How To Protect Your Website From Hackers And Malware


If you’re running a website, it’s important to make sure that you’re doing everything you can to protect it from hackers and malware. Unfortunately, these threats are becoming more and more common, and they can do a lot of damage to your business if you’re not prepared. In this blog post, we’ll discuss some tips on how to protect your website from hackers and malware. We’ll also talk about some of the most common threats that you need to be aware of. So don’t wait – read on for information that could save your website!

Website operators usually only notice that their site is infected with malware when it is too late: search engines such as Google are already threatening sanctions, or affected visitors are complaining. As a website operator, you must expect attacks from hackers at any time. But instead of waiting and hoping that your website will not be attacked, you can take simple measures to reduce the danger.

As a website operator, you are fundamentally responsible for your own web applications. If your system is reported as hacked, you must close the security holes immediately. If you do not react or if you react too late, your website may be blocked by your hosting provider for security reasons. Protect yourself and make your web presence more secure – we’ll show you how it’s done!

The times when websites had to be laboriously programmed are long gone. Most websites today are based on web applications that you can easily paste the content into. These programs – also commonly called web apps – are tailored for specific areas of application: There are content management systems, blog and forum software, e-commerce solutions, image galleries, wikis, groupware, calendars, social networking, and much more. The range of functions of the respective web app can be individually expanded using expansion options such as plug-ins or components.

Many web apps and extension options are also available as free open source solutions and are in use by millions. But it is precisely this popularity that makes them a preferred target for hacker attacks, which exploit vulnerabilities in a targeted manner.

For example:

  • Smuggling in phishing pages to obtain access data or banking data
  • Tricking website visitors into downloading hidden viruses and Trojans (drive-by download)
  • Abusing a site to send spam, with the result that the site's IP address could land on a blacklist
  • etc.

The developers take countermeasures and regularly publish updates in order to be able to close known vulnerabilities immediately.


What is malware?

Malware is malicious software. The term is made up of the English words malicious (harmful) and software. There are many different types of malware, but the most common are viruses, worms, Trojans, and spyware.

Almost all of us come into contact with malware on a daily basis. When surfing the Internet, checking e-mails, or testing a new program, the danger of falling victim to a hacker attack and infecting your computer with malware can lurk everywhere, and viruses, Trojans and the like can penetrate a system unnoticed. In principle, every website on the Internet is a potential target for hacker attacks.

Even small homepages that deal with niche topics and only have a few visitors can be targeted by hackers. Cyber attacks are a major problem for companies in particular. Even a small data leak can have serious consequences: it can damage the company's image, lead to loss of sales, and possibly even to civil lawsuits, because many companies, especially online shops, enjoy the trust of countless customers who entrust them with personal data, account, and credit card information.

Why are websites hacked?

As a rule, hackers do not target individual websites. They use special tools to identify as many sites as possible that have certain security gaps at the same time. Hackers attack websites to get usernames, passwords, or other information about the webserver – data that in most cases also allows access to other systems.

Another motive for hackers is to gain access to third-party platforms in order to misuse them for their own purposes. Hacked websites are used as distributors for SPAM or illegal content or serve as a basis for further attacks. This makes it extremely difficult to trace the hackers.

How can I protect my website from cyber-attacks?

As a website operator, you are responsible for the security of your systems. A large number of attacks succeed through insecure FTP passwords or so-called script injections, in which malicious scripts are integrated into the original code of the website.

In general, dynamic websites built with popular content management systems such as WordPress or Joomla are at higher risk. Thanks to their extensive and complex program code, these pages offer hackers a larger attack surface than static HTML websites.

In order to keep the risk of a cyber attack on your own site as low as possible, here are the 10 most important tips:

Tip 1: Always keep your web applications up to date

Two of the most popular open-source applications are WordPress and Joomla. If you look at the installations, the numbers are alarming. For example, 3 out of 4 WordPress installations are outdated. With Joomla, it is even more dramatic: In some cases over 90% of all Joomla websites run with an outdated Joomla version.

So keep your web applications up to date! From WordPress 3.7 onward, it is possible to run updates automatically in the background. If you have this feature disabled, you should continuously check and update your WordPress version manually. With Joomla, it is a little more complicated, but there are also ways to update the software automatically.

Tip: Update your WordPress and Joomla websites regularly to protect against hackers and malware. Install updates as soon as they are available, and consider using automatic update features if possible. Also, keep an eye on your website’s security features and make sure they are up to date. Regular backups of your website’s data are also important in case of an attack. Thanks for reading! Stay safe out there!

Tip 2: Regular updates of plug-ins and extension components

Plug-ins and other extension modules are usually independent programs. This means that an update of the web application does not automatically update them. Hackers know this and often target security gaps in plug-ins and add-on modules for their attacks.

In the middle of the year, for example, the popular WordPress plug-in All in One SEO was affected. These and other weak points have of course been eliminated in the meantime.

But All in One SEO is by no means the only WordPress plugin that has become a security risk: whether contact forms, comment functions, newsletters, etc., practically every plugin can become a target for hackers.

The extensions – called components – are also popular points of attack for the content management system Joomla, which is also widespread. In the past, for example, security gaps in the file manager explorer and the content editor JCE had to be closed through updates. The list of affected Joomla components could be extended indefinitely.

Therefore, update your plug-ins and extension components regularly! With WordPress and Joomla, you can conveniently run these updates from the dashboard.

Tip 3: Back up data, databases, and system files

Once your website has been hacked, it is usually too late. An attack can irretrievably destroy important data and settings that were on the affected system. System files are also partially overwritten by updates. This is particularly annoying if, for example, you have made individual theme or template adjustments. In the case of WordPress, this mainly affects the following files: index.php, style.css, and wp-config.php, while Joomla template changes mainly affect the index.php, template.css, and template_rtl.css files.


You should therefore regularly back up the data, databases, and system files of your web application. For WordPress installations, for example, there is the free BackupWordPress plug-in or the fee-based tool Backwpup-Pro. Popular backup tools for Joomla are: Akeeba Backup, Easy Joomla Backup, and – especially for Joomla databases – LazyDbBackup.

Many hosting customers with a shared hosting product (web hosting, web server) also have the option of performing a free backup using the administration tool (cPanel).

Tip 4: Use strong passwords

So much has been written about password security that using strong, complex passwords should be a given. In practice, however, passwords that are easy for hackers to crack are often still used. A secure password should contain at least 8 characters. Use a mix of lower and upper case letters, numbers, and special characters and avoid expressions that can be found in a dictionary. You can also use a tool to generate a secure password, such as GaiJin’s free password generator.

Tip: If you use WordPress, you can also secure the login process with two-factor authentication.

Tip 5: Avoid typical user names

In addition to a secure password, you should also choose a username that is not easy to guess. Instead of the standard “Administrator”, “admin” or your real name, use more complex user names, e.g. by adding years or additional abbreviations, etc. This way you make it twice as difficult for hackers to penetrate your system.

Tip: If possible, do not use the “admin” user name at all!


Tip 6: Secure contact forms and guest books with Captcha queries

Contact forms and guest books are extremely popular targets for automated attacks on your website. You should therefore protect them in particular. A simple and practical way to protect yourself from automated requests is a Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart). When researching expansion options, it is best to check directly whether they already contain a Captcha or, if not, whether a suitable Captcha plug-in is available.

For WordPress, for example, the following plugins are available: Captcha by BestWebSoft, reCAPTCHA by Google, Advanced noCaptcha & invisible Captcha (ancient).

For Joomla extensions with Captcha functionality we recommend: RSForm!Pro (commercial), AIO ReCAPTCHA (free), or reCaptcha by Google (free).

Tip: If you use a Captcha on your website, make sure that it is also accessible to people with disabilities. The best way to do this is to use an audible or visual Captcha.

When using contact forms and guest books, you should also pay attention to the data security of the transmitted data. If the data is not encrypted, it can be read by “eavesdroppers” during transmission.

Tip: Use SSL encryption for data transmission! This is particularly important if you run an online shop or a website with a login area.

You can recognize an encrypted connection in the browser address bar – it starts with “HTTPS://” instead of “HTTP://”.


If you want to set up SSL encryption for your website, please contact your web hosting provider. Many providers offer this service free of charge or for a small additional fee. If you have any questions, our support team will be happy to help!

Tips 7-9: Advanced security precautions for experts

In addition to the basic tips presented, there are of course other precautions that you can take to prevent hacking and the infiltration of malware.

  • Create your own access protection for the administration area using .htaccess, or use an administration tool such as Host Europe’s Customer Information System (KIS) for access management (only possible for Host Europe customers with a shared hosting product: web hosting, web server, blog hosting)
  • Optimize the assignment of rights for your files and directories
  • Prevent execution of PHP files in specific directories using an .htaccess directive

Restrict access to the wp-config.php and .htaccess files
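
The expert precautions listed above (admin access protection, file rights, blocking PHP in specific directories, restricting wp-config.php and .htaccess), as an added shell example that is not part of the original article. It assumes Apache 2.4 with AllowOverride enabled and PHP running as the file owner; the function names, the permission modes 755/644/600 and the password-file path are assumptions.

```bash
# Added example, not from the article. Assumes Apache 2.4 with AllowOverride
# enabled and PHP running as the file owner; modes and paths are assumptions.

# Append a marked block to an .htaccess file only once (safe to re-run).
add_block() {   # usage: add_block FILE NAME   (block body on stdin)
    if grep -qxF "# hardening: $2" "$1" 2>/dev/null; then
        cat > /dev/null                      # already present: discard stdin
    else
        { printf '# hardening: %s\n' "$2"; cat; } >> "$1"
    fi
}

# Admin access protection via HTTP Basic auth (htpasswd -c PASSWD_FILE USER).
protect_admin() {   # usage: protect_admin ADMIN_DIR PASSWD_FILE
    add_block "$1/.htaccess" admin-auth <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile "$2"
Require valid-user
EOF
}

# File rights: directories 755, files 644, wp-config.php owner-only.
fix_permissions() {   # usage: fix_permissions DOCROOT
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# No PHP in a media-only directory: refuse requests for script files there.
block_php_in() {   # usage: block_php_in DIR
    add_block "$1/.htaccess" no-php <<'EOF'
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Deny direct requests for wp-config.php and the .htaccess/.htpasswd files.
protect_sensitive_files() {   # usage: protect_sensitive_files DOCROOT
    add_block "$1/.htaccess" sensitive-files <<'EOF'
<FilesMatch "^(wp-config\.php|\.ht.*)$">
    Require all denied
</FilesMatch>
EOF
}

# Audit: number of world-writable paths remaining under DOCROOT.
count_world_writable() { find "$1" -perm -0002 ! -type l | wc -l | tr -d ' '; }
```

Run fix_permissions first, then the .htaccess functions, keeping the password file outside the document root. Basic auth on wp-admin also covers admin-ajax.php, which some front-end plugins call, so check the public site after enabling it.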

If you implement these tips, you will have taken some important steps to protect your website from hackers and malware. Of course, there is no such thing as 100% security on the internet – but you can at least make it much more difficult for attackers to penetrate your system.

Tip 10: Check regularly whether your site has been hacked

As you can see, there is a lot you can do to protect your website. But even the best precautions cannot give you 100% security against hacking. As a website operator, you often notice too late, or not at all, that your website has been hacked. That’s why you should check your website regularly. There is a whole range of free tools online that you can use to check your website for manipulation or to register your website directly for regular reviews. These include, for example:

  • Website Check by Sucuri
  • Unmask Parasites
  • Quttera Web Malware Scanner
  • Virus Total (also checks files)
  • Google Safe Browsing Diagnostic Tool

With these tips, you can significantly increase the security of your website and protect it from malware. Nevertheless, you should always keep an eye on your website and, if necessary, install additional security measures.

What do I do if my website has been hacked?

If it’s already too late and you’ve noticed that your site has been attacked, you need to act quickly. Because with a hacked website you not only harm yourself but also endanger the visitors of your site. If you do nothing, your hosting provider may block your site; in the worst case, there may even be legal consequences.

Deactivate your website

If you don’t know exactly what the hacker did to your site, you should first take it offline. In order not to disturb the site visitors and not to damage your reputation, it is advisable to create a maintenance page.

Backup your databases

Back up your databases to gather evidence that an insurance company or law enforcement agency may request. The material can also help you subsequently determine the exact cause of the attack.

Update software and passwords

Immediately install any security updates available for your software and change any passwords.

Find and close the vulnerability

Finding the vulnerability and malicious code that infected your site requires extensive HTML knowledge, time, and patience. If you don’t have the necessary expertise yourself, it’s better to play it safe and leave the cleaning of your systems to an expert.

Conclusion

The best way to protect your website is to take preventive measures. By following the tips above, you can make it much more difficult for hackers to attack your site. If you do find yourself the victim of a hacking attempt, act quickly and contact a professional if necessary. Remember, your website is not only a reflection of your business – it is your business. Protect it accordingly.

If you have any questions about website security or if you would like help securing your site, please contact us. We are happy to help you make sure your website is as safe as possible.