Four Quick Ways to Check and Improve Your Website’s Security Today

Website security is critical to the ongoing health of your self-hosted website.

When you run your own website on your own server, especially if you are using a content management system (CMS) like WordPress, extra care needs to be taken to secure your website. Inadequate security can expose visitor information, allow malware to be injected into your site, cause your site to be blacklisted by search engines and anti-virus software, and even lock you out of your own site. Taking a few precautions can help you maintain a site free of issues that cost your organization and damage its reputation.

While it may seem overwhelming to secure your website, there are simple, concrete ways that you can help secure your site. In this guide, you will find some actionable steps to improve site security, especially for sites with content management systems like WordPress. You will also find some tried-and-true tools we use to keep sites secure.

Scan Your Website

Knowledge is power, right? Get to know the state of your site’s security by giving it a security scan. For a quick external scan, try Sucuri’s free service, Site Check, to get an overview of your site’s situation. You will see whether they have detected any malware and if your site has been blacklisted by a selection of search engines or security software due to security issues with your site. They will check for their own monitoring and firewall service. You will also get suggestions to improve security in the Hardening Improvements section.

The average cost in time of a malware attack is 50 days

Accenture

Be sure to set up recurring scans so you are regularly updated. The longer an exploit stays on your site, the more damage it can do.

Add an SSL Certificate to Your Website

An SSL certificate encrypts information submitted through your website so that it is unreadable if it is intercepted; the little lock in your browser’s address bar indicates that the connection is encrypted. This protects your customers’ personal and private information and protects your business or organization from being a victim of cybercrime through your website. Once used predominantly on financial company and ecommerce websites, SSL certificates are essential for all websites.

Major browsers like Edge, Chrome and Safari now block users with a security warning when a website lacks an SSL certificate. In some cases, the user will not be permitted to proceed to the site after reviewing the warning.

Hackers attack every 39 seconds, on average 2,244 times a day.

University of Maryland

A range of SSL certificates is available. Domain Validated (DV) is the most basic level of certificate. As the name suggests, this certificate verifies that the domain is controlled by the user applying for the certificate. To offer your visitors a higher level of validation, you may choose the Organization Validated (OV) certificate, which also verifies the organization requesting the certificate, or the Extended Validation (EV) certificate, which provides a more in-depth verification of the organization.

Which certificate you choose depends largely on how much trust you want to create with your customers. For many purposes DV is sufficient. You can even get a free DV certificate from Let’s Encrypt. These certificates are available with easy installation from many web hosting companies.

Add a Firewall to Your Website

A firewall for your website, called a Web Application Firewall (WAF), filters and monitors traffic between your website and the Internet to ward off attacks. These attacks can come from different places and take different forms. Brute force attacks, for example, use automation designed to guess the username and password used to sign into a site. Distributed Denial of Service (DDoS) attacks try to overwhelm the site’s resources to prevent valid users from accessing your site.

If you are running a WordPress website, have a look at Wordfence for firewall protection. The WAF in Wordfence identifies and blocks malicious traffic. It also offers brute force protection by limiting sign-in attempts.
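The added example below (not part of the original guide, and not Wordfence's own logic) shows the idea behind limiting sign-in attempts as a detection check: it counts POST requests to the WordPress login page per client in a sliding time window. The log lines are constructed, and the threshold of 5 attempts per minute is an assumed value to tune for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of a combined-format access log line: client IP, timestamp, method, path.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def brute_force_suspects(lines, login_path="/wp-login.php", limit=5,
                         window=timedelta(minutes=1)):
    """Return {ip: peak attempts} for clients that sent at least `limit`
    login POSTs within `window`. Lines must be in chronological order."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    suspects = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != login_path:
            continue  # only submitted sign-in forms count as attempts
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()  # drop attempts that fell out of the window
        if len(attempts) >= limit:
            suspects[m["ip"]] = max(suspects.get(m["ip"], 0), len(attempts))
    return suspects

# Constructed sample log: one client submits 8 sign-ins in 40 seconds,
# another signs in twice a few minutes apart. IPs are documentation ranges.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:08:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4521'
    for s in range(0, 40, 5)
] + [
    '198.51.100.20 - - [10/Mar/2024:08:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4410',
    '198.51.100.20 - - [10/Mar/2024:08:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4521',
    '198.51.100.20 - - [10/Mar/2024:08:04:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [10/Mar/2024:08:04:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for ip, peak in brute_force_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {peak} sign-in attempts within one minute")
```

Clients flagged this way are candidates for blocking or rate limiting at the firewall; the user who mistyped a password once is not flagged.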

Create Backups on a Regular Basis

A backup of your site is the easiest way to get back up and running if your site is damaged by a security exploit. How often you need to back up your site is going to depend on how frequently you update your site. If you update daily, for instance, you are going to want to back up daily. Keying your backups to the frequency of updates helps ensure that you do not lose content if you have to revert to a backup.

If you’re using WordPress, you can install a backup plugin like UpdraftPlus. You can set it up to back up your database, plugins, themes, uploads, and other content files, and to run regular backups automatically. You can have your backups saved locally or sent to cloud storage or email.

Secure Your Sign-in Information

Use Two-Factor Authentication

As the name suggests, Two-Factor Authentication (2FA) requires two factors to authenticate your account. Frequently, this means signing into your account and then receiving a text with a numerical code to enter into the interface to finish the sign-in process.

28% of breaches involved small business victims

Verizon

While 2FA is integrated into some WordPress plugins, you might find it more helpful to have a solution outside of WordPress. An external service enables 2FA on all your important accounts.

Duo provides 2FA with mobile apps for Android and iOS. When you sign in to one of your supported accounts, the app will activate on your device. With the press of the Approve button, you’re signed into your account. If there is a suspicious attempt to access your account, simply press Deny.

Use a Password Manager to Store Your Sign-in Information

Using a password manager lets you keep all your passwords secure while keeping them readily available. You have one password to access all your passwords, so you can make your passwords extremely complex and only have to remember one. You can also securely share log-on credentials with those who need them. There are a few options.

Over 80% of breaches within Hacking involve Brute force or the Use of lost or stolen credentials

Verizon

LastPass offers a lot of features with its free version. Their apps let you access your credentials on your smartphone or tablet. You can also share passwords to accounts with others who have a LastPass account.

They help you create strong passwords with their password generator.

Use Secure Passwords

What’s the prime factor in making a password more secure? Password length. So, make sure your password is at least 12 characters long. Yes, you will want a complex password too, including uppercase and lowercase letters, numerals, and symbols.

Use Unique Passwords

While it may be tempting to reuse them, do not reuse your passwords from one account to another. If your password is accessed by a hacker and you have used the same password for other accounts, they can be compromised too. The only thing worse than a hacked account is multiple hacked accounts. Make sure each password is strong and unique.

Keep Calm and Secure On

While website security is a serious real-world issue, there are many ways to make your website and all your accounts more secure. We hope you find this guide helpful and look forward to hearing back about how your security endeavors are going.