12. Enforce strong physical server security.
Maintaining strong physical security is clearly a fundamental measure for keeping your website and its data safe. If hosting your own physical servers, ensure that proper physical access and visual surveillance is in place. If hosting through a cloud/web hosting provider, check the vendor’s website to verify that appropriate levels of physical security have been implemented in their data centers and facilities (e.g., biometric access, CCTV, motion detection).
11. Stay up-to-date with software updates and patches.
Any third party software products used to power your website—databases, web server software, content management systems (CMS)—are subject to continuous patching and updates from the vendor. Be sure to stay on top of these critical updates, especially for CMS packages like WordPress or Drupal. Unpatched software is a leading cause of outages and data breaches.
10. Use strong passwords.
You’ve surely heard it before, but it’s worth repeating: strong passwords are a critical first line of defense against unauthorized access to your website and underlying systems. Typically, a strong password:
- consists of at least 8 characters
- does not contain your username, real name, company name, a complete word.
- is different than previously used passwords
- contains both uppercase and lowercase characters, numbers, and symbols.
9. Make sure any unused website resources are removed, if possible.
Unused resources such as scripts or CMS plugins should be removed, as they could potentially be exploited by cyber attackers for gaining access to your website. Extraneous files (images, documents, text files) and databases should be removed if not in use.
8. Implement Google Webmaster Tools on your website.
Google Webmaster Tools (GWT) will alert you immediately if your website is infected with malware. Additionally, since a compromise will likely result in negative SEO, monitoring your website’s performance with GWT will alert you of any potential security issues.
7. Configure GWT to send you automatic email notifications when issues are detected.
By using GWT’s automatic notification feature, you will receive email alerts when
- your website is being attacked by malware
- your pages are not indexed
- you have server connectivity problems
- you get a manual penalty from Google
6. Use the appropriate website scanner tools to diagnose your website.
Free and low-cost tools exist for spotting vulnerabilities and security gaps in your website’s security: SUCURI, Acunetix, and Qualys, to name a few.
5. Use encryption for your web server’s files and databases.
These mechanisms ensure that data—even if stolen by cyber attackers—is rendered useless without possession of the appropriate digital key(s). Encryption should be used in critical web server files as well as databases.
4. Ensure that software version numbers and error messages are not visible by users.
Website error pages usually display sensitive information about the web server, operating system, file paths, and more by default. You should therefore configure web servers and underlying components to never reveal this data to visitors.
3. Use two-factor authentication for your website’s login(s).
Two-factor authentication (2FA) is an extra layer of security that requires not only a password and username, but also data provided from a physical object in the user’s possession. Many CMS packages like WordPress and Drupal support 2FA.
2. Disable any file upload capabilities.
Allowing users to upload files poses a significant security risk to your website. If file uploading is necessary, be sure to implement filters and controls that only accept certain file types uploads from users.
1. Implement SSL on your website.
Secure sockets layer (SSL) is not only critical for website security—Google will penalize your website and its SEO ranking for not using it. Because it encrypts all web traffic between the web browser and website, SSL prevents login credentials and other sensitive data from being usable by hijackers.
In short, the sad reality is that most websites will fall victim to cyber attacks or data breaches. The preceding 12 measures cover website security basics; as such, your efforts should not be limited to these efforts, but should entail a comprehensive security framework to include all your systems and IT data assets.