What are the Top 14 Myths About Website Security we encounter most often?
Hit-the-Web Marketing is here to separate fact from fiction.
We’ve been doing our homework, and two things are true about website security awareness.
- It can be very effective at protecting businesses from one of the most common security threats they face: hackers gaining access to unauthorized resources and making changes to sensitive data.
- Companies are of the opinion that Website Security is as easy as a security plugin and a strong password. The FACT is it’s a process: Early Detection. Prevention. Protect. Performance. Monitor. Response.
It’s continuous Risk Management.
FACT 10,000 WordPress websites are under attack each day.
What’s the reason for the reluctance to implement a website security risk management plan?
Myth #1: I don’t need to secure the website. No credit card information is processed on my website.
When we talk about securing the website, we refer to having the website appear as https:// and not http:// in the address bar of the browser. This requires purchasing an SSL certificate. SSL certificates are $30 – $70 per year depending on your hosting company. The hosting companies that believe SSL is a must automatically include SSL in their hosting fees. WPEngine is a top hosting company, in our opinion.
What happens when a website does not have https://?
The exchange of information between the server and the person viewing a website via the browser can get intercepted by a hacker with malware, a virus, or a trojan. These can infect your visitor and ruin their computer. If your visitors are lucky enough, the hackers won’t have enough time to wreak too much havoc. However, the odds your visitor will come back to your website are slim to none.
Myth #2: We’re good. We have a firewall security plugin.
Website security is more than having a firewall plugin. Hackers still try to guess the usernames you are using to gain administrative access to your WordPress site. Each business must manage the updates to WordPress, themes, plugins, and PHP, and ensure they are the latest version.
Are you managing the user administration? When a subcontractor leaves, are you removing their access? Hackers are known to create administrative usernames if you are not paying attention, and even try to hide them.
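One way to run the check this section asks for, as an added example that is not part of the original article: compare the site's administrator accounts against the list of people who should have that access, and flag recent additions. The input is a constructed sample shaped like the JSON from WP-CLI's `wp user list --role=administrator --format=json`; `APPROVED_ADMINS` and `audit_admins` are hypothetical names.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of
# `wp user list --role=administrator --format=json` (not real site data).
SAMPLE_EXPORT = """[
  {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
   "user_registered": "2019-03-02 10:15:00", "roles": "administrator"},
  {"ID": 7, "user_login": "subcontractor_dev", "user_email": "dev@example.org",
   "user_registered": "2020-08-19 14:40:10", "roles": "administrator"},
  {"ID": 42, "user_login": "wp_support1", "user_email": "x@example.net",
   "user_registered": "2022-01-30 03:12:44", "roles": "administrator"}
]"""

# Assumption: the owner keeps this list of people who should hold admin rights.
APPROVED_ADMINS = {"owner"}


def audit_admins(export_json, approved, now, recent_days=30):
    """Return (login, reasons) for every admin account that needs review."""
    cutoff = now - timedelta(days=recent_days)
    approved_lower = {name.lower() for name in approved}
    findings = []
    for user in json.loads(export_json):
        login = user["user_login"]
        reasons = []
        # An admin nobody approved: a departed subcontractor or an intruder.
        if login.lower() not in approved_lower:
            reasons.append("not on approved admin list")
        registered = datetime.strptime(user["user_registered"],
                                       "%Y-%m-%d %H:%M:%S")
        # A freshly created admin deserves a look even if the name is familiar.
        if registered >= cutoff:
            reasons.append(f"created in the last {recent_days} days")
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in audit_admins(SAMPLE_EXPORT, APPROVED_ADMINS,
                                       now=datetime(2022, 2, 5)):
        print(f"REVIEW {login}: {'; '.join(reasons)}")
```

Running the audit on a schedule and after every staffing change turns the question "are you removing their access?" into a repeatable check.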
New vulnerabilities threaten all of our businesses every day: Small business owners need to understand that vulnerability discovery and disclosure are dynamic. Website software that isn’t kept up to date poses new vulnerabilities and threats. In fact, vulnerabilities in existing code are more likely to appear on websites where the software is not up-to-date.
At any given time between 70% and 80% of WordPress users are running an outdated version that can contain critical, and well-documented, vulnerabilities.
FACT Website security is not a one-and-done process. All websites are under attack 24/7.
Myth #3: My business is too small for a cyberattack.
This is one of the most common myths about websites and cyberattacks.
There is no such thing as “too small to hack.” If a business has a website, hackers can and will exploit it. Most small to medium-sized businesses think they are safe from attack because they are off the radar. This couldn’t be further from the truth. Hackers don’t care about the size of your organization. Most hackers will settle for any size business. It’s that moment when the SMBs think they are safe and don’t invest in a website security system that they get hit.
FACT 58% of data breaches are against small businesses.
Myth #4: My hosting company takes care of our website security.
If you are on a hosting plan that shares hosting space with millions of other websites, your website is vulnerable.
You may select your hosting company because of the inexpensive fees they charge. The reason they are inexpensive is that you are sharing space with hundreds and thousands of other businesses. If one website is hit, the others run a high risk of cyberattack as well.
It’s also inexpensive because they are DIY hosting. You buy their product. You set it up yourself. And the documentation? Forget about it. You’ll likely be on the phone with support for hours to get the product set up properly.
FACT One very popular hosting company’s idea of security is to run an analysis of your website and email you if they find any issues. Then you are responsible for submitting a ticket to request that they remove the malware found. You have to set up an FTP user for them to access your website to clean up the malware. That makes no sense when they have access to their own servers and all of our information on the servers.
It’s easier to hire us to take care of removing the malware. There are no unforeseen charges. It’s a part of our service plan. No Surprises. You don’t have to ask us to do it. In fact, we are acting on it before you even know there is a problem with your website.
Myth #5: My IT department will take care of it
Information Technology guys usually implement and manage the internet, LAN networks, and hardware and software of a company. They may create websites. But website security? Not necessarily.
Myth #6: Why would anyone attack us? We’re not a bank and we don’t store credit card data.
While most hackers would like to go after banks, the truth is hackers are happy to go after any business they find vulnerable. Every industry is prone to website attacks. Any application with an internet connection is vulnerable.
Dick Cheney’s heart pacemaker was disconnected from WiFi so no one could hack in and kill him.
The content you create for your website is an asset. It takes time, energy, and money to write good content and optimize it for search engines. Once search engines index your pages, this content is getting you in front of your best customer. No matter if it includes customer information or not. How much time and money would it cost to recreate?
Redirects to other websites will deter visitors from working with you, and you lose customers. We have restored plenty of websites that were redirected to Viagra, porn or just other websites.
Retail, fast-food chains, anyone with an internet-based business is under attack.
Myth #7: We have an SSL Certificate. We are good.
An SSL certificate is good because it encrypts the information that passes between the hosting company computer and the website visitor’s browser. However, SSL does not protect your website from hackers and malware. That’s an additional part of the security plan.
How does SSL protect a website?
SSL is a secure certificate that offers two layers of protection. The first layer is encryption. Encryption protects all the data that is sent between a browser (client) and a website (server) so that even if data is stolen or intercepted a hacker won’t be able to decrypt it. The second layer is data integrity. Data integrity guarantees a hacker cannot modify your data.
Myth #8: I’ve been under the radar for many years. Why would they bother with my site?
Awesome! You’ve been very lucky.
FACT It’s only a matter of time before a website is hacked.
Myth #9: Our business is too small for a cyberattack.
FACT One in five small businesses falls victim to a cyberattack. Of those, 60 percent go out of business in six months. And the data show that most small business owners don’t have a plan for responding if they’re hit.
Myth #10: We have Anti-virus or Anti-malware. That is good enough.
Protecting your site from malware is a must. The fact is that nearly 17% of all infected websites wind up on a search engine blacklist. It goes without saying that if your site is on a blacklist, it has a negative impact on your business: your reputation, your finances, and so much more.
FACT ZDNet research shows pirated themes and plugins (free) were the most common source of malware infections on WordPress sites in 2020, according to Wordfence, a provider of website application firewall (WAF) solutions for WordPress sites.
The security firm says its malware scanner detected more than 70 million malicious files on more than 1.2 million WordPress sites in 2020.
FACT #2 Software cannot protect against all cyber attacks.
Myth #11: Our passwords are strong.
It’s important that you understand, and teach your students, employees, and subcontractors, the value of good password management. Create strong passwords and do not write them down on paper. Teach them how to spot suspicious emails and that it’s essential not to click on links that don’t look right.
One very clever way hackers trick people into revealing their passwords is by social engineering techniques. They have you fill out polls that reveal your personal information on social media. What’s your pet’s name? What’s your daughter’s, son’s, husband’s, or best friend’s birthday? What zodiac sign are you? What’s your mother’s maiden name? What’s your home town? Don’t respond to them.
Don’t store your passwords in nonsecure places where they can be stolen – this includes handwritten passwords hidden close to the devices. Close files on your computer when you leave your computer connected to the internet, especially in public places.
Strong password requirements
Create passwords that are 16 characters or more; our password-related research has found that 45 percent of Americans use passwords of eight characters or less. These are not as secure as longer passwords. In your password include a combination of letters, numbers, and characters.
FACT What’s your guess on how many data breaches occurred in 2019 due to compromised passwords? 80 percent! It’s resulting in financial losses for both businesses and consumers.
We use a strong random password generator that makes creating a strong password easier.
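An added example, not the generator the authors use: a random password generator that enforces the requirements above (16 or more characters, with letters, numbers and symbols) using Python's `secrets` module. The symbol set and the function names are assumptions.

```python
import secrets
import string

MIN_LENGTH = 16  # the article's minimum length
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # assumption: symbols the site accepts
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def meets_policy(password):
    """True if the password has 16+ chars with a letter, a digit and a symbol."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in string.ascii_letters for c in password)
        and any(c in string.digits for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length=MIN_LENGTH):
    """Draw characters from the OS CSPRNG until the policy is satisfied."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        # secrets.choice uses the operating system's secure random source;
        # the random module is predictable and must not be used for passwords.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retrying whole candidates keeps every compliant password equally
        # likely, unlike forcing one character of each class into fixed slots.
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password(20))
```

Store the result in a password manager rather than on paper, which is consistent with the advice above.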
Myth #12: A Strong Password is enough to keep our business safe.
The reality is two-factor authentication and data monitoring are also necessary.
FACT According to the Verizon 2021 Data Breach Investigations Report, credentials are the primary means by which a bad actor hacks into an organization, with 61 percent of breaches attributed to leveraging credentials. Passwords, especially passwords with privileged access to organizational systems and networks, are targets for hackers since they’re able to get so much information from just a single source.
Myth #13: Bringing your own device is safe.
It is true that bringing your own device to a coffee shop or educational institute is safe if you connect to your own private WiFi. All or most smartphones have hotspot capability. If you pick up one of the free WiFi networks, you could easily be manipulated by a hacker. This is how they track your keystrokes while you log in to your financial institutions.
Myth #14: We update the website software maybe once per month or as we see fit
WordPress websites, like all websites, are built with software. Software is prone to hacking. As soon as a hacker finds a way to penetrate, the developers must update the software to close the security gap. This is an ongoing problem that is never going away.
Our experience is that we were .1 version outdated for PHP. This is one reason our website was left vulnerable to attack in 2018. We update our software (WordPress, Themes, Plugins, PHP) as soon as a new release comes out. Now that we have a risk management plan in place, we deflect any attack attempts. Not one of our customers on our Website Security and Risk Management Plan has been compromised.
The idea that employees and business owners continue to believe these cybersecurity myths makes cyber hackers happy because it makes their job easy. It’s time to step up your cyber defenses. Otherwise, you are always at the risk of being attacked in the digital realm.
Website Security is not a one-and-done process. All websites are under attack 24/7. It’s not just SSL or a virus & malware checker. It’s not just a plugin that keeps hackers from logging into your website. It’s not just one scan for malware, viruses, or trojans. You can scan your site today, and tomorrow extraneous files exist within the files on the hosting server.
There are many moving parts to website security. It is a series of risk management processes involving securing the files and folders at the hosting level, especially certain files that run WordPress. And there are steps to maintain at the Website level. Download our Website Security checklist.
The internet is a fantastic place for online learning. It’s also a dangerous place. It’s important that educators understand the biggest cybersecurity threats they and their students face, and that you put measures in place that help mitigate them.
Then, make sure to keep checking up on the latest advancements in website security so that you stay one step ahead of the cybercriminals.
Website Security is more than a security plugin and a strong password.
It’s a Process. Early Detection. Prevention. Protect. Performance. Monitor. Response.
It’s continuous Risk Management.