Nothing pairs quite as well as cybersecurity and Halloween. Prepare for more than trick-or-treaters this spooky season with these 5 wicked Website Security tips.
1 – Make a horcrux ( aka backup your data) –
In Harry Potter, a horcrux lets wizards store a fragment of their soul in different objects as a safeguard against death. Similarly, a backup can restore your site to life after it’s compromised by a cyber attack.
Attackers are always looking to exploit vulnerabilities. The easiest way continues to be through an unsuspecting users’ email inbox. In a Q2 cybersecurity threatscape report it was found that attacks on organizations have gone up 15%. Not only that, but the 2020 Ecological Threat Register from the Institute for Economics & Peace shows that the world has seen a tenfold increase in its number of natural disasters since the1960s.
2 – Keep your software and plugins versions on the bleeding edge
It’s frightening how many components in a website (from the front end to the back) require updating, add in all of the endpoints and it’s a wonder that anyone is ever current. The Cyber and Infrastructure Security Agency (CISA) found that 85% of cyber attacks would be prevented if people just patched their software.
The further away from the latest version of a software you get, the more difficult it is to get adequate support for the program. The priority of developers is often on fixing bugs for the latest versions of software. This leads to slower response times for fixes of older versions, and no support for EOL (end of life) versions.
Opt-in to automatic update options for your website platform like WordPress, your CMS (Content Management System), and your JavaScript library. In our 2019 Website Threat Research Report we found In 2019, over 56% of all CMS applications were out of date at the point of infection.
Staying updated includes addressing both your endpoint security and website security.
- Endpoint security is made up of technologies like antivirus, host-based IPS and firewalls, that protect the endpoints – desktops, mobile devices, and laptops- from malware.
- Website security is made of technologies that protect websites from cyber attack.
However, these securities can intersect. A compromised endpoint could ultimately lead to a website infection. These open-source patch management softwares can do the heavy lifting for your endpoint security. They all include trial periods or free versions, but it’s usually worth it to pay for the extra features like scheduling and email notifications etc.:
PDQ Deploy – Windows only, can script in your own language, PowerShell (.ps1), Visual Basic (.vbs), a registry file (.reg), or a batch file (.bat).
Itarian – works across Windows Linux and Macs, first 50 devices are free
Action1 – Windows only, free version includes 50 devices, automatic patch deployment, reporting and does not expire
SolarWinds – 30 day trial, Windows only, good for physical and virtual machine patching
3 – Remove the dead weight of deactivated plugins
Keeping the ghosts of deactivated plugins on your website can be a danger. Deactivated plugins do not receive the updates needed to stay secure. Even if you plan to reactivate your plugin in the short-term and do not want to redo the settings, keeping them around is a risk. Hackers have scripts designed for deactivated plugins and look for the opportunity to get into your website through an unpatched vulnerability.
4 – Trust the magic of a password manager
Relying on your memory and reusing the same passwords makes it easy for ghost and goblin imposters to steal your passwords. Password Managers allow you to use long, randomly generated passwords without having to remember them. Find out what password manager app best meets your needs by exploring their free versions.
Scary Fact: Infosecurity magazine found that 23.2 million users worldwide use the password 123456. If this is you, we don’t have to talk about it… but get a password manager.
Here are a few that I like (in order) based on what comes in their free offerings. Decide for yourself, they are free, after all.
- Keepass: open source supports Windows but can also support Mac and Linux using Mono or Wine, no paid version – all features completely free
- Cons: UI is a little clunky
- Avira Password Manager: touch and face ID, syncs across multiple devices, creates strong passwords for you
- Cons: no password audit
- Nordpass: syncs across multiple devices, secure notes, multi-factor authentication, unlimited passwords
- Cons: no password audit
- LastPass – offers multi-factor authentication and secure notes, addresses etc.
- Cons: only 1 device, limited data storage
- Roboform – unlimited logins, password auditing and multi-platform support, offers local only storage option
- Cons: only 1 device, does not offer 2-factor authentication
- Dashlane – simple and easy to set up, very user friendly
- Cons: only 1 device, only 50 total passwords, does not offer secure notes
5 – Unmask imposters by using Multi Factor Authentication (MFA)
MFA prompts you with a code that comes through email or text to ensure you are who you say you are and not somebody else masquerading as you. It helps to defend against several different attacks including phishing, brute force attacks, man in the middle, and keyloggers.
Medium Source: Giphy
6 – Don’t be tricked – set a Login Attempt Limit
When cyber criminals use brute force attacks they guess different password combinations based on information they have about you. Limiting login attempts to three before getting locked out of an account, forced to reset, or redirected to contact an administrator, can significantly lower success rates of brute force attacks.
7 – Don’t say no to free goodies – like SSL certifications
Having an SSL certificate is more about consumer protection than website protection, but it is definitely a best practice. Not having one impacts a website’s UX in accessibility and its search ranking.
If you don’t have an SSL certificate your website url will say HTTP instead of HTTPS (Hypertext Transfer Protocol Secure). This means when site visitors enter your url they will see a scary warning box stating that your site is Not Secure with the option to leave. An SSL certificate encrypts the user’s personal information to make sure only the intended recipient sees it.
Additionally, Google confirmed that your page will take a hit in the search algorithm for not having an SSL certificate. Because these are offered for free, including at Sucuri, there is no reason not to take this extra step for your clients, and your business reputation.
This Halloween, don’t let safety stop with reflective vests and candy wrapper checks. Follow our 7 scary good tips and keep your website safe from cyber spooks!