6 great FREE ways to stop your website being hacked
Thursday, September 6, 2018

People often assume that unless their site is big (and profitable) or controversial/political, it won't be a target for hackers. In fact most sites are hacked by bots, often to insert malware that attacks the PCs of visitors to the site, or to place links for "black hat" SEO purposes.
Here are 6 tips to improve your website security for no cost.
1. Use a good password
Whether your website is made up of simple HTML pages that you update via FTP, or you use a CMS (content management system) with an admin area where you manage content, security is dependent on having a good password.
But what makes a good password?
It should be unguessable - the best way to ensure this is to make sure it is as random as possible, and of sufficient length.
Web browsers and FTP software can remember the password for you, so there is no need to make it easy to remember - a random string of characters of great enough length will be virtually uncrackable. If you need help, there are utilities that will create very random passwords for you, e.g.
https://my.norton.com/extspa/idsafe?path=pwd-gen
Set the length to 20 or more characters - every extra character makes the password around 100 times more secure.
If you need to be able to remember the password, then it's better to use a long phrase rather than a shorter collection of random characters. It's important that the phrase isn't a quote or a line from a book, as a bot may try common quotes or passages of text from famous books. It should be original and easy to remember - for example
"I started my job at XYZ corporation in 2015 and I left 2 years later."
This uses upper and lower case characters as well as numbers and punctuation, and it is original (including the company name helps with this). Most importantly, it's very long (69 characters), so there is virtually zero chance that a bot could crack it via a "brute-force" search.
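To make the two rules above concrete (a random password of 20+ characters, or an original passphrase that is not a famous quote), here is a small checker added as an example; it is not code from the original post. It measures the brute-force search space from the character classes actually used (the 95 printable ASCII characters together are why each extra random character multiplies the work by roughly 100) and rejects anything that matches a quote list. The quote list is a constructed stand-in for the much larger corpus a real check would use, and the 6-word and 20-character thresholds are assumptions.

```python
import math
import string

# Character classes a brute-force search has to cover once it sees them used.
# Together they make up the 95 printable ASCII characters, which is why one
# extra random character multiplies the search space by roughly 100.
CLASSES = {
    "lower": set(string.ascii_lowercase),     # 26
    "upper": set(string.ascii_uppercase),     # 26
    "digit": set(string.digits),              # 10
    "symbol": set(string.punctuation + " "),  # 33
}

# Constructed stand-in for the list of famous quotes a bot might try first;
# a real check would use a large corpus of quotes and breached passwords.
COMMON_PHRASES = {
    "to be or not to be that is the question",
    "it was the best of times it was the worst of times",
    "call me ishmael",
}


def charset_size(password):
    """Alphabet size an attacker must assume, given the classes present."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def bruteforce_bits(password):
    """log2 of the brute-force search space for a *random* string drawn from
    the detected classes. This is an upper bound: a natural-language phrase
    has far fewer plausible combinations than the same number of random
    characters, so length alone is not the whole story for a passphrase."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def normalise(phrase):
    """Lower-case, keep letters and digits, collapse punctuation and spacing so
    'To be, or not to be!' matches the same quote as 'to be or not to be'."""
    cleaned = "".join(c.lower() if c.isalnum() else " " for c in phrase)
    return " ".join(cleaned.split())


def assess(password):
    """Apply the post's rules: a known quote is rejected; a passphrase needs
    enough words (assumed: 6); a random password needs 20+ characters."""
    reasons = []
    words = normalise(password).split()
    if normalise(password) in COMMON_PHRASES:
        reasons.append("matches a well-known quote")
    if len(words) >= 4:  # treat as a passphrase and judge it by word count
        if len(words) < 6:
            reasons.append("passphrase has fewer than 6 words")
    elif len(password) < 20:
        reasons.append("random password shorter than 20 characters")
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(bruteforce_bits(password), 1),
        "ok": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for candidate in ["hunter2",
                      "To be, or not to be: that is the question",
                      "I started my job at XYZ corporation in 2015 and I left 2 years later."]:
        print(repr(candidate), assess(candidate))
```

The post's own 69-character example passes: four character classes (charset 95), fifteen words, and no quote match. Note that the reported bits are the bound for a random string; for a phrase the real strength comes from it being original, which is exactly why the quote check matters more than the number.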
2. Make sure software is up to date
Software is complex, and therefore it inevitably has errors in it. That is why software companies are always releasing security updates and patches. The average website is dependent on many different pieces of software.
You'll need to ensure that your site's operating system is fully updated (your web host might take care of this depending on your hosting arrangements).
Any ecommerce or CMS software that powers the site should be fully patched. If you use plugins on your site then these need to be checked to ensure they are up to date too.
Often overlooked is the PC or device you use to access the website and update it. If your desktop PC gets compromised with malware, that may steal your website passwords as you use them.
3. Use IP Blocking
Every user on the Internet has an IP (Internet Protocol) address. It's a numeric address that enables data to be sent to you - whether that is a web page you've requested, email, or perhaps a Skype call. Some users (especially companies) will have a fixed IP address that doesn't change from day to day. Home users are more likely to have a dynamic address that does change, but in this case it would still likely fall within a particular range of IP addresses.
Some ecommerce and CMS software includes the ability to specify that only specific IP addresses, or ranges of addresses can connect to the admin control panel for the software. This means that even if an attacker does obtain your password, it will still be very difficult to access the website's control panel.
A word of caution - setting the IP filter to a single address or range might result in you being locked out of your site if you lose access to the IP address(es) you've specified. Make sure you list several addresses or ranges (perhaps your work, home, friends) to ensure that you'll still be able to access in these circumstances.
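Where your CMS does not offer an IP filter for the admin area, the same check is easy to write yourself. The example below is added here and is not code from the original post or from any CMS. It accepts several addresses and ranges (IPv4 and IPv6) as the caution above recommends, reports the single-entry lockout risk, and handles one detail that bites people who also follow tip 5: behind a CDN the server's connection peer is the CDN, not the visitor, so the forwarded client address must be used, and only when the peer really is a trusted proxy. The allowlist, the trusted-proxy range and the header format (proxy appends the client to the end of X-Forwarded-For) are assumptions; use your own addresses and your provider's published proxy list.

```python
import ipaddress

# Constructed configuration: several ranges, as the post advises, so losing
# one address does not lock the owner out (office, home, an IPv6 range).
ADMIN_ALLOWLIST = [
    "203.0.113.0/24",       # office network (documentation range, constructed)
    "198.51.100.42",        # home static address (constructed)
    "2001:db8:1234::/48",   # IPv6 range (constructed)
]

# Addresses trusted to forward the real client address (a CDN, for instance).
# Constructed value; a real deployment uses the provider's published list.
TRUSTED_PROXIES = ["192.0.2.0/24"]


def _networks(entries):
    # strict=False lets a plain host address stand in for its /32 or /128.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_any(ip, entries):
    """True if ip (a string) falls inside any address or range in entries.
    Malformed input never matches; IPv4/IPv6 mismatches never match."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in _networks(entries))


def client_ip(remote_addr, forwarded_for=None):
    """Pick the address to judge. The forwarded header is honoured only when
    the TCP peer is a trusted proxy; otherwise anyone could forge it. A proxy
    appends the client it saw to the end of X-Forwarded-For (assumption about
    the proxy's behaviour), so the last entry is the one to trust."""
    if forwarded_for and in_any(remote_addr, TRUSTED_PROXIES):
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def admin_allowed(remote_addr, forwarded_for=None):
    """The gate to put in front of the admin control panel."""
    return in_any(client_ip(remote_addr, forwarded_for), ADMIN_ALLOWLIST)


def lockout_warnings(entries):
    """Sanity checks from the post's word of caution: one entry is one outage
    away from locking you out; a prefix of /0 is no filter at all."""
    warnings = []
    nets = _networks(entries)
    if len(nets) < 2:
        warnings.append("only one allowlist entry; add a second address or range")
    for net in nets:
        if net.prefixlen == 0:
            warnings.append(f"{net} allows the whole Internet")
    return warnings


if __name__ == "__main__":
    print(lockout_warnings(ADMIN_ALLOWLIST))
    print(admin_allowed("203.0.113.7"))                     # direct, allowed
    print(admin_allowed("192.0.2.5", "203.0.113.7"))        # via trusted proxy
    print(admin_allowed("198.51.100.99", "203.0.113.7"))    # forged header, denied
```

The important design choice is that the forwarded address is only believed when the connection itself comes from the proxy range; without that check, an attacker who can reach the server directly (or who learns its real address despite the CDN) could simply send a header claiming to be at your office.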
4. Use HTTPS on your website
HTTPS is the secure version of HTTP - the protocol that the web is based on. When you connect to a site with HTTPS you'll normally see a padlock or some other symbol to show that the site is secure, depending on which web browser you are using.
HTTPS ensures that the connection between your web browser and the webserver is encrypted (in both directions). This protects the passwords that you use to log into your website to update it.
More recently the major web browsers have begun to flag sites that don't use HTTPS as insecure, which will put off some visitors to your website.
HTTPS requires a secure certificate to be issued by a "trusted third party". In the past a typical certificate cost around $50 per year. These can now be obtained for free.
Setting up HTTPS requires some technical knowledge so is normally done by hosting companies or professional web developers.
5. Use Cloudflare or a similar CDN (Content Delivery Network)
Cloudflare is a system that sits between your website and the Internet. When a user clicks to view a page on your website, Cloudflare fetches it (if it doesn't have a recent copy) and serves it to the user. It provides quite a few security advantages:
- the IP address of your website is hidden; an attacker can only see the Cloudflare IP address. This makes attacks targeted against the web server very difficult
- Cloudflare can add HTTPS, even if your site doesn't have this (it's even more secure if your site has its own HTTPS too)
- Cloudflare can alter content in your pages, for example "munging" email addresses so they still work for users of the site, but aren't visible in the code (and so can't be spidered by bots for future spam runs)
- protection from DoS (denial of service) attacks. This attack involves hitting a website with so much traffic that it can't cope. The power of Cloudflare's network, combined with a smart system that attempts to identify and filter out rogue traffic, makes DoS attacks much harder
Cloudflare provides all of this for free, though its paid accounts offer even more features.
6. Use Two-Factor authentication ("2FA")
You may be familiar with this as many banks and other services that need to be very secure have introduced it. The basic principle is that a password (the first "factor") alone is not sufficient to grant access. The second factor might be a text message code sent to your cell phone or an authenticator app that generates codes that must be entered during the login process. Many banks and corporate IT departments issue special devices that generate such codes.
Depending on what system your website is built on, there may be 2FA options available to you, for example:
https://wordpress.org/plugins/tags/2-factor-authentication/
https://our.umbraco.com/projects/backoffice-extensions/umbraco-2fa/
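The authenticator-app codes mentioned above are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226): the app and the server share a secret, and both derive a 6-digit code from it and the current 30-second time step, so the code changes constantly and a stolen password alone is useless. The following example is added here and is not code from the original post or from either plugin linked above; it implements the generator, a verifier that tolerates one step of clock drift, compares in constant time and refuses replayed codes, and the provisioning URI that authenticator apps read from a QR code. The secret shown is the RFC 6238 test secret, used only so the expected codes are known; the issuer and account names are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

DIGITS = 6
STEP = 30  # seconds per code, the RFC 6238 default


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a digits-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify(secret, submitted, at=None, window=1, last_step=-1,
           step=STEP, digits=DIGITS):
    """Return the time step whose code matched, or None.
    - tolerate +/- window steps of clock drift between phone and server,
    - compare in constant time so timing does not leak digits,
    - refuse any step at or before last_step (the step of the last code this
      account used) so a code captured once cannot be replayed."""
    at = time.time() if at is None else at
    submitted = submitted.replace(" ", "").strip()
    if not (submitted.isascii() and submitted.isdigit()):
        return None
    current = int(at // step)
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def new_secret(nbytes=20):
    """Fresh per-user secret; 160 bits matches HMAC-SHA1's output size."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that authenticator apps import (usually via a QR code)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "editor@example.com", "Example Site CMS"))
    code = totp(secret)
    print("current code:", code, "accepted step:", verify(secret, code))
```

Server-side, the per-user state is the secret and the last accepted step; storing the latter is what turns a merely time-limited code into a true one-time code. Because only the current step and its neighbours are ever tried, an attacker guessing codes has three chances in a million per attempt, so rate limiting the login form still matters.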
Summary
Your website is a critical investment. One hacking incident can cost thousands of dollars in terms of damage to business operations, reputation, and IT costs. Spending a little time implementing some or all of the above will greatly reduce the chance of falling victim to hackers.