Website Security: How to Keep Your Business Safe Online

From fresh startups to big brands, the threat of cyberattacks looms large for online businesses. Cybercriminals are getting smarter — often targeting websites in ways that small businesses struggle to spot or stop. You may not realise what’s happened until it’s too late. When it comes to online security, taking action early is the best way to stay ahead. Simple steps, like setting up an SSL certificate or using a firewall, can help to protect your site and customer data. A small investment now could save lots of stress in the long run.

The importance of website security

Suppose you’re the proud owner of a successful online business — or perhaps you’re already there. An established name in your area, you’re trusted by customers for great products and friendly service. Your business thrives on the customer data built up through online orders. You’ve even got customer details saved in a loyalty program to keep them coming back.

One day, disaster strikes: You log in to find an online attack has put a lock on your system. Your website goes down. Customer info vanishes. You can no longer take online orders. Without your usual tools for success, you struggle to keep up. Sales plummet. Customers worry about their data. And on top of it all, the attackers demand a hefty ransom for the return of your files.

This all goes to show just how much a cyberattack can shake up a small business, and how it’s so important to stay secure.

What is website security?

Website security is about keeping your website safe from online threats. The aim is to lock your website down so that nobody out there can sneak in, swipe data, wreak havoc, or otherwise throw a spanner in the works.
In short, it’s about protecting both your business and your customers — keeping your online brand and all its data safe and secure.

Why does website security matter?

Websites hold valuable data — customer details, payment info, personal records. Without strong security, they’re vulnerable to malware, hacking, and spam, making it easy for data to fall into the wrong hands.

The government’s 2024 Cyber security breaches survey found that nearly half of UK businesses experienced at least one cyberattack in the past year, costing businesses over £30 billion. That’s an average of £10,000 per company.

Ransomware remains one of the biggest threats. According to the latest Sophos State of Ransomware Report, 59% of organisations were hit in the past year. 70% of attacks then led to data being encrypted, making it inaccessible.

The security of a website plays a huge role in the reputation of the business itself. Poor security can make customers think twice before doing business with you. 41% of UK consumers say they’d stop spending money with a company that’s suffered a data breach.

To sum it up, here’s why website security is a big deal:

Protecting information: Websites store lots of important data. Strong security stops hackers from swiping or misusing that data.
Keeping the business running: A hacked website can lead to downtime, lost sales, and a damaged reputation. Good security keeps things running smoothly and minimises risks.
Building consumer trust: People want to know their data is safe. A secure website gives them peace of mind, making them more likely to do business with you.

Added to this, poor security can even hurt your search engine rankings. Google favours secure websites, so if yours isn’t up to scratch, it could get pushed down the results or even flagged as unsafe. Fewer visitors, fewer customers.
Why hackers target small businesses

While attacks on big businesses often make the news, it’s smaller companies that are hit the hardest. For many hackers, smaller business sites are low-hanging fruit — an easier proposition than the big corporations. Big companies have cybersecurity teams and big budgets to protect their systems. Smaller businesses usually don’t have the same level of protection, making them an easier target.

A successful attack can steal customer data, lock you out of your systems, or shut your website down altogether. Recovery isn’t just costly — it takes time. Some businesses take weeks to bounce back, and even then, the damage to customer trust can be hard to fix. For small businesses, it can be a nightmare.

With that, let’s look at some of the tricks these cybercriminals get up to.

10 security threats to online business

1: Phishing

Phishing is when scammers impersonate trusted sources to steal sensitive information like credit card details. The word comes from the idea of casting a wide net to catch unsuspecting victims. This is a form of social engineering, where attackers use fake scenarios or rewards to trick people. These scams existed before the internet but have become far more common online. Chances are you’ve encountered a phishing email — perhaps even today. It’s the most common form of cyberattack, which is why all 123 Reg Professional Email plans feature built-in spam protection.

2: Credential Theft

Credential theft happens when hackers steal login details to access a company’s system. Unlike a data breach, which exploits system weaknesses, credential theft relies on stolen usernames and passwords. Brute force attacks use automated tools to guess passwords, often targeting weak or reused ones. It’s not just about the system being hacked — if employees use the same password for their phone, home PC, and work accounts, it’s a recipe for disaster.

