If you run a business, you need a website. Available technology makes it easier than ever to get started. A website acts as an owned brand asset (unlike a Facebook page, which could be shut down at any time, for any reason) where customers can find answers to their pressing questions — including how to get to your location (when applicable). And if you have a business website, you also need a working knowledge of website security vulnerabilities and ongoing website maintenance.
Website maintenance encompasses all of the activities you must undertake to ensure that your website stays up-to-date and in working order. One major website maintenance activity that many don’t pay enough attention to is website security.
In 2016, the U.S. National Cyber Security Alliance reported that about 60 percent of small companies cannot sustain the business over six months after a cyberattack. It’s easy to understand why this could be: exposure of sensitive information can damage the trust you have with customers (among other negative consequences).
Here’s the good news: You don’t need a big budget to adequately protect your website from the website security vulnerabilities that threaten it. But you do need a proactive approach that involves putting security measures in place.
Related: What is the cybersecurity skills gap and what does it mean for your business?
7 common website security vulnerabilities
Website security covers a broad spectrum of attacks and solutions, which can be overwhelming, but these seven vulnerabilities are the most common:
-
Malware.
-
SQL injection.
-
Cross-site scripting (XSS).
-
Interception.
-
Password attacks.
-
DDoS attack.
-
Security misconfiguration.
While there are other website security vulnerabilities, protecting your website from these seven types of cybersecurity threats will help to keep you on the right track.
1. Malware
Malware is software created for malicious purposes, designed to infect and harm a system. Since it’s a broad term, malware encompasses website security vulnerabilities that range from viruses to adware that can infect both computers and websites. A website attacked by malware exposes sensitive data, including customer information.
Malware attacks can be overwhelming for businesses, especially those that don’t recognize them.
In the first quarter of 2018, 60 percent of those who experienced cyberattacks were infected with malware. Two of the most common types of malware include:
- Defacement: This type of malware changes the appearance of a website. Usually, the website will display a message that contains the hacker’s name.
- Malicious redirect: In this situation, when users go to your website, they are redirected to another website containing malicious content. This can make certain pages, or even the whole website, inaccessible to users.
GoDaddy Website Security features various tools to keep your website safe, including malware scanning, removal and prevention. This tool is ideal for small business owners without the time or tech chops to adequately protect their websites against security vulnerabilities.
Related: What is malware?
2. SQL injection
Website security vulnerabilities happen when a website contains a weak point in the code that allows those with malicious intent to attack or gain control. This is commonly caused by issues in outdated (not frequently updated) WordPress plugins or other software tools used on your website.
SQL injection is a type of website security vulnerability that involves malicious SQL statements or application codes that are injected into user input fields. This process allows attackers to gain access to the website’s backend database or corrupt database content.
If the attack is successful, the results can be used to steal customer information, modify or delete data, or get a full control of the website.
This is one of the most widespread website security vulnerabilities.
In 2018, it was reported that the average vulnerable website contained SQL injection vulnerabilities on more than 1,000 pages. This web security threat is also included in OWASP’s The Ten Most Critical Web Application Security Risks in 2017.
A web application firewall (WAF) — part of GoDaddy’s Website Security package — is designed to enhance protection for your website against SQL injection attacks. A WAF is a cloud-based firewall service that screens and protects your real-time website traffic from threats such as SQL injection attacks and comment spammers, while also thwarting DDoS attacks. You can learn about choosing a WAF in this article.
Related: 5 simple steps to avoid WordPress security problems
3. Cross-site scripting (XSS)
Cross-site scripting (XSS) is another common type of website security vulnerabilities. Unlike SQL injection, XSS occurs when lines of malicious JavaScript code are injected into a webpage to target the website’s users, manipulating client-side scripts.
These scripts hijack user sessions through a website’s search bar or comments (via the website’s backend). This can deface the website and redirect users to other malicious websites that might manifest as seemingly normal-looking pages that can potentially steal their information.
4. Interception
Interception happens when a hacker captures any type of data that users submit to a website, then use this for their own gains. This data can take the form of simple contact information or sensitive credit card information. Cybercriminals then sell this data or make purchases of their own.
In just one of many examples, a cybercriminal group in Belgium hacked a number of medium to large European companies in 2015 to gain access to sensitive financial data. They stole €6 million as the result of these criminal activities.
It’s important to secure your website with an SSL certificate to protect sensitive data.
SSL builds a secure and encrypted connection between the visitor's browser and the web server, to establish a secure session. This protects buyers from cyberattacks, such as interception.
So, does your website need an SSL certificate? Even if you don’t operate an eCommerce website, the answer is yes.
5. Password attacks
Some hackers guess passwords or use tools and dictionary programs to try different combinations until they get in.
In some cases, keylogging is also used to gain access to user accounts. Keylogging records every keystroke made by a computer user. The results are then communicated back to the hackers who initially installed these programs.
One big lesson here? Be careful of how you use public computers or public WiFi!
Many websites lack strong password security, making attempts to log in incredibly easy. A few ways to protect your website:
- Require a strong and unique password combination.
- Ask users to regularly change their passwords.
- Require two-step authentication to confirm user access.
And for goodness sake, don’t make your WordPress admin username “admin.”
Related: Setting up two-factor authentication for WordPress
6. DDoS attack
A Distributed Denial of Service (DDoS) attack happens when a website server is receiving a lot of traffic or requests that overload or overwhelm the system.
These website security vulnerabilities are fake traffic from attacker-controlled computers, often called botnets. A botnet is a number of internet-connected devices that are running one or more bots.
When the web server gets overwhelmed by the overloaded traffic or requests, the website loads poorly as a result. With enough force behind these attacks, the website server can crash, bringing the website offline completely.
In 2017, Kaspersky Lab reported that 33 percent of small- and midsize businesses were attacked by DDoS, with 20 percent of very small businesses, and 41 percent of larger enterprises also affected. For small businesses, this number is almost double the report from 2016 (17 percent).
The takeaway? DDoS attacks are on the rise!
Fortunately, preventing DDoS attacks does not have to be complicated. GoDaddy Website Security’s advanced security monitoring and Web Application Firewall (WAF) is designed to help prevent this type of cyber security attack.
Related: How to stop a DDoS attack that’s already in progress
7. Security misconfiguration
Security misconfiguration happens when the security settings of a website have holes or weaknesses that can lead to various website security vulnerabilities. This often occurs due to lack of proper website maintenance or improper web application configuration.
A security misconfiguration allows hackers to gain access to private data or website features that can compromise the system completely. In these situations, data can also be stolen or modified.
Website security vulnerabilities arise when settings are insecure default configurations. Leaving your settings as the default makes it ridiculously easy for hackers to gain access to the backend of your website.
The takeaway here? Never keep your website’s default security settings—spend some time customizing them and configuring them as appropriate for your needs.
Related: How to improve WordPress security in 11 steps — even if you’re non-technical
Final thoughts on website security vulnerabilities
Spending time getting to know the most common website security vulnerabilities is an important first step in defending your small business website. Step two is taking action, making changes and installing software to protect your data, and that of your customers.