
Web Security — SSL, HTTPS and protecting data on your site

Every site should have SSL. But that is not enough. Security is many layers.

Tags: security, SSL, HTTPS, GDPR

Why security?

Hackers attack websites. They steal credit card data and customer data, and inject malware.

Google penalises sites without SSL and shows 'Not Secure' in the address bar.

Customers do not trust a site without HTTPS. 80% abandon it if they see a warning.

GDPR fines: €10-20 million for a data breach (or 2-4% of revenue, whichever is higher).

SSL/TLS certificate — encryption

SSL (Secure Sockets Layer) / TLS (Transport Layer Security) encrypts data between the user and the server. (SSL itself is obsolete; what sites use today is TLS, but the name SSL stuck.)

Without SSL: someone on the same network can intercept passwords, credit card numbers, etc.

HTTPS = HTTP + SSL. The padlock in the browser = trust signal.

Where to get it: Let's Encrypt (free, automated), Comodo, DigiCert (paid, more features).

Beyond SSL — other security layers

Firewall — blocks malicious traffic.

Web Application Firewall (WAF) — blocks common attacks (SQL injection, XSS).

DDoS protection — protects against floods of traffic.

Malware scanning — detects whether the site is compromised.

Security headers — Content-Security-Policy, X-Frame-Options, etc.

Backup — when things go wrong

Automate backups — daily if possible. WordPress = plugins like UpdraftPlus.

Multiple locations — don't just back up locally. Cloud backup (S3, Google Drive).

Test restores — a backup is pointless if you cannot restore from it.

Disaster plan — what if the site goes down? How quickly can you restore?

Password management

Strong passwords — mix uppercase, lowercase, numbers and special characters. Minimum 12+ characters.

Unique passwords — don't reuse them. Use a password manager (Bitwarden, 1Password).

2FA — two-factor authentication for admin access. WordPress = plugins.

Never hardcode credentials — if you use API keys, don't put them in code. Use environment variables.

GDPR — the European data protection law

GDPR applies if the site collects data from Europeans (even if you are on another continent).

Privacy policy — must be readable and must say what you do with the data.

Consent — you must ask for permission before collecting any data.

Right to delete — if someone asks, you must delete their data.

Data breach notification — if data is stolen, you must report it within 72 hours.

Common security mistakes

Mistake 1: Outdated software. WordPress and plugins not updated. It's the first thing hackers exploit.

Mistake 2: Weak admin credentials. Password 'password123' on the WordPress admin account.

Mistake 3: No backups. Ransomware locks the site. With no backup, game over.

Mistake 4: Forms without validation. Stored XSS attacks become possible.

Mistake 5: Ignoring security headers. Clickjacking and MIME sniffing attacks.

The most common attacks on Polish business websites (2024-2025)

Brute force attack on WordPress admin: The attacker tries 'admin/password123', 'admin/password', etc. It takes minutes if there is no rate limiting. 45% of attacked WordPress sites in Poland suffer from this.
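The rate limiting mentioned above is the control that turns a minutes-long guessing run into a lockout. The following is an added example, not code from the article or from WordPress: a small login throttle that counts failures per account and per client IP inside a sliding window and locks the key for a while once the limit is hit. The attempt log at the bottom is constructed; the limiter keeps its state in memory, so a real deployment (this is an assumption about your setup) would put these counters in a shared store that all web workers can see.

```python
"""Added example (not from the article): per-account and per-IP login throttling
with a temporary lockout. In-memory only; a real deployment would keep this
state in a shared store so every web worker sees the same counters."""
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures        # failures allowed inside the window
        self.window = window_seconds            # sliding window length in seconds
        self.lockout = lockout_seconds          # how long a key stays locked
        self._failures = defaultdict(deque)     # key -> timestamps of recent failures
        self._locked_until = {}                 # key -> time the lock expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                        # lock expired: start clean
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Register a failed attempt; returns True if this one triggered a lock."""
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def handle_login(limiter, ip, user, password_ok, now):
    """Outcome of one login attempt: 'locked', 'fail' or 'ok'.
    Both keys are checked so that rotating IPs does not bypass the account lock."""
    keys = (f"ip:{ip}", f"user:{user}")
    if any(limiter.is_locked(k, now) for k in keys):
        return "locked"
    if password_ok:
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k, now)
    return "fail"


# Constructed attempt log: seven wrong passwords one second apart, the correct
# password at t=8 (still inside the lockout), then the correct one at t=1000.
ATTEMPTS = [("203.0.113.5", "admin", False, t) for t in range(7)]
ATTEMPTS += [("203.0.113.5", "admin", True, 8), ("203.0.113.5", "admin", True, 1000)]


def run_demo(attempts=ATTEMPTS):
    limiter = LoginLimiter()
    return [handle_login(limiter, ip, user, ok, t) for ip, user, ok, t in attempts]


if __name__ == "__main__":
    print(run_demo())   # ['fail', 'fail', 'fail', 'fail', 'fail', 'locked', 'locked', 'locked', 'ok']
```

Two design points worth keeping in mind: the per-account key means an attacker who spreads guesses over many addresses still hits the lock, and the lock is itself a small denial-of-service lever against a known username, which is why many sites pair it with a CAPTCHA or a growing delay instead of a hard lock alone.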

SQL injection: A form field (contact form, search) is not sanitized. The attacker enters SQL code and gets access to the database. Rare with proper validation, common with sloppy code.

Cross-site scripting (XSS): A comment field accepts JavaScript. When another user reads the comment, the script runs and steals cookies or logs keystrokes. 30% of attacked sites have XSS vulnerabilities.
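Both of the form defects just described (and "Mistake 4: forms without validation" above) come down to user input being treated as code instead of data. The example below is added here and is not code from the article or from WordPress: it shows the unsafe search and comment handlers side by side with their fixed versions, plus a server-side validator for a contact form. The in-memory SQLite table and the inputs are constructed for the demo.

```python
"""Added example (not from the article): SQL injection and stored XSS, each shown
next to its fix, plus basic server-side form validation. Standard library only;
the users table and the inputs are constructed for the demo."""
import html
import re
import sqlite3

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("Anna", "anna@example.com"), ("Piotr", "piotr@example.com")])
    return conn


# --- SQL injection: the search term becomes part of the query text ----------
def search_unsafe(conn, term):
    sql = "SELECT name FROM users WHERE name = '" + term + "'"   # DON'T: string concatenation
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # Bound parameter: the driver passes the term as data, never as SQL
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (term,))
    return [row[0] for row in rows]


# --- Stored XSS: user text is pasted straight into the page -----------------
def render_comment_unsafe(comment):
    return '<p class="comment">' + comment + "</p>"              # DON'T: raw HTML


def render_comment_safe(comment):
    # Escape on output so <, >, &, and quotes cannot open a tag or attribute
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


# --- Server-side validation for a contact form ------------------------------
def validate_contact_form(fields):
    """Return a list of errors; an empty list means the submission is acceptable."""
    errors = []
    name = fields.get("name", "").strip()
    email = fields.get("email", "").strip()
    message = fields.get("message", "").strip()
    if not 1 <= len(name) <= 80:
        errors.append("name: 1-80 characters required")
    if not EMAIL_RE.match(email):
        errors.append("email: invalid format")
    if not 1 <= len(message) <= 2000:
        errors.append("message: 1-2000 characters required")
    return errors


# Constructed inputs used in the demo
INJECTED_TERM = "x' OR '1'='1"
XSS_COMMENT = "Nice post <script>alert(1)</script>"

if __name__ == "__main__":
    db = make_db()
    print("unsafe search:", search_unsafe(db, INJECTED_TERM))   # every row leaks
    print("safe search:  ", search_safe(db, INJECTED_TERM))     # nothing matches
    print(render_comment_safe(XSS_COMMENT))
```

Note that the fix for XSS is escaping at the point of output, not stripping tags at input time: the same comment text may be rendered in HTML, in JSON and in an e-mail, and each context needs its own encoding. Validation still matters for length limits and formats, which is what the contact-form check does.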

Ransomware via compromised plugins: A plugin with 50k installations has a vulnerability. The attacker exploits it at scale, encrypts all files and demands 5-10k PLN in Bitcoin. Happened to 100+ Polish businesses in 2024.

DDoS (Distributed Denial of Service): The attacker sends 1M requests/second. The server is overwhelmed and the site goes down. The attacker demands payment to stop. 15% of attacked sites in Poland were DDoS'd last year.

WordPress vulnerabilities — security specifics

WordPress is 43% of the internet. Also 43% of attacked sites. Why? Popular = attractive target. Older WordPress versions have known vulnerabilities that everyone knows about.

Plugin vulnerabilities: The most common attack vector. Plugins are written by small developers, not security experts. Update all plugins ASAP. An old plugin = an open door.

Theme vulnerabilities: Same story. Cheap themes from marketplaces sometimes contain backdoors (code that gives the attacker access). Buy themes from trusted sources only.

Outdated WordPress: WordPress 4.x (released 2015) has 50+ known exploits. Updating to WordPress 6.x (current) = a significant security improvement.

User roles: Not every WordPress user should be an 'Admin'. An Editor can write posts. A Contributor can submit them. If an account is hacked, the attacker can't do full damage if it isn't an admin.

Plugin bloat: More plugins = more vulnerabilities. 20+ plugins statistically have more security issues than 5 plugins. Remove unused plugins.

Two-factor authentication (2FA) — protects access to the CMS

2FA requires two things: a password (something you know) + a phone/authenticator (something you have). The attacker has the password, but without the phone, can't log in.

SMS 2FA: Enter the password, get an SMS code, enter the code. Better than nothing, but the phone number can be hijacked (SIM swapping). Still, 99.9% better than no 2FA.

Authenticator app (Google Authenticator, Authy): Generates a 6-digit code every 30s. No SMS needed. Better than SMS. Phone lost = you use your backup codes.

Hardware security key (Yubikey): A physical device. You must have it to log in. Most secure. Cost: 100-300 PLN, but worth it for important accounts.

WordPress plugins: WP 2FA, Two Factor and Wordfence all do 2FA. Add it to all admin accounts. For employees, mandate 2FA. Cost: free-50 PLN/year.

Security headers — indirect but important

Content-Security-Policy: Tells the browser 'allow scripts only from my domain'. Effectively prevents inline script injection attacks.

X-Frame-Options: Prevents clickjacking (the attacker puts your site in a hidden iframe and the user clicks a fake button). Set it to DENY or SAMEORIGIN.

X-Content-Type-Options: nosniff. Stops the browser from guessing the file type (which can be exploited) and forces the declared MIME type.

Strict-Transport-Security: 'Always use HTTPS'. Even if the user types http://, the browser upgrades the request to https:// on its own. Prevents MITM (man-in-the-middle) attacks.

Referrer-Policy: Controls what information is sent when the user clicks away. A combined privacy + security feature.
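A quick way to see whether the five headers above are actually set the way the text recommends is to run a response's headers through a checklist, which is what services like securityheaders.com do. The block below is an added example, not code from the article: it flags missing headers, a CSP that still lets any origin or inline code run scripts, an X-Frame-Options value outside DENY/SAMEORIGIN, a missing nosniff, and an HSTS max-age shorter than a year. The two header sets are constructed; for a live site you could pass `urllib.request.urlopen(url).headers.items()` (an assumption about your setup: plain HTTPS, no authentication).

```python
"""Added example (not from the article): a local checklist for the five security
headers discussed above. The two header dicts are constructed sample responses."""

REQUIRED = ("content-security-policy", "x-frame-options", "x-content-type-options",
            "strict-transport-security", "referrer-policy")


def parse_csp(value):
    """'default-src 'self'; script-src 'self' cdn.example.com' ->
    {'default-src': ["'self'"], 'script-src': ["'self'", 'cdn.example.com']}"""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or None if absent/invalid."""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1])
            except ValueError:
                return None
    return None


def audit_security_headers(headers):
    """Return a list of findings; an empty list means all checks passed."""
    h = {name.lower(): value for name, value in headers.items()}   # header names are case-insensitive
    findings = [f"missing {name}" for name in REQUIRED if name not in h]

    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        # script-src falls back to default-src when absent, as browsers do
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("content-security-policy: scripts may run from 'unsafe-inline'")
        if "*" in script_src:
            findings.append("content-security-policy: scripts allowed from any origin (*)")

    if "x-frame-options" in h and h["x-frame-options"].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: must be DENY or SAMEORIGIN")

    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("x-content-type-options: must be nosniff")

    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age is None or age < 31536000:
            findings.append("strict-transport-security: max-age should be at least 31536000 (one year)")
    return findings


# Constructed responses: a weak default next to a hardened configuration
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or "OK")
```

The CSP check is deliberately narrow: a policy can be syntactically present and still useless if script-src is wide open, so the checker looks at the effective script source list rather than just the header's presence. Before setting a strict CSP on an existing WordPress site, expect inline scripts from themes and plugins to break and test in report-only mode first.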

DDoS protection and WAF (Web Application Firewall)

DDoS protection: Cloudflare (free tier available, 20-200 PLN/month for advanced), Akamai, AWS Shield. Route traffic through their network and they filter bad traffic automatically.

WAF: Blocks common attacks (SQL injection, XSS, etc.) before they reach the server. Cloudflare WAF is free, or 20+/month for advanced rules.

Cost-benefit: A DDoS attack can cost 10-50k PLN in lost sales + reputation. WAF protection: 50-500 PLN/month. The ROI is obvious at the first attack.

Implementation: Change DNS to Cloudflare (30 min), enable the WAF (2 clicks). No code changes needed. Works on any hosting.

Security audit — how and how much it costs

DIY security audit: Use free tools (OWASP Top 10 checklist, securityheaders.com, SSL Labs) + manual testing. Cost: your time, 10-20 hours. Quality: 60-70%.

Professional penetration test: An (ethical) hacker tries to break in and reports vulnerabilities, severity and fix recommendations. Cost: 5-20k PLN (depending on site complexity). Quality: 95%+. Covers everything.

Middle ground: Security scan tools (Sucuri, Wordfence) scan your site automatically. Cost: 50-500 PLN/month. Quality: 80%. Good for ongoing monitoring.

Frequency: After major changes (redesign, new features), yearly at minimum. Changed something security-related? Test immediately.

For Polish businesses: A RODO (GDPR) compliance audit is mandatory if you collect personal data. The auditor checks: privacy policy, consent mechanisms, data storage, breach procedures. Cost: 2-5k PLN. Required by law.

FAQ — questions about web security

Is Let's Encrypt SSL secure? Yes. Free, automatic renewal, trusted by browsers. Same encryption as paid SSL (DigiCert, Comodo). The difference: no company verification badge. But the security = the same.

How much does a data breach cost a business? RODO fines: 10-20 million EUR or 2-4% of revenue (whichever is higher). Plus: lost customers, reputation damage, lawsuits. Average breach cost: 200k-2M PLN for a Polish SMB.

Does a website need a VPN? No, not for user data. HTTPS already encrypts the transmission. A VPN for employees accessing the admin panel = a good idea.

Is a password manager secure? Yes, if reputable (Bitwarden, 1Password). Better than reusing passwords. Use it for all accounts.

Summary

Security is not a one-time thing. It's an ongoing process, monthly at minimum.

SSL is the baseline. Firewall, backups, updates, monitoring, 2FA = real security.

Invest in security. Budget 1-2% of revenue yearly. It's cheaper than a breach.

Regular audits (yearly) + monitoring (ongoing) = peace of mind.

Want to check your site's security? Let's do a security audit and a GDPR compliance assessment.
