Is your website secure? Probably not (Here's why)

Written on 17 January 2025 by Webcentral

Updated on 28 April 2025

Estimated read time 5 minutes

Is your website secure? Probably not (Here's why)

Right now, automated bots are scanning your website for vulnerabilities. They're checking your login pages, probing your contact forms, and looking for outdated plugins they can exploit. This isn't fear-mongering – it's the reality of website security in 2025.

If you're using our hosting and security, you're already protected against many common threats. However, website security often seems like a maze of technical complexity and costly solutions for most Australian business owners.

💡 2025 Alert: Website attacks have become Australia's primary vector for data breaches. Content management systems (CMS) are the most targeted entry point, surpassing 76,000 in a single year.

Understanding website threats in 2025

While the Optus and Medibank breaches dominated Australia’s headlines, cybercriminals aren't just targeting corporate giants. Hackers are increasingly targeting small and medium-sized Australian businesses.

Why?

Because attackers know that smaller businesses often lack the robust security measures of larger corporations while still handling valuable customer data, the payoff might be smaller. Still, the success rate is much, much higher.

Automated attacks

According to the ACSC's threat report, every 6 minutes, another Australian business reports a cyber attack. Most of these aren't sophisticated hackers targeting specific businesses - they're automated bots constantly scanning for common vulnerabilities such as:

WordPress installations
Plugin systems
Contact forms
Login pages
Shopping carts
File upload functions

So how are they doing it?

Unfortunately, there are many different types of attacks on your website. Below, we’ve made a table outlining some of the most common website attacks, how they work and how they can impact your site:

Attack Type	Description	Impact
SQL Injection	A technique where attackers insert or manipulate SQL queries through input fields or URLs to gain unauthorised access to the database. This exploits vulnerabilities in database handling.	Unauthorised access to sensitive information such as user data, financial records, and personal details. Attackers can alter, steal, or delete data.
Cross-Site Scripting (XSS)	It involves injecting malicious scripts into web pages viewed by other users. This is often done through input fields like comments, forms, or user profiles, exploiting trust in the website.	Theft of user credentials, hijacking of user sessions, and displaying unwanted or harmful content to users.
Website Defacement	Attackers alter the visual appearance of a website, replacing legitimate content with their messages, images, or links. This often signifies more profound security vulnerabilities.	Damage to the website's reputation and credibility, potential loss of user trust, and increased risk of further malicious activities or malware installation.
DDos	An attack that overwhelms a website with excessive traffic from multiple sources, rendering it inaccessible to legitimate users.	Prolonged website downtime, loss of revenue, diminished user trust, and potential reputational harm.
Malware Injection	Installing malicious software into a website's code or server can then infect visitors or compromise data. This can occur through vulnerabilities or compromised credentials.	Compromised user security, data breaches, potential legal repercussions, and loss of trust from users and stakeholders.
Phishing Attacks	Creating fraudulent websites or forms that mimic legitimate ones to deceive users into providing sensitive information such as login credentials or financial details.	Data theft, financial loss for users, and erosion of trust in the website or organisation.
Credential Stuffing	Utilising automated tools to attempt logins on a website using stolen usernames and passwords obtained from other breaches, exploiting the reuse of credentials by users.	Unauthorised access to user accounts, data breaches, potential identity theft, and increased security management burdens.
Remote Code Execution	Exploiting vulnerabilities that allow attackers to execute arbitrary code on the server, gaining control over the website's backend and infrastructure.	Full control over the website and server, data theft or manipulation, and potential for deploying further malicious activities or malware.
Man-in-the-Middle Attacks	Intercepting and potentially altering communications between the website and its users, often through unsecured networks or compromised systems.	Data interception, altered or injected communications, compromised user trust, and potential data breaches or manipulation.

So, now we know exactly what is targeting your site, what can we do to actually deal with it? Below, we have broken down a list of tasks you can get on with today.

Website-specific protection

1. Keep your CMS updated

Whether you are using WordPress, Joomla, and or some other CMS platforms – they often regularly release security updates to ensure that your site from the backend is protected. Where does this often go wrong? When the user isn’t updating the site.

We’ve put a table together to help you monitor exactly what you should be looking for and when to do it. Sure, updates aren’t always convenient, but do you know what’s more inconvenient? All your website data being compromised.

