How to secure your website
- Make sure your site uses SSL
- Enforce strict & strong passwords for admins.
- Keep your software and any plugins up to date
- Use a web hosting service that has a security-first approach
- Always follow file & permission best practices
Our focus is to ensure the websites we build are easy to use, beautiful to look at and most importantly, secure.
How to secure your website in 5 steps
Below are the most important steps you can take to secure a website. If you miss some of these, it could leave a hole in the security of your site.
Make sure your site uses an SSL connection.
An SSl connection is one of the easiest ways to ensure customers information is secure, as shown in the picture below is the certificate to prove this which can be easily accessed on any site through your browser.
SSL (secure sockets layer) is an encryption method used when a connection is made from your website host’s server to your customer’s browser.
Any personal data, form submissions, personal data is protected from being stolen through the connection. When a user clicks a submit button on your site, the data from these fields are encrypted, sent then decrypted on the other end.
By having an SSL certificate lets others know that your site is safe and secure.
Enforce password & username policies for admins
If your website uses a Content Management System (CMS) such as WordPress for example, then there is typically a backend dashboard to your site where staff or site administrators can sign in and make changes to the site and perform other various functionalities.
It’s natural for users to create passwords that are going to be easy for them to remember, but ultimately, this could be a security risk for the website.
Creating usernames such as “ADMIN” or “administrator” is another surefire way hackers can gain access to your website. It is important to create a username that is not generic and include letters, symbols & numbers. This makes it almost impossible for attackers to gain access to your website.
If you ensure that your site registration process contains a strict password policy and username, you’ll ensure that no one user can affect the integrity and security of your website.
Keep your software and plugins updated
As these vulnerabilities are made public, software providers update their codebases to ensure they’re patched and new protections are put in place and as a site administrator, you need to keep up.
Over time, hackers prey on the sites that are moderate to severely out of date due to ease with which they can take control. We’ve talked many times before about ensuring your website is backed up as a form of protection against catastrophic events.
A great host-level backup process provides the ability to update the software immediately with minimal testing.
If something were to go catastrophically wrong during an update, you can always roll it back to your last backup point and ask your web developer to take a look at why the update broke the site.
For software as a service company like HubSpot, this is all taken care of for you automatically — leaving you to only have to worry about your marketing/content strategies and execution.
Use a web hosting service that has a security-first approach
A great hosting service will force its websites to adopt certain security practices for everyone’s protection.
For example, hosting companies like WPEngine, force their users to upgrade their hosting packages to the latest version of PHP within a short amount of time after release.
They also make that super simple for their customers and even allow them to test run their sites on the new coming version before the upgrade their existing environments.
This is done to give customers a chance to upgrade any code that is incompatible with the new version of the underlying PHP language which powers many website content management systems, including WordPress.
A try before you buy approach if you will, keeps compliance and adoption of these upgrades high while avoiding fully crashed websites and angry customers.
Aside from that, if you’re on WordPress, many hosts provide automatic plugin updates which ensures that your plugins are always up-to-date and free of vulnerabilities wherever possible.
It’s always my recommendation that plugins be used sparingly when possible and that our customers only use plugins that have a large user base and are actively supported.
These plugins normally focus on backwards compatibility among many other factors providing that security that your site won’t break every time you update their plugin.
Just like we mentioned above, closed content management systems like HubSpot take care of all the security implications for you.
You can bet they have top web security professionals putting their attention and expertise at work day after day.
Always follow file & permission best practices
Your server’s file and folder permissions control the way files are used and by whom they can be used. These are set individually on a per file and per folder basis, although there are ways to bulk update based on type.
Software is usually a collection of files and functionality that is imported into other files and functionality.
As you can imagine, a lot of that is broken out into many different files for organization, to make it easier to update and immediately make updates available to everything else that imports or uses it.
Using the wrong file permissions could allow a hacker to access a middleware file — mentioned above — and inject their own functionality, highjack communications to and from the site, and even copy their own code into other files making the hack super difficult to eradicate.
This is not for the faint of heart. You’ll definitely want to use a professional to make sure this is all set up properly, but just asking the question might make the difference in ensuring someone takes a look at it versus having it fall through the cracks.
There are many ways to update folder permissions and different CMSs require different permissions. Usually, these can be changed either by updating them one by one within the file manager or via SSH terminal commands which can address more files at once.
Protect your customer and your reputation
A secure website provides the confidence that user’s need to conduct business with your company on the web. Now-a-days none of what we’ve mentioned is rocket science or a brand new development
This has become the norm and what is expected of you as a content provider.
Your customers will most certainly judge you based on your ability to provide them a secure environment where communication and/or transactions can be conducted free from the worry that their personal information is going to be stolen.
Any break in that trust could mean a direct hit to your bottom line if your customers decide they feel better doing business with one of your competitors that has a super easy-to-use, secure and modern website.
Providing that cushion of trust is a small step to take towards garnering the trust you wish to gain or retain from your customers.