Website Security Checklist: 18 Ways to Secure Your Site
Most people don’t take website security seriously until they get hacked. And no amount of regret or tears can bring back their precious data, website, money, time, energy, and clients lost when this horror strikes. What’s even more scary is that most hacks are made possible through their own negligence or naivety.
Whether you sell products online, or just advertise your services; whether your website accepts customer data or not; whether you are a multi-million-dollar enterprise, or just a new tech start-up; securing your website should be your number one digital concern. Yes, you read that right. Website security is more important than engaging with your readership, generating more leads, even ranking higher on Google. In fact, if your website gets hacked, Google may never show it in its search results (more on this later).
What does it mean to “secure” a website?
Put simply, website security ensures that a user only gets to see what they’re authorized to see, and only gets to perform actions that they’re authorized to perform. For example:
- A guest user shouldn’t be able to access the internal customer dashboard on your website
- A logged in customer should be able to see the internal dashboard.
- A customer shouldn’t have access to the administrator portal of your website.
- Your blog writers should only be able to add posts to your website, and not update its configurations.
- Only a few system engineers should have direct access to the servers hosting your website.
What really is at stake?
The end goal of securing a website is to prevent it from getting hacked. A hack could have wide-ranging ramifications; from preventing visitors to access your website, to stealing and/or encrypting sensitive customer data.
Your own private data could also be hijacked and abused. Fraudsters can pose as you and use your credit card to their rotten heart’s content. While you may be able to reverse those charges on some occasions, the hit on your credit score could have lasting effects. If that’s not a reason to take website security seriously, we don’t know what is.
Here’s what else is at stake:
Your precious data
According to Infosecurity Magazine, there was one Ransomware Victim Every 10 Seconds in 2020. So, if you’re still thinking, “Oh please, it will never happen to me.” think again!
Now, what’s a ransomware attack?
It’s the horror of logging in to your computer one day to find a message across your screen saying that either
- You’ve been blocked from using your computer or website
- All your personal, website or business data has been taken hostage (encrypted from you), and the hackers have demanded a large sum of money be paid by a deadline or have your data deleted forever.
Of course, most people ignore the importance of backing up their data. Thus, they’re forced to accept this data loss which can ruin businesses or pay the ransom while there’s no guarantee hackers will have the honour to actually return what was held hostage after payment is made.
In May 2021, the business networks of a massive U.S. oil pipeline operator was shut down by ransomware and it paid nearly $5 million to get restarted.
Your clients’ precious data
Hackers will do anything to get their hands on your clients’ data. Why? Clients enter their personal information (email addresses, residential addresses, passwords) and bank card details on websites to create accounts or make transactions.
If hackers get their hands on this, they can either go on spending sprees with these bank details, or sell the card details to other hungry criminals for a pretty buck. Clients’ personal information is valuable too. It can be used to create marketing profiles and sold to spammers or even genuine advertisers for unscrupulous targeting.
If you need any more motivation to protect your clients’ data, read the next section on Money to see the penalties you pay for compromised client data.
Your money and time: getting sued
In addition to the loss in revenue because of ransomware or client data getting stolen, customers and partners may jump ship or straight out sue you for negligence. Getting sued means months spent in court and painful amounts of money on lawyers and settlements.
What’s worse is you may also have to pay hefty fines to regulatory bodies like Payments Association of South Africa (PASA) whose job it is to ensure websites accepting payments comply with the rules. For instance, Equifax paid a whopping $575 million to the authorities and its customers, as a penalty for a massive data breach in 2017.
Your website’s ranking
Google takes strict actions against websites that encounter data breaches. So much so that they may completely de-index hacked websites, which means that they’ll never show up in its search results.
People just don’t trust companies that have been breached. And why would they, if it could put them at risk of getting their data compromised? Your partners and vendors, both existing and prospective, will think twice before doing business with you.
Besides your customers and users’ data being at risk, your brand could also tank. Any brand you’ll have built for yourself will be ruined. The possibility of restarting, even after you make any sort of fix, is near to none. As the saying goes, once bitten, twice shy.
Not only will your brand be ruined, but it can be appropriated by said thieves to conduct other nefarious activities like pushing their schemes further, or using your connections to dupe even more people. They could even replace content on your site, like payment details and email addresses, with their own.
The worst part is that you may not have been the deliberate target of a hack, but rather part of a generic phishing expedition built to ensnare many websites at once.
18 Simple ways to quickly secure your website
Now that we know why website security is important, let’s look at some basic website security tactics that’ll go a long way to keeping you protected.
1. Use an SSL certificate
SSL, or Secure Sockets Layer, is the most basic, yet the most important tool to secure your website. An SSL certificate encrypts traffic, as it flows between servers and browsers. It ensures that all customer data, including account numbers, usernames and passwords etc. stay hidden as they travel across the internet. It’s the go to check for seeing if a website is secure for payment.
Using it, a browser can guarantee that the user is in fact communicating with the original, certified website, and not an impersonating hacker. It’s therefore of foremost importance to get an SSL certificate for your website.
Check out this in-depth blog post on the impact an SSL can have on your website and why it’s imperative for security, including how to get a security certificate for your website.
