How poor website security can harm your business (and ways to fix it)
Is there anything more terrifying than the thought of having your website hacked?
Being a small business owner, you may think your site has nothing worth being hacked for. Because hackers go for Fortune 500 companies’ sites, so yours has zero chances of being compromised. Wrong!
Hackers can compromise your website for a number of reasons. Some may want to steal your customer data like credit card and personal information. Others may just be in it for the thrill.
Is this a risk you’re willing to take considering that:
- Hacked sites rose by a third in 2016 and the trend won’t be slowing down any time soon, according to Google’s State of Website Security report for 2016.
- More than 75% of all legitimate websites have unpatched vulnerabilities. 15% of legitimate websites have vulnerabilities deemed ‘critical,’ meaning it takes almost no effort for cybercriminals to gain access and manipulate these sites for their own purposes.
In other words, no website, big or small, is without risk.
Why should you care?
It’s not easy to build customers’ trust and confidence in a business. But if you’ve managed to do so, you also have to retain it. That means constant care and attention when it comes to your website security.
Act like “this won’t happen to me” and you’re leaving the door wide open for cybercriminals who can ruin your reputation and the business you’ve worked so hard to build.
Here’s what can happen if your site gets hacked:
- Your customers will no longer feel safe being on your site, which will prevent them and other prospects from visiting your site or buying from you.
When Google finds a site that has been hacked or injected with malware, it can either remove it from the search results or flag it with a message like this:
This warning basically tells users that the site isn’t safe and that they should stay away.
Now, if a user does click through to the site using Chrome, they’ll see another warning that looks like this:
Or like this:
That’s enough to scare visitors away.
- Your rankings will drop, which means prospects will have a harder time finding your site in the search results. And if they can’t find you, they can’t buy from you.
According to the results of a survey on hacked websites performed at Wordfence, a popular WordPress security plugin, 45% of sites saw search traffic impacted by a hack and 9% saw a traffic drop of over 75%.
But you know what’s even more terrifying than having your website hacked? Not even knowing about it. Google’s report also revealed that “61% of webmasters who were hacked never received a notification from Google that their site was infected because their sites weren’t verified in Search Console.”
How long does it take to recover?
7.49 days is the average time to recover from a hacked site, according to the Wordfence survey results.
So ask yourself this: can your business afford to lose 25% of organic traffic for an entire week, or more? We think not.
To keep an eye out for issues, verify your website in Google Search Console. It’s free and useful, and if your site ever gets hacked, Google will notify you so you can take immediate action. Warnings about your site are displayed in the “Security Issues” panel in your account.
Search Console can also email you alerts about your site if it finds that your site has been compromised in any way. Simply go to “Search Console Preferences” to enable email alerts.
But how does a website get hacked?
Websites get hacked because they have vulnerabilities. Here are the most common ones:
- Compromised passwords. If you’re using a common password like “123456”, “password123”, attackers won’t have to put too much effort to guess it and log into your website. So when choosing a password, make sure it’s a strong one that includes at least one number and an uppercase letter.
- Missing security updates. Older versions of software can have vulnerabilities so make sure to keep everything updated to the latest version. This includes your Content Management System and all the plugins and add-ons you use on your site.
- Insecure Themes and Plugins. If a plugin or a site theme is free, it doesn’t mean it’s also safe to use. So be cautious of free plugins or themes from untrusted sites, or outdated ones that are no longer maintained by their developers.
- Social engineering. Anytime you receive an email asking you to confirm your identity or to share sensitive information, stop to think whether the sender is legitimate or someone pretending to be. Phishing campaigns are so effective that they have a 45% success rate! This means most of the time people can’t tell the difference between a real and a fake Amazon recovery email. So never give out confidential information like passwords, credit card numbers, or even your birth date.
- Security policy holes. Are you allowing just any user to upload files to your site, or giving admin access to those who don’t require it? And are you letting users sign in using HTTP, instead of HTTPS? Then you’re giving attackers an easy way to compromise your site. To improve security on your website, make sure you always use encryption for pages that handle sensitive information, like login pages, and only give admin access to users you can trust.
- Data leaks. Make sure your site never reveals confidential information to unauthorised users. This means running periodic checks and restricting sensitive data to trusted entities only.
What happens if my website is compromised and I get a warning?
So what if that terrifying thing does happen and you get a warning in your Google Search Console letting you know that your site has been hacked?
Google has a helpful guide on the steps to take in the event your site is hacked. Here’s an overview of the steps to follow:
- Inform your hosting provider that your site has been compromised so they can take action, and potentially help recover your site.
- Take your site offline until you can fix the issue. This way you minimise the damage to your rankings in the search results, and you also prevent visitors from being exposed to malicious code or spammy files. Ask for help from your hosting provider if you don’t know how to take your site offline.
- Review your site’s user accounts and change all passwords. Also look at out-of-date software.
- Verify your site ownership on Google Search Console and check all users with access to your site to ensure there’s no unauthorised user.
- Find out more about the nature of the attack. Did the hacker add spammy content to your site or have they attacked it to steal customer data? You’ll find this information in your Search Console account under Security Issues. Knowing the nature of the attack will help you figure out how to fix the issue.
- Once you’ve managed to clean your site, you can request a review from Google so you can get your site back online.
Make a habit out of checking and seeing whether your site is safe (and you should do this often). You can use Google’s Safe Browsing Site Status tool to do this:
Here’s the thing: it only takes one bad experience to tarnish your reputation and lose your customers’ trust and confidence in your business. Why take the risk?
So pay attention to any unusual activity on your website. It’s the only way to catch problems early and fix them before any damage occurs.