Tag Archives: credit-cards

How Hackers Can Use Your Expired Domains to Steal Data

The post How Hackers Can Use Your Expired Domains to Steal Data appeared first on HostGator Blog.

When businesses and blogs rename or merge, old domains sometimes get left behind. Security researchers say expired domains can put data at risk. Scammers may set up fake shops on expired domains and use them to steal credit card data from unwary bargain hunters. Or they may target email accounts linked to the domain to scam clients, steal company secrets and break into employees’ shopping and travel accounts.

Prevention is as easy as renewing and protecting all your domains—but that’s not always simple, especially if you own a lot of domains. Here’s what you need to know about your risks when a domain expires and how to keep yours current.

What Happens When Domains Expire?

The first thing you need to know is that when domains expire, they’re available to anyone who wants to pay to register them. They’re also easy to find online, through sites that offer expired domain name searches and lists of recently expired domains to bid on. Some buyers buy expired domains for legitimate projects. Others are not so ethical.

Your expired domain could end up as a fake online store

Criminal gangs snap up expired domains to turn them into phishing sites. That damages the brands that lose their domains, the brands impersonated by the scammers, and shoppers who fall for the scam.

Security blogger Brian Krebs profiled a photographer whose old portfolio domain was turned into a fake athletic shoe store after her registration lapsed. Thieves used it to steal credit card data for resale on the dark web. For the photographer, the damage went beyond the loss of her website. She had no way to access social media accounts that were linked to her domain email address, because the scammers changed her passwords. Now the domain that used to host her portfolio redirects to the official adidas website, after adidas and Reebok sued the scammers who exploited her expired domain along with hundreds of others.

Your expired domain could let data thieves into your business

Last year, security researchers with Australian cybersecurity firm Iron Bastion proved that registering abandoned business and law firm domains could give criminals access to insider data. By setting up a catch-all email forwarding service for domains they re-register, criminals can access confidential client data and emails. They can run scams using this information or sell it on the dark web. They can also take over former employees’ social media, banking, and professional accounts by changing the passwords linked to the old domain’s email addresses.

What should you do with domains you don’t use anymore?

Security experts say the best way to safeguard your old domains is to keep renewing them, even if you’re not currently using them. Then you should close the email accounts associated with those domains and unlink those email accounts from alerts sent by banks, airlines, and other services that handle sensitive (and valuable) information.

If you must let your old domains go, you’ll need to be thorough about updating any online accounts you and your employees set up using old domain email addresses. Then you’ll need to close those email accounts.

In either case, it’s wise to let your customers and vendors know about your change of email address. Give them some advance notice, ask them to whitelist your new email address, and then ask them to delete the old address when you’ve closed that account.

For any email account on any domain, it’s always a good idea to set up two-factor authentication (2FA). By requiring a code from an SMS message or an authenticator app, you reduce the risk of someone maliciously changing your password on your email account and other accounts you set up with your email address.

And speaking of passwords, don’t make it easy for hackers to guess or brute-force yours. Every email address on your domains should have a strong password that’s not used for any other accounts.

How can you keep all your domains current and safe?

Follow these recommendations from domain security experts to keep your domains in your possession.

Give your domain registrations fewer chances to lapse. Start by registering or renewing for the longest amount of time you can, like three years instead of one. Then set your registrations to auto-renew.

Keep your registration information up to date. Update your domain registration accounts when your email address, phone number, or other contact information changes. Changed credit cards or online payment services? Make sure you change your domain payment information, or your auto-renewals will fail.

Keep your registration information private. Domain privacy protection costs a few dollars a year, and it’s worth it. If you add domain privacy when you register your domain, your registrar’s contact information is listed in the WHOIS public database. Without domain privacy, your name, email address, and other personal data are on display. That can put you at risk for spam, scams, and harassment.

Lock your domains. Domains must be unlocked when you’re transferring them to a new host. Otherwise, lock them to keep scammers from transferring them to a different web host without your consent.

In HostGator’s Customer Portal, you can lock your domains for free. Navigate to Domains in the left sidebar. Under Manage Domains, you have the option to lock all your domains at once. You can also click the More button for any of your domains to lock one at a time. Under Domain Overview, click the Change link next to Locking. That takes you to Domain Locking. Then you just move the switch to Locking ON and click Save Domain Locking.

Now your domain is protected against theft by unauthorized transfer. And with auto-renew in place and good cybersecurity practices, your domains are safe from expiration and exploitation.

Ready for a new domain? HostGator now offers new customers a year of free domain registration with selected hosting packages and top-level domains. Sign up for 12 or more months of hosting, register a .com, .net, or .org top-level domain, and get the first year’s domain registration for free. See complete offer details here.


How to Secure a Website from Hackers [10 Step Guide]

The post How to Secure a Website from Hackers [10 Step Guide] appeared first on HostGator Blog.

As a website owner, is there anything more terrifying than the thought of seeing all of your work altered or entirely wiped out by a nefarious hacker?

We see data breaches and hacks in the news all the time. And you may think, why would someone come after my small business website? But hacks don’t just happen to the big guys. One report found that small businesses were the victims of 43% of all data breaches.

You’ve worked hard on your website (and your brand) – so it’s important to take the time to protect it with these basic hacker protection tips.

5 Easy Steps to Secure Your Website from Hackers

You may have worried when starting this post that it would be full of technical jargon that your average website owner would find baffling. Some of our tips further down do get technical, and you may want to bring in your developer for those. But there are a few things you can do on your own first that don’t involve that much technical know-how.

Step #1: Install security plugins.

If you built your website with a content management system (CMS), you can enhance your website security with plugins that actively prevent website hacking attempts. Each of the main CMS options has security plugins available, many of them for free.

Security plugins for WordPress: iThemes Security, Bulletproof Security, Sucuri, Wordfence, fail2Ban
Security options for Magento: Amasty, Watchlog Pro, MageFence
Security extensions for Joomla: JHackGuard, jomDefender, RSFirewall, Antivirus Website Protection

These options address the security vulnerabilities that are inherent in each platform, foiling additional types of hacking attempts that could threaten your website.

In addition, all websites – whether you’re running a CMS-managed site or HTML pages – can benefit from considering SiteLock. SiteLock goes above and beyond simply closing site security loopholes by providing daily monitoring for everything from malware detection to vulnerability identification to active virus scanning and more. If your business relies on its website, SiteLock is definitely an investment worth considering.

Note: Our Managed WordPress hosting plan has SiteLock built in, along with other features to help secure your site.

Step #2: Use HTTPS

As a consumer, you may already know to always look for the green lock image and https in your browser bar any time you provide sensitive information to a website. Those five little letters are an important shorthand for hacker security: they signal that it’s safe to provide financial information on that particular webpage.

An SSL certificate is important because it secures the transfer of information – such as credit cards, personal data, and contact information – between your website and the server.

While an SSL certificate has always been essential for ecommerce websites, having one has recently become important for all websites. In July 2018, Google Chrome released a security update that alerts website visitors if your website doesn’t have an SSL certificate installed. That makes visitors more likely to bounce, even if your website doesn’t collect sensitive information.

Search engines are taking website security more seriously than ever because they want users to have a positive and safe experience browsing the web. Taking the commitment to security further, a search engine may rank your website lower in search results if you don’t have an SSL certificate.

What does that mean for you? If you want people to trust your brand, you need to invest in an SSL certificate. The cost of an SSL certificate is minimal, but the extra level of encryption it offers to your customers goes a long way to making your website more secure and trustworthy.

At HostGator, we also take website security seriously, but most importantly, we want to make it easy for you to be secure. All HostGator web hosting packages come with a free SSL certificate. The SSL certificate will be automatically applied to your account, but you do need to take a few steps to install the free SSL certificate on your website.

Step #3: Keep your website platform and software up-to-date

Using a CMS with various useful plugins and extensions offers a lot of benefits, but it also brings risk. The leading cause of website infections is vulnerabilities in a content management system’s extensible components.

Because many of these tools are created as open-source software programs, their code is easily accessible – to both good-intentioned developers as well as malicious hackers. Hackers can pore over this code, looking for security vulnerabilities that allow them to take control of your website by exploiting any platform or script weaknesses.

To protect your website from being hacked, always make sure your content management system, plugins, apps, and any scripts you’ve installed are up-to-date.

If you’re running a website built on WordPress, you can check whether you’re up to date quickly when logging into your WordPress dashboard. Look for the update icon in the top left corner next to your site name. Click the number to access your WordPress Updates.

Step #4: Make sure your passwords are secure

This one seems simple, but it’s so important.

It’s tempting to go with a password you know will always be easy for you to remember. That’s why the #1 most common password is still 123456. You have to do better than that – a lot better than that to prevent login attempts from hackers and other outsiders.

Make the effort to figure out a truly secure password (or use HostGator’s password generator). Make it long. Use a mix of special characters, numbers, and letters. And steer clear of potentially easy-to-guess keywords like your birthday or kid’s name. If a hacker somehow gains access to other information about you, they’ll know to guess those first.

Holding yourself to a high standard for password security is step one. You also need to make sure everyone who has access to your website has similarly strong passwords. One weak password within your team can make your website susceptible to a data breach, so set expectations with everyone who has access.

Institute requirements for all website users in terms of length and types of characters. If your employees want to use easy passwords for their less secure accounts, that’s their business. But when it comes to your website, it’s your business (literally) and you can hold them to a higher standard.

Step #5: Invest in automatic backups.

Even if you do everything else on this list, you still face some risk. The worst-case scenario of a website hack is to lose everything because you forgot to back your website up. The best way to protect yourself is to make sure you always have a recent backup.

While a data breach will be stressful no matter what, when you have a current backup, recovering is much easier. You can make a habit out of manually backing your website up daily or weekly. But if there’s even the slightest chance you’ll forget, invest in automatic backups. It’s a cheap way to buy peace of mind.

5 Advanced Steps to Secure Your Website from Hackers

All of the above steps are relatively painless, even for website owners with minimal technical experience. This second half of the list gets a little more complicated, and you may want to call a developer or IT consultant to help you out.

Step #6: Take precautions when accepting file uploads through your site.

When anyone has the option to upload something to your website, they could abuse the privilege by loading a malicious file, overwriting one of the existing files important to your website, or uploading a file so large it brings your whole website down.

If possible, simply don’t accept any file uploads through your website. Many small business websites can get by without offering the option of file uploads at all. If that describes you, you can skip everything else in this step.

But eliminating file uploads isn’t an option for all websites. Some types of businesses, like accountants or healthcare providers, need to give customers a way to securely provide documents.

If you need to allow file uploads, take a few steps to make sure you protect yourself:

Create a whitelist of allowed file extensions. By specifying which types of files you’ll accept, you keep suspicious file types out.
Use file type verification. Hackers try to sneakily get around whitelist filters by renaming documents with a different extension than the document type actually is, or adding dots or spaces to the filename.
Set a maximum file size. Avoid distributed denial of service (DDoS) attacks by rejecting any files over a certain size.
Scan files for malware. Use antivirus software to check all files before opening.
Automatically rename files upon upload. Hackers won’t be able to re-access their file if it has a different name when they go looking for it.
Keep the upload folder outside of the webroot. This keeps hackers from being able to access your website through the file they upload.

These steps can remove most of the vulnerabilities inherent in allowing file uploads to your website.

Step #7: Use parameterized queries

SQL injections are one of the most common website hacks many sites fall victim to.

SQL injections can come into play if you have a web form or URL parameter that allows outside users to supply information. If you leave the parameters of the field too open, someone could insert code into them that allows access to your database. It’s important to protect your site from this because of the amount of sensitive customer information that can be held in your database.
There are a number of steps you can take to protect your website from SQL injection hacks; one of the most important and easiest to implement is the use of parameterized queries. Using parameterized queries ensures your code has specific enough parameters so that there’s no room for a hacker to mess with them.

Step #8: Use CSP

Cross-site scripting (XSS) attacks are another common threat site owners have to be on the lookout for. Hackers find a way to slip malicious JavaScript code onto your pages, which can then infect the device of any website visitors exposed to the code.

Part of the fight to protect your site from XSS attacks is similar to the parameterized queries for SQL injections. Make sure any code you use on your website for functions or fields that allow input is as explicit as possible in what’s allowed, so you’re not leaving room for anything to slip in.

Content Security Policy (CSP) is another handy tool that can help protect your site from XSS. CSP allows you to specify which domains a browser should consider valid sources of executable scripts when on your page. The browser will then know not to pay attention to any malicious script or malware that might infect your site visitor’s computer.

Using CSP involves adding the proper HTTP header to your webpage that provides a string of directives that tells the browser which domains are ok and any exceptions to the rule. You can find details on crafting CSP headers for your website here.

Step #9: Lock down your directory and file permissions

All websites can be boiled down to a series of files and folders that are stored on your web hosting account. Besides containing all of the scripts and data needed to make your website work, each of these files and folders is assigned a set of permissions that controls who can read, write, and execute any given file or folder, relative to the user they are or the group to which they belong.

On the Linux operating system, permissions are viewable as a three-digit code where each digit is an integer between 0-7. The first digit represents permissions for the owner of the file, the second for anyone assigned to the group that owns the file, and the third for everyone else. The assignations work as follows:

4 equals Read
2 equals Write
1 equals Execute
0 equals no permissions for that user

As an example, take the permission code “644.” In this case, a “6” (or “4+2”) in the first position gives the file’s owner the ability to read and write the file. The “4” in the second and third positions means that both group users and internet users at large can read the file only – protecting the file from unexpected manipulations.

So, a file with “777” (or 4+2+1 / 4+2+1 / 4+2+1) permissions is readable, write-able, and executable by the user, the group, and everyone else in the world.

As you might expect, a file that is assigned a permission code that gives anyone on the web the ability to write and execute it is much less secure than one which has been locked down in order to reserve all rights for the owner alone. Of course, there are valid reasons to open up access to other groups of users (anonymous FTP upload, as one example), but these instances must be carefully considered in order to avoid creating a website security risk.

For this reason, a good rule of thumb is to set your permissions as follows:

Folders and directories = 755
Individual files = 644

To set your file permissions, log in to your cPanel’s File Manager or connect to your server via FTP. Once inside, you’ll see a list of your existing file permissions (as in the following example generated using the Filezilla FTP program). The final column in this example displays the folder and file permissions currently assigned to the website’s content.

To change these permissions in Filezilla, simply right click the folder or file in question and select the “File permissions” option. Doing so will launch a screen that allows you to assign different permissions using a series of checkboxes.

Although your web host’s or FTP program’s backend might look slightly different, the basic process for changing permissions remains the same. Our support portal has solutions for how to modify your folder and file permissions.

Step #10: Keep your error messages simple (but still helpful).

Detailed error messages can be helpful internally to help you identify what’s going wrong so you know how to fix it. But when those error messages are displayed to outside visitors, they can reveal sensitive information that tells a potential hacker exactly where your website’s vulnerabilities are.

Be very careful what information you provide in an error message, so you’re not providing information that helps a bad actor hack you. Keep your error messages simple enough that they don’t inadvertently reveal too much. But avoid ambiguity as well, so your visitors can still learn enough information from the error message to know what to do next.

Protecting Your Website from Hackers

Securing your site and learning how to protect against hackers is a big part of keeping your site healthy and safe in the long run! Don’t procrastinate taking these important steps.

At HostGator, we have created a set of custom mod security rules to aid in the protection of your website. If you’re looking for a new hosting provider, you can click here to sign up for a great deal. For new accounts, we’ll even transfer you for free! After you’ve created an account, you just need to fill out the form here.

Don’t worry about getting tripped up in the process. HostGator has world-class support available around the clock! Our customer support specialists are available 24/7/365 via email ticket, chat, or phone. We can help you get secure!
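The upload precautions listed in Step #6 (extension allowlist, file type verification, size limit, renaming, and a folder outside the webroot) combined into one handler, as an added example that is not from the original post. The size limit, the allowed types, the function names and the paths are assumptions; malware scanning is left to whatever scanner you run.

```python
import os
import secrets
import tempfile
from pathlib import Path

MAX_BYTES = 5 * 1024 * 1024  # assumed limit; choose one that fits your site

# Allowed extension -> leading bytes a real file of that type starts with.
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


class UploadRejected(Exception):
    """Raised with a short reason that is safe to show to the visitor."""


def check_upload(filename, data):
    """Return the normalized extension if the upload passes every check, else raise."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Drop any directory part, then the trailing dots and spaces used to
    # disguise the real extension (for example "invoice.php. ").
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    # File type verification: the content must start like the type it claims to be.
    # This is a sanity check, not proof the file is harmless, which is why the
    # file is also renamed and kept outside the webroot below.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def store_upload(filename, data, upload_dir, webroot):
    """Validate, then save under a random name in a folder outside the webroot."""
    upload_dir = Path(upload_dir).resolve()
    webroot = Path(webroot).resolve()
    if upload_dir == webroot or webroot in upload_dir.parents:
        raise UploadRejected("upload folder must be outside the webroot")
    ext = check_upload(filename, data)
    # A malware scan of `data` would go here, before anyone opens the file.
    upload_dir.mkdir(parents=True, exist_ok=True)
    target = upload_dir / (secrets.token_hex(16) + ext)  # visitor's name never reaches disk
    with open(target, "xb") as fh:  # "x" refuses to overwrite an existing file
        fh.write(data)
    os.chmod(target, 0o644)  # no execute bit, matching the 644 advice in Step #9
    return target


if __name__ == "__main__":
    base = Path(tempfile.mkdtemp())
    webroot = base / "public_html"  # constructed layout for the demo
    webroot.mkdir()
    sample_pdf = b"%PDF-1.7\n% constructed sample, not a real document\n"
    print("stored as", store_upload("report.pdf", sample_pdf, base / "uploads", webroot).name)
    for bad in ("shell.php", "shell.php.jpg", "invoice.php. "):
        try:
            store_upload(bad, b"<?php", base / "uploads", webroot)
        except UploadRejected as why:
            print(repr(bad), "rejected:", why)
```
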
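The 4/2/1 scheme and the 755/644 rule of thumb from Step #9 as a small audit script, added here as an example and not part of the original post. The function names and the file names used in the demo are constructed.

```python
import os
import stat
import tempfile

DIR_MODE, FILE_MODE = 0o755, 0o644  # the rule of thumb from Step #9


def describe(mode):
    """Turn a three-digit code such as 0o644 into 'rw-r--r--' (4=read, 2=write, 1=execute)."""
    out = ""
    for shift in (6, 3, 0):  # owner, group, everyone else
        digit = (mode >> shift) & 0o7
        out += "r" if digit & 4 else "-"
        out += "w" if digit & 2 else "-"
        out += "x" if digit & 1 else "-"
    return out


def audit(root):
    """Return (relative path, current mode, baseline) for entries granting more than 755/644."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # a symlink's own mode says nothing about its target
            mode = stat.S_IMODE(info.st_mode) & 0o777
            wanted = DIR_MODE if stat.S_ISDIR(info.st_mode) else FILE_MODE
            if mode & ~wanted:  # a bit is set that the baseline does not grant
                findings.append((os.path.relpath(path, root), mode, wanted))
    return sorted(findings)


def tighten(root, findings):
    """Clear only the extra bits; stricter modes such as 600 are never loosened."""
    for rel, mode, wanted in findings:
        os.chmod(os.path.join(root, rel), mode & wanted)


if __name__ == "__main__":
    # Constructed site tree for the demo.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    for name, mode in (("index.php", 0o644), ("settings.php", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    for rel, mode, wanted in audit(root):
        print(f"{rel}: {mode:03o} {describe(mode)} -> {wanted:03o} {describe(wanted)}")
    tighten(root, audit(root))
    print("entries still too open:", len(audit(root)))
```
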


7 Mistakes Internet Entrepreneurs Make with Business Credit Cards

The post 7 Mistakes Internet Entrepreneurs Make with Business Credit Cards appeared first on HostGator Blog.

A business credit card is a powerful financial tool that all good entrepreneurs should have at their disposal. But as they say, with great power comes great responsibility.

When you’re running an eCommerce business, a business credit card helps you build business credit, allows you to finance a variety of important business-related purchases, and provides lucrative rewards, perks, and protections. It truly does it all.

That being said, it’s easy to lean too heavily on your business credit card, or otherwise misuse it in an attempt to wring all possible value out of it. Not understanding the relationship your business credit has to the rest of your business also leads to errors that have a ripple effect on your bottom line.

Whether you’re exploring options for your first business credit card, looking for another card as your eCommerce venture scales, or a long-time business owner who hasn’t given your business credit much thought in a while, here are seven mistakes entrepreneurs make with business credit cards.

1. Using their credit card to finance overly large purchases

It can be tempting, once you get a hold of your new business credit card, to finance everything with it. Cloud-based software subscriptions, shipping costs, inventory—you name it. If you get points back on every purchase, why not get a discount on every purchase you make?

This works, but only to a point. But financing hugely expensive purchases that will take a long time to pay down with your credit card doesn’t make sense—your credit card interest rate will likely be too high. Unless you have a 0% APR during your introductory period, or a plan to pay down your charges quickly, the extra costs will rack up.

If you want to purchase something on credit that you expect will take months, or even years, to pay off, consider finding an alternate source of small business financing, such as a line of credit, loan, or inventory or equipment financing.

2. Maxing out their credit cards

Whether it’s personal credit cards or business credit cards, using as much of the credit available to you as possible is never a good idea.

One of the main perks of having a business credit card is its flexibility. Hit with an unexpected charge, or want to surprise your team with a party for meeting an end-of-the-month goal? If you’ve already maxed out your cards, you lose out on your ability to spring for sudden purchases.

Additionally, maxing out your cards throws your credit utilization ratio out of whack. This ratio is simple: How much credit is available to you, and how much of it are you using? Lenders look at this ratio when you apply for a loan to get an idea of how much outstanding debt you have. If you already appear overextended, creditors are less likely to offer you additional funding.

Keep your credit utilization ratio below 30% and you’ll appear much more responsible to future lenders—as well as have plenty of wiggle room to take on unexpected expenses.

3. Carrying a balance from month-to-month

Carrying your balance over from month-to-month is another mistake business owners make when they put too much stock in rewards points over their ability to repay their debt.

The bottom line is that reward points and perks will never be worth having to make interest payments on your purchases. Your exact APR will vary depending on your credit history and situation, but even the best cards have APRs north of 13%, and it will likely be higher.

When possible, only put on your card what you can afford to pay back at the end of the month. This habit will help build your business credit score and keep your money where it belongs—in your business bank account.

4. Mixing business and personal expenses

If you use a business credit card for only one reason, it’s this: To separate your business and personal expenses. Everything else is window-dressing—albeit quite attractive window-dressing.

So if you’re ever in a situation where you want to cover a personal expense with your business card, or vice versa, due to convenience or forgetfulness or wanting to take advantage of reward points—don’t.

Mixing your expenses is also called “piercing the corporate veil,” and doing so may expose your personal assets in the event that your business goes bankrupt or you’re the subject of a lawsuit. Even a seemingly harmless one-off purchase can have repercussions.

Plus, come tax season, you’ll be so much happier that you don’t have to parse through all of your personal credit statements for the odd business expense to write off.

5. Offering corporate credit cards to employees without setting boundaries

You may get to a point in your small business where it’s easier to extend individual corporate credit cards—physical or virtual—to your team members, rather than forcing them to contact you for the approval of every purchase. This is a good thing: It means your business is growing and you have faith in your team.

That being said, your employees may not be privy to all of your cash flow needs, and may not understand how easy it is to hamstring a small business with uncapped spending. Worse, their unchecked spending may affect your business credit, hampering your borrowing capabilities for years to come.

Before issuing credit cards, discuss with employees exactly what qualifies as a business expense, and let them know that you’ll have clear oversight into their spending.

6. Overlooking credit cards with annual fees

There’s a tendency for small business owners to want to cut costs any way they can. Often, this frugal mindset serves them well, and innovative techniques are born out of the necessity to stay under budget.

Sometimes, however, small businesses need to invest. And while there are plenty of excellent no-fee credit cards out there, some business credit cards have an annual fee that is worth it—depending on how you plan to use the card.

Research annual fee business credit cards and see what you get for your money. If your spending habits align with the perks offered on the card—point multipliers on travel, for example—you may actually come out ahead each year quite easily.

Bottom line: Don’t instantly write off a credit card just because it’s not free.

7. Closing rarely used accounts

As you continue to open up lines of credit and credit cards throughout the life of your business, you might think it’s time to close up your old accounts so you have an easier time reviewing your finances.

But closing your accounts affects your credit utilization ratio. If there are no clear benefits to closing those accounts other than streamlining things, it’s better to just leave them open and give your business even more credit overhead.

If your accounts are charging you money—e.g., with an annual fee—and you need to close them, time your decision strategically. About to apply for a loan from a bank or online lender? Hold off until after the deal is done.

***

Many of the best practices for personal and business credit cards are typically the same: Don’t be late with your payments, don’t spend more than you can afford. The difference with some of the above mistakes is that they can truly prevent your business from taking important steps in its growth process. Don’t limit your business to unaffordable lending options, or waste your time parsing through mountains of expenses.

Make your life simple by avoiding these mistakes, and everyone involved in making your eCommerce business a success will be happier for it.


accepting credit cards?

Hey everyone, I was wanting to start accepting credit cards for my business, was wondering what people suggest? Looking for one that work… | Read the rest of http://www.webhostingtalk.com/showthread.php?t=1737594&goto=newpost


How to Secure a Website from Hackers

The post How to Secure a Website from Hackers appeared first on HostGator Blog . As a website owner, is there anything more terrifying than the thought of seeing all of your work altered or entirely wiped out by a nefarious hacker? You’ve worked hard on your website (and your brand) – so it’s important to take the time to protect it with these basic hacker protection tips! This article will also teach you how to check if a website is safe and what you can do to ensure your website is completely from hackers. In addition to regularly backing up your files (which you should already be doing, for various reasons), taking the following these seven easy steps will help protect your website from hackers:   Step #1: Install security plugins, when possible Once you’ve updated everything, further enhance your website security with plugins that actively prevent website hacking attempts. Again, using WordPress as an example, you’ll want to look into free security plugins like iThemes Security and Bulletproof Security (or similar tools that are available for websites built on other content management systems). These products address the security vulnerabilities that are inherent in each platform, foiling additional types of hacking attempts that could threaten your website. Alternatively – whether you’re running a CMS-managed site or HTML pages – take a look at SiteLock .  SiteLock goes above and beyond simply closing site security loopholes by providing daily monitoring for everything from malware detection to vulnerability identification to active virus scanning and more.  If your business relies on its website, SiteLock is definitely an investment worth considering. Note: Our  Managed WordPress hosting plan has SiteLock built in, along with other features to help secure your site. Step #2: Use HTTPS As a consumer, you may already know to always look for the green https in your browser bar any time you’ll be providing sensitive information to a website. 
Most consumers know to recognize those five little letters as an important shorthand for hacker security: they signal that it’s safe to provide financial information on that particular webpage.

In July 2018, Google Chrome released a security update that alerts website visitors if your website doesn’t have an SSL certificate installed. An SSL certificate is important because it secures the transfer of information – such as credit cards, personal data, and contact information – between your website and the server.

Search engines are taking website security more seriously than ever because they want users to have a positive and safe experience browsing the web. Taking the commitment to security further, a search engine may rank your website lower in search results if you don’t have an SSL certificate.

What does that mean for you? If you have an online store, or if any part of your website will require visitors to hand over sensitive information like a credit card number, you need to invest in an SSL certificate. The cost of an SSL certificate is minimal, but the extra level of encryption it offers to your customers goes a long way to making your website more secure and trustworthy.

At HostGator, we also take website security seriously, but most importantly, we want to make it easy for you to be secure. All HostGator web hosting packages come with a free SSL certificate. The SSL certificate will be automatically applied to your account, but you do need to take a few steps to install the free SSL certificate on your website.

Step #3: Keep your website platform and software up-to-date

One of the best things you can do to protect your website from being hacked is to make sure your content management system, plugins and apps, or scripts you’ve installed are up-to-date. Because many of these tools are created as open-source software programs, their code is easily accessible – to both well-intentioned developers as well as malicious hackers.
Hackers can pore over this code, looking for security vulnerabilities that allow them to take control of your website by exploiting any platform or script weaknesses. As an example, if you’re running a website built on WordPress, both your base WordPress installation and any third-party plugins you’ve installed are potentially vulnerable to these types of cyber attacks.

Making sure you always have the newest versions of your platform and scripts installed minimizes the risk that you’ll be hacked in this way and usually takes very little time to do. WordPress users can check this quickly when they log in to their WordPress dashboard. Look for the update icon in the top left corner next to your site name. Click the number to access your WordPress Updates.

Step #4: Make sure your passwords are secure

This one seems simple, but it’s so important. It’s tempting to go with a password you know will always be easy for you to remember. That’s why the #1 most common password is still 123456. You have to do better than that – a lot better – to prevent login attempts from hackers and other outsiders.

Make the effort to figure out a truly secure password (or use HostGator’s password generator). Make it long. Use a mix of special characters, numbers, and letters. And steer clear of potentially easy-to-guess keywords like your birthday or kid’s name. If a hacker somehow gains access to other information about you, they’ll know to guess those first.

You also want to make sure everyone who has access to your website has similarly strong passwords. Institute requirements in terms of length and the type of characters that people are required to use so they have to get more creative than going with the standard, easy passwords they turn to for less secure accounts. Creating strong passwords can prevent a hacker from being able to gain access to your accounts.
One weak password within your team can make your website susceptible to a data breach, so set expectations with everyone who has access and hold yourself to the same high standard.

Step #5: Use parameterized queries

One of the most common website hacks many sites fall victim to is SQL injection. SQL injections can come into play if you have a web form or URL parameter that allows outside users to supply information. If you leave the parameters of the field too open, someone could insert code into them that allows access to your database. It’s important to protect your site from this because of the amount of sensitive customer information that can be held in your database.

There are a number of steps you can take to protect your website from SQL injection hacks; one of the most important and easiest to implement is the use of parameterized queries. Using parameterized queries ensures your code has specific enough parameters so that there’s no room for a hacker to mess with them.

Step #6: Use CSP

Similar to SQL injections, cross-site scripting (XSS) attacks are another common threat site owners have to be on the lookout for. They occur when hackers find a way to slip malicious JavaScript code onto your pages which can then infect the pages of any visitors to your website that are exposed to the code.

Part of the fight to protect your site from XSS attacks is similar to the parameterized queries you use for SQL injections. You should make sure any code you use on your website for functions or fields that allow input is as explicit as possible in what’s allowed, so you’re not leaving room for anything to slip in.

Another handy tool that can help protect your site from XSS is Content Security Policy (CSP). CSP allows you to specify the domains a browser should consider valid sources of executable scripts when on your page, so the browser knows not to pay attention to any malicious script or malware that might infect your site visitor’s computer.
Using CSP is simply a matter of adding the proper HTTP header to your webpage that provides a string of directives that tells the browser which domains are ok and any exceptions to the rule. You can find details on how to craft CSP headers for your website provided by Mozilla here.

Step #7: Lock down your directory and file permissions

Now, for this final technique, we’re going to get a little technical – but stick with us.

All websites can be boiled down to a series of files and folders that are stored on your web hosting account. Besides containing all of the scripts and data needed to make your website work, each of these files and folders is assigned a set of permissions that controls who can read, write, and execute any given file or folder, relative to the user they are or the group to which they belong.

On the Linux operating system, permissions are viewable as a three-digit code where each digit is an integer between 0-7. The first digit represents permissions for the owner of the file, the second digit represents permissions for anyone assigned to the group that owns the file, and the third digit represents permissions for everyone else. The assignations work as follows:

4 equals Read
2 equals Write
1 equals Execute
0 equals no permissions for that user

As an example, take the permission code “644.” In this case, a “6” (or “4+2”) in the first position gives the file’s owner the ability to read and write the file. The “4” in the second and third positions means that both group users and internet users at large can read the file only – protecting the file from unexpected manipulations.

So, a file with “777” (or 4+2+1 / 4+2+1 / 4+2+1) permissions would then be readable, write-able, and executable by the user, the group and everyone else in the world.
As you might expect, a file that is assigned a permission code that gives anyone on the web the ability to write and execute it is much less secure than one which has been locked down in order to reserve all rights for the owner alone. Of course, there are valid reasons to open up access to other groups of users (anonymous FTP upload, as one example), but these instances must be carefully considered in order to avoid creating a website security risk.

For this reason, a good rule of thumb is to set your permissions as follows:

Folders and directories = 755
Individual files = 644

To set your file permissions, log in to your cPanel’s File Manager or connect to your server via FTP. Once inside, you’ll see a list of your existing file permissions (as in the following example generated using the FileZilla FTP program):

The final column in this example displays the folder and file permissions currently assigned to the website’s content. To change these permissions in FileZilla, simply right click the folder or file in question and select the “File permissions” option. Doing so will launch a screen that allows you to assign different permissions using a series of checkboxes:

Although your web host’s or FTP program’s backend might look slightly different, the basic process for changing permissions remains the same. Our support portal has solutions for how to modify your folder and file permissions.

In conclusion…

Don’t put off taking this important step. Securing your site and learning how to protect against hackers is a big part of keeping your site healthy and safe in the long run!

At HostGator, we have created a set of custom mod security rules to aid in the protection of your website. If you’re looking for a new hosting provider, you can click here to sign up for a great deal. For new accounts, we’ll even transfer you for free! After you’ve created an account, you just need to fill out the form here. Don’t worry about getting tripped up in the process.
HostGator has world-class support available around the clock! Our customer support specialists are available 24/7/365 via email ticket, chat, or phone. We can help you get secure!
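
Step #6 has two halves: be explicit about what an input field accepts, and send a CSP header. This added example (not from the original post) shows both in a minimal Python WSGI page. The policy, the cdn.example.com host, the allowed-name pattern and the function names are assumptions made for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed policy: scripts only from the site itself and one hypothetical CDN.
CSP_DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
}
# Explicit allowlist for the one input field this page accepts.
NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,40}")


def build_csp(directives):
    """Serialize directives into the header value: 'name src src; name src'."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def app(environ, start_response):
    """Minimal WSGI page that greets the visitor named in the query string."""
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        # Sent on every response, including error pages.
        ("Content-Security-Policy", build_csp(CSP_DIRECTIVES)),
    ]
    name = parse_qs(environ.get("QUERY_STRING", "")).get("name", ["guest"])[0]
    if not NAME_RE.fullmatch(name):
        start_response("400 Bad Request", headers)
        return [b"<p>Invalid name</p>"]
    start_response("200 OK", headers)
    # Encode on output as well, so a later change to NAME_RE cannot open a hole.
    return [f"<p>Hello, {html.escape(name)}</p>".encode("utf-8")]


def render(query_string):
    """Call the app in-process; return (status, headers dict, body text)."""
    seen = {}

    def start_response(status, headers):
        seen.update(status=status, headers=dict(headers))

    body = b"".join(app({"QUERY_STRING": query_string}, start_response))
    return seen["status"], seen["headers"], body.decode("utf-8")
```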
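
For Step #7, checking permissions one file at a time in an FTP client does not scale to a whole site. The following added example (not from the original post) decodes a three-digit code the way the step describes and walks a directory tree to report anything that grants more than the 755/644 rule of thumb. The function names are hypothetical, and it assumes a Linux or other POSIX host.

```python
import os
import stat

DIR_MODE, FILE_MODE = 0o755, 0o644   # the rule of thumb from Step #7


def explain(mode):
    """Decode a three-digit mode into owner/group/other rights (4=r, 2=w, 1=x)."""
    out = {}
    for who, shift in (("owner", 6), ("group", 3), ("other", 0)):
        digit = (mode >> shift) & 0o7
        out[who] = "".join(
            ch if digit & bit else "-" for ch, bit in (("r", 4), ("w", 2), ("x", 1))
        )
    return out


def audit(root):
    """Return (path, actual, expected) for entries granting more than the rule."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, expected in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                    # a symlink's own mode is not meaningful
            actual = stat.S_IMODE(st.st_mode) & 0o777
            if actual & ~expected:          # any bit set beyond the expected mode
                findings.append((path, oct(actual)[2:], oct(expected)[2:]))
    return sorted(findings)


def fix(findings):
    """Clear only the excess bits, leaving stricter modes (such as 600) untouched."""
    for path, actual, expected in findings:
        os.chmod(path, int(actual, 8) & int(expected, 8))
```

Run `audit()` on a copy of the site or review its findings before calling `fix()`, since an upload directory may be deliberately more open, as the step notes.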
