If you are running your own blog or website, and possibly making a small income from your website like me, you are most likely a target for unethical hackers. The biggest news of 2020 is how the unethical hackers have broken into various high profile Twitter accounts or lately, how hackers have broken into US governmental agencies, most of who we thought were the most secured! So if such large enterprises could be hacked, small blogs, personal websites and even small business websites like mine are extremely easy for such guys to break into.
For these hackers, small or large businesses do not matter much, since they have the tools to crawl from one site into another easily, and all they look for at the beginning is to break into a few of these and create something like a base site and closely watch for every opportunity to use their base site to get into others.
Preventing Hacks Need Not be Expensive
Securing websites could be a very expensive matter, especially for those who run blogs & sites for hobbies or for those small businesses that do not have all the spare money to invest into their websites. However, there are some simple things we can all do and try to keep our online presence as secure as possible. Most of these do not cost you any money and in some cases, the money seems to be quite reasonable and affordable even to hobbyist and small businesses.
I Learnt from Mistakes & Experience
I have gone through this almost 5 times in the last 10 years and each time my website(s) were hacked, I was able to get them back online in matter of days and having learnt from each mistake, I have added and tweaked my simple techniques to prevent another similar hack. However, there is no end to this. So I am having to do many of these activities almost continuously. The investment for me has mostly been in the form of time and not so much of money.
6 Simple Ways to Secure your Websites & Blogs
- Different Login ID & Password – this is the simplest thing we can control. Many people use the same login ID & the same password for almost all the websites they interact with. If you do that (and I was guilty of this too at the beginning), you are simply giving the hacker an easy access to all your information for all the websites you visit and buy stuff from. Once they manage to get into one of your computers, device or your blogs, they can monitor and gather a lot of information on all the other things you do online!
The fix is to change your online ID & online password for every website where you have a login ID & password created. It is tough, especially because we use ID & password on so many different types of websites, from social networking to grocery shopping to keeping track of our bills and medical information. If it helps, and I do not recommend this, make a note of all your IDs & passwords on a piece of paper and keep track of when you change them. - Don’t use email or easy-to-guess login ID or password – I learnt this the hard way after my bank account was hacked a year back and then made the same mistake again for another website of mine to be hacked in the same way twice!
To keep it simple for our selves and avoid forgetting IDs and passwords, we generally use our email or a common ID for most of our online work. That is a bad mistake! And hackers know of this common behavior of most users and they make the most use of this. By breaking into one of your website or blogs, they have increased their possibility of breaking into other websites or blogs that you own. Now if you are using the same password as well on all your websites or blogs, you just made it real simple for the hackers to break into all of them at once.
I recommend that you create unique login IDs and unique login passwords for individual websites or blogs that you run or maybe host or manage for others. The most common ID is “admin” – avoid that at all cost! - Watch your Saved Passwords – most browsers provide help in remembering your login IDs & passwords for the various websites you visit or browse, including your own blogs & websites.
This is mostly a very secured application and unless your desktop or laptop is badly hacked with malware, these IDs and passwords are quite well protected. But then it leaves an opportunity for anyone else using your laptop or computer to access those websites pretending to be you!
Apart from this one problem, which is a real problem for me because my 6 year old keeps opening up browsers and fiddle with the cursor whenever she gets her hand on my laptop, using this feature has one big advantage. Google Chrome browser for example keeps track of data breaches and often warns you if any of your IDs or passwords have been compromised.
4. Using Google Captcha on your Websites – if you use WordPress, you are in somewhat lucky in this aspect. The WordPress community and the developers always try to keep ahead of the curve when it comes to security. Their plugins are also well tested especially those that are hosted on WordPress.org. There are Google Captcha plugins that you should use for your websites and blogs.
The best way is to register your blog(s) and websites for your personal business on Google Re-Captcha console. However, there are 3 things with Google Re-Captcha that you need to know:
(a) they do have pricing plans that you need to understand. For websites with small traffic, as of 2020, their services are Free up to 1 million Assessments / Month* for the ones you need &
(b) they do not offer any support for anything other than the Enterprise version, so you would have to depend on the Google and WordPress community for any help. They have good documentation to help you and the community if very eager to help users
(c) there are a few versions of Google Re-Captch as of today – V2, V3 & Enterprise. You would possibly choose between V2 & V3. I personally choose V2 since its been very stable and works well for my needs. See examples of V2 Google Re-Captcha:
If you install any such plugin be very sure to test them out before you can rest quietly. I have had numerous issues at the early stages and had been locked out of my own WordPress admin panel because of malfunctioning of the plugins with my websites. In case you face that problem, a quick & dirty fix is to use a FTP client like FileZilla to delete the plugin from the server (although WordPress always says that you should not delete or edit a plugin while its being used!)
5. Using a Secured Certificate – this is important especially if you are exchanging any sort of data with your website visitors or your blog readers. Common examples of data exchange includes submitting email IDs, creating a profile or accepting payments on your websites.
When your blog or website is certified, you should see a “https://” in front of your URL. In case you have hosted your blogs with a SSL certificate but people can still access them using just “http://” then you can either talk to your hosting provider to fix this issue or if you want to do it yourself, use a 301 Permanent Redirect script on your site so that anyone coming in from a “http://” is automatically taken to the secured access path through “https://”.
If you want more security to your websites & protect not only your own credentials but offer a peace of mind to your visitors and buyers on your websites, you can use paid services. There are many to choose from. These services monitor all accesses to your blogs & websites and have intelligent ways, both technically as well as manually to identify potential risks, protect your online properties and consult with you on possible remediation. Such services can be recommended by your hosting service provider – this is the best way to do it since the hosting provider and the security provider has to work closely to keep your blogs & websites secure.
Techradar has a great comparison on their post The best internet security suites and software for 2020 to help you.
6. SignUp for Site Monitoring, 2 Factor Authentication, Blog availability & Critical Changes – this is a breeze if you are using WordPress. I use their Jetpack free services to send an email to me & alert me if my website goes down. Also, you can configure your WordPress administration panel to alert you by email in case anyone tries to create a login Id or tries to change your privileges.
Also try to use 2 factor authentication for some of the core applications most essential for your business. For example, you would want to set up a 2 factor authentication for your hosting provider login, your Google account and email account login. With a 2 factor authentication no one can suddenly disrupt your core business functions without your knowledge.
There are also numerous Google & WordPress default features to alert you of strange user behaviors on your websites including multiple login failures, attempt to create new IDs, attempt to register as your website owners. For example, if you have the Google Authentication code on your domain and someone tries to register themselves as the owner, Google is immediately going to alert you and you can respond appropriately – a very critical feature that has helped me a lot in the past in preventing frauds and hackers from getting into my domains.
There goes the 6 simple and quite easy things under your control that you can do to secure your online websites and blogs. In my subsequent post I will share what I do, and I am getting better at this slowly, when I realize that my website has been affected by malware and hacked. This is the tough part and often requires a lot of experiments and trials but fortunately for me I have been able to recover quite well & get my blogs back online very quickly with little damage.