2. Restrict file uploads
There are many security risks associated with file uploads. A user can replace a file on your server by uploading one with the same name or extension. There’s also a chance they upload a harmful file that could potentially allow them to gain unauthorized access to system resources. To prevent file upload attacks, keep the following guidelines in mind:
- Restrict file uploads by extensions or types.
- Scan files before saving them on the server.
- Set a maximum size limit.
- Don’t store uploaded files on the same directory as your website’s source code.
- Make users authenticate themselves before uploading files.
3. Adjust default CMS settings
It’s almost never a good practice to keep your website running with the default CMS settings. Some of these settings can be related to permissions, visibility, and user types. For example, you may want to change the default file permissions on WordPress. Or you may want to choose different “roles” (e.g., super admin, author, contributor etc.) for different people on your team.
4. Regular backups
When everything else is falling apart, backups can swoop in and save the day. Someone corrupted your source code by injecting a malicious script on the server? No problem. Just revert to the backup you created last night. Your computer attacked by ransomware? Once again, your backup has you covered. Here are a few tips to keep in mind:
- Backup your website regularly. A site export from several months ago may strip multiple features off your UI and set you back several months.
- Store backups externally i.e., not on the server(s) hosting your website.
- Automate the backup process. A manual process is not only tedious, but also prone to human error.
Backing up your data should be like a habit you can’t kick. And why would you want to, when it has livelihood-saving benefits. Educate yourself on how vital it is to properly backup your data.
5. Implement access control
Trust no-one by default, and apply the principle of least privilege, i.e., give a user the bare-minimum level of access that they need to perform their duties. E.g., A writer doesn’t need access to the server configuration dashboard. Similarly, no one but the system engineers should be given direct SSH access to your servers.
6. Secure your personal computer
As a site owner or administrator, your personal computer can be full of sensitive information regarding your website. This can be passwords, user roles, databases, and server access, etc. It’s therefore critical that you secure your personal computer. In this regard, here are a few things to keep in mind:
- Choose a strong passphrase.
- Don’t leave your computer unlocked and/or unattended.
- Use a firewall and an anti-virus software to prevent malware from entering your system.
- Keep your operating system and programs up to date.
- Beware of phishing attempts; don’t download suspicious attachments or click on potentially harmful links.
On the topic of phishing, bad actors are always on the lookout for a new catch. Don’t take the bait. Learn what to look out for and how to protect yourself from online phishing emails.
7. Use strong passwords and multi-factor authentication
If you’re not sure how to create strong passwords, read our article on best practices for password security. Moreover, implement a multi-factor authentication mechanism that requires users to specify additional information to their passwords while logging in.
A one-time pin code sent to their mobile phones after they enter their password, or a verification code from an authenticator application, like the Google Authenticator.
8. (For WordPress users) Monitor with security plugins
If you are a WordPress user, you can actively monitor your website’s security outlook using different plugins, like Wordfence and Cerber. They install a rigorous firewall on your server, and run comprehensive malware scans to identify any risks and vulnerabilities. They’re among the top WordPress security plugins, so you know they’ll do a fine job keeping your site protected.
9. Don’t hate updates – install them immediately
According to a 2020 report, 53% of cyberattacks in the previous two years stemmed from third-party software. This includes the plugins you install on your WordPress site, the anti-virus software on your server, the web API you fetch random data from, and your favourite browser.
A lot of new software updates and releases are patches to vulnerabilities and bugs that can potentially be exploited by hackers. So, make it standard practice to keep all your applications up to date.
10. Use a web application firewall (WAF)
A web application firewall, or WAF, is a special type of firewall used for monitoring, filtering, and blocking traffic (typically HTTP), to and from a web application. Use a modern WAF to protect your website from some of the most common attacks like SQL injections, cross site scripting and forgery, improper system configuration, cookie poisoning, and application layer DDoS attacks.
This addition to security is one of the simpler ways to improving website security.
11. Disable Directory Indexing and Browsing
Let’s suppose someone enters the name of a directory in the address bar. The directory actually exists on the server hosting your website. If there’s no index file present in the pertinent directory, by default, the web server will return the directory structure to the browser. This means that the entire list of files and folders in that subdirectory will be made visible to the visitor. See image below:
This happens because of something known as directory browsing, which is enabled by default on some web servers. As you can imagine, hackers can extract exploitable information like which plugins are installed, what theme you’re using, and which database contains your data. All of this from directory browsing. From here, they’ll use the information to plan their attacks.
Fortunately, there’s usually an easy way to disable directory indexing. For WordPress, follow these steps:
- Log in to your website using an FTP client.
- Download the .htaccess file present in the root folder. (Since the file is usually hidden, you may need to enable hidden file viewing.
- Open the .htaccess file, and put the following line at the bottom:
- Options –Indexes
- Save the file and upload it to your server using the FTP client.
This will disable directory browsing on your website, redirecting the user to a 404 Not Found page instead.
12. (For WordPress users) Change your wp-admin URL
By default, WordPress uses
http://yourblog.com/wp-login.php as the default page for admin login. However, it’s recommended to change it as soon as your website goes live. With access to the default login page, all a hacker has to do to gain access to your WP dashboard, is crack your password. To prevent that from happening, randomise your WP Admin URL, using a plugin like WP Cerber.
