Website Security Checklist: 15 Ways to Quickly Secure Your Site

Most people don’t take website security seriously until they get hacked. And no amount of regret or tears can bring back the precious data, website, money, time, energy, and clients lost when this horror strikes. What’s even scarier is that most hacks are made possible through the victims’ own negligence or naivety.

Whether you sell products online, or just advertise your services; whether your website accepts customer data or not; whether you are a multi-million-dollar enterprise, or just a new tech start-up; securing your website should be your #1 digital concern. Yes, you read that right. Website security is more important than engaging with your readership, generating more leads, even ranking higher on Google. In fact, if your website gets hacked, Google may never show it in its search results (more on this later).

Table of Contents

What does it mean to “secure” a website?
What really is at stake?

Simple ways to quickly secure your website
1. Use an SSL certificate
2. Restrict file uploads
3. Adjust default CMS settings
4. Regular backups
5. Implement access control
6. Secure your personal computer
7. Use strong passwords and multi-factor authentication
8. (For WordPress users) Monitor with security plugins
9. Don’t hate updates – install them immediately
10. Use a web application firewall (WAF)
11. Disable Directory Indexing and Browsing
12. (For WordPress users) Change your wp-admin URL
13. Run vulnerability scans
14. Limit the number of allowed login attempts
15. Choose a good web hosting provider

What does it mean to “secure” a website?

Put simply, website security ensures that a user only gets to see what they are authorized to see, and only gets to perform actions that they are authorized to perform. For example:

  • A guest user should not be able to access the internal customer dashboard on your website.
  • A logged-in customer should be able to see the internal dashboard.
  • A customer shouldn’t have access to the administrator portal of your website.
  • Your blog writers should only be able to add posts to your website, and not update its configurations.
  • Only a few system engineers should have direct access to the servers hosting your website.

What really is at stake?

The end goal of “securing” a website is to prevent it from getting hacked. A hack could have wide-ranging ramifications, from preventing visitors from accessing your website to stealing and/or encrypting sensitive customer data. Here’s what’s at stake:

Precious Data

Infosecurity Magazine stated there was “One Ransomware Victim Every 10 Seconds in 2020.” So, if you’re still thinking, “Oh please, it will never happen to me,” think again! Now, what is a ransomware attack?

It’s the horror of logging in to your computer one day to find a message across your screen saying that either (1) you’ve been blocked from using your computer or website, or (2) all your personal, website or business data has been taken hostage (encrypted so that you can no longer read it), and that the hackers demand a large sum of money be paid by a deadline or your data will be deleted forever.

[Image: WannaCry ransomware attack screen. Source: https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/ (public domain, via Wikipedia)]

Of course, most people ignore the importance of backing up their data, so they’re forced either to accept a data loss that can ruin a business, or to pay the ransom with no guarantee that the hackers will have the honour to actually return what was held hostage once payment is made.

In May 2021, the business networks of a massive U.S. oil pipeline operator were shut down by ransomware, and the operator paid nearly $5 million to get restarted.

Money

“Every minute, $2,900,000 is lost to cybercrime”. In addition to the loss in revenue because of ransomware, customers and partners may jump ship, and you may also have to pay hefty fines to regulatory bodies. For instance, Equifax paid a whopping $575 million to the Federal Trade Commission, as a penalty for a 2017 data breach.

Your website’s ranking

Google takes strict actions against websites that encounter data breaches. So much so that they may completely deindex hacked websites, which means that they will never show up in its search results.

[Image: Google deindexed Search Engine Land for a day]

Your reputation

People just don’t trust companies that have been breached. And why would they, if it could put them at the risk of getting their data compromised?

Business relationships

Your partners, your vendors, both existing and prospective, will think twice before doing business with you.

Simple ways to quickly secure your website

Now that we know why website security is important, let’s look at some sure-fire ways to secure your website, right now:

1. Use an SSL certificate

[Image: Sectigo SSL certificate shown in a web browser. Source: https://sectigo.com/ssl-certificates-tls]

SSL, or Secure Sockets Layer, is the most basic, yet the most important, tool for securing your website. An SSL certificate encrypts traffic as it flows between servers and browsers. It ensures that all customer data, including account numbers, usernames, passwords etc., stays hidden as it travels across the internet. Using it, a browser can guarantee that the user is in fact communicating with the original, certified website, and not with an impersonating hacker. It’s therefore of foremost importance to get an SSL certificate for your website.

2. Restrict file uploads

There are many security risks associated with file uploads. A user can replace a file on your server by uploading one with the same name or extension. They could also upload a harmful file that could potentially allow them to gain unauthorized access to system resources. To prevent file upload attacks, keep the following guidelines in mind:

  • Restrict file uploads by extensions or types.
  • Scan files before saving them on the server.
  • Set a maximum size limit.
  • Don’t store uploaded files in the same directory as your website’s source code.
  • Make users authenticate themselves before uploading files.
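As an added example (not code from the original article), the following Python upload handler applies all five guidelines in order; the allowed types, the 2 MiB cap and the upload directory are assumptions made for the illustration.

```python
import secrets
import tempfile
from pathlib import Path

# Allowlist: extension -> magic bytes the content must start with
# (constructed for this example; extend to the types your site needs).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # 2 MiB cap (assumed value)

# Uploads live outside the web root so nothing stored here is served or
# executed directly. A temp dir stands in for the real path in this example.
UPLOAD_DIR = Path(tempfile.mkdtemp(prefix="uploads-"))


class UploadRejected(Exception):
    """Raised when an upload fails one of the checks."""


def save_upload(user_id, original_name: str, data: bytes) -> Path:
    """Validate an upload and store it under a random name.

    Returns the path written, or raises UploadRejected.
    """
    # 1. Users must be authenticated before they may upload anything.
    if user_id is None:
        raise UploadRejected("login required")
    # 2. Size limit, enforced before anything touches the disk.
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # 3. Extension allowlist (only the final suffix counts).
    ext = Path(original_name).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 4. Content check: a script renamed to .png fails the magic-byte test.
    #    A malware scanner hook would also go here, before anything is written.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # 5. Random server-side name: the uploader cannot choose it, so an
    #    existing file can never be replaced by a same-named upload.
    dest = UPLOAD_DIR / f"{secrets.token_hex(16)}{ext}"
    with open(dest, "xb") as fh:  # "x" mode fails rather than overwrites
        fh.write(data)
    return dest
```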

3. Adjust default CMS settings

It’s almost never a good practice to keep your website running with the default CMS settings. Some of these settings can be related to permissions, visibility, and user types. For example, you may want to change the default file permissions on WordPress. Or you may want to choose different “roles” (e.g. super admin, author, contributor etc.) for different people on your team.

4. Regular backups

When everything else is falling apart, backups can swoop in and save the day. Someone corrupted your source code by injecting a malicious script on the server? No problem. Just revert to the backup you created last night. Your computer attacked by ransomware? Once again, your backup has you covered. Here are a few tips to keep in mind:

  • Backup your website regularly. A site export from several months ago may strip multiple features off your UI and set you back several months.
  • Store backups externally, i.e. not on the server(s) hosting your website.
  • Automate the backup process. A manual process is not only tedious, it’s also prone to human error.

5. Implement access control

Trust no-one by default, and apply the principle of least privilege, i.e. give a user the bare-minimum level of access that they need to perform their duties. For example, a writer doesn’t need access to the server configuration dashboard. Similarly, no one but the system engineers should be given direct SSH access to your servers.

6. Secure your personal computer

As a site owner or administrator, your personal computer can be full of sensitive information regarding your website; e.g. passwords, user roles, database and server access etc. It’s therefore critical that you secure your personal computer. In this regard, here are a few things to keep in mind:

  • Choose a strong passphrase.
  • Don’t leave your computer unlocked and/or unattended.
  • Use a firewall and anti-virus software to prevent malware from entering your system.
  • Keep your operating system and programs up-to-date.
  • Beware of phishing attempts; don’t download suspicious attachments, or click on potentially harmful links.

7. Use strong passwords and multi-factor authentication

If you’re not sure how to create strong passwords, read our article on best practices for password security. Moreover, implement a multi-factor authentication mechanism that requires users to supply a second factor in addition to their password when logging in, e.g. a one-time PIN code sent to their mobile phone after they enter the password, or a verification code from an authenticator application like Google Authenticator.

8. (For WordPress users) Monitor with security plugins

If you are a WordPress user, you can actively monitor your website’s security outlook using different plugins, like Wordfence and Cerber. They install a rigorous firewall on your server, and run comprehensive malware scans to identify any risks and vulnerabilities.

9. Don’t hate updates – install them immediately

According to a 2020 report, 53% of cyberattacks in the last two years stemmed from third-party software. This includes the plugins you install on your WordPress site, the anti-virus software on your server, the web API you fetch random data from, and your favourite browser. A lot of new software updates and releases are patches to vulnerabilities and bugs that can potentially be exploited by hackers. So, make it standard practice to keep all your applications up-to-date.

10. Use a web application firewall (WAF)

A web application firewall, or WAF, is a special type of firewall used for monitoring, filtering, and blocking traffic (typically HTTP) to and from a web application. Use a modern WAF to protect your website from some of the most common attacks, like SQL injection, cross-site scripting and cross-site request forgery, improper system configuration, cookie poisoning, and application-layer DDoS attacks.

11. Disable Directory Indexing and Browsing

Let’s suppose someone enters the name of a directory in the address bar. The directory actually exists on the server hosting your website. If there’s no index file present in the pertinent directory, by default, the web server will return the directory structure to the browser. This means that the entire list of files and folders in that subdirectory will be made visible to the visitor. See image below:

[Image: directory listing titled “Index of /admin/backup”, with a “Parent Directory” link]

This happens because of something known as directory browsing, which is enabled by default on some web servers. As you can imagine, hackers can extract exploitable information from directory browsing (which plugins are installed, what theme you are using, which database contains your data etc.) and use it to plan their attacks. Fortunately, there’s usually an easy way to disable directory indexing. For WordPress, follow these steps:

  1. Log in to your website using an FTP client.
  2. Download the .htaccess file present in the root folder. (Since the file is usually hidden, you may need to enable hidden file viewing.)
  3. Open the .htaccess file, and put the following line at the bottom:
    Options -Indexes
  4. Save the file, and upload it to your server using the FTP client.

This will disable directory browsing on your website, redirecting the user to a 404 Not Found page instead.

12. (For WordPress users) Change your wp-admin URL

By default, WordPress uses http://yourblog.com/wp-login.php as the page for admin login. However, it’s recommended to change it as soon as your website goes live. With access to the default login page, all a hacker has to do to gain access to your WP dashboard is crack your password. To prevent that from happening, randomise your WP Admin URL using a plugin like WP Cerber.

13. Run vulnerability scans

It’s an undeniable fact that security is an ongoing effort. There is no room for complacency. No set of security recommendations, once applied, will make your website categorically impenetrable. They will improve your security posture, yes, but to keep everything safe you need to adopt a security-first approach. A big part of that is regularly running vulnerability scans on your server. They will help you identify risks and vulnerabilities not only in your web application, but also in other software on your server.

14. Limit the number of allowed login attempts

If you don’t limit the number of allowed login attempts, potential hackers can run a brute-force attack, where they continuously try to log in with different username-password combinations. If a user’s password is not too strong, they may get it right after a few attempts. Even if the password is strong, there is still a possibility that they get it right, even though it may take much longer. The bottom line is, if someone fails to provide correct login details after 3-4 attempts, their account should get locked. To unlock it, they must be required to reset their password, or request an administrator to do so.
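The lockout policy described above, as an added example in Python (not code from the original article): failures are counted per account, the account locks after the fourth failure (the article’s “3-4 attempts”, assumed here as 4), a correct password no longer helps once locked, and only a password reset clears the lock. The in-memory store stands in for the site’s database.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 4  # assumed value for the article's "3-4 attempts"
PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Accounts:
    """Minimal in-memory account store standing in for the site's database."""

    def __init__(self):
        self._users = {}  # username -> {"salt", "hash", "failures", "locked"}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": _hash_password(password, salt),
                                 "failures": 0, "locked": False}

    def login(self, username: str, password: str) -> bool:
        user = self._users.get(username)
        if user is None:
            return False  # same answer as a wrong password: no username enumeration
        if user["locked"]:
            return False  # a correct password does not unlock the account
        ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])
        if ok:
            user["failures"] = 0  # a successful login clears the failure count
            return True
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True  # further guesses are refused from here on
        return False

    def is_locked(self, username: str) -> bool:
        return self._users[username]["locked"]

    def reset_password(self, username: str, new_password: str) -> None:
        """The only way out of a lockout: a password reset, done by the user
        through a verified reset flow or by an administrator."""
        self.add_user(username, new_password)  # new salt, new hash, counters cleared
```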

15. Choose a good web hosting provider

Last but not least, choose a web hosting provider that takes security at least as seriously as you do. This is really critical because, as a website owner, there’s only so much you can do to secure your website. All your efforts can be rendered useless if your hosting provider doesn’t ensure high levels of security.

At HOSTAFRICA, security is at the heart of everything we do. We use strong WAFs, along with some of the best web-app protection software like Imunify360 and Patchman. We also offer a rich selection of SSL certificates.

Conclusion

You can’t find an all-encompassing, one-time-only security implementation guide, no matter how or where you search. With this article, our aim was to handpick some of the most important guidelines that will help you get started and secure your site quickly.

Don’t forget, security is a never-ending affair, and it’s important to always stay vigilant, and always keep improving.
