How to actively protect your website from cyberattacks

22 Oct 2018

Image: © kieferpix/

Glen Jackson of DreamHost shares some important website protection tips during European Cyber Security Month.

All too often, websites are vulnerable to cyberattacks because site owners aren’t sure how to protect themselves against today’s biggest security threats. Some basic precautions and common-sense web practices can help you both improve your security and avoid leaving your site exploitable by a malicious attacker.

Even many of the worst threats, it turns out, can be prevented if site owners would change their mindset. Don’t be afraid of these attacks – instead, be confident and prepared so you can overcome them when they happen. Malicious cyberattacks are becoming a fact of life.

For site owners who are prepared to overcome attacks as soon as they happen, though, being exploited is simply not a big deal. Being prepared can help you get your website back up and running quickly. By following these tips, you can minimise the damage or even prevent it completely.

Update frequently

The biggest challenge for site owners is keeping their web applications updated to the latest versions. Keep in mind that all of your themes, plugins and other pieces of software need to be updated. This is one of the biggest things you can do to keep your website secure in case you need to recover from an incident. Without updates, you miss out completely on any new security patches and features that were added after installation.

Updating your base WordPress installation is typically left up to your web host, but all website owners should learn how to update their themes and plugins to keep their websites maintained. There is no such thing as being too diligent when it comes to keeping web applications updated to their latest secure version.

Back up your site

The rise of cryptocurrency has invigorated websites attackers with newfound motivation. Malware attacks have always been about making money. Attackers have discovered that locking you out of your website or computer system in order to extort money is awfully profitable compared to traditional attack payloads such as spamming, ad injection and password extraction. Cryptocurrency, because of the difficulty to trace it back to an attacker, has made this method of extortion extremely popular.

The simplest preparation for a possible malware attack is being devout in backing up your site. This allows you to revert your website to the state it was in before the attack. Be sure afterwards to patch any vulnerabilities that made the attack possible. The same is true about ransomware and any other harmful software. If you’re prepared with a reliable backup, there’s very little that can actually hurt you. This is the best way to be prepared for any eventuality.

Use plugins wisely

Plugins bring amazing additional functionality to your web application. Unfortunately, many are developed by individuals or small teams that may have very limited time to put towards them. The unfortunate side effect is that secure coding practices and penetration testing against the code may not have occurred in full due to the time or talent constraints.

Furthermore, once security concerns are discovered, they may have already abandoned working on that particular project. This leaves users of these plugins vulnerable to attack by hackers.

Choose plugins that are regularly maintained by their developers. If a plugin stops being maintained over a period of years or there is an unpatched known vulnerability, it’s time to look for alternatives. Actively maintained plugins are generally more secure because someone is available to patch vulnerabilities as soon as they’ve been reported.

Don’t pay ransom

It’s never a net win. Sometimes, you’ll end up losing a lot more than just cash or cryptocurrency in the process.

There is simply no reason to play ball with malicious attackers by paying their ransom. A lot of victims will try to negotiate or will outright pay the ransom in an attempt to get access to their encrypted data or website, but this can backfire. Even paying in full may not get your site back to the way it was because commonly the attacker doesn’t even really have a working decryption key. They walk away with your money and your data.

Prevention is key here, so back up your data. If you’ve been attacked, your best option is to wipe your website, restore it and ensure all aspects are updated to the latest secure versions. Always be prepared to revert back to a previous point. This will keep your site secure from the dire consequences of a malicious cyberattack.

Choose the right web host

As you choose a web hosting provider, look for a service that provides frequent backups and is constantly monitoring logs for access from known malicious actors. Your provider will need to make you aware of cyberattacks or be ready to respond when one inevitably happens. Unfortunately, in this day and age, web application attacks happen incessantly. The right hosting provider will partner with you to filter out malicious traffic to keep it from permanently harming your site’s files and reputation.

Attackers can commonly expand their foothold beyond the specific website. Often, all sites that are hosted under the same user, and sometimes even server, can suffer the ill effects of a malicious attack on a single website. Sharing a server with other websites may spell trouble under the right circumstances. If this is a concern to you, it’s a good idea to consider having your website on a privately hosted server. Private hosting on a dedicated server or VPS can help protect you from attacks that spread across multiple accounts.

Don’t be afraid of cyberattacks

A lot of website owners panic at the thought of an attack. And, really, who wouldn’t? It’s human nature. But, in order to win against the malicious actors, we have to be prepared to fight back with rapid recovery and mitigation. You don’t have to become a victim or be afraid of hackers. Even if you’re targeted, having a sensible plan can get you back on track.

By Glen Jackson

Glen Jackson is head of security engineering and trust at DreamHost, a company offering web hosting and managed WordPress services.