For many people, website security is an intimidating topic. It seems like there’s an endless list of things necessary for protecting your website. And while resources like our Website Security Guide cut through much of the clutter of the threat landscape, some folks might need it simplified even further.
Okay, we hear ya. If you’re looking for the bare-bones lowdown on what you need for protecting your website, we offer you this: Seven tips for protecting your website.
While the following tidbits will certainly prove useful, keep in mind that website security is not something to skimp on. Consider the following a list of things you must have, but still make sure to implement a website security plan that addresses your unique situation. And if you need a hand with that, we’ve got people ready to help.
1. Regularly make backups
Once you have a live website, back it up and continue making backups at regular intervals. And if you make a significant update, create a backup at that point. If your website gets hacked and you need to rebuild anything, backups let you re-publish a version of your site that was saved prior to the hack. While you can always manually create backups, it’s smarter to automate the process — or better yet, get backups as part of a comprehensive security plan.
2. Always run updates
When plugins, themes, or other components of a content management system (CMS) get published, hackers immediately go to work finding a way to compromise them. Meanwhile, the good guys try to stay a step ahead by patching those vulnerabilities. Those security patches are included with updates, which is why maintaining updates is so important. If you don’t, it’s like leaving the backdoor to your website wide open for any bad actor who happens by.
3. Use strong passwords
While passwords like password123 are tempting because they’re easy to remember, it’s a bad idea to use something that’s so susceptible to being hacked. Make sure your passwords have these characteristics:
- They’re unique — Don’t use the same password for more than one account. If that password gets hacked, bad actors gain access everywhere you’re using it.
- They’re long — Make your passwords longer than 12 characters. The math gets tricky, but longer passwords are exponentially harder for an automated program to crack.
- They’re random — If you can pronounce your password, it’s not strong enough. Use random characters instead of passwords based on words.
Yes, following those three rules will make your passwords a lot harder to remember. And that’s a good thing. Try using a password keeper (we like LastPass a lot), so you can access all those hard-to-remember key phrases with one master password.
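To make the "tricky math" concrete, here is a short Python sketch that generates a random password and checks a candidate against the three rules above. It is an added example, not code from this article or any product it mentions; the function names, the 94-character alphabet, and the sample words and passwords are all assumptions made for illustration.

```python
import math
import secrets
import string

# 94 printable symbols: letters, digits and punctuation (an assumed alphabet).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 13  # "longer than 12 characters"

def generate_password(length=16):
    """Build a password from cryptographically random characters."""
    if length < MIN_LENGTH:
        raise ValueError("use more than 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def search_space_bits(length, alphabet_size=len(ALPHABET)):
    """Size of the guessing space in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def check_password(candidate, passwords_in_use, wordlist):
    """Return the rules from the list above that the candidate breaks."""
    problems = []
    if candidate in passwords_in_use:
        problems.append("reused")
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    lowered = candidate.lower()
    if any(word in lowered for word in wordlist):
        problems.append("word-based")
    return problems

if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    words = ["password", "summer", "frank"]
    in_use = {"Summer2019!Summer2019!"}
    for pw in ["password123", "Summer2019!Summer2019!", generate_password()]:
        print(f"{len(pw):2d} chars  {check_password(pw, in_use, words)}")
    for n in (8, 12, 16, 20):
        print(f"{n:2d} random chars = {search_space_bits(n):5.1f} bits")
```

Each extra random character multiplies the number of possible passwords by 94, which is why the bit count climbs by about 6.55 per character.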
4. Limit users & permissions
Say your cousin Frank volunteers to help add images to your website, so you create a set of credentials for him. (Hey, he took a night class, after all.) When he’s done with the images, be sure to delete his account so it can’t be used to log in to your site. Nothing against Frank, but what if his password gets cracked? Better to always follow the principle of least privilege.
5. Continuously scan & monitor
Hacks happen, and when they do, it’s critical to get immediate help. The key to knowing when you need that help is awareness of your website’s health. To check for infections, there are numerous website scanners out there, which are often free and easy to use. (We found SiteCheck and UnmaskParasites are two of the best.)
6. Get an SSL certificate
Some people might scoff at the idea of adding a secure sockets layer (SSL) certificate because it doesn’t secure the website itself. Rather, SSL encrypts data transmitted to and from a website. That might seem only useful to, say, financial institutions or ecommerce operations, but Google thinks SSL is so important that it’s now penalizing sites that don’t have a certificate. Fortunately, adding SSL is a straightforward, very doable process for nearly any CMS.
7. Get behind a firewall
For people who love ruining a hacker’s day, getting a website behind a web application firewall (WAF) is reason to celebrate. That’s because a WAF is continuously updated to identify hackers and the threats they create — and completely blocks off their access to the website. Better still, a WAF will speed up a website significantly, and the best ones even include an SSL certificate. Our WAF includes all these features, and we’ll even let you try it free for 30 days.
Closing thoughts on protecting your website
Protecting your website is something that everyone should take seriously. From individuals to big businesses and design agencies, it’s essential to gain an understanding of website security, and then implement it thoroughly. Hopefully, these seven tips for protecting your website gave you a head start — but don’t stop there. Constantly pushing for more security online creates a safer internet for everyone.