Website security is absolutely critical to maintaining a great search ranking on Google and building a brand that is trusted by users.
Without website security, you can create legal issues for your business and angry customers.
Here are 5 simple steps that you can take to lock down your website and run things as securely as possible:
- Choose a Good Host Plan
- Management Best Practices
- Security Installations
- Building Hacker-Resistant Code
- Monitor Your Site
Let’s go through each:
1. Choose a Good Host Plan
The first thing that you really need to do is get an SSL certificate: a TLS/SSL certificate lets your site serve pages over HTTPS, so traffic between a visitor's browser and your server is encrypted.
An SSL certificate is critical to maintaining rankings in Google, since a couple of years ago Google decided that any website without one would be marked as not secure.
Being marked as not secure, of course, is a great way to drop in the rankings and lose the opportunity for anyone to buy anything on your site.
These days, many hosts offer SSL plans for free.
They may even set up HTTPS for you without much extra work on your end.
In addition, your host plan should offer a good system of backups.
Backups are necessary to restore your site in the event that things go wrong.
Choose a host that has good firewall options and protection against DDoS attacks.
This not only helps keep your own site from being hacked; on shared hosting it also keeps service uninterrupted by protecting the other sites on the same server.
2. Management Best Practices
Update things.
That means updating your software, any CMS, and even any hardware that you might be responsible for.
Updates often include security patches and fixes for known weaknesses.
By keeping everything updated, you'll prevent a hacker from exploiting a known weakness in an older version of your software.
You’ll also want to back everything up and have automatic backups running regularly.
How often you should back up depends on how often the content on your site changes.
Securing your website isn’t just about preventing things from going wrong in the first place, it’s about being able to fix things in the event that they do go wrong.
Failing to back up your site is simply naive wishful thinking that is likely to get you in trouble.
Always have backups that you can restore in the event that you need your data back.
3. Security Installations
There are a number of different kinds of software and plugins that you can install to your site or server to make your website more secure.
These come after the host plan and management best practices, providing an additional layer of protection against hacking.
The first thing that your site needs to have is an SSL certificate, like we talked about above.
While many hosts will set up HTTPS for you, if yours does not, obtain a certificate from a third party as soon as possible.
Most CMS solutions have a variety of security plugins to choose from that you can run directly within the site.
Especially if you use WordPress, you should have a number of great options to choose from.
Find some things that you like and install them.
You absolutely need to invest in malware detection software.
Malware can be malicious code slipped into your site by hackers, or even redirect links or uploaded files that you don't know about.
While you might be able to self-monitor some things, you definitely don’t want to be combing through all your pages and all the code on your site every single day.
Malware detection software is a great investment.
4. Building Hacker-Resistant Code
Your site is vulnerable to hacking through a few common channels: file uploads, SQL injection, and cross-site scripting (XSS).
An upload feature can let a hacker place their own code on your server simply by uploading it.
If you can avoid it, it’s safest to have no way for any files to be uploaded to your site.
If you need to take in file uploads, there are a handful of things that you can do to prevent those uploads from being security threats.
Limit file sizes so uploads cannot be used to exhaust your storage or bandwidth (a DDoS vector), store uploaded files in a folder outside your web root, and rename files on arrival so that hackers cannot request and run what they uploaded.
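The three upload rules above, as an added example that is not part of the original article: a size cap, a server-chosen random filename, and storage in a directory the web server never serves. The extension allow-list, magic-byte check and size limit are constructed policy values for the example.

```python
import os
import secrets
import tempfile

MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # constructed cap; blunts storage/bandwidth exhaustion
# Allowed extensions mapped to the magic bytes their content must start with (constructed policy).
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}

class UploadRejected(ValueError):
    """Raised when an upload violates the policy."""

def store_upload(original_name: str, data: bytes, upload_dir: str) -> str:
    """Validate an upload and save it under a random name; upload_dir must sit
    outside the web root so nothing stored here is reachable through the web server."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Only the extension survives from the client-supplied name; the rest is
    # discarded so path components such as "../" never reach the filesystem.
    ext = os.path.splitext(os.path.basename(original_name))[1].lower()
    if ext not in MAGIC:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    stored_name = secrets.token_hex(16) + ext   # server-chosen, unpredictable
    path = os.path.join(upload_dir, stored_name)
    # O_EXCL: fail rather than overwrite if the random name already exists.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def run_demo() -> dict:
    """Exercise the policy with constructed inputs in a throwaway directory."""
    upload_dir = tempfile.mkdtemp()
    results = {"dir": upload_dir}
    results["ok_path"] = store_upload("../../photo.png", MAGIC[".png"] + b"\0" * 64, upload_dir)
    for label, name, data in [
        ("script", "notes.php", b"<?php echo 1;"),
        ("mismatch", "cat.png", b"GIF89a" + b"\0" * 8),
        ("too_big", "big.png", MAGIC[".png"] + b"\0" * MAX_UPLOAD_BYTES),
    ]:
        try:
            store_upload(name, data, upload_dir)
            results[label] = "accepted"
        except UploadRejected as e:
            results[label] = str(e)
    return results
```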
SQL injection is a way for a hacker to alter the SQL statements your site runs and break into its database.
If the input from a form field is not constrained tightly enough, people can insert extra SQL and get into your databases.
This is an especially vulnerable part of many sites, because SQL databases often house sensitive information.
Keep your SQL tightly written and your queries specific, so that user input is never treated as part of the query itself.
XSS attacks target your site's visitors by slipping malicious script into the pages that your site then serves to them.
You can prevent XSS attacks by ensuring that the code on your site is tightly written and does not give user-supplied input a way into the page as live code.
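The SQL injection and XSS points above, as one added example that is not from the original article: a query built by string formatting beside the same query with a bound parameter, and a comment rendered raw beside one rendered through HTML escaping. The `users` table and its two rows are constructed for the example.

```python
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

def lookup_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """Whatever the user typed is pasted into the statement, so it is parsed as SQL."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_safe(db: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the driver passes the value separately; it is never SQL."""
    rows = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

def render_vulnerable(comment: str) -> str:
    """User text dropped straight into the page becomes live markup."""
    return f"<p>{comment}</p>"

def render_safe(comment: str) -> str:
    """Escaping turns <, >, &, quotes into entities, so the text stays text."""
    return f"<p>{html.escape(comment, quote=True)}</p>"

def run_demo() -> dict:
    """Run both pairs against the textbook inputs for each weakness."""
    db = make_db()
    tautology = "' OR '1'='1"             # closes the quote and widens the WHERE clause
    script = "<script>alert(1)</script>"  # textbook XSS probe
    return {
        "sql_vulnerable": lookup_vulnerable(db, tautology),
        "sql_safe": lookup_safe(db, tautology),
        "xss_vulnerable": render_vulnerable(script),
        "xss_safe": render_safe(script),
    }
```

The vulnerable lookup returns every row for the tautology input; the bound-parameter version returns none, because it searched for a user literally named `' OR '1'='1`.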
5. Monitor Your Site
No website defense is so good that you never have to look at it again.
Whether it is you or someone else who works on the site, someone should be in charge of poking around from a user's point of view every so often to make sure that things stay clean.
For many larger sites and smaller operations, self-monitoring isn’t a very practical solution.
That’s why you can also invest in a security monitoring company.
For example, SiteLock is built to monitor small business websites every single day for strange activity.
It even looks for weak spots in your code.
Sucuri is another service that does this, responding to malware threats with unlimited emergency removals and active hacking protection.
Monitoring your own site can be difficult, and having a teammate in the event that things go wrong can be super helpful.
You should also note that Sucuri has a “fix my hacked site” option for when things have already gone wrong.
You can also roll the dice and skip a monitoring service until something happens.