No matter who you are, no matter what type of business you own, if you have a website, it has likely been under attack from hackers, malicious code injection, spam with malicious links, or other forms of cyberattacks. What most people don’t realize, however, is that these attacks occur every day – sometimes every hour, sometimes every 15 seconds. Most websites and Content Management Systems (CMSs) have some sort of protection in place. This protection works without the website owner having to do anything further or even knowing that their site could be under attack. When it comes to custom websites, however, the playing field is a little bit different. This week on the Launchpad Blog, we’re discussing best practices for website security.
If you’re familiar with any of New Moon Strategy’s previous articles on the Launchpad Blog, then you may know that we primarily build our clients’ websites with WordPress as a standalone CMS. Though these practices are important to implement for any business website, not every CMS is able to implement all of them. Because WordPress allows for custom code injection and total customization of the website elements, WordPress is a great CMS to use for building a professional and customized website at small business prices. However, out of the box it has very basic security protections. At New Moon Strategy, we use professional and premium themes, plugins, and security solutions for our clients. New Moon Strategy is a best practice digital marketing agency and we take website security practices very seriously. Here are just a few best practices to follow when protecting your website investment:
1 – Keep Your Website Updated
Nowadays, most CMSs or “website builders” use a variety of different integrations in order to display the desired content on a business website. Usually, these plugins or integrations are the work of a dedicated development team. When security vulnerabilities are found, the development team begins working to patch them right away, as each one is a potential vulnerability for anyone using that platform. Keeping your website updated at all times minimizes the risk of hackers utilizing bugs or security vulnerabilities to gain access to or control over your website.
2 – Secure Sockets Layer (SSL) Certificate
Nowadays, every reputable website should have an SSL certificate. SSL certificates are not only a best practice for a proper website build, but they are also a requirement of a good, thorough Search Engine Optimization (SEO) strategy (which helps your business get more exposure on search engines). Years ago, SSL certificates weren’t as big of a deal. Today, SSL certificates are what help visitors identify a brand as credible and trustworthy.
But what do they actually do? SSL certificates prevent a visitor’s connection with your website from being spied on and they also protect visitors’ computers from vulnerabilities. So, put into practice, an SSL certificate would prevent hackers from being able to record a visitor’s keystrokes and the information that they put into forms. These certificates also prevent hackers from gaining access to sensitive information (such as credit cards or addresses) and prevent malicious cookies from installing on a visitor’s computer. It’s important to note that many browsers will notify a website visitor if the website they’re trying to access doesn’t have an SSL certificate – which means a lot of visitors won’t even get to the point of viewing your website content. If your website doesn’t have an SSL certificate, it’s likely that you’re losing potential customers. SSL certificates are crucial for business websites and must be renewed upon expiration – typically, this is every 90 days, but it can be as long as one (1) or three (3) years.
3 – Force HTTPS or Redirect
With an SSL certificate in place, the next important best practice for website security is to ensure that your visitors are using a web address that actually contains that SSL certificate. That means making sure that visitors to your website are using the HTTPS address. This is most commonly done through a redirect or a “Force HTTPS” rule. HTTP stands for “Hypertext Transfer Protocol.” HTTPS stands for “Hypertext Transfer Protocol Secure,” the difference of course being the word “secure.” By redirecting visitors from the HTTP to the HTTPS version of your website, you make sure that they’re using your SSL certificate and that website visitors are browsing your site via a secure connection that isn’t vulnerable.
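As an added example (not part of the original article and not New Moon Strategy's own tooling), the Python sketch below audits a redirect chain for the “Force HTTPS” behaviour described above. The fetch callable, the function names and the example.com responses are assumptions constructed so the check runs offline.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def audit_force_https(start_url, fetch, max_hops=5):
    """Follow redirects from start_url and report weak spots.

    fetch(url) is a caller-supplied (hypothetical) function returning
    (status_code, headers_dict) WITHOUT following redirects itself.
    Returns (final_url, findings).
    """
    findings, url, seen = [], start_url, set()
    for _ in range(max_hops + 1):
        if url in seen:
            findings.append(f"redirect loop at {url}")
            break
        seen.add(url)
        status, headers = fetch(url)
        scheme = urlsplit(url).scheme
        if status not in REDIRECT_CODES:
            if scheme != "https":
                findings.append(f"content served over plain HTTP at {url}")
            break
        # Location may be relative, so resolve it against the current URL.
        target = urljoin(url, headers.get("Location", ""))
        target_scheme = urlsplit(target).scheme
        if scheme == "https" and target_scheme != "https":
            findings.append(f"downgrade from HTTPS: {url} -> {target}")
        if scheme == "http" and target_scheme == "http":
            findings.append(f"HTTP hop before upgrade: {url} -> {target}")
        if scheme == "http" and status not in (301, 308):
            findings.append(f"temporary redirect ({status}) at {url}")
        url = target
    else:
        findings.append("too many redirects")
    return url, findings

# Constructed responses for a placeholder site, example.com.
GOOD_SITE = {
    "http://example.com/": (301, {"Location": "https://example.com/"}),
    "https://example.com/": (200, {}),
}
BAD_SITE = {
    "http://example.com/": (302, {"Location": "http://www.example.com/"}),
    "http://www.example.com/": (200, {}),
}

def run(site, start="http://example.com/"):
    return audit_force_https(start, site.__getitem__)
```
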
4 – Anti-Spam Plugins
Similar to an injection of code, hackers also leave spam comments… a lot! Many website admins don’t know this, but those spam comments often contain malicious download links in the title, person’s name, or even their email address. This happens to ecommerce businesses, but is most common on blogs. These links can install cookies or malicious files and viruses on the user’s computer. An anti-spam plugin or integration makes sure that these comments or reviews don’t make their way onto your website and pose a potential security risk for your website or your visitors.
5 – Website Backups
With your website visitors protected, it’s time to put protections in place for your website investment. That means backups! You’ll want to have copies of your website build saved and easily accessible. Website backups should be taken frequently, in multiple ways, and at regular intervals. This means having at least two different methods for backing up your website, and backing up the site whenever you publish a new article, a new product, or update the website. Though it’s impossible to completely prevent your website from being hacked (especially during COVID with cybercrime skyrocketing), you’ll want to put protections and preventative measures in place that can minimize any downtime as much as possible.
6 – Website Firewall
With the website backed up, the next best practice for website security is to put protections in place that minimize the risk of a security breach on the website. Hackers will commonly try to inject malicious code into a website. These codes typically shut down a website, redirect the website to a different URL, or even give the hacker login credentials to the backend of the website. Implementing a website firewall will prevent this malicious injection of code. Website firewalls also protect against malicious login attempts and they can even lock out a user if they’ve tried to access the admin panel of the website too many times and failed. Additionally, a website firewall can be used for manual IP blocking. Most firewalls will show you the IP address that is trying to access your website. With manual IP blocking, you can permanently ban those pesky hackers that keep trying to take over your website!
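The lockout and IP-blocking behaviour described above can be illustrated with a small log scan. This is an added example, not code from the article or from any particular firewall product; the log format, the threshold of 5 failures in 10 minutes and the documentation-range IP addresses are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_lockouts(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time of the failed login that crossed the threshold}."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    locked = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of crashing
        stamp, ip, event = parts[0], parts[1], parts[2]
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        if event == "LOGIN_OK":
            recent[ip].clear()  # design choice: a successful login resets the count
            continue
        if event != "LOGIN_FAILED" or ip in locked:
            continue
        failures = recent[ip]
        failures.append(when)
        # Drop failures that have aged out of the sliding window.
        while failures and when - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_failures:
            locked[ip] = when
    return locked

# Constructed sample log: "<ISO timestamp> <client IP> <event> <username>".
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 LOGIN_FAILED admin
2024-05-01T10:00:02 203.0.113.7 LOGIN_FAILED admin
2024-05-01T10:00:04 198.51.100.20 LOGIN_FAILED editor
2024-05-01T10:00:05 203.0.113.7 LOGIN_FAILED administrator
2024-05-01T10:00:07 198.51.100.20 LOGIN_OK editor
this line is malformed
2024-05-01T10:00:09 203.0.113.7 LOGIN_FAILED root
2024-05-01T10:00:11 203.0.113.7 LOGIN_FAILED admin
2024-05-01T10:30:00 198.51.100.20 LOGIN_FAILED editor
""".splitlines()
```

The address that guessed five usernames in eleven seconds is flagged, while the user who mistyped a password once and then logged in is not.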
7 – Two-Factor Authentication (2FA)
The final best practice for website security that is a must for all website admins is Two-Factor Authentication, or 2FA. 2FA simply means that there is an additional step to logging into the website, above and beyond just entering your username and password. While using a complex and secure password (16+ characters, numbers, symbols, etc.) is important, 2FA adds additional protection on top of that. 2FA commonly works by sending a code to you via email or text message. At NMS, we use secure passwords in combination with an authentication app, which refreshes an access code every 30 seconds. The only way to gain access to a website is to have the secure code for that specific website and to use that 2FA code before it expires in the 30-second time interval.
Knowing how to protect your website from security vulnerabilities and risks helps your website rank better on search engines, and it increases your brand’s credibility, trustworthiness, and even your perceived value. Implementing best practices for website security protects your visitors and your digital assets!
As a best practice digital marketing agency, New Moon Strategy implements all of these security measures and more for our clients. If you’re interested in a best practice website with privacy and security protections in place, contact us today!