You would not only learn about the largest security threats to mid-sized companies in this handy checklist, but also how to defend against those threats. The best portion? Most of the items on this security checklist for this website do not require a developer!
1. Use Strong Passwords and Change Them Regularly
81 per cent of data breaches are caused by passwords that are compromised, weak or reused. One of the first things people will try is to try to guess or crack user passwords, so it’s crucial to protect against this. Using password generators is an easy way to do this, as many browsers come with password generators that automatically ask you whether you want to create a secure password. This is objected to by some people because they believe they can get into their accounts if someone takes their laptop. You need to be more worried about people you don’t know trying to hack your website in most cases, but there is a way to get the best out of both worlds. Combine this secure password with 2-factor authentication. This is when every time you want to login, a code is sent to your email / phone. Not only will a hacker have to guess your password this way, but they will need access to your email / phone. Also, if you’re worried about someone you know using your computer as a spouse or sibling, they won’t be able to login using the autofill password option because they won’t have access to your phone’s code. In addition, at least every 6 months, you should change your password, especially if your website is some type of business.
2. Use Website Backups
You can create a periodic schedule for creating your website backups. This way, the loss will be mitigated if something goes wrong and something is deleted or lost, because you only lose data between your last backup and today. How you backup your data depends on what platform you are using (WordPress, Squarespace, Wix etc). For example, if you use WordPress, you can look into easy backup for cPanel or VaultPress, which allows automated backups on a regular schedule. It may be harder to find reliable plugins for other platforms, but they do exist, and you may find it appropriate to make manual backups of your content depending on your needs.
3. Limit Contributors Permissions
This is known as the use of the least permissive model in security. This simply means that you want to restrict the permissions users have on your website to the absolute minimum necessary for them to perform their duties. For instance, not everyone needs to be an administrator, you can use other roles such as editor, author, contributor, etc., and set permissions for users as they need. You shall decrease the chance of someone doing something negative to your website intentionally or accidentally by limiting the permissions individuals have.
4. Secure Online Checkouts
You should use AVS (address verification system) and use CVV (credit card verification value) when accepting any credit card payments if your website accepts online payments. By requesting additional information, these features help to prevent fraudulent payments from going through and save you a lot of time and revenue.
5. Update All Plugins
It’s important to regularly update all of your plugins. In popular plugins, it is common for safety vulnerabilities to be found. The vendor usually releases an update that addresses that particular problem once a vulnerability is found and disclosed. Your website will remain vulnerable for extended periods of time if you go for months or years without updating that plugin and that will often lead to someone hacking your website. For websites running outdated versions of known vulnerable plugins, hackers use computer bots (controlled machines) that scan the internet 24/7. A cyberattack is estimated to occur every 39 seconds, so it’s not a matter of whether your website will be discovered, it’s a matter of when. That’s why it’s essential to set up a schedule to check your plugins for software updates and, where possible, turn on update notifications. This way, you will be aware of the updates once they become available.
6. Use Anti-malware Solutions
In various ways, malware can be introduced to a website. Hackers are sometimes able to inject code into your website via input forms, or when copying and pasting custom code, you can accidentally introduce malware into your website whilst giving a unique feature. Either way, investing in anti-malware solutions that can spot malicious code on your website is good. Quttera, sucuri, and Astra security are some anti-malware software providers you can look at.
7. Consider DDos Protection
In various ways, malware can be introduced to a website. Hackers are sometimes able to inject code into your website via input forms, or when copying and pasting custom code, you can accidentally introduce malware into your website whilst giving a unique feature. Either way, investing in anti-malware solutions that can spot malicious code on your website is good. Quttera, sucuri, and Astra security are some anti-malware software providers you can look at.
8. XSS Scripting Attacks
Cross-site scripting is a type of injection attack where malicious code is inserted by a hacker into a web page that other users will view. This way, the code will automatically run whenever another user goes to the infected webpage. You need to ensure that all input forms on your website sanitize their inputs to avoid this, which simply means that it filters out unwanted commands rather than running the code. You also need to make sure that your website’s html code is safe, you can do this by manual code reviews, but it’s easier for most people to use automated tools that scan your website.
9. SQL Injection
In order to steal data from your database, the SQL injection inserts SQL queries into input forms. Stealing sensitive information includes credit card numbers, customer addresses, phone numbers, and personal identification numbers. SQL defense is similar to XSS, where you need to make sure that the information entered in the input forms is correctly filtered.
10. Use Security Scanning Tools
In order to steal data from your database, the SQL injection inserts SQL queries into input forms. Stealing sensitive information includes credit card numbers, customer addresses, phone numbers, and personal identification numbers. SQL defense is similar to XSS, where you need to make sure that the information entered in the input forms is correctly filtered.
11. Hide Your Web Host Provider and Version
You make it easier for attackers to exploit known vulnerabilities associated with that web provider or that particular version of the software (if you’re running WordPress) by showing this information. You can copy and paste this line of code into your active theme’s functions.php file in order to hide the WordPress version.
remove action(‘wp_head’, ‘wp_generator’);
You should always hide the name of the software and the version of anything running on your website in general.
Make sure to do your research on how to secure it if you choose to enable that functionality. Some of the things you can do include limiting the type of files you can upload, changing the permissions of the uploaded files to ensure that no files can run after uploading, changing the directory to which the files are uploaded so that they cannot be easily guessed (such as securitymadesimple.org/uploads is too obvious) and, if possible, making it impossible for regular users to access the directory holding the files.
Need more information?
Our expert team is here to help with any questions you have regarding our products or services.