3: Malware

Malware is a catch-all term for harmful software — viruses, worms, trojans, spyware — that steals data, damages systems, or just sets out to cause chaos. Be cautious when downloading files or clicking on links from unknown sources. Phishing emails often contain dodgy
7 Reasons Why SSL Certificates are Essential for Websites

We’ve all seen that little padlock icon when shopping online — sat reassuringly close to the web address. As we’ll discover, this symbol offers much more than just a sense of safety. SSL Certificates play a huge role in protecting our personal data on the net. They help all kinds of website owners to build a trustworthy and credible online presence. And if your plan is to sell products or services online, there are few better ways to tell customers: I mean business.

How the web learned to protect itself

Cast your mind back to the early days of the internet, if you can — Windows 95 booting up on a chunky CRT monitor, 56k modem chirping down your only telephone line. The mid-1990s marked the first time many of us ever sent an email across the world. Perhaps it was the first time you added an item to your digital basket and paid for it online. Oh, how we marvelled at our new global connectivity.

Yet, there was one major snag: online security. Or rather, the lack of it. The problem lay in how browsers and servers very casually moved our data around. For the most part, it was all exchanged in simple plain text. Like an open book. Sensitive data was out there to be picked up by anyone with ill intentions. Imagine scribbling credit card numbers on a napkin every time you go to buy a coffee.

Everyone wants to keep their data safe. For the internet to become a place where people could shop, share, and interact with confidence, there had to be a better way to protect the information passing through. What was needed was a kind of secure courier service — a private envelope that could be signed, sealed, delivered. This is where SSL Certificates come in.

What do SSL Certificates do?

SSL Certificates are a clever way to protect user information and defend against hackers. The initials stand for Secure Sockets Layer, though don’t let that put you off. In a nutshell, SSL is there to establish a trusted and secure link between your browser and the website you’re on.
Like two people meeting for the first time, browsers and servers want to say “Hello” and have a good handshake. But your browser is rightly suspicious when meeting new people. It needs to know strangers really are who they say they are. It asks: “Can I see some ID, please?” With that, it’s then up to the server to come up with the credentials: its SSL Certificate. If the details check out with the browser (both valid and in date) then it forms the beginnings of a trustworthy relationship.

SSL Certificates are like passports, in this sense. Crucially, each SSL Certificate is issued and regulated by a third party, known as a Certificate Authority (CA). It’s the job of a CA to check that a website is indeed owned by the entity that claims it, ensuring, for example, that an online shop is connected to a real company. In fact, 96.3% of all SSL certificates online are issued by just 9 Certificate Authorities.

There are more than 2.5 million SSL Certificates on the internet, according to BuiltWith, which empower security for the majority of the top million most-visited websites out there. Approximately 4% of traffic that moves across Google Search is encrypted, ensuring a secure experience for users.

HTTP vs. HTTPS

Have you ever noticed how some URLs start with “http:” while others start with “https”? The S stands for “secure” and this goes to show that the website has its own SSL. Most browsers actually hide that part of the address these days, instead opting for some variation on the little padlock icon. Just be sure the padlock is displayed within the browser’s interface — an image of a padlock on a webpage is no guarantee of security.

Encryption

SSL Certificates make use of sophisticated keys and algorithms to encrypt data. That is to say: scrambling up the information so that it can be safely unscrambled again later. The level of sophistication can be described in “bits”.
As a reference, a sheet hidden with 128-bit encryption would take the most powerful supercomputer billions of years to decode. 256-bit is better than that. But the really smart thing is that there are two different keys involved. When you send data, it’s locked using a public key. And when it gets to where it’s going, it’s unlocked with the private key. Nobody has access to both keys. Therefore, nobody can take a direct sneak peek, no matter how hard they try.

Key elements of SSL Certificates

SSL certificates rely on a system of trust established by Certificate Authorities (CAs).

Root certificates, acting like the CA’s ID, are at the top and validate the CA’s legitimacy. You can identify them by matching “Issued to” and “Issued by” fields.

