15 Common Website Security Myths

The Truth about 15 Website Security Myths

Over the years, I’ve heard lots of Website Security Myths. So, here’s a list of some of the top Small business Website Security misconceptions.

Myth #1 – My business is too small, it won’t get hacked.

Of all the website security myths I hear, this one is the most common from small businesses. Hackers don’t care how big or small your business is. Hackers will attempt to gain access to your site for a number of reasons :

  • Harm your business reputation.
  • Deface your site for their own purposes.
  • Gain access to your server and use it for their own purposes.
  • Use your site as a platform to infect other systems.
  • Because they can.

Many initial hack attempts are done by bots, not human hackers trying to gain access to your site or business. Hacker bots continuously scan the internet for potential vulnerabilities. Once a vulnerability is discovered, it will likely be exploited.


Myth #2 – I have an SSL Certificate, my website is secure.

Not True. SSL Certificates don’t protect your website. SSL Certificates encrypt data transmitted between a visitors computer and the server. Any vulnerabilities on a website are still exploitable even if an SSL Certificate is installed.


Myth # 3 – I don’t need to upgrade PHP on the server, it’s working fine.

No Way. Even though the site appears to be working fine, if a website isn’t running supported and secure code, it will likely get hacked, eventually. As a website security myth goes, if you don’t see it, it doesn’t exist. Far from the truth.


Myth #4 – The Credit Cards are displayed in the Admin, but there’s a login so it’s secure.

If credit card numbers are stored on your server that automatically puts the website at a higher risk and a different level of PCI compliance. Never display full credit card numbers anywhere, and worst, don’t store them unencrypted or plain text in the database. If you can reduce your liability and security cost and get those number off your server as soon as possible. You only need to store the last 4 digits. Use the PCI compliant merchant account for the rest.


Myth #5 – I have nothing of value on my site, it won’t get hacked.

Not True. The value of your site content is not the only reason to gain access to your server. They may be trying to use your server for additional attacks, file storage, gain access to other websites on the same web hosting company server and do all this anonymously.


Myth #6 – My Developer built security in.

I’m sure he’s a nice guy and likely has the best intentions. Don’t leave security to assumptions and chance. We always recommend a scan and additional security measures to ensure you don’t get hacked.


Myth #7 – I only used WordPress plugins and no custom code, I’m sure it’s safe and secure.

Nope. Plugins are usually the most common ways to introduce vulnerabilities into WordPress. Adding insecure plugins to your site will open vulnerabilities the core is unable to protect against. It’s better to be secure and only use the latest versions of secure/tested code.


Myth #8 – My Hosting Company is responsible for security.

No, they are not. Hosting companies generally don’t work on your website content. WordPress is considered website content. Hosting companies should make sure their server (operating system, PHP and etc) are all up to date. Adding insecure code to a security-hardened server will still make your site vulnerable. You can avoid this website security myth by understanding what your hosting company is providing and responsible for.


Myth #9 – My site isn’t using Microsoft technology, so it’s secure.

Definitely not. Although Microsoft may have a reputation in some circles for security issues, the truth is website vulnerabilities can be added at multiple points on any platform through Operation System (OS), server application layer, server code or JavaScript. It’s best to make sure all these points are secure and up to date.


Myth # 10 – My website looks fine. If there was a vulnerability, I’d know.

Not True. Website vulnerabilities are not always visible to the user or website owner until they have been exploited. Even then, it’s not always clear where the vulnerability is and usually requires digging and testing to close the hole. If a site is running an outdated or old version of anything, it’s very likely a vulnerability exists and is just waiting to be exploited. For example, if a hacker can tell what version of WordPress or PHP your site is running, they can just exploit known vulnerabilities for that version. Sometimes hacker just tries the known exploits in any version.


Myth # 11 – My password is secure enough, isn’t it?

You may think so, but there are a number of techniques hackers use to gain access to your hosting control panel, FTP, admin and any open contact point. Some typical techniques are password guessing common passwords or brute force attacks. Computers are so fast these days that simple short passwords can easily be cracked by a brute force attack in a short amount of time. Make your password at least 12 characters and mix upper case, lower case, symbols, and numbers. Here are some hints on creating a secure password. This website security myth not only applies to your website but password security in general.

Myth #12 – I’ll install a security plugin or code and it will be fine.

Security Plugins are always a good idea, as long as they work and are up to date. Just don’t rely on them completely. Many security plugins will only inform you after the site has been hacked. Then it’s too late. Make sure all vulnerabilities have been closed. To keep it secure, update the server, software, code, website and all plugins. A security plugin is not a silver bullet to fix all security issues. Don’t be fool by this website security myth.


Myth #13 – I have a backup. If my site gets hacked, no big deal.

Yes, you may be able to get it back up and running, but a backup will not prevent an exploit. The damage to business reputation may already have been done. It is better to be preventative and proactive than to fix it after the fact. Additionally, unless your backup is on a separate server not accessible by the exploited site, they may be able to delete the backup. I’ve seen so many backup solutions store the backup on the same server, or have credentials to the backup in the exploited account. Even if you use Dropbox as a backup and place the credentials to that backup on the vulnerable site, hackers can now also gain access to the backup. Definitely, have a backup, but set it up correctly and securely, too.


Myth #14 – I don’t need to security scan my site.

You should always security scan your website. Just because you can’t see the exploit doesn’t mean it’s not there. Scanning the site will uncover everything you can’t see with the naked eye. It’s the only way to know where the vulnerabilities are and how to go about patching them.


Myth #15 – My website was scanned last year, so it’s secure.

Not necessarily. Security is an ongoing practice and needs to be treated as such. As technology progresses, code changes and new vulnerabilities are discovered. A once secure website may no longer be as secure as it once was. Website servers and code should be updated and tested to maintain website security.


Remember, a website is only as secure as it’s most vulnerable point. Hence, make sure to keep your server, PHP and website code all up to date.

These are 15 most common Website security myths I hear regularly. If you have any comments, additional myths or recommendations please leave comments below and we’ll add them to this article.


About The Author