Sometimes it’s really obvious that your website has been hacked: the hacker replaces the front page of your website with their own message stating you’ve been hacked. For a bigger brand this can be very damaging to the brand, the business and consumer confidence. For example, if an e-commerce website comes up with ‘hacked’ across the front page, would you ever feel confident entering your credit card details into that website again? For smaller businesses there is less impact, but it’s still something you need to take steps to prevent. Our friend’s website (which is hosted with another provider) got hacked recently and they were charged $650 to restore the website from a backup, which is enough justification to take all the preventative measures possible.

So what are the best ways to prevent your website from being hacked?

Website Maintenance and Update Plan

Most websites these days run on software known as a CMS (Content Management System), such as WordPress or Drupal. As with any software, such as Windows or Android, the CMS software needs updates to keep it secure and compatible with the latest developments. The updates that get released fix security vulnerabilities that are exposed in the software after the CMS’s initial release. These security vulnerabilities are discovered and publicised by people on the internet so that the software developers can fix those problems, and the developers release patches/updates to do so. Here’s where it gets sticky: if you are not updating your website with those security patches, you are leaving holes for hackers to get into your website. A hacker can write a script or robot (code) to probe all websites for the security vulnerability, and if the latest patches aren’t applied then, bingo, they are into your website. We would strongly recommend you don’t use a CMS-based website without having a security update plan in place. Your website could get hacked multiple times in one year; that’s $650 per rebuild × 2 or 3.

Why don’t these patches get applied automatically?

In some cases you can use automatic patching to keep your website up to date, but the problem there is that you need to know what you’re doing: test the website after every patch update, and be able to roll back or restore from a backup if the update breaks something on your website. Unless you specifically want to learn how to do all that, we would recommend getting someone to do it for you. Patching a CMS website is more involved than patching your phone or laptop.

What is the difference between updating all patches and only security patches?

Updating all the patches on a website would include the non-critical updates as well as the security updates. These might contain changes in the way the CMS works, enhancement requests and new features, and the risk is that these changes may affect or break your website. Updating only the security patches plugs the security holes without making many other changes to the way your website works. If you have a large website and you want to be right on the cutting edge (also known as the bleeding edge, for very good reasons) with all the latest features, then you may want to install all updates, not just security updates.
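The distinction between a “security patches only” plan and an “install everything” plan, and the point that an unpatched component is exactly what an automated probe looks for, can be made concrete. The script below is an added example, not code from the original article: it takes a constructed inventory of a CMS core plus plugins and a constructed vendor release feed, and works out which components are still exposed to a published security fix, what the minimal security-only upgrade set is, and what the full upgrade set would be. Component names, version numbers and the `Release` structure are all assumptions made for the example; a real site would read the inventory from the CMS and the release list from the vendors’ changelogs or security advisories.

```python
"""Patch triage for a CMS install: which updates close security holes, which only add features.

Added example, not from the original article. The installed inventory and the
release feed below are constructed sample data; a real site would pull the
inventory from the CMS itself and the release list from the vendors'
changelogs or security advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    component: str
    version: str
    security: bool  # True when the vendor flags the release as fixing a vulnerability


def parse_version(text):
    """Turn '6.4.2' into (6, 4, 2) so versions compare numerically rather than as strings.

    Shorter strings are padded with zeros so that '1.9' and '1.9.0' compare equal.
    """
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


# Constructed inventory: what is installed on the site right now.
INSTALLED = {
    "cms-core": "6.3.1",
    "contact-form": "2.8.0",
    "seo-toolkit": "4.1.5",
    "gallery": "1.9",
}

# Constructed release feed: what the vendors have published.
RELEASES = [
    Release("cms-core", "6.3.2", security=True),    # security fix backported to the 6.3 branch
    Release("cms-core", "6.4.0", security=False),   # feature release, changes behaviour
    Release("contact-form", "2.8.1", security=True),
    Release("seo-toolkit", "4.2.0", security=False),
    Release("gallery", "1.9.0", security=True),     # already installed, nothing to do
]


def pending_updates(installed, releases):
    """Map each component to the releases newer than what is installed, oldest first."""
    pending = {}
    for name, current in installed.items():
        newer = sorted(
            (r for r in releases
             if r.component == name and parse_version(r.version) > parse_version(current)),
            key=lambda r: parse_version(r.version),
        )
        if newer:
            pending[name] = newer
    return pending


def security_only_plan(installed, releases):
    """The 'security patches only' policy: for each component with an outstanding
    security release, upgrade to the newest security release and skip feature releases."""
    plan = {}
    for name, newer in pending_updates(installed, releases).items():
        fixes = [r for r in newer if r.security]
        if fixes:
            plan[name] = fixes[-1].version
    return plan


def all_updates_plan(installed, releases):
    """The 'install everything' policy: upgrade each component to its newest release."""
    return {name: newer[-1].version
            for name, newer in pending_updates(installed, releases).items()}


def unpatched_security_holes(installed, releases):
    """Components still running a version with a published security fix outstanding.
    This is the exposure an automated vulnerability probe would find; the defender's
    goal is for this list to be empty."""
    return sorted(security_only_plan(installed, releases))


if __name__ == "__main__":
    print("Exposed to known security fixes:", unpatched_security_holes(INSTALLED, RELEASES))
    print("Security-only plan:", security_only_plan(INSTALLED, RELEASES))
    print("All-updates plan:  ", all_updates_plan(INSTALLED, RELEASES))
```

Run as a script it prints the exposed components and both plans; with the sample data the security-only plan moves cms-core to the backported 6.3.2 and leaves the 6.4.0 feature release and the seo-toolkit update for a later, tested rollout, while the all-updates plan takes everything. The version parsing matters: comparing "6.10.0" and "6.9.0" as strings would rank them the wrong way round and hide a missing patch.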

How much should a patching plan cost?

It really depends on the size and complexity of your website, but expect to spend anywhere between about $350 for a basic plan on a single website and up to $2,500 a year for a large website with multiple servers, eg development, staging and live.

Can I live without a patching plan?

You need to do a little maths to figure this out: if your website is down for a day or two, how many lost customers is that? If your website gets replaced with a hacked message, what will be the damage to your brand? If you have to recover your website from a backup and then install the patches anyway, what will be the cost of that? If you can live with those costs, then you can live without a patching plan.

Other Tips for Security

  • Do an audit of who has access to your website every few months. Remove old employees and tighten up access.
  • Use a Digital Certificate (HTTPS) on your website; see the blog post entitled Why Google will display your website as “Not Secure”.
  • Use a firewall in front of your website.
  • Make sure your passwords are strong eg: TYS765_jjesd&^
  • Never write your passwords down except if you are using a password safe app.
  • Update your passwords at regular intervals.
  • Logout!
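The first and sixth tips above (audit who has access every few months, and change passwords at regular intervals) are routine enough to script. The following is an added example, not code from the original article: it runs over a constructed user export in the shape most CMS user lists can produce (username, role, last login, date the password was last changed) and flags accounts that have never been used, accounts that have gone quiet, and passwords that are overdue for a change, rating findings on privileged roles as high severity. The 90-day and 180-day thresholds, the role names and the sample users are all assumptions for the example.

```python
"""Periodic access review for a CMS: find accounts to remove or tighten.

Added example, not from the original article. The user export below is
constructed sample data; the 90- and 180-day thresholds are assumptions to
adjust to your own policy.
"""
from datetime import date

TODAY = date(2024, 6, 1)      # fixed "today" so the example is reproducible offline
STALE_AFTER_DAYS = 90         # no login for this long: likely a departed employee or a forgotten account
ROTATE_AFTER_DAYS = 180       # password older than this: overdue for the regular change
PRIVILEGED_ROLES = {"administrator", "editor"}   # roles that can change content or settings

# Constructed user export: (username, role, last_login, password_changed)
USERS = [
    ("alice",   "administrator", date(2024, 5, 30), date(2024, 3, 1)),
    ("bob",     "editor",        date(2023, 11, 2), date(2023, 6, 10)),   # left the company
    ("web-dev", "administrator", None,              date(2022, 1, 15)),   # set up by an agency, never used
    ("carol",   "author",        date(2024, 5, 28), date(2023, 10, 1)),
    ("intern",  "contributor",   date(2024, 1, 10), date(2024, 1, 10)),   # placement finished
]


def age_days(earlier, today=TODAY):
    """Whole days between a past date and today."""
    return (today - earlier).days


def audit(users, today=TODAY):
    """Return one finding per problem, as dicts with user, role, issue, severity and detail.

    Severity is 'high' for privileged roles, because a stale administrator or editor
    account is a ready-made way in, and 'medium' otherwise.
    """
    findings = []
    for name, role, last_login, pw_changed in users:
        severity = "high" if role in PRIVILEGED_ROLES else "medium"

        def flag(issue, detail):
            findings.append({"user": name, "role": role, "issue": issue,
                             "severity": severity, "detail": detail})

        if last_login is None:
            flag("never-logged-in", "account has never been used; remove it or confirm it is needed")
        elif age_days(last_login, today) > STALE_AFTER_DAYS:
            flag("inactive", f"no login for {age_days(last_login, today)} days; remove or disable")

        if age_days(pw_changed, today) > ROTATE_AFTER_DAYS:
            flag("rotate-password", f"password is {age_days(pw_changed, today)} days old")
    return findings


def privileged_account_count(users):
    """How many accounts hold a privileged role: the number to keep as small as possible."""
    return sum(1 for _, role, _, _ in users if role in PRIVILEGED_ROLES)


if __name__ == "__main__":
    for f in sorted(audit(USERS), key=lambda f: (f["severity"] != "high", f["user"])):
        print(f"[{f['severity']:6}] {f['user']:8} ({f['role']}): {f['issue']}: {f['detail']}")
    print("Privileged accounts:", privileged_account_count(USERS))
```

With the sample data the report lists bob (inactive for 212 days, password 357 days old) and the never-used web-dev administrator account as high severity, and carol's ageing password and the intern's dormant account as medium. Running something like this on a calendar reminder turns “audit access every few months” from a good intention into a repeatable check, and the privileged-account count gives a single number to drive down over time.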