DOMAIN ADMIN TOOLS

Tips and tutorials for webmasters and domain administrators

Is Email Secure?

Yes and No. Email is a highly valuable tool that has evolved to be more secure, but there are still ways to exploit email for nefarious purposes. Email users should be careful with how they use email and the emails they respond to. Let’s look at email security in more detail.

A Little History

Electronic mail originated on the early experimental Arpanet, the precursor to the Internet. At that point, all the interconnected servers were within high-security facilities. Since security was provided by the physical perimeter, researchers did not consider protocol security; everything was sent in clear text – HTTP for browsing documents, FTP for sharing data files, and SMTP for electronic communications. When the Arpanet opened up to universities and then to businesses and private users, those same protocols were still transmitting data and passwords in clear text. Unfortunately, clear text communications are susceptible to man-in-the-middle attacks – corrupted computers or routers between the two computers in communication can read or alter the traffic.

The early Internet was not secure, so new technologies were developed to improve security:

  • HTTPS to secure online transactions involving credit cards
  • SFTP to secure file transfers (now replaced by HTTPS in many cases)
  • TLS to encrypt email communications between email servers

With the adoption of TLS, Transport Layer Security, email was secured from potential man-in-the-middle attacks. However, there are other ways to exploit email.

Alternate Technologies

There were other technologies that attempted to “secure” email communications. All had varying degrees of success, but none of them has really gone mainstream.

  • PGP, or Pretty Good Privacy, used a Public-Private encryption key system to encrypt and decrypt email. Email was completely secure in transit, and from administrators, but unfortunately, PGP was bulky to use. TLS solved the problem of securing communication between servers without the user needing to do anything.
  • “Secure” Email Servers are web servers where communication could be secured behind a password protected web login. It was not really email but a way to communicate in an email-like fashion. You often see these secure communications websites with Legal and Medical professions, but they suffer from bulky interfaces and the inconvenience of going somewhere other than your normal email applications to view the communication.
  • Sender Verification Services respond to an unsolicited email with an email demanding the sender verify their identity. The goal here is to reduce the potential for spam and phishing attempts by creating a hurdle for senders to jump. The inbox provider then only passes on “verified” email to the user. This technique essentially removes any automated email, including newsletters, as marketing teams are unable to monitor the verification email. The downside is that a legitimate sender may not register so you miss important email.

The Threat of Spam and Phishing

Email is the #1 preferred method for perpetrating online scams. The marginal cost of sending an email is negligible and the rewards for a successful scam can be thousands or millions of dollars. According to Cisco, approximately 84% of all email is spam, much of it phishing, and much of it escaping spam filters. By that measure, email is not “secure”.

“Securing” Email

Improving email security is not a single technology or vendor but involves changing business processes, adopting new standards and continuously adapting to the ever-evolving landscape of email scams. Some recommendations:

  • Stop hosting your own email – Inbox providers like Google Workspace, Microsoft 365, Yahoo!, etc. have dedicated teams managing and blocking spam and phishing. Most businesses would benefit by leveraging these external experts and outsourcing email inbox services.
  • Turn on 2-factor authentication – Securing email communication, both sending and receiving, means securing access to email accounts. 2-Factor Authentication helps make email more secure.
  • Invest in Spam and Phishing Awareness Training – Email scams exploit human weakness through social engineering to gain access to your email, bank accounts and secure data. Training your team to recognize these scams will improve your email security.
  • Leverage DMARC and supporting technologies – SPF, DKIM, DMARC and BIMI work hand-in-hand to 1) declare who can send email on behalf of a domain, 2) digitally sign email from that domain, 3) report compliance back to the sending domain’s owner, and 4) apply a corporate logo to compliant email. When a domain leverages these technologies, it is secured against being used in spam and phishing attempts, and recipients have peace of mind that the email is genuine.

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center. Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
  • Manage the on-going requirements of maintaining high levels of email deliverability.

On-Premise Email Security Best Practices

If your company strategy requires on-premise email management, then there are some best practices you can adopt:

  • Use Inbound Email filtering gateways – Out-of-the-box inbound filtering, whether software or hardware, will block most threats using threat detection algorithms. Basic gateways block blacklisted senders. More advanced options allow you to write your own acceptance policies.
  • Create Advanced Acceptance Policies – Your business is unique. Threats come in many forms. Maybe you want to filter all incoming image files or executables or maybe eliminate objectionable terms associated with risks. Sophisticated algorithms might help protect your business.
  • Accept only DMARC compliant email – One great idea that Google has pioneered is prioritizing DMARC compliant email. If you do the same, you dramatically reduce the potential for fraud and phishing emails making it to your users.
  • Set up Outbound Email filters – You do not want to become a source of spam, so setting up filters to control outbound email will reduce the risk of being blacklisted or of sending spam emails within your network.
  • Set up Advanced Outbound Policies – Advanced policies could include forcing the legal team to encrypt all outbound email or preventing the emailing of large files, executables, etc. Leveraging advanced policies will help make using email more secure.
  • Set up DMARC for all outbound email sources – Adopting DMARC for all your outbound email sources will help you protect your sending reputation and reduce the risk of your domain names being used in spam.
  • Invest in Spam and Phishing Awareness Training – As mentioned above, when employees are trained to recognize spam and phishing attempts, they are less likely to click on dubious links in spam and phishing attempts or click on and install malware.
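As an added illustration of the SPF, DKIM and DMARC mechanics described under “Securing” Email above, and of the “accept only DMARC compliant email” practice in this list, here is a minimal receiver-side evaluator written for this page (it is not MxToolbox, Google or any vendor’s code). It assumes constructed DNS TXT records for hypothetical domains, handles only the ip4/ip6/include/all SPF mechanisms, simplifies the organizational domain to the last two labels, and takes the DKIM signature verification result as an input rather than checking signatures itself.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed DNS TXT records for hypothetical domains (not real DNS data);
# a receiving mail server would fetch these with live DNS queries.
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "bulk-sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def spf_check(client_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the ip4/ip6/include/all mechanisms of a domain's SPF record
    against the connecting IP (real SPF also has a/mx/exists/redirect)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"                    # no record, or too many nested includes
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return SPF_RESULT[qualifier]
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return SPF_RESULT[qualifier]
        if mech == "include" and spf_check(client_ip, arg, depth + 1) == "pass":
            return SPF_RESULT[qualifier]
    return "neutral"


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real receivers consult the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_evaluate(from_domain: str, mail_from_domain: str, client_ip: str,
                   dkim_pass_domain: Optional[str] = None) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one inbound message.

    from_domain       domain of the visible From: header (RFC5322.From)
    mail_from_domain  domain of the SMTP envelope sender (RFC5321.MailFrom)
    client_ip         address of the connecting SMTP client
    dkim_pass_domain  d= of a DKIM signature that already verified, or None
                      (assumed verified upstream; needs the public key from DNS)
    """
    policy = parse_dmarc(DNS_TXT.get("_dmarc." + from_domain.lower(), ""))
    if policy.get("v") != "DMARC1" or "p" not in policy:
        return "none", "accept"          # no policy published: domain is unprotected
    spf_ok = (spf_check(client_ip, mail_from_domain) == "pass"
              and aligned(mail_from_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = (dkim_pass_domain is not None
               and aligned(dkim_pass_domain, from_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "accept"
    return "fail", policy["p"]           # none / quarantine / reject, chosen by the owner


if __name__ == "__main__":
    # Legitimate mail from the domain's own server, then a spoofed From: header
    # sent by an unrelated host whose own SPF passes but is not aligned.
    print(dmarc_evaluate("example.com", "example.com", "192.0.2.5"))
    print(dmarc_evaluate("example.com", "bulk-sender.example", "203.0.113.7"))
```

The second call shows why alignment matters: a sender can pass SPF for its own envelope domain and still fail DMARC for the domain shown in the From: header, which is exactly the spoofing case a p=reject policy stops.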

While email was not initially designed with security in mind, new technologies are improving the security posture of email. Adopting these as they arise makes your business more secure and protects your users, clients and partners.

What is the biggest threat to cybersecurity?

What is the biggest threat to cybersecurity or IT infrastructure right now? According to one of Canada’s premier cybersecurity experts, if you answered malware or ransomware or crypto, you’d be wrong.

According to Calgary-based cybersecurity leader Sonya Goulet, the most significant risk is the end user. A team of hackers can unleash the most potent cocktail of malware on a system, but if no one opens it up, the attack is rendered useless. Another threat, she says, is weak passwords. A hacker may have the intent to deploy the most destructive malware on a system, but if the password is almost impenetrable, then the attack is neutralized.

“All cyber threats evolve quickly and often, yet the end user is still disregarding simple tips to keep an enterprise safe, for example, using proper passwords,” Goulet points out. Smarter MSP caught up with her to ask her about the most significant threats today and what MSPs can do to mitigate them.

Goulet advises that MSPs and CISOs should be focusing on proper password hygiene. She says a good password should follow guidelines set by the National Institute of Standards and Technology (NIST).

“I also recommend making a password a meaningful passphrase, at least ten complex characters long. My second piece of advice is to use a Password Manager, like LastPass,” Goulet says. But having an enterprise get to a point where everyone is on board takes time and training, she adds.

She goes on to point out that staff can let the password manager create passwords for the sites they visit, so they don’t have to think or remember any of the hundreds of passwords needed in their day-to-day life.

“They feel positive knowing they only have one password to remember going forward, and that password is to access their password manager account,” Goulet offers, adding that most people are relieved by the simplicity of it.

In Goulet’s work with companies to beef up their best practices, she finds that weak passwords are a prolific problem.

“I found that while I work with staff on cybersecurity practices, they all admit to me that they keep the same simple password and use that one password across all of their online websites. They also admit to never changing their passwords,” Goulet states.

This is a big problem

A recent study by ID Agent illustrates the size of the problem:

  • At least 65 percent of people reuse passwords across multiple sites.
  • Around 13 percent of people use the same password for all accounts and devices.
  • About 80 percent of data breaches in 2019 were caused by password compromise.
  • Compromised passwords are responsible for 81 percent of hacking breaches.
  • The average person reuses each password 14 times!
  • An estimated 49 percent of employees only add a digit or change a character in their password when they’re required to update it.
  • Passwords were leaked in about 65 percent of the breaches that happened in 2019.

In today’s evolving and dynamic threat landscape, carelessness when it comes to passwords is a gaping hole in an organization’s defenses.

Passwords, however, are just one aspect of how an end user can compromise a network. Other problems can occur with improper data hygiene and becoming complacent with clicking links in emails. Such sloppy clicking can lead to the deployment of all sorts of malware. To head off some of these, Goulet recommends MSPs do the following:

Create easy steps to follow

Examples, Goulet says, include teaching staff what data is vital to protect, showing staff how to look for phishing or vishing attempts, and teaching or reviewing with staff how to scan everything in emails and verify by a phone call if needed (using the old President Reagan phrase of “Trust, but verify”).

“In order for staff to care about what they are protecting, leadership has to guide them,” Goulet advises. That means making workers feel invested in the company or enterprise so that everyone has a stake in its survival. “Show staff what the fallout could be from clicking a bad link. Businesses have had to shutter because of malware, and that should make everyone shudder.”

“I found that most staff don’t care enough about what link they click, or what password they use, or what data they share with other staff members. All of those issues are an evident need for improved policies and procedures,” Goulet concludes.

Generate strong passwords for sending to clients

There are loads of password generators out there which will generate strong passwords for you; this is nothing new, but I came across a very handy tool today called “Hardest PW” which does something else useful.

Aside from generating a strong password, it will also generate a one-time link to that password which stays active for 7 days or until the link is clicked on, and will then reveal the password to the person who clicked the link.

In case you do not know why this is useful, let me explain.

One of the biggest security dilemmas of all time when it comes to passwords is how to securely deliver them to the end user without creating a potential security risk or an easy access point for criminals.

Sending passwords out via email has always been the norm. The problem is that the recipient of that email then leaves it in their inbox and uses that email as their permanent reference for that password, instead of writing it down somewhere safe or storing it in a password manager and then deleting the email.

Thankfully, this practice has finally started to change and a lot of sites now ask the user to choose a password during the signup process and do not send it out via email, so the user is expected to write it down or remember it. But the majority of sites are still doing things the old/insecure way.

One of the primary targets for cyber criminals and hackers is a user’s email account. This is because once they get into your email, they can pretty much access everything. If you have emails in your inbox with passwords in them, you have just handed them to the criminals on a platter.

For everything else, the hacker can perform a password reset request on any website, which will send a password reset link to your email address, which the hacker now has access to. They will then click the link, and reset your password and then delete the email and all evidence of their actions. This is why it is critical to also use a password manager along with 2 factor authentication.

So by using this one-time link you can at least avoid the issue of the password sitting around in someone’s inbox for eternity waiting for someone to find it. Just generate a password and send the link to your client, advising them to store it securely in a password manager.
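The one-time link mechanism described above, as an added example in Python (written for this page, not the Hardest PW service’s own code): it generates a strong password, issues a link that reveals the secret once within seven days, and refuses the link afterwards. The base URL, the injectable clock and the in-memory store are assumptions made for the demo; a real service would persist the hashed tokens in a database.

```python
import hashlib
import secrets
import string
import time
from typing import Callable, Dict, Optional, Tuple


class OneTimeSecretStore:
    """Holds a secret behind a random link token; the secret can be fetched
    exactly once and only within the time limit."""

    TTL_SECONDS = 7 * 24 * 60 * 60          # seven days, as in the post

    def __init__(self, base_url: str, now: Callable[[], float] = time.time) -> None:
        self._base_url = base_url            # hypothetical reveal endpoint
        self._now = now                      # injectable clock (assumption, for testing)
        # token hash -> (secret, expiry time). Only the hash of the token is kept,
        # so a copy of the store's memory or database does not yield usable links.
        self._items: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def generate_password(length: int = 20) -> str:
        """Random password drawn with the secrets module (CSPRNG), re-drawn
        until it contains lower, upper, digit and punctuation characters."""
        alphabet = string.ascii_letters + string.digits + string.punctuation
        while True:
            pw = "".join(secrets.choice(alphabet) for _ in range(length))
            if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                    and any(c.isdigit() for c in pw)
                    and any(c in string.punctuation for c in pw)):
                return pw

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create_link(self, secret: str) -> str:
        """Store the secret and return the one-time URL that reveals it."""
        token = secrets.token_urlsafe(32)    # 256 bits of entropy: not guessable
        self._items[self._key(token)] = (secret, self._now() + self.TTL_SECONDS)
        return f"{self._base_url}/{token}"

    def reveal(self, url: str) -> Optional[str]:
        """Return the secret the first time the link is used; None after that
        (already viewed, expired, or never valid)."""
        token = url.rsplit("/", 1)[-1]
        entry = self._items.pop(self._key(token), None)   # pop: one-time by construction
        if entry is None:
            return None
        secret, expires_at = entry
        if self._now() > expires_at:
            return None                      # expired entries are discarded, never served
        return secret


if __name__ == "__main__":
    store = OneTimeSecretStore("https://vault.example/reveal")
    link = store.create_link(store.generate_password())
    print("send this link to the client:", link)
    print("first click reveals:", store.reveal(link))
    print("second click reveals:", store.reveal(link))   # None: link already used
```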

7 Tips to make your website secure

A hacker attack occurs every 39 seconds in the US, affecting one in three Americans every year.

Don’t leave the front door of your site wide open! You need to secure your website, which means putting protection in place to keep out hackers, bugs, and other online nasties. Otherwise, your data could be at risk, your site could crash, or you could even lose money.

Here are 7 tips to make your website secure:

  1. Install SSL – buying a simple Secure Sockets Layer certificate is a crucial first step.
  2. Use anti-malware software – to scan for and prevent malicious attacks.
  3. Make your passwords un-crackable – 123456 won’t cut it!
  4. Keep your website up to date – using out-of-date software is like leaving your back door unlocked.
  5. Don’t help the hackers – look out for phishing emails and other scams.
  6. Manually accept on-site comments – keep control over potentially dodgy comments.
  7. Run regular backups – to prepare for the worst case scenario.

Security is important for everyone…

…and our research confirms that. We spoke to 425 users, some choosing their first web host and others switching providers, about which features they value the most. 25% of all respondents named security as their number one priority.

But I’m not even making money through my website. It’s just a small blog. Why would anyone hack me? Why does it even matter if a hacker gets in anyway? 

Apart from losing money, hacking can result in huge losses in traffic, your site being suspended or crashing, and even identity theft. Your personal data, and that of your visitors, could be at risk.

But how am I supposed to fight off hackers? I’m not that technically skilled! 

This is another common worry, but luckily, you don’t need fearsome tech skills in order to secure your website. All of these steps are simple to implement, and we’ll walk you through each part of the process.

How Do Websites Get Hacked?

Before we get into the details of how to prevent your website getting hacked, we should probably talk about what a hacked website looks like.

While there’s no set way that a website will look after being hacked, there are patterns. And we should tell you now, if your site has been hacked, you’ll be in no doubt about it because something will be very wrong. Here are some common ways hacking presents itself:

  • Ransomware. The hacker will threaten to publish your data and/or withhold access to your site unless a ransom sum is paid.
  • Gibberish hack. You’ll spot loads of auto-created pages filled with keywords and gibberish, with the aim of getting them to rank on Google for key terms. When clicked on, they’ll redirect to a dodgy site.
  • Cloaked keywords hack. As above, but slightly more sophisticated – at first glance, these will look like your site’s pages, as only the written content is altered.
  • Japanese keywords hack. Creates random pages in Japanese full of affiliate links to stores selling fake merchandise.
  • Malicious code/viruses. If malicious code or a virus is inserted into your site, your site may well go down, or you could be unable to access it. You may find that all your hardware is also affected.
  • Denial of Service (DoS). Hackers use bots to overload a website with requests and crash the server it’s on.
  • Phishing. Scammers contact your clients pretending to be part of your business and using your branding in the hope of finding personal information.

“Outdated software. Website owners need to stay on top of updates to WordPress and other CMS’, plugins, and anything else that requires an update. In addition to fixing bugs or glitches, software updates typically include security improvements or patches. Hackers will always be searching for ways to capitalize on software vulnerabilities. These days, many cyber attacks are automated. Criminals use bots to scan websites that are vulnerable. So, if you’re not staying up to date on the latest software versions, it will be easy for hackers to identify your website before you can do anything about it.”

So now you know what a hacked website looks like, it’s time to look at the seven ways to prevent yours becoming one:

Install SSL

One of the easiest things you can do to protect your website, yourself, and your users, is to install an SSL (Secure Sockets Layer) certificate. You may not realize it, but you come across SSL all the time when you browse the web – it’s the reason for the “s” in “https”, and the padlock in the address bar.

Good to know…

SSL stands for Secure Sockets Layer. You install an SSL certificate on your website, and it encrypts data (such as login details) passing between your site and your visitors. There are different levels of SSL – ecommerce sites processing payment details, for example, should use a more advanced version.

SSL encrypts information passing between your website and your visitors. Google now warns visitors when they’re entering a site without SSL, and even “discriminates” against those sites in its search results.

It’s especially important to have SSL security if you’re accepting payments through your site, asking for login details, or transferring files. Without it, the data is unprotected, and vulnerable to hackers. 

Krys Lambiase emphasizes the importance of SSL for securing websites – especially online stores:

“An SSL certificate is a must-have if you run an eCommerce store or collect visitor information, like emails, on your site. In addition to boosting SEO, SSL certificates prove that any data your visitors send to your site is using an encrypted channel, so hackers can’t see it while it’s in transit.”

Figure: The hosting provider HostGator includes free SSL security on all its plans, and highlights the importance of SSL.

It’s not important for you to know the technical ins and outs of SSL security, so don’t worry if you don’t really get how it works. The most important thing is to know that your site needs SSL, and how to go about getting it.

There are multiple ways to install SSL. The three main ways we suggest are:

  1. Choose a good quality website builder that includes SSL for free
  2. Choose a hosting provider (such as GURU) that provides a free SSL with all plans (if you’re building your site with a content management system, such as WordPress.org)
  3. Install a basic Let’s Encrypt SSL for free yourself

If you want a much higher level of security, you’ll need to pay for an advanced SSL certificate. These vary in price, and you can buy them from hosting providers, or registrars such as GURU. Unless you’re running a large online store, or handling large amounts of sensitive data, the free version of SSL will probably be sufficient.

Did you know?

Hacking is the number one method of data breaches online, accounting for 61.9% of lost information. More than 8 billion records have been lost because of hacking.


Use Anti-Malware Software

“Anti-malware software” might sound like a lot of jargon, but the good news is that anti-malware software actually does the hard work for you – so you don’t need to worry about any of the technical stuff.

There are plenty of different anti-malware options out there. Some have free plans – like Bitdefender – while others you have to pay for, such as SiteLock or Sucuri.

SiteLock is used by over 12 million websites, and offers different packages that provide varying levels of protection. This means you can tailor your security to your site’s needs, as well as your budget. Some of the security services it provides include:

  • Web scanning
  • Malware detection and removal 
  • Web application firewall
  • Vulnerability patching
  • DDoS protection 
  • PCI compliance

If you don’t know what all this means, that’s okay – that’s what anti-malware software is there for!

Figure: SiteLock is the global leader in website security, and is a popular anti-malware software that often comes included in hosting plans.

A good quality website builder or hosting provider should look after your site’s security for you. Hosting providers often include anti-malware software as part of their plans – some even throw in paid services like SiteLock for free!

Other providers include a built-in set of tools – GURU, for example, includes a security suite on even its cheapest plan. This is made up of:

  • Free SSL
  • Hack protection
  • Automatic backups
  • DDoS protection 

These are the security basics for your site, and the features you should look for whenever you’re looking at picking a hosting provider. Whether your provider comes with tools built-in, or offers extra freebies such as SiteLock, anti-malware software gives you a welcome extra layer of protection.

Good website security starts with a good web host, as Krys Lambiase points out:

“Web hosts are the backbone of your website.  They help you get online and often provide additional tools for your website giving you the power to build a website with the look and feel you need. Quality website hosting providers have protocols in place to protect WordPress, and other content management systems, they host such as automatic security patches and updates. It’s the hosting provider’s job to maintain their servers and to implement essential security monitoring.”

Did you know? 

A DDoS attack could cost a small business up to $120,000 – and if you’re in finance or retail then you’re especially at risk. Nobody is safe, though, with DDoS attacks expected to reach a whopping 14.5 million globally by 2022!

Make Your Passwords Uncrackable

Passwords. They’re so familiar that we can sometimes forget just how important they are. It’s easy to overlook the fact that often, your password is all that’s standing between a hacker and your personal information.

Not only are passwords a vitally important step, but they’re also one of the easiest things you can change to increase the security of your website. Spend just 20 minutes today making your passwords stronger, and you’ll be on your way to a more secure site.

Did you know?

40% of surveyed small business respondents said that their company suffered an attack due to employees’ passwords being compromised. The average cost of each attack was just over $380 thousand!

A survey carried out by the UK’s National Cyber Security Centre analyzed the most common passwords used by accounts that had been breached across the world. They then put together a list of the top 10 most hacked passwords – if you’re using any of the following, it’s time to change it (like, right now)!

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345

Instead of using easy to guess phrases, here are some things you should do instead:

  • Combine three random, unrelated, but memorable phrases
  • Use a randomly generated sequence of characters
  • Don’t reuse passwords – use a password manager to keep track of them all
  • Make your password long
  • Never use personal information in your password – it’s the first thing hackers will try!

There’s a seemingly endless list of password tips out there, and you should combine a few of these tactics to create uncrackable passwords. Once you’ve got your shiny new bulletproof passwords, be careful with them – do not share them around, even with friends, and do change them regularly (about once every quarter).

Keep Your Website Up to Date

We’re not talking about posting the latest gossip, or keeping your visitors in the loop with your newest product. This is about the importance of keeping your website’s software up to date.

If you use a website builder, you don’t need to worry about this so much, because most builders will handle software updates and security issues for you. However, if you’re using a platform such as WordPress, you need to be totally on top of things and running updates when necessary.

You need to run updates for your WordPress core software, as well as any plugins you’ve installed. If you don’t, then it can all become outdated and vulnerable to bugs, glitches, and – worst of all – hackers wielding malicious code.

Did you know?

Cybercrime will cost the world in excess of $6 trillion annually by 2021 – that’s a 100% increase from 2015!

The good news is, you should be able to set these updates to happen automatically in your dashboard – but it’s still worth keeping an eye on and making sure everything is running smoothly. Letting your site become outdated can be a fatal blow in terms of security, so it doesn’t hurt to be vigilant about staying on top of updates.

Good to Know…

When you’re choosing plugins for your WordPress website, be careful about the quality. Plugins can be built by anyone, and poor quality ones can contain bugs or malicious code. Read reviews, look for trusted developers, and check out the plugin thoroughly before clicking Install.

Find out more

  • If you’re using WordPress, it’s essential to keep your site up to date and secure. Discover the Best WordPress Hosting Providers to give your site the best start in life.
  • Read my detailed hosting Reviews to find out why WordPress itself recommends it for your WordPress website – and why we do, too!

Don’t Help the Hackers

We know, this sounds like a total “duh” moment. Well, obviously I’m not going to hand over my details and let my site get hacked – that’s the whole reason I’m reading this article! The trouble is, people are still – through no fault of their own – falling prey to scammers and unknowingly giving away important information about themselves.

Did you know that 92.4% of malware is delivered via email? That makes it the number one method of attack, and means you should always be on the lookout for anything unusual in your inbox.

There’s always more tech you can put in place to protect your website, but you mustn’t forget that 95% of cybersecurity breaches are due to human error. Protect your website by being on your guard, and being suspicious of texts, emails, or phone calls asking for personal information.

It sounds simple enough, but scams are growing ever-more sophisticated. Here are five things you can do to make sure your website doesn’t open the door to unwelcome visitors: 

  1. Beware of public or open internet connections if you’re working in a shared space like a cafe – they won’t be secure!
  2. Never click on links in emails that seem suspect – delete the email straight away! This is still important if you’re using a professional email connected to your website, rather than a personal one.
  3. Be careful who you grant access to your website – check admins are people you can trust, and make sure they’re security-conscious.
  4. Change the default settings, passwords, and usernames of your site as soon as you’ve set up your account – this is especially important for WordPress sites.
  5. Only trust verified professionals to access your site. For example, scammers sometimes want to take control of your screen under the pretense of fixing a technical issue.

You get the idea. We know this seems like common sense, but phishing emails are becoming increasingly realistic – so stay on high alert!

Manually Accept On-Site Comments

Is there a better feeling than hitting publish on your site and then seeing comments start to roll in? It’s proof that people have actually visited your site – and enjoyed it.

Comments are the perfect way to measure engagement, provide social proof to other visitors, connect with other people in your niche, and even take on constructive feedback. We love receiving comments, and you should too!

However, there are always those comments that aren’t quite so fun. Bots, fake accounts, and trolls are ready and waiting with a silly comment or spammy link. At best, it’s annoying – at worst, it can pose a security risk to you and your users. 

If people can post comments directly to your website, there’s a chance that malicious links might sneak into the comments section. This is particularly dangerous for your website’s visitors, who might click on the link and risk exposing personal data or accidentally installing malware.

Did you know?

One in ten URLs are malicious – and this number’s on the up.

To combat this, you can change your site’s settings so that you need to manually approve comments before they appear on your site, giving you the chance to delete any spam. Other ways to reduce these malicious links include:

  • Use an anti-spam software or plugin (such as Akismet for WordPress users)
  • Ask visitors to register before they can start commenting
  • Turn off comments on posts after a month or two

These tactics should keep your comments section a safe, fun, and happy place for both you and your visitors, and keep hackers and their malicious links on the outside.

Run Regular Backups

Following each of the steps we’ve outlined so far will help you to stop hackers in their tracks. But don’t take your site’s security for granted – just like having a safety net beneath you is a good idea when walking a tightrope, running regular backups of your site just makes sense.

Creating backups of your website ensures that if the worst were to happen, you’d still have a recent version of your site stored safe and sound, and ready to be relaunched.

A backup is essentially a copy of your website data – such as files, content, media, and databases. If you have a large or complicated website, you’ll need a larger amount of backup storage to save all of your data.

Krys Lambiase explains why backups are a good idea:

“If your business website site is hacked, you need a way to get up and running again fast so you don’t miss out on customers. Get an automatic site backup service like CodeGuard, and you can quickly restore the most recent uncorrupted version of your site if something goes wrong. Make sure that whichever service you choose runs daily backups, so you don’t have to go back to an out-of-date site version in case of a crash.”

So, how can you go about backing up your site to keep things running smoothly? Well, there are multiple ways to backup your website, including:

  • Use a backup service such as CodeGuard or Sucuri, which does the work for you at a price.
  • Use a web host that includes backups in its plans, like GURU, Kinsta, Hostek or Flywheel. Some hosts have backup software built-in, or available as add-ons. However, these can have limited storage, so we usually recommend not relying on them for all your backup needs.
  • Use a WordPress plugin such as UpdraftPlus or VaultPress. WordPress users can simply install their chosen plugin and manage their own backup preferences.

Using a backup service is usually the safest and most reliable way to go. Still, whichever backup method you choose, there are some important things that you should always look for: 

  1. Off-site backups – this keeps your data far away from hackers in a secure, off-site location rather than in a normal server. This also protects your backups from hardware failure.
  2. Automated backups – remember when we said that 95% of security breaches were through human error? Forget to create backups and you’ll pay the price – by automating this process you can simply sit back and relax.
  3. Redundant backups – this means your website’s data is stored in not just one, but multiple server locations. Think of it like having backups of your backups!
  4. Regular backups – it’s no good if you’re only running backups once per year. If a hack attack strikes, you’ll be left with an outdated version of your site. You should aim for weekly backups at the very least. 

The more frequently you update your website, the more frequent your backups should be. We recommend erring on the side of caution, though – if you come under attack, you’ll never be sorry that you backed up your site too much!
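As an added example (not code from the article or from any of the services it names), here is a small shell script that puts the checklist above into practice: it archives the site, records a checksum so a restore can be verified, and rotates old copies. The paths, the cron line and the keep count are assumptions; the off-site copy step is described in a comment rather than performed.

```shell
#!/bin/sh
# Added example (not from the original article): a small automated site backup.
# It archives the web root, writes a SHA-256 checksum so the copy can be verified
# before a restore, and keeps only the newest N archives. Paths are placeholders.
# "Regular" and "automated": run it from cron, e.g. daily at 03:00:
#   0 3 * * * /usr/local/bin/site-backup.sh
# "Off-site" and "redundant": after each run, sync the backup directory to a
# second location (another host or object storage); that step is not shown here.
# A database dump (e.g. from mysqldump) would be written into the site directory
# before archiving so the archive holds files and database together.
set -eu

# backup_site <site_dir> <backup_dir> <keep_count>
# Creates <backup_dir>/site-<UTC timestamp>.tar.gz plus a .sha256 file, deletes
# archives older than the newest <keep_count>, and prints the new archive path.
backup_site() {
  site_dir=$1; backup_dir=$2; keep=$3
  mkdir -p "$backup_dir"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$backup_dir/site-$stamp.tar.gz"
  # -C makes the archive hold relative paths, so it restores into any directory
  tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
  # The checksum file lets you spot a corrupted or tampered archive before using it
  (cd "$backup_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
  # Rotation: the timestamp sorts lexically, so list newest first and drop the rest
  ls -1 "$backup_dir"/site-*.tar.gz | sort -r | tail -n +"$((keep + 1))" |
    while read -r old; do rm -f "$old" "$old.sha256"; done
  printf '%s\n' "$archive"
}

# verify_backup <archive>: exit 0 if the archive still matches its checksum, else 1
verify_backup() {
  (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1)
}
```

Run `verify_backup` on the copy you are about to restore, not just on the freshly made one: a backup that fails its checksum is no safety net at all.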

Why Cybersecurity Is Important – 3 Case Studies

#1. Zynga: 172.9 million records hacked

On September 12th 2019, Zynga – the mobile game producer responsible for “Farmville” – was hacked.

The hacker accessed login details for players of the popular games “Words With Friends” and “Draw Something”, including:

  • Usernames
  • Passwords
  • Log-in and Facebook IDs
  • Phone numbers
  • Zynga account IDs

This hack was originally thought to have affected 218 million people, because of claims by the actual attackers. But the final figure was estimated around 173 million by the breach monitoring site Have I Been Pwned.

In response to the attack, Zynga advised its users not to use the same password for multiple accounts – this reinforces the importance of having unique, secure, and separate passwords for different online accounts.


#2. 7-Eleven, Japan: $500,000 of customers’ money lost

If you think that waiting one day more to sort out your security won’t make a difference, think again. 

7-Eleven Japan introduced a new payment app for its customers, but left a major flaw in the form of an easy password reset that could be requested by just about anyone.

The app was launched on Monday, July 1 2019, and was shut down two days later on July 3 due to customer complaints – it only took hackers this long to break into around 900 accounts and steal ¥55 million ($510,000).

Hacker attacks are frequent, and if they find a weakness you can bet they won’t hang around to exploit it. Don’t wait to sort out your security – your users’ data is at as much risk as yours if your site comes under attack!


#3. Marriott: 500 million guests’ data exposed

Hotel company Marriott International was compromised by a hack that started as far back as 2014 – and went unnoticed until 2018. It was still hitting headlines last year, as Marriott continued to deal with the fallout.

It was initially thought that around 500 million customers were affected by the hack, which leaked:

  • Names
  • Addresses
  • Phone numbers
  • Email addresses
  • Passport numbers
  • Date of birth
  • Genders
  • Encrypted payment details

Since then it’s been suggested that the number of people affected was actually much lower – around 383 million. Still, with 5.25 million unencrypted passport numbers exposed, that’s a pretty huge cybersecurity fail.

Despite this, one of the main things that Marriott has been criticized for is its response to the attack – mostly due to a lack of communication, as well as further security concerns over its email domain.

If you’re running a business website, or even a personal blog, and it gets hacked, make sure you communicate clearly with your audience. Be quick to fill them in on what’s happened, give them the facts, and also empathize with them about how they might be feeling.

Learn from where businesses like Marriott got it wrong!

How to Secure a Website: Summary

Good website security starts with you – choosing a reliable website builder or hosting provider, making sensible choices about how you run your site, and putting in the extra effort to make passwords secure.

And we’re here to help you along the way!

Hopefully you’ve learned how to secure a website, and have found it’s not as hard as you first thought. You don’t need tech skills or a huge budget to make your website secure – as our list has shown!

We’ve outlined the seven steps you can take to start securing your website. This is by no means an exhaustive list, however – there are plenty more tips, tricks, and tools you can use to better protect your website.

If you’re a WordPress user, for example, you can find plenty of security tips in WordPress’ support pages. Sucuri is another great resource, with a huge wealth of guides, infographics, and courses to help you confidently secure your website.

For now though, start out by following our simple steps…

How to Secure a Website: 7 Simple Steps

  1. Install SSL. An SSL certificate is essential for any site. It encrypts information passing between your website and your visitors.
  2. Use anti-malware software. Use software like SiteLock to scan and protect your site from malicious code.
  3. Make your passwords uncrackable. Use a random combination of letters, numbers and symbols when possible.
  4. Keep your website up to date. Install any software or plugin updates as soon as they become available.
  5. Don’t help the hackers. Watch out for phishing emails.
  6. Manually accept comments. This allows you to trash any that are spam before they go live.
  7. Run regular backups. If your site does get hacked, this way you’ll have a recent version to reinstall.