Having your website hacked will cause you to lose time, money and reputation.
It would be terrible for your new business.
It’s really difficult for startup businesses to ensure they have a secure website from the start.
However, it is possible to decrease the likelihood of being exposed to hackers.
1. Protect your accounts easily with miniOrange 2FA
Why is 2FA important for start-ups?
Most of you will have experienced 2 factor authentication when logging into applications.
But, did you know you can install a 2FA on your WordPress website to protect your website data, even if a hacker manages to get your account login credentials?
As you can see, the adoption of 2FA is increasing year by year.
This doesn’t happen for no reason.
Security researchers, companies and governments are advising or enforcing people to take up 2FA on their accounts because it is one of the quickest security measures to implement and it is highly effective.
How to install 2FA on WordPress
It takes minutes to set up 2FA, and you should start by installing the WordPress plugin.
Once installed you can run through the setup wizard.
One amazing feature of miniOrange’s 2FA is that you have flexibility with how you authenticate your login request.
You can use any TOTP-based/OTP login 2FA authenticator, such as Google, Duo or Microsoft.
This helps to integrate your website 2FA into your other 2FA apps.
Nobody likes to have separate apps for each 2FA instance, so this is a great feature.
The obvious negative is having to verify every time you want to log in to your website.
But, this is a worthy sacrifice compared to the endless amount of stress and damage caused if you didn’t have a 2FA enabled and a hacker managed to get into your account.
You don’t want your new start-up business to be plagued with your account credentials being stolen.
2. Stop leaving your passwords insecure, set up a password manager
Why do you need a password manager?
Are you prone to using a text document or a sticky note to store your passwords?
Would you trust a sticky note to store a password to a bank account with £32k?
No? That’s the average cost of a cyber-attack to a start-up business.
That’s if your business even survives the cyber-attack; you could lose much more.
If that doesn’t sound too inviting, we have the perfect solution to your pad of insecure sticky note passwords.
You need a central place to store your business passwords that is secure from malicious threats.
The good news is there are lots of password managers to choose from to meet your needs.
Password managers can make your life so much easier: they allow you to store long, secure passwords far more easily than keeping them in a text file.
This is because most password managers can auto fill your password when it detects you are on your website’s login page.
Which password manager should you choose?
You could Google “Password manager for start-up business” and find one very quickly.
But, it is a pain to transfer your passwords over to a new manager, so we’d advise doing some research beforehand.
There are enough free options to choose from, but if you are looking for an application full of features it might be best to pay a little.
Bear in mind that your password security should be the same no matter what plan you’re on.
Our recommendation is Bitwarden because they have the best value on the free option, which is obviously a great selling point for start-ups with a low budget.
3. Prevent the top 10 cyber-attacks with Cloudflare
What is Cloudflare?
79.7% of websites that rely on content delivery networks use Cloudflare, so you’re basically guaranteed to have used a website that utilises Cloudflare and chances are the website speed was faster and more secure because of Cloudflare.
Cloudflare is most commonly known for the security it provides to websites, that’s why it is on this list.
Why Cloudflare is the best in the industry
It has unrivaled DDoS support that can protect your website from the largest DDoS attacks.
This will help to prevent competitors, disgruntled employees or customers from taking your website down.
In their pro plan they also offer a web application firewall, which prevents malicious requests on your website.
This makes a large majority of cyber-attacks redundant because the firewall will pick up on the malicious request and block it before it gets remotely close to your web server.
The discussion around the benefits and drawbacks of Cloudflare for a start-up business mainly comes down to whether you are willing to pay for a monthly subscription.
If you need a paid solution, there may be other alternatives that are better for your business, but if you just need a free solution to protect your website from harmful attacks, Cloudflare is the one for you.
For a start-up business we recommend that you opt for the free plan of Cloudflare to get some protection on your website without breaking the bank.
4. Ensure your data stays safe today by scheduling daily backups
How backups will benefit your business
Backups are essential.
As our friends over at Stellarinfo have stated, backups prevent “inevitable data loss situations” that would massively disrupt a start-up business.
They don’t help to protect your website from malicious people directly.
But, they serve to restore your website to how it was before the malicious attack occurred.
They work like a very useful undo button.
A good backup provider will ensure that your data is backed up every day.
This means that in the worst case scenario you will only lose a day’s work if an attack occurs.
Some providers may charge for more frequent backups because backups use computing power to copy the new data from your web server to a safe backup space.
In 2022 a large majority of website hosts provide daily backups of your web server included in your web hosting package.
For example, the image below is of the cPanel dashboard which provides backup functionality and is a very common web server management tool that’s installed with a lot of web hosts.
How you can implement this to your website
You can also consider a WordPress plugin for your backup solution.
This will prevent any issues with your hosting provider, or not being able to access your wp-admin page, from affecting your ability to restore your website data.
We recommend that you back up your website at least daily.
It is arguably the most important action we have covered so far to ensure your website doesn’t have any downtime in the case of a cyberattack.
As a start-up, if your budget doesn’t cover daily backups, you may want to consider reallocating some of your costs because we would highly recommend it.
Server performance should be a lower priority than backups.
It really is a bare minimum for security.
5. Take 2 minutes and install the Sucuri WordPress plugin to protect your site
What is the need for a security plugin?
Although Cloudflare can be useful to protect your website using its firewall and other security features, it is also beneficial to implement security monitoring directly on your website.
These security applications sit on your web server and actively scan for malware and any threats.
Once identified they can quarantine the threat to prevent it from causing any damage to your website.
They include the latest security definitions, so your website is never caught out by new vulnerabilities exploited by hackers.
WordPress makes implementing the security applications easy because of the simple WordPress plugin install process.
There’s one version that fits all; the only potentially tricky part is going through the setup once the plugin is installed onto your website.
What is Sucuri Security?
One of the leading security software solutions for start-up websites is Sucuri Security.
It includes the following features:
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blocklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
These will help to ensure that threats are mitigated on your web server before they affect your customer’s experience.
6. Don’t fall victim to an attack by using the username “admin”
How your username can be used in cyber-attacks
The username is just as important when managing your account security.
It is your first layer of defense against brute force attacks.
Your account username is used to test password combinations to find a successful match.
So, if the attacker doesn’t have your username they can’t begin to crack your account.
A good way to protect your username is to treat it like a password.
Where possible, try to hide it from your website users and the public.
As you can see from the table below these are the usernames you most certainly don’t want to be using.
These are ranked as the most used usernames.
Hackers will have an extensive list of the top usernames to try to guess what your account username is.
How you can prevent this cyber-attack
Keeping your username as something generic, such as “admin”, will put your account at great risk.
It’s a simple change and can make a vast difference.
This change should not only be implemented to your website login, but your website hosting account too.
If any account associated with your business has a weak password it can be an easy route to a cyber-attack.
7. Upgrade your personal computer’s security to prevent attacks on your site
Hackers will use your PC to exploit your website
Your personal computer can be a weak point for your website security, and it isn’t spoken about often enough in the cyber security space.
Key loggers can be installed onto your computer without you knowing and will send your username and passwords to the attacker.
There are ways to prevent such malware being installed on your computer which we will discuss.
Any device that you log into your website on should be secured.
Your website login credentials are valuable and you shouldn’t risk them getting into the wrong hands.
Tips to keep your PC safe
To start off with, your computer should have antivirus software.
This will help to prevent malware from getting onto your computer and putting your website at risk.
Remember to keep your antivirus software up to date because hackers are constantly finding new ways to exploit security and you wouldn’t want a new vulnerability impacting your website.
As a start-up you can’t afford to splash the cash on an enterprise-level antivirus for multiple devices.
There are some good free alternatives that get the job done and will provide a reasonable amount of protection for your needs.
Avast is a good antivirus that offers strong protection without a paid license being needed.
8. Public WiFi is stealing your website credentials
How do hackers gain your details through WiFi?
Public WiFi is not secure and could impact your website security.
Despite places like coffee shops and communal places offering free WiFi it is not a great place to keep your data secure.
Without getting overly technical, malicious people can set up fake WiFi networks to mimic the legitimate ones offered by the coffee shop.
The aim of this attack is for you to connect to their WiFi network instead of the legitimate one by accident.
This allows them to easily track all your data going to the internet.
This includes your website credentials.
Even if you connect to the legitimate network there are attacks that can be used to gain some data that could be used in a cyber-attack.
The main aim of the coffee shop in this example is to make amazing coffee, so they won’t put enough time into making a super secure network for their customers.
Prevent your data from being exposed
This is super important for start-ups because when starting up you may not have a dedicated office space, so working in communal areas is more cost effective.
It is not worth the risk of compromising your data.
Downloading a VPN is a cost-effective mitigation strategy that will help to hide your data from malicious people, even when on public WiFi.
You can learn more about the technical aspects of these attacks here.
9. Upgrade your PHP version to secure vulnerabilities today
What is PHP?
PHP is basically some of the code that helps your website to function correctly.
As with any software it needs to be updated regularly, or hackers will consistently be able to get around outdated security measures.
Most of the time it is your responsibility to update your PHP version.
You may be prompted when you login to your web hosting panel.
It can quite easily be ignored and become a vulnerability to your website.
As a start-up, it may be one step too far beyond your current technical experience.
No worries, we will provide you with a guide to check your PHP version.
How to check your PHP version
Log in to your WordPress dashboard at yoursite.co.uk/wp-admin.
Then, click on Tools and Site Health.
Once on the Site Health page, click on the Info tab.
Finally, scroll down to the server drop down and you’ll be able to see your PHP version.
Anything lower than 7.4 is not recommended for WordPress and should be updated immediately.
This will patch an extensive amount of security vulnerabilities in one go because PHP is the backbone to your website.
If your website is relatively new, you shouldn’t have to worry about this as it often occurs because of the website being old and not updated frequently.
TOP TIP: Remember to update your plugins as well. These will quickly become insecure and should be updated on a weekly basis to maintain the best security practices.
10. Utilise temporary website access to stop insider attacks.
Why this is such a risk
If you are at the stage of granting access to anybody on your website dashboard or hosting panel you need to be careful with the level of access they have.
Granting excessive access, or granting necessary access for longer than the person needs, can give them the ability to perform an insider attack against your start-up.
Reviewing user access on your website can become a task that is forgotten, so it is important to remove their privileges once they are finished with their work on your website whilst it’s still fresh in your mind.
This is especially important if you have worked with multiple companies to design your website because often they will create user accounts on WordPress, but won’t revoke their access when you go to a new designer.
Access to your website is very powerful and you don’t want someone who you no longer trust to have an account.
There are multiple roles that can be applied to a WordPress account to grant different levels of access, which can be seen below:
For any content creators that are on your website, make sure that you only give them author permissions.
A common misconception is that all users who need to edit content require the administrator role.
This grants them a lot more power than they need on your website.
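One way to review accounts against steps 6 and 10 together, as an added example that is not part of the original article: it reads a user export and flags generic usernames, administrator roles on non-owner accounts, and admin access that has been left in place for a long time. The function name, the short username list, the 90-day threshold and the sample rows are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumption: a short illustrative list, not the ranking table the article refers to
GENERIC_USERNAMES = {"admin", "administrator", "root", "test", "user", "webmaster"}

# Constructed sample, shaped like the CSV produced by WP-CLI:
#   wp user list --fields=user_login,roles,user_registered --format=csv
SAMPLE_EXPORT = """user_login,roles,user_registered
admin,administrator,2021-03-02 09:14:00
k.osei-owner,administrator,2021-03-02 09:20:11
oldagency-dev,administrator,2021-04-18 16:02:45
blog-writer-1,administrator,2022-06-01 11:30:00
blog-writer-2,author,2022-06-01 11:31:27
"""


def audit_users(export_csv, owners, today, max_admin_age_days=90):
    """Return {username: [findings]} for every account that needs a review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"].strip()
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        created = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        issues = []
        if login.lower() in GENERIC_USERNAMES:
            issues.append("generic username")
        if "administrator" in roles and login not in owners:
            issues.append("administrator role on a non-owner account")
            # Account age stands in for "access kept longer than needed"
            if today - created > timedelta(days=max_admin_age_days):
                issues.append("long-lived admin access, confirm it is still needed")
        if issues:
            findings[login] = issues
    return findings


if __name__ == "__main__":
    report = audit_users(SAMPLE_EXPORT, {"k.osei-owner"}, datetime(2022, 7, 1))
    for login, issues in report.items():
        print(f"{login}: {'; '.join(issues)}")
```

Running it after each contractor or designer finishes makes the access review a routine check rather than something to remember.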
BONUS TIP: Audit trails save businesses. Set them up on your WordPress site.
How your start-up can be impacted without an audit trail
Audit logs can be helpful as a start-up because you are only just starting to build business connections and trust.
This leaves the door open for sabotage.
It’s something that no business owner expects, but it happens frequently.
What an Audit trail can provide
An Audit trail provides you with all the actions a user has performed on your website when logged into the admin dashboard.
This alerts you to users performing actions behind your back that can negatively affect your website security.
It is common for software that requires a high level of cyber security to implement an audit trail.
It can prevent a cyber-attack if you catch the first instance of malicious actions quickly enough.
If your attacker performs all their malicious actions in one go, an audit trail won’t prevent it.
However, it could be used for legal proceedings and work massively in your favour during the recovery from your cyber-attack.
You will have the knowledge of what caused the cyber-attack, so you can prevent it in the future.
Our recommendation for an audit trail.
Our recommendation for an audit log is WP Activity Log by WP White Security. It allows easy troubleshooting of your website, comprehensive activity logs and improved site security.
That’s a complete list of all the steps you need to complete as a startup to help secure your website.
Now it’s time to implement these changes.
Which of these strategies are you going to try first?
We advise you to get started with the basics – try installing the Sucuri WordPress plugin.
Reach out on social media and tell us your favourite step from this list.