Intermediate certificates act as intermediaries between the highly secure root certificate and your website’s SSL certificate. Every SSL certificate has at least one to create a chain of trust.

A PFX file is a special format that combines your private key and SSL certificate. This is only necessary if you want to use the same certificate on multiple servers.

When you create an SSL certificate, a unique code called a private key is generated on your server. This key is essential for installation and must be kept confidential. If it’s lost, a new SSL certificate will be required.

From SSL to TLS

Just as the internet has developed over the years, so have SSL Certificates. Over time, SSL became what is (technically) known as “Transport Layer Security” or TLS — but most people stick with the original expression when speaking broadly about these security tools. Almost two-thirds of sites support the latest TLS 1.3 protocol.

The importance of SSL Certificates has only grown. Whether you’re running a small online shop or a big corporate platform, writing a blog
Celebrating 2FA Day!

Tech geeks and security-conscious business owners, rejoice! It’s 2-Factor Authentication Day! In an age where digital security is paramount, this really is something to be celebrated. Let’s double down on the vital role 2FA plays in safeguarding our online data, how it all works, and why it’s such a big deal for cybersecurity.

What is Two-Factor Authentication (2FA)?

Two-Factor Authentication is all about adding an extra layer of protection. The idea is simple, but effective: You enter your password, as usual, but instead of being granted access right away, 2FA asks for something unique that only you have – such as a special code on your mobile phone. This extra step ensures that even if someone guesses your password, it’s near-impossible to access your account without access to both the password and the unique code.

Statistics suggest that 2FA can block 99.9% of attempted account entry attacks. It’s an indispensable security tool for our online services and accounts and keeps us all that bit safer online.

How does 2FA work?

As the name suggests, 2FA is based on the concept of using two (or more) “factors”. A factor is something — that is, a piece of information — that can be relied on to be sure it’s really you who’s logging in. Authentication depends on users having two of the following verification methods:

✔️ What You Know: This includes things like passwords or PINs.
✔️ What You Have: This is physical items like phones or apps that generate special codes.
✔️ What You Are: This refers to unique biological features like fingerprints or one’s face.

2FA has been around for quite a while now. Conceived in the 80s, it started to gain widespread recognition and use from the mid-2000s. Before it came along we relied solely on our singular passwords to protect our online accounts. You’d enter your password, and if it was correct, you’d get right in. If someone were to correctly guess or steal your password they’d have immediate access to everything.
You might feel like the extra factor takes up too much time. But more often than not, it takes seconds, and when you think about the risks, this little extra step is more than worth it.

As well as 2-Factor Authentication, you’ll also come across the term ‘Multi-Factor Authentication’ (MFA). They’re essentially the same thing. 2FA is just a form of MFA — though, it’s true that MFA could potentially refer to three (or more) Factors.

There are a few different ways to add an extra layer of protection to your accounts. After you enter your username and password, the second step is where the magic happens. Each option has its own pros and cons:

☒ SMS Token: A unique code is sent via text message to your mobile phone. 77% of accounts now use texting as their method for two-factor authentication, making it a popular and widely trusted choice.
☒ Phone Call: After attempting to log in, you receive a phone call that provides a code verbally.
☒ Email Token: A unique code is sent to your registered email address, similar to SMS. This method is useful for access on devices where you’re already logged into your email account.
☒ Software Token: Involves installing a specialised application on your device, such as Google Authenticator or Authy. These apps generate time-sensitive codes, offering a secure and portable solution for authentication that doesn’t rely on SMS or network connectivity.
☒ Hardware Token: Using a tangible device like a key fob or a USB token to generate codes for authentication.
☒ Biometric Verification: Making use of unique characteristics like fingerprints for identity verification. Once a bit futuristic, this method has become mainstream in the last ten years with the introduction of fingerprint and facial recognition scanners in smartphones.

Even with this added security, always stay sharp. Scammers might still try to get your password and second guess. Don’t share the information and make sure your main password is solid and unguessable.

So, what is 2FA Day?

