In such an attack, cybercriminals overwhelm a website by flooding it with automated traffic which in turn stops real visitors from access the website. Sometimes the criminals demand payment in exchange for ending the attack.
Vandalism – If a hacker can access you site, they can make changes to it. Sometimes that might include injecting malware, on other occasion it might mean displaying a message of some kind. Either way, it will stop you site functioning as intended.
Accidental data loss – Sometimes your website or business can be hit by actions that aren’t malicious but are still deeply damaging. Accidental data loss can take down a website in the same way as a cyberattack, so good website security will help against both eventualities.
What are the potential consequences of a cyberattack?
Financial loss – If you’re website is a source of income and it’s taken down by hackers, you’ll lose money every day until your site is up and running again. Additionally, in a worst-case data loss scenario you may face fines (see below.)
Data loss – A hacking attack has the potential to wipe out your site. If you’re running a personal blog, that could mean losing precious memories. If you’re running a business website, it could mean you’re offline while you rebuild your site.
Data theft – If your website is compromised by malware, then there’s a chance that the cybercriminals responsible are stealing customer data (such as passwords, and even payment data) that is stored or entered on your website. The hackers might even set up phishing pages on your site which look legitimate, but are designed to steal data. You could also be targeted by phishing emails, which are designed to steal sensitive information or install malware. Not only will your reputation suffer if data theft takes place, but you could also get a fine for breaching GDPR. You can learn more about GDPR in this guide.
Malicious redirects and links – Hackers can also redirect visitors away from the site they wanted to visit (in this case yours) and to a malicious site where they run the risk of being hacked themselves. Additionally, hackers can add links to your site with the aim of boosting that site’s search engine rankings, often these links point at malicious or untrustworthy sites.
Search engine blacklisting – Google aims to keep people safe and for that reason it blacklists unsafe websites. In practice, this means that if your website is hacked it could be removed from search results and potential visitors will see a warning that your site may be unsafe.
Why should I implement website security measures?
If the above points haven’t persuaded you that good website security is a must, then here are a few more points to remember.
A cyberattack will hurt your reputation – Research by KPMG shows that 58% of consumers and 86% of procurement managers would avoid using a firm that had experienced a cybersecurity breach.
It will cost you money – Small businesses hit by a cyberattack spend an average of £25,700 in direct costs to clean up after the attack, according to research by Hiscox. That doesn’t include potential additional costs such as reduced sales in future because of reputational damage, or fines from regulators.
Cybercriminals target small businesses – You may think that big businesses are the main target for cybercriminals, but in reality smaller businesses are seen as an easy target because they’re less likely to have solid website security. Research by the Federation of Small Businesses shows that 66% of its members were targeted by online criminals over a two year period.
Hacking attacks can be very hard to spot – You may think that it will be easy to tell if your site has been hacked, by cybercriminals go to great lengths to cover their tracks and you may only discover a problem after significant damage has been done. Good website security will proactively monitor your site, meaning attacks can be stopped right away.
What do I need to do to make sure my website is secure?
Install an SSL certificate
When someone enters data on your website (including things like email addresses and credit card details), that data can be accessed by a third-party (a hacker for example) unless steps are taken to protect it. Installing a SSL certificate on your website ensures that any data entered is encrypted, meaning that even if it is intercepted by a hacker they won’t be able to view it.
You can learn more about SSL certificates and why they matter in this guide.
Use malware monitoring
Because malware is so sneaky, it’s advisable to use a malware monitoring tool for your website. A good malware monitoring tool should be able to detect malware on your site and remove it. GoDaddy Website security offers malware monitoring and removal as standard.
Use a web application firewall
Malware monitoring is good enough for basic sites such as simple blogs, but for business sites you should consider using a web application firewall (WAF) as well. A WAF will actually prevent malware being installed on your site in the first place, making it even more secure. GoDaddy Website Security offers a WAF in the deluxe and ultimate packages.
Use DDoS protection
DDoS protection isn’t really required for a personal blog, but if your site generates income then it’s a potential target for a DDoS attack. GoDaddy’s WAF protects against this kind of cybersecurity threat, ensuring that your site stays up and open for business.
Update all software as soon as you can
Cybercriminals target out of date software, because it usually has security flaws they can exploit. So update everything as soon as possible, including your operating system, anti-virus software, WordPress plugins if you have a WordPress site and any other software you use.
Understand how to detect phishing emails
Learning to spot phishing emails will help make sure you never put data at risk by clicking on something you shouldn’t. You can learn how to spot phishing emails in this guide.
Make regular backups
If your site is attacked, a backup can help make sure you get up and running again quickly and easily. GoDaddy offers a backup service as part of its deluxe website security package, and a standalone Website Backup product.
You should also ensure you backup any business critical data that is kept elsewhere, such as on your laptop.
Use strong passwords
All the website security in the world won’t do you any good if your password can be easily guessed. Make sure you use strong, unique passwords for every online account you have, including anything related to your website. You can learn how to create strong passwords in this guide. You should also consider using a password vault such as LastPass.
Password protect and encrypt all sensitive data stored offline
So far we’ve mainly focused on keeping your website safe, but the chances are you also have important and sensitive business data stored offline, on a laptop or memory sticks. You should always password protect and encrypt this information (especially if it contains personal information such as card details or names and addresses) that way, if the information does fall into the wrong hands it will be inaccessible. The alternative is having to admit to your customers that someone could have their sensitive personal information because you left your laptop on a train, followed by an investigation by the Information Commissioner’s Office.
Make a disaster recovery plan
No matter what steps you take, you can never be 100% protected against cybersecurity threats. For that reason it’s important to draw up a disaster recovery plan. The plan should detail the threats your business faces, the steps you’ve taken to mitigate these threats and what you’ll do to get your business back on track after a problem strikes. You can read more about creating a disaster recovery plan in this guide