How to secure your website: 5 tips for every business website

Over the course of 20+ years as a web developer, part of my job has been to ensure that the websites I produce are easy to use, beautiful to look at and, of course, secure. 

Secure is one of those words that is thrown around a lot in conversation regarding website development. It’s important to everyone, promised with the best of intentions, but still often overlooked. 

A website that is insecure can lead to the manipulation and interception of sensitive customer information.

This is information that your customers faithfully give to your business assuming you’ve done everything necessary to protect it — and you need to make sure that you do.

I have backups and I can recover if I need to. Why should I “waste time” worrying about securing my site?

Securing a website is not just about preventing your site from being hacked. 

Although it is important to protect your investment, ensuring that your site is secure is more about protecting your customers / visitors. 

Their information security is paramount to anything else. 

Having a site that is vulnerable might mean that a hacker can inject code that makes it look like your site is requesting information from the user, but really is taking that information to phishing scams, third-party contact lists, and all sorts of nefarious practices.

A website that is secure and puts visitors at ease translates to the way they feel about your company, too.

If your site is not on the up and up regarding best practices, security, protection, etc. that might be a direct correlation to your corporate outlook or attention to detail.

There is way too much competition now-a-days and the web is your industry's first point of contact when a consumer is looking for who should enjoy their business.

How to secure your website in 5 steps

Following are the most important steps one can take towards securing a website. Some are related to architecture and some are related to infrastructure, but they’re equally important. 

If your site is missing something on either side of this, it could mean a gaping hole in your site’s security / integrity.

1. Make sure your site uses an SSL connection. 

An SSL connection is one of the easiest ways to ensure your customer’s information is secure and provide them an actual certificate that says so.

SSL (secure sockets layer) is the encryption method used when a connection is made from your web host’s server to your customer’s browser.

With it, any form submissions or any personal data collected / provided is protected from being stolen during transit. When a user clicks the submit button on your forms, the data collected in the fields is encrypted, sent, then decrypted on the either end. 

Now, an SSL certificate is the assertion, provided by a reputable, recognized third-party that your site’s ownership has been verified and that the customer can trust that the connection is secure.

It lets users know that you are indeed as secure as you claim. Otherwise, consumers wouldn’t know definitively.

2. Enforce strict strong password policies for admins

If your website uses a Content Management System (CMS) then there is typically a backend dashboard to your site where staff or site administrators can sign in and make changes to the site or perform various other functionalities.

It’s natural for users to create passwords that are going to be easy for them to remember, but ultimately, this could be a security risk for the website.

You may have heard the saying “A chain is only as strong as its weakest link.” Well, it’s the same with security. 

One cracked password for administrator could result in the hack of your site in ways that have nothing to do with denial of service and everything to do with stealing your customer’s private information.

If you ensure that your site registration process contains a strict password policy, you’ll ensure that no one user can affect the integrity and security of your website. 

3. Keep your software up-to-date

Every single day new vulnerabilities are found in existing code. This can be everything from ways to inject code to PHP systems to javascript vulnerabilities found in a specific WordPress plugin’s jQuery version.

As these vulnerabilities are made public, software providers update their codebases to ensure they’re patched and new protections are put in place and as a site administrator, you need to keep up. 

Over time, hackers prey on the sites that are moderately to severely out of date due to ease with which they can take control.

We’ve talked many times before about ensuring your website is backed up as a form of protection against catastrophic events. 

A great host-level backup process provides the ability to update software immediately with minimal testing.

If something were to go catastrophically wrong during an update, you can always roll it back to your last backup point and ask your web developer to take a look at why the update broke the site.

For software as a service companies like HubSpot, this is all taken care of for you automatically — leaving you to only have to worry about your marketing / content strategies and execution.

4. Procure a web hosting service that has security top-of-mind and forces customers to follow suit.

A great hosting service will force its websites to adopt certain security practices for everyone’s protection. 

For example, hosting companies like WPEngine, force their users to upgrade their hosting packages to the latest version of PHP within a short amount of time after release. 

They also make that super simple for their customers and even allow them to test run their sites on the new coming version before the upgrade their existing environments. 

This is done to give customers a chance to upgrade any code that is incompatible with the new version of the underlying PHP language which powers many website content management systems, including WordPress. 

A try before you buy approach, if you will, keeps compliance and adoption of these upgrades high while avoiding fully crashed websites and angry customers.  

Aside from that, if you’re on WordPress, many hosts provide automatic plugin updates which ensures that your plugins are always up-to-date and free of vulnerabilities wherever possible.

It’s always my recommendation that plugins be used sparingly when possible and that our customers only use plugins that have a large user base and are actively supported. 

These plugins normally focus on backwards compatibility among many other factors providing that security that your site won’t break every time you update their plugin.

Just like we mentioned above, closed content management systems like HubSpot take care of all the security implications for you.

You can bet they have top web security professionals putting their attention and expertise at work day after day.

5. Make sure you follow file and folder permission best practices.

Your server’s file and folder permissions control the way files are used and by whom they can be used. These are set individually on a per file and per folder basis, although there are ways to bulk update based on type.

Software is usually a collection of files and functionality that is imported into other files and functionality. 

As you can imagine, a lot of that is broken out into many different files for organization, to make it easier to update and immediately make updates available to everything else that imports or uses it.

Using the wrong file permissions could allow a hacker to access a middleware file — mentioned above — and inject their own functionality, highjack communications to and from the site, and even copy their own code into other files making the hack super difficult to eradicate.

This is not for the faint of heart. You’ll definitely want to use a professional to make sure this is all set up properly, but just asking the question might make the difference in ensuring someone takes a look at it versus having it fall through the cracks.

There are many ways to update folder permissions and different CMSs require different permissions. Usually, these can be changed either by updating them one by one within the file manager or via SSH terminal commands which can address more files at once.

Protect your customer and your reputation

A secure website provides the confidence that user’s need to conduct business with your company on the web.  Now-a-days none of what we’ve mentioned is rocket science or a brand new development

This has become the norm and what is expected of you as a content provider. 

Your customers will most certainly judge you based on your ability to provide them a secure environment where communication and/or transactions can be conducted free from the worry that their personal information is going to be stolen. 

Any break in that trust could mean a direct hit to your bottom line if your customers decide they feel better doing business with one of your competitors that has a super easy-to-use, secure and modern website.

Providing that cushion of trust is a small step to take towards garnering the trust you wish to gain or retain from your customers.