Update Type	Frequency	Risk Level
Core CMS	Monthly	Critical
Plugins	Weekly	High
Themes	Monthly	Medium

2. Form Protection

Your website's forms are prime targets for attackers seeking to exploit vulnerabilities, you can add some protection to them by adding the following:

Add CAPTCHA systems - you will have seen these before when you’re trying to complete a puzzle in order to complete a task (e.g. click on all the ‘bicycles’), this helps stop those automated bots from attacking your site.
Input validation - ensure that the information entered into your forms meets specific criteria before it’s processed (don’t just let anything get accepted). For example, checking that an email address is in the correct format or that a password includes a mix of letters and numbers. Input validation helps prevent malicious data from being submitted.
Rate limiting - control the number of times a user can perform a specific action within a set timeframe. For instance, limiting the number of login attempts from a single IP address can prevent brute force attacks where attackers try numerous password combinations to gain unauthorised access.
Honeypot fields - add hidden fields to your forms that are invisible to human users but detectable by automated bots. For example, you might include an extra field that should remain empty; if it’s filled in, it’s likely a bot submission.

3. File Upload Security

Likewise, if your website accepts file uploads (e.g. uploading documents, images etc.), you need additional prevention and protection in place:

File type restrictions - only allow specific types of files to be uploaded to your website. For example, restrict uploads to formats like JPEG, PNG, and GIF if your site only needs images. Limiting the types of files that can be uploaded reduces the risk of malicious files being introduced to your system.

Size limitations - set maximum file size limits to prevent huge files from being uploaded. Large files can consume significant server resources, leading to performance issues or even denial of service.
Malware scanning - set up malware protection to automatically scan all uploaded files for malware before they are stored or made accessible. Use reliable antivirus and anti-malware software to detect and remove any malicious code embedded within files.
Secure storage configurations - store uploaded files in safe locations with strict access controls. Ensure uploaded files are not executable and cannot be accessed directly via the web. Use directories outside the web root and implement proper file permissions to restrict access.

Hosting-specific protection

After seeing thousands of websites compromised, one thing becomes clear: most could have been prevented with not just the website protection measures above but hosting ones, too. Let's break down the strategies that consistently prove super effective.

Let’s get your website's security started with three fundamental elements:

1. SSL certificates

Think of SSL as a secure tunnel between your website and its visitors. Without it, data travels in plain text – like sending a postcard instead of a sealed letter. Our guide to HTTPS vs HTTP explains why this matters.

Feature	HTTP	HTTPS
Data Protection	None	Encrypted
SEO Impact	Lower Rankings	Higher Rankings
Browser Warnings	Yes	No
Customer Trust	Low	High

2. Password protection that works

Weak passwords remain a leading cause of website compromises. Here’s the thing: 3 in 4 people risk getting hacked due to bad password practices. Pretty much everyone knows what to do here. It’s just making sure you do them. But let’s make sure we’re on all the samples. Here's what works:

Require passwords with 12+ characters - the longer and more complex the password? The less chance you get hacked. Mix them up with special characters to avoid being brute-forced.
Force regular password changes - it used to be the advice to regularly change passwords, but this is more of an outdated practice now. The issue is that people used to change their passwords, however, only very slightly, giving a false sense of security. Instead, we recommend using password software like 1Password, and Last Pass to generate brand-new complex passwords, but ones you don’t have to worry about remembering constantly.

Enable two-factor authentication (2FA) - with 2FA; users must provide a second form of verification, such as a code sent to their mobile device, in addition to their password.

💡 Pro Tip: Use a super strong password generator to generate these requirements automatically (https://www.strongpasswordgenerator.org).

Have you already been compromised? Check out: “Have I Been Pwned?” You might need to update your password sooner than you think:

3. Update everything

We’ve already touched on updating your CMS and plugins for your website. But you should also update the software on the computer you access your site. Ignoring these updates can expose your website and your personal devices to breaches, risking your data and the trust of your users. Software updates aren't just about new features—they're critical security patches.

Advanced website protection

We’ve got more of the basics covered, but there are steps you can take to ensure you go ‘above and beyond,’ whether it be for compliance or just simple peace of mind.

1. Firewalls

Protecting your website starts with a properly configured firewall. This essential security tool controls all traffic flow based on strict rules, blocking threats while keeping legitimate visitors flowing. Regular updates and consistent log monitoring ensure you stay protected from the latest security risks.

Why It Matters:

Blocks malicious traffic - firewalls can filter out harmful requests, such as those from known malicious IP addresses or suspicious patterns indicative of attacks like SQL injection or Cross-Site Scripting (XSS).
Protects sensitive data - by restricting access to your server, firewalls help safeguard sensitive information from attackers' access or theft.
Enhances compliance - many regulatory standards require the implementation of firewalls as part of their security protocols.

2. Automated Backup Systems

When all else fails, backups are your safety net. Set up automated systems to capture files and databases without manual input and store these backups separately from your main site. Keep your recovery plan solid by testing backups routinely and ensuring they contain all essential components needed to get back online quickly.

Why It Matters:

Data recovery - in the event of a cyberattack, data corruption, or accidental deletion, backups allow you to quickly restore your website to its previous state.
Business continuity - minimises downtime and ensures your website can be up and running swiftly after an incident.
Compliance requirements - some regulations mandate regular data backups to protect against data loss.

