From hijacking servers to stealing data, cybercrime has become a daily threat, and online consumers have to be more careful than ever. If your property’s website doesn’t give consumers confidence, they won’t stick around, let alone make a booking. And if your website becomes compromised, it could cost you even more.
The security of your site is critical to user experience and protecting your business. Here’s how to ensure your website stays safe.
Promote Phishing Awareness
Phishing refers to the criminal practice of sending seemingly innocent communications designed to trick the recipient into downloading malware or giving out secure information. Unfortunately, scams like this are on the rise, with 94 percent growth between 2020 and 2024. Once mostly confined to email, phishing is branching out into phone calls and text messages as well. Ensure that your staff are watchful and familiar with your property’s legitimate IT procedures so that they are not tricked by fake IT messages. As with other training topics, review this regularly.
Only give website access to those staff who need it. The more people who have access, the greater the chance that one of them will click on that phishing email. Hint: If each employee has their own site login instead of sharing one, it’s easier to tell who a problem originated with.
This goes for your property management system (PMS) as well. If your PMS is hacked, it jeopardizes your online bookings. The information in your PMS could even help hackers send out phishing emails pretending to be you!
Invest in Anti-malware Software
Anti-malware software is what it sounds like, a program that prevents malware from doing damage to your website. It can include web scanning, firewalls, PCI compliance, and other security measures. You may have to purchase it yourself, or it may come with your hosting provider and/or content management system. Either way, it creates another obstacle between you and any hackers.
Use Web Application Firewalls
A web application firewall is a barrier between users and your site. Think of it like a security checkpoint at a border. If the firewall accepts the user, they get through to the site. Otherwise, they don’t. These firewalls determine if a user is cleared based on a blocklist (turns away known attacks), an allowlist (enables pre-approved traffic to enter), or a combination of the two. This can impede SQL injection, cross-site request forgery (CSRF), cross-site scripting (XSS), and file inclusion attacks, so it’s worth having even if it doesn’t block every attack.
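The combined approach described above, sketched as an added example (not code from the original post or from any particular firewall product). The routes, signatures, and sample requests are constructed for illustration and are far simpler than a production rule set.

```python
import re
from urllib.parse import unquote_plus

# Allowlist: the only method/path pairs this hypothetical hotel site serves.
ALLOWED_ROUTES = {
    ("GET", "/"), ("GET", "/rooms"), ("GET", "/blog"),
    ("POST", "/booking"), ("POST", "/blog/comment"),
}

# Blocklist: deliberately simplified signatures for attack classes named above.
BLOCK_PATTERNS = {
    "sql injection": re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "cross-site scripting": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "file inclusion": re.compile(r"\.\./|\.\.\\|\b(?:php|data|file)://", re.I),
}

def evaluate(method, path, params):
    """Return (decision, reason) for one request."""
    # Allowlist first: anything the site does not serve is refused outright.
    if (method.upper(), path) not in ALLOWED_ROUTES:
        return "block", "route not on allowlist"
    # Blocklist second: inspect every parameter of an otherwise valid request.
    for name, value in params.items():
        decoded = unquote_plus(unquote_plus(value))  # undo single and double URL encoding
        for label, pattern in BLOCK_PATTERNS.items():
            if pattern.search(decoded):
                return "block", f"{label} signature in '{name}'"
    return "allow", "allowlisted route, no blocklist match"

# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    ("GET", "/rooms", {"guests": "2"}),
    ("POST", "/booking", {"name": "O'Brien", "room": "12"}),
    ("POST", "/booking", {"name": "Ana", "room": "1' OR '1'='1"}),
    ("POST", "/blog/comment", {"body": "%3Cscript%3Ealert(1)%3C/script%3E"}),
    ("GET", "/blog", {"page": "..%252f..%252fetc%252fpasswd"}),
    ("GET", "/wp-admin/install.php", {}),
]

def run_samples():
    """Evaluate every sample request and return the list of decisions."""
    return [evaluate(m, p, q)[0] for m, p, q in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request[0], request[1], "->", *evaluate(*request))
```

The guest name containing an apostrophe is allowed while the tampered room value is blocked, which is the balance a blocklist has to strike between stopping attacks and turning away real guests.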
Ensure You’re PCI Compliant
Make sure that your booking engine is PCI compliant. This means that it adheres to the Payment Card Industry Data Security Standard (PCI DSS) for companies that accept, process, store, or transmit credit card data. If a guest’s credit card information is stolen from your booking engine, it creates a serious reputational concern among other issues.
Use Strong Passwords
If a TV hero can guess your password in the nick of time, it isn’t strong enough. Don’t choose any of the most commonly hacked passwords, passwords you’ve used before, or passwords with your personal information (your birthday is out). One technique is to link three random, but easy to remember, phrases into one. Whichever password you use, change it regularly and make it long (over 12 characters).
Using a password manager is a good option. These computer programs create random passwords and store them for you in encrypted form. This way, you don’t have to write passwords down, which could compromise their security.
Two-factor authentication may still save you if your password is stolen. While it adds a step to the login process, it’s a great way to secure access to your online accounts by sending you a one-time code by email or text message that you must enter along with your password when you log in.
A little over a quarter of hackers have attempted to guess passwords, and 17 percent of them have succeeded. Your password can be an easy fix or an easy fail.
Employ HTTPS
HTTPS stands for “Hypertext Transfer Protocol Secure,” and it protects the privacy and integrity of data passed between a website and a user’s computer.
Through data encryption (keeps data from spies), data integrity (data can’t be modified or corrupted without being detected), and authentication (proves users are communicating with the website they expect), HTTPS ensures the user’s connection with the website is secure. Any website that accepts data from users should implement HTTPS.
The difference between HTTP and HTTPS is much more than a letter. Data passed between a website using HTTP and a user’s browser is not encrypted and can be intercepted by third parties. Google marks HTTP websites as unsecured so that users avoid them, and it downgrades their SEO.
Update Regularly
Your website and plugins should be updated regularly to prevent security breaches. Hackers are learning new things, and you need to keep up with them. If you use WordPress, security updates can be set to happen automatically, and you can see available updates under Dashboard >> Updates.
It’s important to keep track of your plugins. In WordPress, that’s where 94 percent of the vulnerabilities are. Be judicious. Don’t use so many that you can’t remember to update them all, and don’t choose cut-rate or, worse, pirated versions. You get what you pay for.
Monitor Comments
Monitor comments regularly on your blog (and anywhere else on your site that accepts them), or set up your site so that you have to manually approve them, to keep out bots, fake accounts, and malicious links. A CAPTCHA test helps exclude the bots, as does requiring people to register before they comment.
If you don’t have endless time to browse through comments (and most of us don’t), you can always turn them off a month or so after the content is posted to stop them from piling up or being overlooked.
Be aware that spam comments compromise your SEO as well as your security. Google doesn’t want to send users to insecure sites!
Protect Your Personal Computer
If hackers gain access to your personal computer, they could use that access to reach your hotel website. Therefore, it’s vital to ensure that your personal computer is safe. Do you log into your hotel website from your personal computer? Are you running any antivirus software on it? If the answer is yes to that first question, it has to be yes to the second as well.
If you aren’t using a computer program, uninstall it. It’s like having a door to your house that you don’t need…but that burglars could use.
Be Prepared
Know what steps you’ll take if your site does get hacked and have backups available. A backup is a saved version of your website, including databases, content, files, and media. This can protect you from ransomware. If you have a backup copy of your information, hackers can’t hold it hostage.
Certain web hosts and plugins include backup services. Backups should be stored on a different server from your website. If they’re not, hackers can get to them there. It’s also useful to have more than one backup and to perform backups on a regular basis to prevent the data from being outdated. Automate backups so that they aren’t forgotten.
If the worst happens and you are hacked, have contingencies offline as well. Tell your staff who they should call in an emergency. This helps get the site running again that much faster and keeps them from reaching out to any bad actors (hackers posing as IT).
Search your site regularly for issues and vulnerabilities and keep an ongoing log of site activity. Site security isn’t something you can set and forget. You should review TLS/SSL certificates, DNS records, application updates, user access, file integrity, and web server configuration. If you have multiple sites on the same server, hackers can reach the safe sites from the ones that have already been infected. Think of it like an actual virus. You don’t want to stand next to the coughing guy.
Using these basic precautions and working with partners (hosting providers and content management systems) that take security seriously ensures that your website remains safe and prevents guest data from being compromised. This in turn safeguards your property’s reputation and bottom line.
If you use WebRezPro design services, we offer a WordPress maintenance plan that covers security so that you can focus on guests knowing your site is safe.
Editor’s note: This post was last updated December 2024.