A website serves as a central hub for communication and commerce, making it vital for any business. Protecting your website from cybercriminals is essential to secure your business information.
Cybercriminals may target your website for a variety of reasons. Some common motivations include financial gain, political motives, hacktivists or thrill seeking. The following advice will help you to secure your website from these threats.
Understand the threats
It is important to understand the major threats you may face as a website owner or manager. Understanding these threats can help you be more prepared for a cyberattack.
Malware
Cybercriminals use malware (short for 'malicious software') to gain access to your data. You might open a link or attachment that downloads malware without you knowing. Some malware may even pose as antivirus or security products.
Learn more about malware.
Website defacement
Defacement is when a cybercriminal changes your website without you knowing. They can change its appearance and content, which may compromise your data and increase the risk of further attacks. They can even infect your website with malware, putting your visitors at risk.
Cybercriminals will use various tactics to access and deface your website. They may be able to gain unauthorised access to the back end, exploit a vulnerability or use malware.
Data breach
A data breach happens when a cybercriminal is able to access and export your data for personal gain. This may include sensitive data such as personal and financial details.
Learn more about data breaches.
Denial-of-service (DoS) attacks
A DoS attack is when a cybercriminal directs large volumes of traffic to your website. It overloads available resources and prevents users from accessing your website. This can lead to significant disruptions to your business.
Learn more about DoS attacks.
Strengthen your website security
Without strong security, your website is likely to become a target for cybercriminals. Make your website secure to help prevent malicious attacks.
Multi-factor authentication (MFA) is one of the best ways to protect your accounts from cybercriminals.
MFA adds an extra layer of security. It is when you need 2 or more steps to verify your identity before you can log in. For example, using your login details as well as an authentication code.
Turn on MFA for all accounts with administration privileges for your website. For example, people with access to your content management system (CMS).
Learn more about multi-factor authentication.
If MFA is not an option, use a strong passphrase to secure your CMS account where possible. A passphrase is a more secure version of a password. They have 4 or more random words like ‘crystal onion clay pretzel’. Passphrases are easy to remember but hard for a cybercriminal to guess.
Don’t include personal details in your passphrases or share them with anyone.
Secure your website account(s) with a passphrase. This will make it harder for cybercriminals to gain access without you knowing.
Learn more about passphrases.
Renew your domain before it expires. This can stop someone such as a cybercriminal from taking control of your website. Turn on auto renewal or make sure you are notified when your domain is about to expire. It’s best to include more than one staff member listed for renewal notifications. That way if someone leaves or changes roles, there is more than one person who can start the renewal process.
Hypertext Transfer Protocol Secure (HTTPS) is an encrypted and more secure version of HTTP. It provides security for sensitive information such as passwords and credit card details. It also helps to keep your data private, making it hard for cybercriminals to read if they intercept it.
To check if your website is secure, look for ‘https’ at the start of the URL:
- https://example.com (secure)
- http://example.com (not secure)
If your website is not currently using HTTPS, ask your website host or developer to set it up.
Refer to our advice on implementing certificates, TLS, HTTPS and opportunistic TLS.
Limit website admin access to those who need it, and only give users the privileges they need for their role. For example, developers can update the site configuration with admin access, while marketing staff can only publish web pages.
Review user access often and remove it when no longer needed. If staff change roles or leave, it can put your data and website at risk.
Learn more about restricting administrative privileges.
Choose a secure hosting service
Understanding the security features provided by your web hosting service is crucial. These features may be what stands between your website and any malicious attacks.
Read reviews and choose larger, reputable companies. Browse their website to understand what features and security options they offer.
Here are some important things to consider when looking for a service provider.
Check if the provider performs data backups, and how often. Storing backups offsite is a more secure method. Make sure you know where and how they store backups.
Check if the provider offers malware detection tools, such as scanning and antivirus software. They should also use preventative technology such as firewalls and encryption.
Check if the provider offers integrated security features like MFA and DoS protection. Also look for security against DNS spoofing. This is an attack that redirects users to a fake website that resembles the legitimate one.
Features such as a login activity panel and password-protected pages are also desirable.
Confirm where they are located and the security and privacy standards they adhere to. Note that providers outside Australia may be subject to different legal obligations.
Practice secure habits
You can reduce the risk of cybersecurity incidents by developing secure habits. This will make it more difficult for cybercriminals to target and attack your website.
A backup is a digital copy of your website. If you lose your website data, you can use a backup to restore it.
You can create backups using the cloud or an external hard drive. Without a backup, you may not be able to recover your data if you fall victim to a cyberattack.
Regularly back up data that is essential for maintaining your website, including all media and content. If available, turn on automatic backups to reduce the risk.
Learn more about backups.
Keeping your software and devices up to date is essential for a secure website. Cybercriminals exploit weaknesses in software to gain access to your network. Updates contain fixes for these weaknesses.
Learn more about updating your devices and software.
One of the best ways to identify any unauthorised or malicious activity on your website is to review it often. Be on the lookout for any unauthorised changes or access. The sooner you notice it, the quicker you can intervene and restore your website.
It is important to be aware of any website security vulnerabilities. This will help you identify and fix issues before a cybercriminal can exploit them. Check our latest alerts and advisories.
You can also use online tools to scan for vulnerabilities, or seek help from an IT professional.
Report and recover
If your website is compromised, we provide advice on what to do. You should also report all cybercrimes, incidents and vulnerabilities to help other businesses. Visit report and recover.
More information
Small business cybersecurity guide
This guide includes basic security measures to help protect your business against common cyberthreats.
Securing customer personal data
This guide is focused specifically on the protection of customers’ personal data. Guidance on general cybersecurity for businesses can be found in the Small business cybersecurity guide and the Strategies to mitigate cybersecurity incidents published by ASD’s ACSC.
Domain Name System security for domain owners
This publication provides information on DNS security for domain owners. It also shared helpful strategies to reduce the risk of domain misuse.