2FA Day is a sacred day when tech enthusiasts worldwide throw wild, lavish parties in celebration of the latest developments in online security. The entry code? You guessed it — an exclusive two-factor authentication token. Okay, not really, but 2FA Day does say something about the importance of that extra security step in our digital lives.

2FA Day is celebrated on February 2nd. The date reflects the idea of adding a second security layer, adding a number 2 to February. See what they’ve done, there? It encourages us to reinforce that first line of defence with a robust second check. We might owe it a birthday present or two, given how effective 2FA is against financial fraud. National Password Day, by the way, is on the first Thursday of May…

So as the day comes around, remember, it’s more than just a clever date. It’s a reminder to fortify your digital life, making it a bit more secure and smarter. As we celebrate 2FA Day on February 2nd, let it serve as a reminder that securing our own data and that of our customers and teammates online is not an option but a necessity. Amen.

2FA with 123 Reg

At 123 Reg, we include 2FA as part of Domain Ownership Protection (DOP). When a domain is secured with DOP, two-factor authentication is required for every important change or transfer requested for that domain. Domain Ownership Protection also includes…

✔️ Additional domain privacy on the WHOIS database
✔️ A 90-day holding period with the Ultimate package

All yell for SSL!

SSL Certificates are just as important a security product as 2FA or DOP. If you have a website, an SSL can help keep your visitors secure and prevent hackers accessing what’s yours. When visitors see a website has an SSL certificate, it’s a sign they are on a legit site and not a fake one. SSL Certificates are issued and regulated by Certificate Authorities (CAs) to ensure they are genuine. SSLs are so
Security Essentials Unpacked: A Guide to SSL and SSH

The world revolves around data — each and every click a piece of information. Security of that information is paramount. SSL and SSH are two of the most important weapons in the arsenal when it comes to keeping data secure on the web. While both work for our protection, they do so in very different ways.

The tech industry loves its acronyms and initials. So, let’s get this out the way to begin with: SSL stands for “Secure Sockets Layer”, while the second set of letters — being the favourite of systems administrators and turtles alike — stand for “Secure Shell”. Each one plays a huge role in keeping our data secure and making sure that people are who they say they are, online.

But what exactly is the difference between the two? Well, at a glance:

➤ SSL is used to: establish a secure connection between your web browsers and the websites you’re visiting. Specifically, we need to talk about something called an SSL Certificate. These credentials are rather like digital passports, serving to confirm the identity of a website owner. Once checked, SSL Certificates go to work to hide data that’s being exchanged. This is important whenever we share sensitive info, such as credit card numbers. SSL Certificates are absolutely essential for all sorts of website owners.

➤ SSH is used to: access and manage computers remotely. It offers a secure way to interact with servers so that a user can log in and execute commands from anywhere. This might also involve sensitive data, if not sensitive commands. Put simply, Secure Shell is a way for turtles — sorry, systems administrators — to securely access and manage systems from afar. And if you had to ask, you probably needn’t worry about it.

Key Similarities: Encryption

SSL and SSH both use encryption to keep information safe. That is, they both use algorithms to scramble up data so that it can’t be read by outsiders. SSL makes use of encryption to protect the data you share with websites.
SSH uses encryption to be sure that when someone is accessing a computer or server from far away, no one else can take a look or interfere with what’s going on.

SSL and SSH both make use of “public” and “private” keys. That’s the key point (if you’ll excuse the pun): data is scrambled in such a way that’s impossible to decode given that nobody has access to both sets.

Needless to say, data without encryption is compromised more often. Only 56% of businesses fully encrypted their internet traffic in 2020. According to The World in Data Breaches Report by Varonis, as many as 7 million unencrypted data records are compromised every day.

SSL

What do SSL Certificates do?

You’ve surely seen it before — that little padlock symbol hanging out beside the address bar. If so, you probably have some vague sense of what SSL Certificates are about. Imagine you’re doing some online shopping. With a basketful of items, you move on to the checkout page. There’s that padlock symbol. You may also notice that the “HTTP” part of a web address has changed to “HTTPS”. That extra ‘S’ stands for “Secure”.