13. Run vulnerability scans
It’s an undeniable fact that security is an ongoing effort. There is no room for complacency. There is no amount of security recommendations, that once applied, will make your website categorically impenetrable.
They will improve your security posture, yes, but to keep everything safe, you need to adopt a security-first approach. A big part of that is regularly running vulnerability scans on your server. They’ll not only help you identify risks and vulnerabilities in your web application, but also in other software on your server.
14. Limit the number of allowed login attempts
If you don’t limit the number of allowed login attempts, potential hackers can run a brute-force attack, where they continuously try to log in with different username-password combinations. If a user’s password is not too strong, they may get it right after a few attempts. Even if the password is strong, there is still a possibility that they get it right, even though it may take much longer.
The bottom-line is, if someone fails to provide correct login details after 3-4 attempts, their account should get locked. To unlock, they must be required to reset their password, or request an administrator to do so.
15. Regularly check error logs
Checking the error logs of your website can give you some nifty insights as to where you may be experiencing some issues. This can include simple 4xx and 5xx errors, users struggling to access you site, or system failures.
You can take a look at your error log using cPanel, although some software, like WordPress, has its own error log. To check your error log with cPanel, simply log into the system and navigate to the Metrics category and then Errors.
Any problems with your website will show up there. You’ll also find a breakdown of the type of error, in which file it resides, and the line of code. Now, you may be able to tackle some of these yourself, for others, you’ll need a developer.
16. Protect against SQL injection
Hackers find increasingly slippery ways to steal data, and an SQL injection is one of the more nefarious methods.
They can inject additional code into your website’s database using a web form or URL. By doing this they could also dump your entire database, which then gives them access to all of your private and secure data.
Most software has commands that protect you from website SQL injections. For example, W3 Schools uses a bit of code that has the server checking each line of code and treating it individually, as opposed to a complete expression.
17. Outsource your PCI Compliance
If your company or organization accepts credit card payments in any way you’ll need to be in compliance with the PCI DSS (Payment Card Industry Data Security Standard). This is a PASA (Payment Association of South Africa) regulation in South Africa.
If you don’t follow it you can expect some serious-suited individuals to come knocking, and they won’t be there for tea. In fact, they’ll impose fines as hefty as R50 000 per merchant after one month of non-compliance.
Now, it’s possible for any company to undergo the process of becoming PCI Compliant, but it can be a tedious process and requires a team of experts for that acquisition and its maintenance.
Alternatively, companies like PayFast and PayGate jump through those metaphorical hoops as a paid service. If you’re a small company, outsourcing to a PCI Compliant company makes the most sense. It’s even viable if you’re a bigger company, like us and many others.
As you may have seen via a redirection when you make a purchase on our site, we use PayFast. They redirect clients to make payments in a certified 3D secure environment.
Here’s an example of their certificate of compliance. Be sure to verify any company’s certification if you decide to outsource.
18. Choose a good web hosting provider
Last but not least, choose a web hosting provider that takes security as seriously (if not more) as you. This is really critical because as a website owner, there’s only so much you can do to secure your website. All your efforts can be rendered useless if your hosting provider doesn’t ensure high levels of security.
At HOSTAFRICA, security is at the heart of everything we do. We use strong WAFs, along with some of the best web-app protection software like Imunify360 and Patchman. We also offer a rich selection of SSL certificates.
We know these are a lot of safety precautions to go through, but a single mistake can be the end of your website as you know it, so taking as many steps as possible to prevent that is well worth it.
For a TL; DR version, take a look at the below FAQs. It’s important to note, that these answers are of course not the full story. We’d suggest taking the time to saddle up with your security measures by implementing as many of these steps as possible.
How do I make my website secure?
Implement as many actions and precautions as possible to ensure that a user only sees what they are authorized to see. This can include:
- Using an SSL certificate
- Restricting file uploads
- Adjusting CMS setting
- Regular backups
- Access control and securing your personal computer
- Using strong passwords and multi-factor authentication
- Using web application firewalls (WAF)
- Disabling directory indexing and browsing
- Running vulnerability scans
- Limiting the number of login attempts
- Become PCI Compliant or Outsource to a PCI Compliant company
- Choosing a good web hosting provider.
How do you know a website is secure?
There are a few ways to check if a website is secure.
- Check to see if it has an SSL.
- Look for spelling and grammatical errors.
- Check if the brand and theme is in line with what they are selling.
- Look for contact information.
- Run a Whois Lookup.
- Check the URL for missing letters or typos.
What is website security?
Website security is taking action to protect personal and business data against cyber attacks which aim to expose such data.
How to get a security certificate for a website?
Simply purchase an SSL certificate from a registered SSL certificate supplier, like us.
You can’t find a one-time-only, complete website security implementation guide, no matter how or where you search. With this article, our aim was to handpick some of the most important guidelines which will help you get started and secure quickly.
Don’t forget, security is a never-ending affair, and it’s important to always stay vigilant, and always keep improving.