10 Best Practices for Website Security

Security

With website security being top of mind for both business owners and bloggers these days, you may be wondering how to effectively secure your own website. While searching for answers online, it’s easy to get overwhelmed. Perhaps you’re asking yourself if you need a bunch of plugins to stay safe? Or maybe you feel like you should disable comments on your blog posts. You might even be considering taking some coding classes to learn how to keep hackers at bay. The truth is there are several ways organizations and security experts go about securing their websites.

Get it right, and you can prevent the majority of cyber threats. Get it wrong and you can risk losing your reputation, money, and in the worst cases be forced to shut down your website completely. Since your website is perhaps your most significant online commercial asset, you must take proper precautions to guard it against online threats. That said, below are 14 best practices for website security you can implement to help you reduce the chances of your website getting attacked. While there is no such thing as a 100% guarantee of keeping your website secure, these tips can certainly go a long way in deterring the majority of would-be cybercriminals.

  1. Use a Secure Website Host

Your website hosting company matters, and not every company out there has security as a priority. Security is one of the big reasons people like to use large companies like SiteGround, BlueHost, Web.com, Network Solutions, or Register.com for their website hosting. These are names people recognize, and as a result, trust more than smaller companies.

They tend to provide measures such as SSL certificates, firewalls, network monitoring, and remote backups. While these services often come with a higher cost, the key is that companies like these tend to have defense mechanisms available. And, they are more likely to have secure web servers to host your website on in the first place with redundancies in case of a company-wide breach. Bottom line – do your homework and choose your website host carefully.

  1. Implement Strong Passwords

Make sure you use a strong password for every user on your site. A strong password has both lowercase and uppercase letters, numbers, and unique characters. You may also want to consider utilizing a password manager to help you produce and store secure passwords for your website and other online services. However, as with website hosting, you should use caution with the password manager you choose. A little research can be the difference between software that could compromise your security and one that is safe.

  1. Deploy Two-Factor Authentication

CSO Online describes two-factor authentication, also called 2fa, as “a method of establishing access to an online account or computer system that requires the user to provide two different types of information.” Using it in addition to your website login credentials will create another layer of security by requiring you to enter a specific code that is sent to your mobile phone, or click an approval button produced by a phone application.

In addition to two-factor authentication, you could add additional factors such as one-time use tokens, digital signatures, and other encryptions to further limit access. You can also require two-factor, or multi-factor authentication for any users you grant website access to as well. Adding these extra layers of security makes it much harder for software that some cybercriminals use to “guess” your password.

  1. Regularly Update Themes, Plugins, and the Content Management System Itself

It is important to update all website software regularly, as updates are often security-related, focused on patching recently discovered vulnerabilities. A common way for hackers to get into the backend of websites is by taking advantage of loopholes in security caused by using outdated software. You can prevent many potential security breaches simply by keeping your software updated.

While you’re updating plugins and themes, it’s also a good idea to remove any that you are no longer using, and ones that are no longer being monitored and patched by developers. Plugins and themes that aren’t maintained anymore are the most susceptible to threats, and hackers are notorious for inserting malicious scripts and code into them to sneak into your website.

  1. Frequently Scan Your Site for Malware

Scanning your site regularly for malware is a best practice for website security that is too often overlooked. The reason it’s overlooked is because many people don’t think to look for a problem until they notice something is amiss. The problem with that line of thinking is that malware can be lurking silently in the background without you even being aware of it. A single line of malicious code hidden in the thousands of lines of one of tens of thousands of files that make up a website is all it takes to redirect your visitors to a bad website, or destroy your website’s search engine presence. Think of malware scanning as a regular checkup that will signal you the moment something is wrong. The best malware scanner tools will also remove anything malicious as soon as they detect it.

  1. Backup Your Site Often

In the event something does happen with your website, you’ll be glad you had a backup on file. This will help you get back online quickly, and if you’re lucky you can do so before any visitors realize anything went wrong in the first place. Hostgator recommends backing up your website on a regular basis. In fact, they said, “The best case scenario is either daily or weekly backups.” This will help you prevent losing all the work you’ve done, losing revenue, and losing time during a site rebuild.

  1. Limit Access to High Level Roles On Your Website

There is no reason everyone who has an account with your website needs administrative access. In fact, most users might not need nearly as much access as you are granting them. Even Google’s developer website states that giving administrative access to users who don’t require it is a poor security policy that can lead to data breaches. This is a common security concept called the principle of least privilege, which essentially means that a user should only be given the access they need to complete their role.