Users encounter SSL Certificates on a daily basis when browsing the web. SSL Certificates establish a secure and encrypted connection between a client (like your web browser) and a server. Though digital, you can think of an SSL certificate much like you would a real paper credential, like a passport or an ID card, but for website owners. It all ensures the website you’re visiting is what it claims to be and not some fake site trying to trick you. You can shop in confidence because a safe connection has been established.

These certificates are controlled by a limited number of third parties. Known as Certificate Authorities, they work to make sure website owners’ details are legit. In fact, 96.3% of all SSL certificates online are issued by only 9 Certificate Authorities.

SSL Certificates were introduced in the mid-1990s and marked a real turning point in the history of the internet — especially online shopping. But they’re important for just about any sort of website that deals with sensitive info. Over time, SSL developed into TLS or “Transport Layer Security”. We still use the original expression to discuss the basic idea. Today, there are over 2.5 million SSL/TLS Certificates on the web.

SSH

What does Secure Shell do?

Secure Shell is a type of protocol that allows users to access and manage computers remotely and securely over the net. It’s mainly used by IT pros for remote server access, allowing them to log in and manage servers from any location. Not everyone’s idea of fun. In fact, most of us will remain blissfully unaware.

Imagine, for instance, you’re a systems admin — sitting on a beach in Bali — and you want to access your website through an FTP Client (that’s the software that lets you manage it all from afar). You can use an SSH “tunnel” to establish a connection between your local computer and the remote machine. By using SFTP (the secure version of an FTP) you can guarantee your connection is encrypted. You are free to upload new files, carry out maintenance tasks, or perform any other task you please.

SSH makes use of certificates of sorts, too, but there are some additional steps involved. The encryption is like an onion with three layers. First, the Transport Layer creates a secure connection between the user and the server, keeping the shared data safe. Next, the Authentication Layer checks the user’s identity to ensure they have permission to access the server. Finally, the Connection Layer manages various types of communications over the secure channel.

To be sure, SSH is more than remote access, and it’s more than the VPN you might use to watch Australian reality television. Rather, it’s an uber-secure channel for
Bulletproof WordPress: Surefire Tips to Secure Your Site

WordPress dominates as the world’s go-to content management system — and there are many great reasons for that. Yet, the platform’s popularity alone can make it an obvious target for online attacks. Fear not: there are just a few easy steps you can take to keep that beautiful WordPress site of yours safe. You’ll want to protect all the hard work that’s gone in, after all. Your visitors also need and expect security. So with that, let’s dig into our surefire tips for keeping WordPress under lock and key.

Use strong, unique passwords

It’s sad but true: 48% of small businesses are targeted by cyberattacks each year. So, to start with the obvious: you really ought to use strong and unique passwords across all your WordPress accounts. Change your passwords often. This is true for your admin account, FTP and database access, and all other associated accounts. Reused passwords can be compromised.

Try your best to make your password over 10 characters long and to include uppercase and lowercase letters, numbers, and special characters. One great tip is to take the first letters of a memorable sentence and put that into a clever password (or a “mnemonic”). For example: “this little piggy went to market” might become “tlpWENT2m”. Password manager tools are also available — both for generating and storing passwords for each account.

Change your login URL

By default, WordPress login URLs are easy to guess because they’re usually www.example.com/wp-admin or something similar. Hackers know this and will target your login page to attempt brute-force attacks. However, you can protect your website by using a plugin to change your login URL to something unique, making it harder for hackers to find. One of the most popular plugins for changing your login URL is WPS Hide Login, which allows you to change your login URL to anything you want. It’s also easy to use and comes with a simple user interface.
Just make sure you keep a record of your new login URL so you don’t lose it and only share it with people who need access to your website.

Use an SSL Certificate

SSL Certificates are sort of like digital passports and they’re especially important when exchanging sensitive info. Have you ever noticed the padlock icon when shopping? SSLs work to encrypt the data that transfers between a browser and a web server, making it practically impossible for hackers to intercept. This includes things like credit card details, login credentials, and other personal data.

