Website security matters now more than ever.
In fact, there have been about 300 percent more cybercrimes reported to the FBI since the COVID-19 pandemic began.
It’s clearly not just about building trust with your customers. Data breaches can also result in stolen data and lost revenue due to downtime. The global cost of data breaches averaged about $3.86 million in 2020. While the data breaches for large, national companies are what make the news, about 43 percent of cyberattacks do happen to small businesses.
In other words, no small business is too small to be noticed by a hacker.
The following is a 12-step website security checklist that’s simple enough for even the biggest beginners to work through.
No. 1: Keep all your software up to date
Software updates might be annoying or inconvenient, but they’re critical to ensuring that you don’t have obvious vulnerabilities that can be taken advantage of by hackers.
Keep an eye out for software patch notifications. They’re intended to help resolve any discovered vulnerabilities.
And in general, make sure you update your software as soon as you get those notifications. Resist the urge to “remind me later.”
No. 2: Tighten up your passwords
Passwords are an obvious aspect of your website security that you must consider. However, they’re often neglected as far as:
- Their complexity
- How frequently they’re updated
In fact, it’s not uncommon for people to keep all their passwords written on a Post-It located on their computer monitor. We definitely do not recommend this!
Focus on creating complex, secure passwords. As recently as 2019, the password “123456” was used 23 million times in the UK. You can do better than that. Avoid being predictable. Mix up capital letters, numbers and special characters in your passwords.
To help with your password management, you can try tools like LastPass and 1Password. Tools like these can help you not only create secure passwords but can also keep track and help you regularly update them as necessary. We recommend updating every six to 12 months at least.
No. 3: Prevent spam comments on your website
Especially when you’re maintaining blog content on your website, spam comments can be a top concern. In fact, they’re one of the most common ways that hackers and spammers will mess with your website.
Obviously, spam comments reduce the trust your real visitors would have for your site. In addition, spam comments don’t bode well for your search engine optimization (SEO) either.
There are a number of integrations and plugins that can help you identify and moderate comments on your website with a simple code embed. Refer to your hosting platform to see if they already have an option available for you to use.
No. 4: Prepare for the worst by regularly backing up your website (and all of its data)
By backing up your website regularly, you’ll be able to bounce back quickly should something go wrong.
The “wrong” could be a hacker, but it also could just be a garbled website after a problematic redesign.
Check with your hosting provider for help with this. If you’re using WordPress, there are several plugins that can automate backups.
No. 5: Use an SSL certificate
SSL stands for Sockets Secure Layer, and it helps keep sensitive transfers of data secure.
Think login credentials, credit card information or any other personal information. An SSL certificate gives you that extra layer of protection.
In addition, SSL boosts the overall perceived security of your website since secure websites have a lock symbol on the side of the URL address bar of your browser. In fact, if you don’t have an SSL certificate, the browser will notify visitors either with a “not secure” label or by blocking the connection entirely.
If you don’t already have an SSL certificate for your website, you can get one by:
- Verifying your website’s information through the ICANN Lookup tool.
- Generating a Certificate Signing Request (CSR) through your server, your cPanel or an online CSR generator.
- Submitting your CSR to a certificate authority to validate your domain.
- Installing the certificate on your website.
No. 6: Limit both user permissions and access
Spoiler alert: You should not give all your employees and colleagues unfettered access to the backend of your website.
Every user with access translates into natural vulnerabilities for your website, so make sure that you’re setting appropriate permissions that reflect each team member’s role.
Of course, you’ll want to terminate access as soon as an employee leaves your team. But you also should set the standard for secure, frequently updated passwords for all users.
No. 7: Only use a trusted payment provider
If you’re processing payments of any kind on your website, it’s important to only use a trusted payment provider.
Not only will a trusted provider properly and securely process payments, but their use automatically builds trust with your website visitors.
No. 8: Reduce any XSS vulnerabilities on your website
XSS stands for Cross-Site Scripting and refers to the way that hackers can insert malicious code into your website. That code then aims to capture the private data of your website visitors.
This step of reducing those vulnerabilities actually can require a web developer’s help. However, beginners should still be aware of this threat. In the meantime, use a web application firewall to scan your website. You can also clean your user HTML inputs with such tools as HTML Purifier.
No. 9: Reduce any SQL injection vulnerabilities
If your website stores a lot of sensitive user data (like credit card information), you’re doing to want to consider SQL injection vulnerabilities on top of XSS.
It’s not as common but will steal sensitive data directly from your database.
Again, this is definitely a step that you should discuss with your web developer, but solutions can include setting up a firewall, using a whitelist and so on. Learn more about what can be done to reduce SQL injection vulnerabilities.
No. 10: Use anti-malware software for advanced, extra website security
Anti-malware software aims to prevent security threats by detecting and removing them early on from your website (before they do too much damage).
Of course, anti-malware can cost money to install and use. Take the time to review your budget, and remember that the cost of a security breach (both monetarily and perception-wise) can be so much more.
No. 11: Keep an eye out for any traffic surges
Another type of website security attack involves blasting your website with fake traffic to essentially overwhelm your web servers and crash your website.
This type of attack, called Distributed Denial of Services (DDoS), happened more than 10 million times in 2020 alone.
Fortunately, your traffic analytics tools can help you identify and strange surges. Most web hosting platforms come with DDoS protection, but you can always use external tools, such as Cloudflare or Radware, for additional protection.
No. 12: Get an extra layer of protection with Web App Firewalls
Web App Firewalls, otherwise referred to as WAF, defend against multiple types of website security attacks. Hence why this isn’t our first mention of them.
A firewall essentially monitors your web traffic and guards against any traffic that’s malicious. WAFs use policies to determine which traffic is dangerous.
If you’re a small business, we recommend a cloud-based or software-based WAF due to lower cost and ease of maintenance. That being said, there is also hardware-based WAF that, while harder to maintain and more expensive, can also be more effective.
Website security can feel like an overwhelming topic for any website beginner, but simply go step-by-step to identify what you can do better to protect your business and your customers.