Creating your business’s website is an important step whether you plan to sell online or simply point prospective customers toward your brick-and-mortar location. It’s a platform—one that’s entirely under your own control—for helping customers to discover both your brand promise and what you offer.
The Ecommerce Foundation reports that 88 percent of consumers research products online before making a purchase. Having a website means your product or service is in front of more eyes, leading to more potential sales.
If you’re like most small business owners, you probably relied on an open-source content management system (CMS) like WordPress to build your website.
If you have little to no developer experience, these platforms are appealing because of their relative ease of use and their ability to create beautiful and functional sites that can be easily updated. Plus, building your own site is an easy way to get your business off the ground—particularly when you don’t have the budget to hire a developer to build a fully customized site.
That said, there are a couple of security-related concerns all startups and small businesses should know about when using a CMS to build their websites.
What puts a CMS website at risk?
Because a CMS is open source, it’s difficult to effectively manage the code you used to build your site. In effect, you’re relying on features such as plug-ins and themes; they have to be updated regularly, or you risk security vulnerabilities.
If they’re vulnerable, you can bet that attackers are going to find ways to exploit these vulnerabilities. More than 27 percent of the internet is powered by WordPress. It’s by far the most popular CMS, but that also means it’s the most popular target for hackers.
Plug-ins allow the customization and ease of use that WordPress is known for, but they can also be risky. According to research my company conducted, sites with 20 or more plug-ins are 3.6 times more likely to become compromised, and the administrative dashboards on an open-source CMS like WordPress are easily accessible to attackers if site owners leave them open and unencrypted.
What is a malware attack?
Malware attacks can be damaging to both your profitability and your reputation—especially if your site is taken offline or removed from search results. It can be difficult to keep an invisible threat top of mind, but we found that websites are subject to an average of 63 attacks per day.
Many small business owners mistakenly assume they’re safe because of their size. Unfortunately, you’re never too small to be hacked, and half of the 28 million small businesses in the United States have been victims of a data breach. All it takes is one successful attack to compromise your site, and the road to recovery is even tougher on a tight budget.
How to improve website security for your startup in 5 easy steps
When my company surveyed website owners, we discovered that nearly half were under the impression their hosting providers included security measures. In reality, securing your website is your responsibility. Thankfully, taking basic steps to secure your site doesn’t have to break the budget. Start with the tips below to protect your website from malware.
1. Be thoughtful about which plug-ins you use
Do you really need that plug-in that counts the number of visitors to your site? Maybe, or maybe not. Stick to the plug-ins that you truly need to build out your website, and splurge on one or two premium ones if they’re vital to your site. Plug-ins aren’t inherently bad or to be avoided; just don’t go overboard. The more you use, the more you need to update.
Some website owners resort to WordPress piracy, downloading bootleg versions of premium plug-ins, but that’s not a good idea. The distributors of these stolen plug-ins don’t make their money by giving value away for free; they make it by spreading malware that can be difficult to get rid of.
2. Keep your CMS, plug-ins, and themes updated
Keeping your CMS updated is one of the most basic defense measures you can take to improve website security. Our research found that the majority of malware-infected WordPress sites weren’t running the latest security patches when the security breach occurred.
Even with an updated CMS, rely only on plug-ins that are properly maintained, and avoid the 44 percent that haven’t been updated in more than a year.
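The checks from steps 1 and 2, written out as an added Python example that is not part of the original article. The inventory is constructed sample data shaped like the JSON output of WP-CLI's `wp plugin list --format=json`; the `last_updated` field and the plug-in names are assumptions, with the dates filled in by hand from each plug-in's directory page.

```python
import json
from datetime import date

# Constructed sample inventory (hypothetical plug-in names). "name", "status",
# "update" and "version" mirror WP-CLI's plug-in list; "last_updated" is an
# assumed extra field recorded by the site owner.
SAMPLE_INVENTORY = json.dumps([
    {"name": "contact-form-example", "status": "active", "update": "none",
     "version": "5.2.1", "last_updated": "2024-03-10"},
    {"name": "visitor-counter-example", "status": "inactive", "update": "none",
     "version": "1.0.4", "last_updated": "2021-11-02"},
    {"name": "seo-helper-example", "status": "active", "update": "available",
     "version": "3.8.0", "last_updated": "2024-05-20"},
    {"name": "premium-slider-example", "status": "active", "update": "none",
     "version": "2.1.0", "last_updated": None},
])

MAX_PLUGINS = 20        # the article's risk threshold: 20 or more plug-ins
STALE_AFTER_DAYS = 365  # the article's cut-off: no update in more than a year


def audit_plugins(inventory_json, today):
    """Return (plug-in name, finding) pairs for steps 1 and 2 of the article."""
    plugins = json.loads(inventory_json)
    findings = []
    if len(plugins) >= MAX_PLUGINS:
        findings.append(("*", f"{len(plugins)} plug-ins installed; trim the list"))
    for plugin in plugins:
        name = plugin["name"]
        if plugin.get("update") == "available":
            findings.append((name, "update available but not installed"))
        released = plugin.get("last_updated")
        if not released:
            # Edge case: nothing on record, so the source needs checking by hand.
            findings.append((name, "no release date on record; verify its source"))
        else:
            age = (today - date.fromisoformat(released)).days
            if age > STALE_AFTER_DAYS:
                findings.append((name, f"no release in {age} days"))
        if plugin.get("status") == "inactive":
            findings.append((name, "inactive; remove it if it is not needed"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_plugins(SAMPLE_INVENTORY, date(2024, 6, 1)):
        print(f"{name}: {finding}")
```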
3. Ensure submission forms include a CAPTCHA
Not only can CAPTCHA save you from going through hundreds of spam submissions, but it can also block bots looking for vulnerabilities or entry points into your site. All it takes is an unprotected contact form for a bot to inject code that allows hackers to access your customer info or even hijack your website entirely.
The best part: You don’t need a full IT team to add a CAPTCHA. For a CMS like WordPress, it’s as easy as downloading and installing a plug-in.
4. Use a website malware scanner
Website malware scanners help you find and fix malicious software and patch vulnerabilities.
The best ones are automated, allowing them to regularly perform their functions without the need for human intervention. They’ll protect your website from malware by scanning for threats and removing them, ensuring your visitors aren’t interrupted by a crashing site, slow speeds, or an alarming message from Google explaining that the site is infected and blacklisted.
5. Install an SSL certificate
You can recognize sites with an SSL certificate because the browser’s address bar shows a lock icon and the URL begins with “https.” These certificates don’t provide website protection themselves, but they do encrypt information that’s sent between a visitor’s browser and the server.
For example, let’s say one of your customers enters a credit card number and submits his or her order. If a cybercriminal intercepts that payment information while it is in transit, it will be indecipherable thanks to the SSL encryption. If you accept payment on your website, an SSL certificate is an absolute must.
Small business website security shouldn’t be an afterthought. Malware attacks are cheap to conduct, and cybercriminals frequently go after easy targets. Your business may be small—but don’t make the mistake of assuming that excludes it from cyber attacks. Protect your website from malware and protect the reputation of your business by following the above steps to build a strong defense.