Website security is essential for all businesses operating online in 2020.
Many people don’t know where to start or what to look for when assessing, securing, and monitoring their site against today’s threats.
That’s why we made it easy.
Below are the 12 steps you can begin to take today to ensure your site stays secure against threats such as:
- Cross-Site Scripting (XSS)
- SQL Injections
- Abusive/DDoS traffic
- Hackers
- Malware
- Brute force attacks
- Software vulnerabilities
- Malicious insiders with account access
Read on to get secure.
What is Website Security?
Website security can be defined as a set of actions and procedures that you take in order to protect the website. This is very important if you are looking to prevent any form of exploitation of the site’s data and users.
If you don’t take care of security, this will lead to loss of revenue, reputation, traffic, and even legal issues.
In the past, small businesses could’ve gotten away without investing much into security, but this is no longer an option. Today, hackers are able to search for targets automatically by using automated ways of exploiting all vulnerable websites regardless of their revenue and reputation.
Server security is generally a broader subject, and if you would like to learn more about it, please read this article. For those that came here to secure their WordPress website, we have an article for that specific purpose as well.
12 Step Checklist for Website Security
Here are 12 steps you can start taking today to get secure.
1. Prevent Cross-Site Scripting (XSS)
Cross-Site Scripting is a type of exploit in which malicious scripts are injected into web applications that were built using JavaScript.
There are numerous vulnerabilities that allow these attacks to succeed anywhere a web application takes user-input and generates output without encoding it properly. The user’s browser doesn’t have a way to check if the script is safe so it will execute it, allowing it access to cookies and other sensitive information.
This would mean, for example, that the attacker can steal the end-users credit card number or hijack their browser session. Scripts can even be used to modify the content of a page which opens a virtually limitless potential for exploitation.
To prevent these attacks make sure to use an SSL certificate and restrict file uploads wherever possible. If regular file uploads are necessary for your website type, it would be best to dedicate a remote server solely for this purpose.
2. Prevent SQL Injections
Like with XSS, SQL injection attacks usually require the website to allow user input which is then saved to a database.
The attacker can abuse this ability by writing an SQL statement in a text field that was actually meant for username input, for example. This statement is then executed on the database and that way the attacker can read or modify sensitive data.
In order to protect your website from these attacks, try to limit user input as much as possible.
To achieve this you can use drop-down menus with predefined input and input validation for forms with regular text input. Web application firewalls (WAF) provide great protection from these attacks as well with their pattern identification capabilities.
3. Use a Web Application Firewall (WAF)
Web Application Firewalls track and filter website traffic in real-time, blocking abusive traffic while regular secure traffic continues.
These firewalls are constantly being updated with new threat profiles by security teams that make sure things remain up-to-date. The most popular examples of this software are Cloudflare WAF and Sucuri WAF.
If you’re using WordPress, you most likely already heard of Wordfence as well, since it’s the number one all-purpose security plugin.
4. Prevent DDoS Attacks
Distributed Denial-of-Service attacks are used to deny access to your website by depleting the server’s resources. This is done with an overwhelming number of requests sent by a botnet network of compromised computers.
Denying access to your website may not sound like a security threat by itself, but the issue is much more nuanced than that. For example, a common vulnerability that arises after a DDOS attack is that the administrators tend to prioritize getting the website up as soon as possible. This often means temporarily shutting down some security services to free up server resources.
To protect your website from these attacks, we recommend using CloudFlare’s DDoS solution.
5. Install SSL Certificates and Use HTTPS
When a website user enters their credit card number or log-in credentials over an insecure connection (HTTP), an attacker can intercept that data.
SSL (Secure Sockets Layer) certificates are used to encrypt data exchanged between a web server and a browser and to validate your website as a legitimate business.
There are three levels of certificates to consider depending on the sensitivity of the information which is being exchanged by your website. Since first-level certificates are available free of charge, there’s no reason not to apply this solution immediately.
If you are using a control panel solution like cPanel, this is easily done with an SSL installation wizard.
6. Perform Regular Malware Scans
Malware includes all malicious software that was created for the purpose of damaging your website or infecting it with malicious code in order to damage the end-users computers.
This is the most common threat to computer security in general, as there are many different types of malware, including viruses, worms, Trojan horses, ransomware, spyware, etc. Once the malware is stored on the server, it can be used for all sorts of things, like collecting sensitive user data or turning the server into a botnet slave.
A wide variety of malware scanners are available today and a lot of those are offered for free. We wrote an article on installing and using the Maldet malware scanner for this purpose.
7. Manage Passwords Properly
If the website’s administrator or a user sets up a simple password, an attacker could gain access to the account. There are multiple ways of achieving this, from simple social engineering methods like investigating the person online to brute force attacks.
Be sure to request strong passwords when any new accounts are being registered (control panel, FTP, emails, site membership, etc.). Strong passwords are long and include a mixture of lowercase and uppercase letters, numbers, and symbols.
It’s important to request regular password resets from your users as well, and to provide them the option of using two-factor authentication.
Two-factor authentication (2FA) is an additional layer of security that provides a second step such as receiving a message with a PIN to your mobile device.
8. Avoid Outdated Software
Exploits for popular website software are being built at every moment and they are steadily evolving with each software update. This means that it’s only a matter of time until your website’s current software can be compromised by attackers.
To protect your website, make sure to keep all software updated to the latest version. This includes your content management system (CMS), plugins, themes, and any form of add-on software that your site may use.
The server’s software needs to be considered as well, but for the purpose of this article, we will only suggest updating to the highest possible PHP version that your website supports.
9. Set Up Regular Backups
Since there’s no way of making any website 100% secure, it’s very important to keep healthy backups of data to restore if the site gets compromised. Use your control panel’s software or a CMS plugin like UpdraftPlus to set-up regular website backups.
The frequency of the backup should be determined by how often the website is being edited or updated with new content from both the admin side and the end user’s side.
Other things to consider are backup size and location. We suggest storing the backups on at least two locations to avoid losses caused by hardware failure or malware.
10. Consider the Hosting Companies Reputation
This might seem like an obvious consideration, but unfortunately that isn’t the case. We are often distracted with low prices and quick set-up claims when purchasing online services, and it’s not any different when it comes to hosting.
When picking a hosting company, you should investigate its market share, support quality, terms of service, and included security products. It’s also important to check for optional security products that it may offer.
Also, check to see if the hosting provider has been breached in the past, and if so, how they handled the situation.
11. Keep Websites on Separate Accounts
If you’re using control panel software like cPanel, Plesk, or Interworx, make sure to take advantage of its user management capabilities.
Dedicating a separate account to each website will prevent malware from spreading once a single site is infected. Removing malware from just one website is often a long, manual, and challenging process, so the least we can do is separate the websites.
12. Limit User Accounts
If your website allows users to make their own accounts, be sure to limit user account capabilities to what is necessary.
Disabling all unnecessary options will greatly reduce the security risks for your website. The same advice applies to managing the user permissions in your control panel software, so make sure to check what you can do with the available options.