The more people that are logging into your website, the more opportunities you have for nefarious individuals to wiggle their way in. Check your access controls and make sure that any user logging in can only see and interact with the things you want them to.

  1. Install a Web Application Firewall (WAF)

As G2.com explains, “Web application firewalls (WAF) are designed to protect web apps by filtering and monitoring incoming traffic.” In other words, they are built to block hackers from your website, and protect it from being exploited in the wrong hands. They root out traffic that could be malicious and identify anomalies in your traffic as well. Where traditional firewalls control traffic between servers, a WAF will filter and monitor traffic between web applications and the internet.

  1. Remove Unauthorized Users From Accessing Content

If you are no longer working with a website design company, remove their access. Or perhaps you have let an employee go – it’s time to revoke access to them as well. The last thing you want is a disgruntled past vendor or ex-employee logging in and ruining the coding on your website, or intentionally exposing you to risk of a cyberattack.

  1. Subject Your Website To Regular Testing

Malware scanning and removal tools aren’t enough to keep you secure. You should be testing your website regularly and asking yourself two questions:

– How much time does it take for your website to load?

– How’s the performance?

Sites that go down regularly and/or that take forever to load can sometimes indicate you’ve been hacked. Then again, there is a chance that your images on your website are too big which can kill your uptime speed. You can use compression software to shrink the images on your website to improve your loading speed, and then monitor your uptime and performance to root out any anomalies that might need to be addressed.

Additional Website Security Tips For You

Use Comment Moderating

It’s a bad idea to allow people to leave comments on your website without first vetting them. Check your comments for websites and links that could be malicious in lieu of automatically approaching all of them as they come in. And don’t approve comments that have weird characters or HTML code in them. This will help you filter out spam and dangerous links. If you’re using a Content Management System like WordPress – which has built in blogging capabilities – but you don’t actually encourage visitors to comment on your site, it’s recommended to fully disable comments. Bots can create comments that don’t display on the page, but can be read by search engines, ultimately harming its reputation without the website admin even being aware of it.

 Deactivate Directory Browsing and Indexing

Hackers can use directory browsing to determine if you have vulnerable files on your website that they can take advantage of. Directory indexing occurs when there isn’t a default file to load (often called index.php or index.html). This results in the browser instead displaying your website’s entire file structure, including all files and folders. According to WPBeginner, “Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information.” Once a cybercriminal finds a vulnerability, they will sometimes target it in an attempt to add malicious code to your site.

Don’t Allow All File Types to Be Uploaded

The best website security practice would be to prevent all file types from being uploaded to your site. However, in some cases your business will require allowing users to upload image, pdf, audio, and other file types. If you have to allow uploads, at least enforce these rules:

– Have a maximum file size allowed

– Limit the file extension types permitted to be uploaded

– Make sure you are using a malware scanner for all incoming files

– Use software to automatically rename files upon upload so a hacker won’t be able to find it again in the event they manage to upload something malicious

– Don’t allow uploads into your webroot files that could unintentionally give access to the backend of your website

Make Sure To Have Security Protocols In Place

 Keep a checklist on hand of all of your security protocols for your website. For example, you could add things to it like “update plugins,” “delete inactive accounts,” and “require employees to change their passwords.” Add a weekly, monthly, or quarterly deadline to these protocols, and enforce them regularly.

Audit your protocols at least once every quarter to determine if you need to add more protocols to your internal website security checklist. If you have several people working in your business that will be accessing your website regularly, make sure they are aware of all of your security protocols. It’s also a good idea to train your employees in things to look out for, and who to contact if they see something is amiss. Finally, don’t hesitate to bring in professionals and purchase security tools to help you keep your website secure.

The sad truth is, there will always be hackers and cybercriminals out there. And, they are getting more sophisticated with their attacks every year. That’s why it’s more critical now than ever before you implement systems and processes to keep your website safe for yourself, your employees, and your visitors. I hope these tips have inspired you to examine your own website’s security to look for vulnerabilities and patch them up. Never forget that the best defense is a good offense, and you have many options for keeping cybercriminals away.

Ron Doss is a Senior Web Security Analyst and content contributor at SiteLock, a global cybersecurity company, based in Scottsdale, Arizona. With over 10 years’ experience in web design and hosting, as well as 5 years focused on web security, Ron specializes in finding and removing malware along with dispelling other website security issues that harm websites. When he's not ridding the world of malware and making the web a safer and better place, he's pwning n00bs while online gaming and yeeting his life savings on meme stocks.