Fortunately, SSL certificates are easy to set up. 123 Reg Managed WordPress actually comes with a free SSL certificate to help keep your website and your users’ data secure. There are all sorts of very good reasons to get an SSL Certificate. In fact, they’re a must-have for any sort of website that deals with transactions or sensitive information.

If you’re not using 123 Reg Managed WordPress, you may need to purchase an SSL certificate separately and install it on your server. Once you’ve installed the SSL certificate, you need to configure your WordPress website to use HTTPS instead of HTTP. This is easy to do using a plugin like Really Simple SSL, which automatically redirects all HTTP traffic to HTTPS.

Don’t use the default “Admin” username

WordPress sets the default username as “Admin,” which is easy for hackers to guess. When creating your WordPress account, always use a unique username. If you’re already using the default “Admin” username, you can easily change it by creating a new user with administrator privileges and then deleting the “Admin” user. To do this, go to Users > Add New in your WordPress dashboard, create a new user with administrator privileges, and then log out. Log back in with the new user account and delete the “Admin” user.

Keep WordPress core up to date

WordPress regularly releases updates to improve performance, add new features, and patch security vulnerabilities. It’s essential to keep your WordPress core up to date by regularly checking for updates and installing them promptly. 123 Reg Managed WordPress automatically updates your WordPress core to help keep your website secure.

If you’re using a WordPress hosting package that doesn’t offer automatic updates, you need to regularly check for updates and install them manually. To check for updates, go to Dashboard > Updates in your WordPress dashboard. If there are any updates available, click on the “Update Now” button to install them. Make sure you back up your website before installing any updates.

Keep WordPress plugins and themes up to date, too

The average WordPress website has over 23 plugins and themes installed — and over 99% of security vulnerabilities are related to plugins and themes. Just like WordPress core, plugins and themes can also have security vulnerabilities that need patching. In fact, plugins and themes are the sources of the majority of WordPress vulnerabilities.

It’s essential to keep your plugins and themes up to date by regularly checking for updates and installing them promptly. Outdated plugins and themes can be a significant security risk, as they can be used to gain unauthorised access to your website. It’s a good idea to test the effect of updating plugins and themes in a staging environment.

You can do this by going to your WordPress Dashboard and looking for the section named (you guessed it) “Updates”. If there are updates available, click on the “Update Now” button to install. It’s also good practice to remove any unused plugins and themes as they can pose a security risk.

Back up your website — and do it often

Backups are essential to recover your website if it gets hacked, corrupted, or accidentally deleted.
It’s essential to have a recent backup of your website stored securely, so you can restore it quickly if something goes wrong. 123 Reg Managed WordPress automatically creates daily backups of your website, so you can easily restore your website to a previous version if necessary. If you’re using a self-hosted WordPress
Suspicious Minds?

A new report from security experts Bullguard suggests that nine out of ten people in Britain don’t trust the internet – that’s despite the fact that 75% of the nation are online and using the internet on a regular basis. Not surprisingly, the biggest caution appears to be around the risk of downloads and using personal and private information.

The study saw 2,000 UK adults quizzed by market researchers www.OnePoll.com on their online activity with headline findings including:

* One in ten has had their bank details stolen and seen large chunks of money leave their bank account.
* Half of Brits are concerned about banking online and the same number is dubious of opening email attachments.

Yet despite the caution it appears many just can’t help themselves, even when they know there is some risk. One in twenty respondents admitted to opening up emails or attachments from unknown sources, and an equal number admitted to clicking on pop-up windows. More worryingly still, less than half knew what phishing, cookies or Trojans are with 60% admitting they didn’t know how to protect themselves from those risks.

We like to think that via this blog we go some way to educating our audience and helping you identify and minimise online risks but there is probably somebody you know, who is less aware. We wrote about a project by UK registrars Nominet Knowthenet late last year, which aims to educate people in avoiding the most common of online scams. If you’ve not yet checked it out have a look now.

Plus with internet trust still a major issue for the majority of would-be online customers to your site, now is a perfect time to invest in a Website Passport which helps build immediate trust with your website visitors and prove you are safe to do business with.