When it comes to understanding better how to make a website, its security should be top on your list of priorities.
As the number of websites globally grows—to a record 1.86 billion websites in the first half of 2021 alone—the number of cyber attacks increases in tandem. Attacks on websites in the United States have increased almost 400% since 2020, with the FBI reporting up to 4,000 cyber attacks a day. It’s also estimated that by 2023 the total number of global DDoS (distributed denial of service) attacks will number over 15.4 million.
The increasing sophistication of cyber attacks makes all websites vulnerable to security and privacy breaches. Knowing how to secure your site against these attacks is crucial in order to protect your data and that of your users. In this article, we’ll discuss website security in-depth, going over ways to ensure cyber protection—from choosing the right website builder, to the steps you can take to improve your website security, and protect your business.
What is website security?
Website security is the protection of your site and your site's infrastructure from malicious online attackers that can access, alter and steal your site’s content and data. It should also protect the personal data and privacy of your site's users. Every individual or business with a website should have a comprehensive understanding of cybersecurity basics to ensure they're website is safe from attacks.
You need to trust that your site and its data is secure. Cyber attacks are on the rise and growing increasingly more sophisticated. This makes them difficult for security professionals to spot, let alone website creators. The right website builder will prioritize security, so you can focus on your business.
Website security threat examples
There are a number of ways in which a site’s security may be broached. We’re going to explain some of the most frequently occurring ones and the potential threats they pose to your site here:
SQL injections
SQL injections involve the use of search query language (a type of computer code) to take control of a database and extract sensitive information. Such an attack can also be used to edit, modify or delete information within a database, and may even be used to retrieve passwords or user information. According to Akamai's State of the Internet/Security Report, there were 6.2 billion attempted SQL injections between January 2020 and June 2021, placing them at the top of most common web attacks.
SQL attacks pose a real threat to keeping both your site and its data safe. These cyber attacks can impact your site's functionality, and lead to the loss of sensitive user data. For example, passwords retrieved from your site might be used to hack your users’ accounts across multiple online platforms.
Ransomware
Ransomware is a form of malicious software used to infect computers. Once uploaded it can block access to files, systems, software and applications. Hackers then demand a ransom from the affected user, and once paid, the computer and related files are decrypted and the ransomware removed.
In 2021 organizations, from public hospitals to government bodies, to large corporations, were victims of ransomware attacks. The majority of these ransomware attacks were the result of phishing— computers and systems became infected when employees received a phishing email and then clicked on a malicious link within it.
Ransomware attacks are on the rise and 2021 was a particularly busy year with 37% of corporate organizations reported being the victims of a ransomware attack. In the first half of 2021 alone, the FBI reported a 62% year-on-year increase of such attacks.
Cross-site scripting (XSS)
A cross-site scripting attack occurs when malicious javascript code is injected through a trusted website into a user's browser. This type of attack works similarly to an SQL injection attack and preys on the inability of browsers to differentiate between malicious and harmless markup text. Browsers simply render whatever text they receive, regardless of its intent.
Cross-site scripting is often used to steal a user's cookies (stored information) and pose as them online. It can also be used to edit websites, collect secure user credentials (e.g. passwords or credit card numbers). Between January 2020 and June 2021, there were an estimated 1.019 billion such attacks, so it goes without saying that protecting against cross-site scripting is an important part of website security.
Credential reuse
When user credentials are stolen, it can impact more than just your website. They can be used to access multiple sites where the same credentials apply and create damage that extends across many websites at once.
Credential reuse attacks are one of the most common threats to site security, in part because users commonly repeat their credentials over multiple sites and online platforms. Therefore, hacking just one of these gives access to more than just the site they were stolen from.
DoS/DDoS attacks
DoS (denial of service) attacks aim to interrupt the functionality and usability of a website. One of the most common forms is a “distributed denial of service” (DDoS) attack. This is when a bot sends huge amounts of fake traffic to a website from multiple sources in an attempt to overload the server.
DoS attacks cause server time out, and will render the attacked website inaccessible. This can be incredibly harmful for websites of all sizes, negatively impacting website performance.