3. Security monitoring tools

Security monitoring tools watch your website at all times to spot potential threats. Set up automated tracking and instant alerts for any unusual activity. Check reports regularly to find weak spots, and combine these tools with firewalls for complete protection.

Why It Matters:

Real-time malware detection - identify and neutralise malware before it can cause significant damage.
Login attempt tracking - monitor logs and login attempts to detect and prevent brute force attacks or unauthorised access.
File change monitoring - keep an eye on changes to your website’s files, alerting you to any unexpected modifications that could indicate a breach.
Traffic pattern analysis - analyse visitor behaviour and traffic patterns to identify anomalies that may signify malicious activities, such as Distributed Denial of Service (DDoS) attacks.

Tools alone aren't enough

Training your team in security fundamentals helps protect your website. Teach them to spot suspicious logins and unsafe files and set clear steps for password management and file handling. Ensure everyone knows what to do if there's a security issue - who to call, what steps to take, and what to document. Simple training makes your website safer and helps your team handle any security problems quickly.

The human side of site security

What often gets missed out on most web security guides, yet it is the most important. The majority of website compromises don't start with sophisticated hacking tools. They start with simple human oversight.

Good training followed by regular checks doesn't mean dull presentations about password policies. It means practical, hands-on sessions where your team learns to:

Spot suspicious login attempts before they succeed
Handle file uploads safely (a common attack vector)
Recognise and respond to security alerts

Remember, websites aren't just technical systems - they're tools people use. The best security balances protection with practicality.

We get it, though; it’s overwhelming. There are likely many new terms here with acronyms you don't understand. However, the key though is starting somewhere. You don't need to implement every security measure at once, but you need to begin with the basics: SSL, strong passwords, and regular updates. Build from there based on your specific needs and risks.

Then, when you get stuck, don’t hesitate to contact us or consult an expert.

To make things a bit easier, we prepared a full-on checklist for you to work through and why it matters:

Website Security Checklist

🔲 Keep CMS Updated (Ensure your content management system is current to protect against vulnerabilities)

🔲 Update Plugins & Themes Regularly (Prevent exploits by maintaining the latest versions)

🔲 Implement CAPTCHA on Forms (Block automated bots from submitting malicious data)

🔲 Enable Input Validation (Ensure form inputs meet criteria to prevent injections)

🔲 Set Up Rate Limiting (Limit actions to prevent brute force attacks)

🔲 Add Honeypot Fields (Detect and block automated bot submissions)

🔲 Restrict File Types for Uploads (Allow only safe file formats to minimise malware risks)

🔲 Set File Size Limits (Prevent server overload and denial of service)

🔲 Enable Malware Scanning (Automatically detect and remove malicious files)

🔲 Configure Secure File Storage (Store uploads securely with proper permissions)

Hosting-Specific Protection

🔲 Install SSL Certificates (Encrypt data between your website and visitors)

🔲 Use Strong Passwords (Protect accounts with complex, unique passwords)

🔲 Enable Two-Factor Authentication (2FA) (Add an extra layer of security for logins)

🔲 Regularly Update Hosting Software (Patch vulnerabilities in server software)

🔲 Configure a Firewall (Block malicious traffic before it reaches your site)

🔲 Implement Automated Backups (Ensure data can be restored quickly after an incident)

🔲 Use Security Monitoring Tools (Continuously monitor for suspicious activities)

Advanced Security Measures

🔲 Configure Web Application Firewall (WAF) (Protect against common web attacks like SQL injection and XSS)

🔲 Automate Backup Processes (Schedule regular backups without manual intervention)

🔲 Monitor Security Logs Regularly (Review logs to identify and respond to threats promptly)

🔲 Set Up Real-Time Alerts (Receive immediate notifications of potential security issues)

Human Factors

🔲 Conduct Security Training for Team (Educate your team on recognising and handling threats)

🔲 Establish Incident Response Plans (Prepare procedures for responding to security events)

🔲 Promote Strong Password Practices (Encourage the use of password managers and unique passwords)

Essential Security Tools

🔲 Install a Malware Scanner (Regularly check your website for infections)

🔲 Enable Login Monitoring (Track and secure access attempts)

🔲 Use File Change Monitoring (Detect unauthorised modifications to your site)

🔲 Deploy a Traffic Analyser (Identify and block suspicious traffic patterns)

What really works in website security

After years of helping organisations recover from website attacks, we've learnt that adequate security isn't about implementing every tool available - it's about choosing the right ones and utilising them properly.

💡 Pro Tip: Don't simply install these tools and forget about them. The real value comes from regular monitoring and swift responses to their alerts.

Need to up your website security? Our team can help you transfer over to Webcentral and protect you! Talk to an actual human, any time.

Webcentral

View more posts by Webcentral