Security is one of the most important aspects of any website. This is especially true today considering the fact that cybercrime continues to be a serious threat for businesses and users. The FBI states that “Cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated.” In fact, websites experience a staggering 62 attacks per day, according to SiteLock research. Now more than ever, small businesses need a cybersecurity checklist when building and maintaining their websites.
When cybercrime happens to your company website, you can lose money, credibility, and customers. Left unchecked, your website could be taken offline completely if the right hacker gets into it. With that in mind, let’s cover what you need on your cybersecurity checklist to protect yourself, your customers, and your company overall.
1. Set Your Site Up for Success with a Web Application Firewall (WAF)
A web application firewall (WAF) is one of the most important elements on your cybersecurity checklist, by monitor incoming traffic to help prevent severe cyberattacks to your site. Research and implement a WAF that specialize in OWASP top 10 attacks, including common bad bots, malicious traffic, harmful requests, and targeted attacks.
2. Scan Your Website Regularly For Weaknesses
It’s critical that you regularly check your website for malware and vulnerabilities. The more frequently you look into the state of things (like your files and plugins), the sooner you can see if anything is amiss. Having an automated website scanning tool for malware detection and removal is only part of the solution.
You should also proactively keep an eye out for random code that may appear, files that have been uploaded without your knowledge, unauthorized logins, etc. If you do find a weakness, you should patch it immediately before it can turn into a full-blown problem (aka a website compromise).
3. Keep Your Software Updated
From plugins and themes to your content management system (CMS) in general, it’s critical that you keep all the software related to your website updated. Often times when a plugin or theme is updated, software developers patch up leaks and holes they are finding in their own security. By using outdated software, you’re virtually asking cybercriminals to breach your website’s security. After all, when a vulnerability is found, it’s the easiest time to exploit it. Don’t give hackers the chance!
4. Update Your Login Information
Whether you are updating and scanning your own website or using a web developer, it’s a good idea to regularly update or change your login information. Today, generic passwords like “password123!” are not enough to keep savvy hackers out. Your passwords should be unique and contain numbers, symbols and at least eight characters, and you should change them regularly. As an added security measure you should use two-factor authentication or a password manager.
If you hired a web developer, make sure they too are regularly updating their login information. The last thing you want is a breach due to someone else not keeping security (theirs or yours) top of mind.
5. Restrict Access
As a best practice, there should be a limit on how many people have access to the backend of your website. Not everyone needs full access to everything. Consider what permissions you are giving the people accessing your website and restrict it as you feel necessary.
You also may want to restrict access to your website’s front end. Yes, you want your customers to be able to visit your site freely, but for sensitive activities where data might be entered, they should be a little more limited as to what they can access. For example, if customers will be making purchases on your website, you may want to require they register with your site and have a username and password in order to complete their transactions.
6. Use HTTPS
As Google Developers states, “HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages.”
It’s important to note however, that HTTPS isn’t just a setting you can turn on to effectively secure your website on its own. You must have an active SSL (Secure Sockets Layer) certificate installed on your website server to effectively encrypt the communication between your website and your users’ browser.
An SSL certificate is a basic security measure you should have, especially if you collect customer data, have a contact page, and accept online payments. This will prevent cybercriminals from intercepting sensitive information—while it is in transit from the users’ browser to your web server.
When your communications are unprotected through HTTP, Google Developers explains that cybercriminals can use them to “trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources.”
Learn more about SSL certificates in our post “What Is an SSL Certificate?”
7. Backup Your Site Regularly
While the hope is you will never need it, having a clean backup of your site is helpful in the event anything does go wrong. After all, if a cybercriminal got in, you wouldn’t want to have to rebuild a site from scratch on top of everything else.
8. Investigate Traffic Surges
While it’s true that there could be times the traffic to your website is higher than others, a significantly large and unexpected surge in traffic could be a sign that something is wrong. It could mean that bad bots are flooding your website, and in the worst cases, it could mean that your website is experiencing a Distributed Denial of Service (DDoS) attack.
Is Your Website Secure?
This list is far from exhaustive in terms of what you can do to keep your website secure. The reality is that even if you use all of the items on this cybersecurity checklist, you still may have vulnerabilities in your site. Get a free risk assessment, and learn how likely your website is to be compromised today.