On a daily basis at Sucuri, we hear things like:
“My host takes care of my website security.”
“I have never been hacked, so why should I care?”
Or here’s a personal favorite:
“I’ll take care of it if (when) it happens.”
Let’s be honest, no one wants to think about the possibility of their site being hacked.
I have been in the website security industry for a few years now and have seen so many horror stories it’s unreal. From the newspaper editor who had a Pharma hack (Viagra ads) show up on her site, to the child-clown service with porn site redirects.
Imagine the damage these types of attacks can do to your brand reputation. Think about how long it would take for you to notice. Do you visit your site daily? Would a person you don’t know be able to contact you if your site maliciously redirected visitors?
The Security of Your Website is Your Responsibility
Hosting Companies and Website Security
The reality here is that hosts are there to display your site (and they are very good at that). However, security is often an afterthought. The hosting market is so competitive that some are even advertising hosting for $1.99. Do you really think that for $1.99 you will have a fully secured site on top of that? I don’t know about you, but I was always told—you get what you pay for.
Some fully managed hosting companies do a pretty good job at securing your site. But even then, it is not their main concern. Only a company which focuses on malware research can keep up with changing hacking trends and attack vectors.
Who Cares More about Your Website?
At the end of the day, who has invested the most in your business success and your website? You, of course. So now that we know why, how about some simple hows.
How to Protect Your Website
You can subscribe to our website security platform and worry no more. However, if you are still not ready to take that step, there are ways to protect your site for free.
Have Website Backups
First, the fall back—backups. Every site should have a backup just in case %#@* hits the fan. The important part here is you should have multiple website backups and they should be off site. Don’t save your backup on the web host.
I mention multiple backups because we have seen malware lie dormant, only to pop up a month later, so that restoring a backup brings the malware back with it. This can be devastating.
Simple website monitoring means looking at file sizes either with a free plugin or on a manual basis. Website monitoring can tell you whether something has changed. For example, if a file has doubled in size and no update has been done, this should be an indicator that something malicious has been added to the file.
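A minimal version of the manual check described above, as an added example (not from the original article or any Sucuri tool): it records each file's size and SHA-256 hash as a baseline, then reports files that are new, deleted, changed, or at least doubled in size. The hash comparison goes beyond the size check in the text, and the function names, the `growth_ratio` threshold and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's relative path to (size in bytes, SHA-256 hex digest)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            manifest[os.path.relpath(path, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def compare(baseline, current, growth_ratio=2.0):
    """Return sorted (path, finding) pairs for everything that differs from the baseline."""
    findings = [(p, "deleted") for p in baseline if p not in current]
    for path, (size, digest) in current.items():
        old_size, old_digest = baseline.get(path, (None, None))
        if old_digest is None:
            findings.append((path, "new file"))
        elif old_size and size >= old_size * growth_ratio:
            findings.append((path, f"grew {old_size} -> {size} bytes"))
        elif digest != old_digest:
            findings.append((path, "content changed"))
    return sorted(findings)


def demo():
    """Constructed sample site: take a baseline, change files with no update, then compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, text):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        write("index.php", "<?php echo 'home'; ?>\n")
        write("style.css", "body { color: #333; }\n")
        baseline = snapshot(root)
        write("index.php", "<?php echo 'home'; ?>\n" + "/* appended block */\n" * 5)
        write("style.css", "body { color: #334; }\n")  # same size, new content
        write("cache.php", "<?php /* not in the baseline */ ?>\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

Store the baseline manifest somewhere other than the web host, as with the backups, so that it cannot be altered along with the site's files.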
You should add protection to your website via a website firewall or rule sets. In short, a basic website firewall is a bunch of rules that define what can and cannot access a site.
You can manually do this. However, setting up rules can be time consuming and if you miss something, it could make the entire effort worthless.
Here are some examples of .htaccess rules you can use to mitigate threats to your website. Though this article is not very recent, it is still relevant and gives you an idea of what you can do, depending on the time and technical know-how you have.
In the end, it is usually easier and (since time is money) cheaper to hire a professional website security company to do it all for you. When you get to that point, let us know because we eat and breathe website security and would be happy to take care of you.