How To Conduct A Website Security Check
By one estimate, more than 30,000 websites get hacked every day. Viruses, malware, spam, and DDoS attacks constantly threaten your organization’s valuable information. Customers trust you to maintain website security; so how can you make sure your site is as secure as possible?
Follow this website security checklist to make sure you have all your bases covered when it comes to securing your business site.
Step 1: Assess the current situation
First, diagnose any security issues of which you may not be aware. This is crucial when doing a website security check. Here are some website security essentials:
- Do you have HTTPS with an SSL Certificate enabled across your entire website? This is an important layer of protection both for your business and your website visitors, and can also improve your SEO results.
- Is your software up to date? It’s important to keep your iOS current for bug fixes and patches; and, the same is true for your website. Check to see if you have the most recent WordPress software, plugins, CMS/e-commerce system, and any other updates.
- Do you use CAPTCHA or a spam filter? If you’re collecting visitor information through a form, add a CAPTCHA or other spam filter to prevent bots and other strange sources from uploading inappropriate content or phishing messages.
- How old is your theme? For WordPress users, it’s important to keep the theme of your site up-to-date. An article published by G1 in 2020 found that more than one million WordPress sites may be vulnerable due to outdated, obsolete code.
Many website hosts, such as GoDaddy and Squarespace, offer resources to help you understand what these various steps mean. GoDaddy, for instance, offers a website backup service; Squarespace has a good primer on understanding SSL certificates.
Step 2: Try a website security checker
In addition to doing some basic self-diagnosis, you can use a website security checker or a website security testing tool to see where your site might be vulnerable. These website security scanning tools range in price and technicality; here are a few options.
- Using WordPress? Check out this ranking of the seven best WordPress Security Plugins from Quicksprout.
- Here are some great options ranked by Geekflare: 12 Online Free Tools to Scan Website Security Vulnerabilities & Malware.
- For developers, there are also many open-source tools that can be used to check the security of your website or web application: Top 10 Open Source Security Testing Tools for Web Applications.
Some tools will include testing for GDPR or PCI compliance which are important components of a website security check. Others can help you not only detect malware, but remove too. Shop around to find a solution that fits your budget and level of expertise.
Step 3: Check your user access permissions
Nearly 10% of website attacks happen due to weak authentication: easy-to-guess passwords or user error can leave websites surprisingly vulnerable. Admin passwords, in particular, need to be strong to resist brute force attacks.
“Believe it or not, weak user names and passwords are prevalent and it’s a sure-fire way to get your website flagged by the scanners that hackers use to identify these types of security vulnerabilities,” wrote the Business Development Bank of Canada (BDC). “Ensure you use a user name that is not obvious. When it comes to passwords avoid words from the dictionary, your name or your pet’s name. Use a combination of letters (upper/lower case), numbers, special characters, and make sure it’s at least eight characters long.”
In addition to using strong passwords, actively manage who can access your hosting platform. Only provide access to those who are regularly working on your site. As part of your website security check, remove inactive users and restrict permissions of certain pages to only those who need access. For instance, a product photographer should have “read only” access to the pages of your e-commerce site related to payments or collecting customer information.
Step 4: Review your website for compliance
Depending on your location and industry, there may be certain regulatory requirements that your website needs to meet, on top of industry best practices. For instance, GDPR carries very specific instructions for website security, including (but not limited to):
- Using WordPress 4.9.6 or a later edition;
- Including an “opt-out” tick box on a consent form for users to state their awareness that their information is being collected;
- Including specific privacy terms and conditions.
PCI compliance is required if your site accepts payments or donations using a credit card of any kind. Achieving PCI compliance may involve adding a firewall to your site, as well as measures to encrypt and protect the transmission and storage of cardholder data.
Step 5: Regularly back up your information
You need to make a copy of your website regularly and depending on how frequently you make updates to your site. For instance, if you’re running an e-commerce site and uploading new products or promotions each day, it’s recommended that you back-up your site every 30 days.
It’s even more critical to back up your site if you’re using a shared host. “If you use open source technologies like WordPress, Drupal, Joomla, nopCommerce, ExpressionEngine, Magento, Zen Cart, PrestaShop or AspDotNetStorefront, to name just a few, you’re at risk of getting hacked. A regular back-up schedule is your fail-safe to get you back up and running quickly (depending on the complexity of your website),” wrote BDC.
Backing up your site helps protect your customer data, and allows for better business continuity in the event of an attack.
Step 6: Get a DLP solution for your cloud platforms
Finally, as we shift toward working remotely, make sure your company is protected from data loss on every platform — not just on your website. When you collect or store customer information from your site, it’s important to make sure it’s still being kept safe once it leaves your e-commerce page.
A platform like Nightfall can help your company protect data on sites and apps like Slack, Google Workspace, and GitHub. With more than 100 detectors, Nightfall scans these environments to make sure no PII is shared improperly. It can send you an alert if user error results in data leakage so you can take appropriate steps to remedy the situation. When your e-commerce or sales team works on data collected through your website, it’s still kept secure no matter what.
Learn more about cloud DLP and setting up your organization for secure remote work in our complete 2021 Security Playbook for Remote-first Organizations. And, learn more about Nightfall by scheduling a demo at the link below.