How to check how secure my site is
There are a number of ways to keep ahead of potential online security threats when it comes to protecting your website. The best option is to choose a secure website builder, like Wix which comes with robust and secure security infrastructure, including 24/7 monitoring. But you can also:
Use CISA's cybersecurity advisories: Subscribe to their alerts and regularly check their website for updates to be aware of.
Web application firewalls (WAF): Tools like Cloudflare, Sucuri or AWS WAF can protect against common threats like SQL injection and cross-site scripting (XSS).
Vulnerability scanners: Regularly scan your website for vulnerabilities using tools like Nessus, OpenVAS or Acunetix.
Intrusion detection systems (IDS): IDS solutions such as Snort or OSSEC can be used to monitor and analyze incoming traffic for suspicious activities.
How to secure your website
Making sure your site is secure starts with choosing the right website builder. Opt for one that prioritizes website security, leaving you free to focus on managing your site. Here’s a run down of the 7 steps both you and your website builder should take to protect your site:
01. Core platform and 3rd party updates
Despite the known risks from cyber attacks, your site's security should be something you can take for granted. This might sound counterintuitive but hear us out.
Building your website from scratch on a platform that’s monitored 24/7 means complete peace of mind when it comes to the security of your site, and by extension—your business. A platform that scans for vulnerabilities, includes auto software security patches and makes updates in response to these is ahead of the game when it comes to securing your site.
Third party apps can be a major source of site security breaches, with the potential to harm millions of sites at once. To avoid this happening, we recommend choosing a website builder that contains as many built-in features as you need to run your business. Leaving you less dependent on third party apps, and more focused on your business.
02. SSL and https protocols
A secure website will include a SSL (Secure Sockets Layer) protocol (or SSL certificate), which can be spotted by the https at the front of a domain name within a site’s url. SSL protocol protects communication between the website and server by encrypting it. This prevents hackers from reading or interfering with the information passed from one to the other. A SSL protocol should be standard on any new site created, but is especially important on those that perform online transactions and sales. Recently, SSL protocols have been updated to handle more sophisticated attempts to breach its encryption.
When choosing a website builder like Wix, you’ll automatically create a site with extra layers of protection, using the most updated and secure protocol: TLS 1.2. You can create and manage any type of site you need—from a personal website, to an eCommerce site—rest assured that your data, and that of your customers, is protected in line with the highest industry standards. Choose a builder that prioritizes website security. To learn more about how Wix protects your site, visit our Security Hub.
03. Secure web hosting
There are many layers of protection necessary to secure a site, and reliable web hosting is an integral part of this. Secure web hosting is a must, and will prevent attacks on your website through your server. It’s also important that your cloud hosting is screened regularly to ensure it’s prepared for any threats, including DDoS, that comes its way. For a detailed look at cloud hosting vs. shared hosting, check out our guide.
Ideally, secure hosting should involve continual testing, a bug bounty program and 24/7 monitoring to guarantee it can withstand even the most advanced cyber threats. It should also be GDPR compliant and adhere to international standards regarding online web privacy and security.
Even better if it also uses Content Delivery Network (CDN) to distributes your website's content across multiple servers globally, improving loading speed and performance. When it comes to building a Wix website, you can rest assured your site's performance and reliability is bolstered by its network of global CDN's.
Learn more: How to host a website
04. Established and restricted admin privileges
Large sites especially need a team of people to manage them, and each will require varying degrees of access. Make sure to think carefully about just how much access a website manager needs to do their job, then award admin access to your site accordingly. Blindly granting full access to everyone who works on your site will leave it more vulnerable to attacks.
We also recommend writing a security policy that applies to all site admins. This should include: choosing a password, third party app downloads, and other important site management tasks to make sure your entire team has your site's security as their number one priority.
05. Site backup
While the best website security methods involve pre-empting attacks, in the event of a security breach, quick recovery will depend on your site being backed up. This means saving a version of your site separately, and making sure it can be restored should the original be attacked in any way.
Many website builders, Wix included, automatically backup all their sites. You don’t need to do anything, but rest assured that your site is saved. If you’re not sure that your site is automatically backed up, we recommend checking with your website builder or your site developer from the get-go, to make sure.
