Security is one of the most important aspects of any website. This is especially true today considering the fact that cybercrime continues to be a serious threat for businesses and users. The FBI states that “Cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated.” In fact, websites experience a staggering 62 attacks per day, according to SiteLock research. Now more than ever, small businesses need a cyber security checklist when building and maintaining their websites.
When cybercrime happens to your company website, you can lose money, credibility, and customers. Left unchecked, your website could be taken offline completely if the right hacker gets into it. With that in mind, let’s cover what you need on your cyber security checklist to protect yourself, your customers, and your company overall.
A web application firewall (WAF) is one of the most important elements on your cyber security checklist, by monitor incoming traffic to help prevent severe cyber attacks to your site. Research and implement a WAF network that specializes in OWASP top 10 attacks, including common bad bots, malicious traffic, harmful requests, and targeted attacks.
It’s critical that you regularly check your website for malware and vulnerabilities. The more frequently you look into the state of things (like your files and plugins), the sooner you can see if anything is amiss. Having an automated website scanner for malware detection and removal is only part of the solution.
You should also proactively keep an eye out for random code that may appear, files that have been uploaded without your knowledge, unauthorized logins, etc. If you do find a weakness, you should patch it immediately before it can turn into a full-blown problem (aka a website compromise).
From plugins and themes to your content management system (CMS) in general, it’s critical that you keep all the software related to your website updated. Often times when a plugin or theme is updated, software developers patch up leaks and holes they are finding in their own security. By using outdated software, you’re virtually asking cybercriminals to breach your website’s security. After all, when a vulnerability is found, it’s the easiest time to exploit it. Don’t give hackers the chance!
Whether you are updating and scanning your own website or using a web developer, it’s a good idea to regularly update or change your login information. Today, generic passwords like “password123!” are not enough to keep savvy hackers out. Your passwords should be unique and contain numbers, symbols and at least eight characters, and you should change them regularly. As an added security measure you should use two-factor authentication or a password manager.
If you hired a web developer, make sure they too are regularly updating their login information. The last thing you want is a breach due to someone else not keeping security (theirs or yours) top of mind.
As a best practice, there should be a limit on how many people have access to the backend of your website. Not everyone needs full access to everything. Consider what permissions you are giving the people accessing your website and restrict it as you feel necessary.
You also may want to restrict access to your website’s front end. Yes, you want your customers to be able to visit your site freely, but for sensitive activities where data might be entered, they should be a little more limited as to what they can access. For example, if customers will be making purchases on your website, you may want to require they register with your site and have a username and password in order to complete their transactions.
As Google Developers states, “HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages.”
It’s important to note however, that HTTPS isn’t just a setting you can turn on to effectively secure your website on its own. You must have an active SSL (Secure Sockets Layer) certificate installed on your website server to effectively encrypt the communication between your website and your users’ browser.
An SSL certificate is a basic security measure you should have, especially if you collect customer data, have a contact page, and accept online payments. This will prevent cybercriminals from intercepting sensitive information—while it is in transit from the users’ browser to your web server.
When your communications are unprotected through HTTP, Google Developers explains that cybercriminals can use them to “trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources.”
Learn more about SSL certificates in our post “What Is an SSL Certificate?”
While the hope is you will never need it, having a clean backup of your site is helpful in the event anything does go wrong. After all, if a cybercriminal got in, you wouldn’t want to have to rebuild a site from scratch on top of everything else.
While it’s true that there could be times the traffic to your website is higher than others, a significantly large and unexpected surge in traffic could be a sign that something is wrong. It could mean that bad bots are flooding your website, and in the worst cases, it could mean that your website is experiencing a Distributed Denial of Service (DDoS) attack.
This list is far from exhaustive in terms of what you can do to keep your website secure. The reality is that even if you use all of the items on this cyber security checklist, you still may have vulnerabilities in your site. Get a free risk assessment, and learn how likely your website is to be compromised.
Call us today! (844) 775-3692