Skip to Main Content

Web Security Best Practices In The Age Of COVID-19

Code blocks on a computer screen

The economic downturn due to COVID-19 seems to have brought about a higher rate of spam, scam emails and phishing attempts. (This also happened in 2007-2008 during the Great Recession, so we’re not surprised by this increased threat to online security.)

There are a lot of hackers out there with free time on their hands and a lot of desperate, scared people just trying to keep their businesses afloat.

The good news is: You are not alone if you’ve been the target of a hacking attempt.

The not-so-good news is: No one has discovered the magic spell to make all these hacking attempts go away. As of today, there’s not much we can do about it other than to continue using our trusted arsenal of security tools and being vigilant about our security practices.

Need a security refresher? Welcome! You’ve come to the right place.

In the world of web security, it is far easier to prevent security threats than to remediate the damage done once the threat has gotten through.

An Ounce Of Prevention

Google saw more than 18 million phishing emails per day related to the COVID-19 pandemic during the week of April 5-12. And there’s evidence that it’s getting worse.

We’re also seeing a higher incidence of website hack attempts, social media-based spam and account hacking and, our new personal favorite, spam texts and phone calls that seem legit.

As the saying goes, “An ounce of prevention is worth a pound of cure.” And in the world of web security, it is far easier to prevent security threats than to remediate the damage done once the threat has gotten through.

So let’s review some of our fave security tools and best practices for keeping yourself safe on the web.

Website Security

  • Use HTTPS/SSL to make sure your site is secure. This protects both you and your users by encrypting all data transmitted between their browser and your website’s web server—and is the #1 most important thing you can do for website security.
  • Use advanced spam protection on all your website forms, including comments and reviews (like a Google ReCaptcha).
  • Add additional spam protection on top of that, like Akismet. (Here are a few others.)
  • Add Mailgun to any sites that don’t already have it. This isn’t directly spam related, but it does prevent domain names from being blocked by email systems due to the volume of spam. And it’s great as a preventative measure. (Check out our blog post about how to set up Mailgun for WordPress.)
  • Add a security plugin to your site such as: Sucuri, Wordfence or iThemes Security to help prevent brute force attacks and other hacking attempts.
  • Back up your site. Monthly is fine, weekly is better, daily is best.
    • Be sure to store your backups somewhere other than your computer or hosting account.
    • And remember, your backups are only as good as your restore process. If you don’t know how to access them or how to get them restored to your web host or a new host, you might as well not have them at all.
    • Learn more about WordPress backups here.

In this brave new world of scams, it’s better to be skeptical and wrong than to be too trusting and hacked.

Email Security

  • Use G Suite or Office 365 as your email provider instead of using the webmail provided by some hosting companies OR forwarding emails into a free gmail account.
  • Never click unknown links in an email from someone you don’t know or in a newsletter you didn’t subscribe to.
  • Be critical of the domain name in the email header.
    • Does the domain name match with the company who is supposedly sending you this email? (If not, then steer clear and delete.)
    • Does it contain a foreign extension (like .pl or .ru)? (If so, run for the hills! And also delete.)
  • School yourself on what phishing looks like. Check out the Federal Trade Commission’s recommendations on how to avoid phishing attacks.

General Security Practices

  • Use secure, unique passwords. This is much easier if you’re using a password keeper like 1Password or LastPass.
  • Always independently verify anything that you’re suspicious about. For example:
    • Navigate directly to the account’s website instead of clicking a link in an email or text.
    • Call the customer service number on the account’s website to talk to a real human (don’t try calling any phone numbers provided in suspect emails).
  • Trust your gut. Keep in mind that no automated system can replace good ol’ common sense. If you have doubts or something doesn’t feel quite right, trust your gut and have someone check it out.

In this brave new world of scams, it’s better to be skeptical and wrong than to be too trusting and hacked.

Need Help With Your Web Security?

Prevention – We Can Provide The 411

CodeGeek offers Website Spot Checks that include some basic security scanning and recommendations, Or, if you’re looking for a deeper dive, we can put together a security check that is customized to your website’s needs.

Remediation – We Can Help With A 911

We haven’t discovered the anti-hacking magic spell yet, which we’re all still bummed about. So remember that even with the best web security practices in place, there is no 100% safety guarantee.

If you believe your website has been compromised, the Geeks can help.

Contact us and we’ll review your site and provide some options for getting you back online as quickly as possible.

Important Note About COVID-19 Scams

Not surprisingly, scammers are taking advantage of the increased uncertainty and fear brought on by COVID-19. From emails to texts to phone calls (and even home visits), scams abound.

Stay vigilant, and remember the advice we offered above: It’s better to be skeptical and wrong than to be too trusting and hacked. Check out the FTC’s advice on how to avoid coronavirus scams for more information.