06. Change default CMS settings
Your site is easier to hack if your default CMS (content management system) settings haven’t been changed. Make sure to alter these when making your site. For example, you can start by changing your comments and user settings — one way to do this is by assigning different privilege roles to each of your site's admin.
Changes to these default settings make it more difficult for hackers to understand your system, leaving it less vulnerable to attacks. Increasing numbers of cyber attacks are automated, executed by bots who understand and can breach the default settings of many CMS. Changing these settings makes it more difficult for these bots to read, and attack your platform.
07. Follow password best practices
Changing your site password regularly can protect your website against credential attacks. Opt for strong, complex passwords—making sure to use a mix of numbers, letters and characters (pro tip: the longer, the safer.) Other important credential practices include: never share your password or save it on your browser. Always avoid using the same one across different sites. Make sure everyone who has access to your site knows how to keep their login credentials safe.
It’s also highly recommended to set up multi-factor authentication (MFA). This makes it more difficult for potential hackers to access your site. MFA will involve adding another level of login authentication, such as a push notification from a mobile device.
Why is website security important?
Website security is important for a number of reasons, including:
To protect your customers' personal and financial information
If your website is hacked, attackers could steal customer data such as names, addresses, credit card numbers and Social Security numbers. This information could then be used to commit identity theft or other crimes.
To protect your business reputation
A website hack can damage your business reputation and erode customer trust. If customers believe that their information is not safe on your website, they are less likely to do business with you.
To avoid financial losses
A website hack can lead to a number of financial losses, such as the cost of cleaning up the infection, paying for legal and regulatory compliance and compensating customers for damages.
To prevent malware attacks from spreading to your other systems
If your website is hacked, attackers could use it to spread malware to your other computer systems, including your servers and databases. This could cripple your business operations and lead to even more financial losses.
Website security is also important for specific types of websites, such as eCommerce websites and healthcare websites. eCommerce websites store sensitive customer data and financial information, so it's especially important to protect them from attack. Healthcare websites store sensitive patient data, which is also a valuable target for hackers.
Impact of website security breaches
Cyber attacks can have significant, lasting effects on the functionality and performance of your site. In the short term, they can limit traffic growth and conversions. In the long term, they can damage your brand identity and business reputation. Some of the most significant impacts of security breaches include:
Customer churn
Users need to know their data is safe in order to trust and use your website, and come back as repeating customers. It is important users trust your site, in order to click on a CTA or make a purchase. Malicious attacks which lead to the loss of customer’s credentials and sensitive information will undoubtedly affect how your site and business are perceived. This will unfortunately have consequences beyond just your website, affecting your brand reputation and customer service as well.
Search engine blacklisting
Search engine blacklisting can be a very harmful consequence of a site security breach. If Google crawls a website and finds malware or malicious code, it may decide to black list the affected site, making it more difficult to find in search. In turn this can also lead to dramatic traffic drops, and have a negative impact on a site's ability to generate and retain customers.
Likewise, websites that suffer from regular downtime and server errors often experience page indexing issues. If Google crawls a page and comes across a server down error (usually a 500 error), they can decide not to crawl the page again. This has a dramatic impact on a site's visibility in search and on its ability to attract new visitors.
You can learn more in our guide to website security and SEO.
Site suspension
Security attacks can suspend crucial site services, such as login, signups and shopping functions. Consequently, this can make it difficult for users to interact with your site. Since malware is costly to remove and time consuming to fix, it’s much better to pre-empt security attacks with a strong website security plan, than to deal with their aftermath.
Website security checklist
Does my site have HTTPS as standard?
Are all my plugins and add-ons up to date as they can be?
Do I have strong passwords across all users who access my website?
Did I implement two or multi factor authentication for users?
Have I assigned user roles within my site carefully? Not everyone needs admin access
Is my website backed up regularly, either by me or automatically?
Is my server secure?
Is my site scanned regularly for irregularities or attempted attacks?
Do I have processes in place to monitor my site regularly for any suspicious activity?
Website security FAQ
How can I know if my website is secure?
Firstly, if you build your site with a website builder like Wix, you can be rest assured that your site is secure from the second it goes live. This is because of our robust security infrastructure, including 24/7 monitoring. If you're not sure about how secure your site is, you should check with your website builder or the web developer who created it.