Most people think a website attack will never happen to them—until it does.
Cyber attacks are actually becoming more common, doubling in 2017 alone. The Online Trust Alliance (OTA) named 2017 “the worst year ever in data breaches and cyber-incidents around the world.” If it’s any consolation, everyone is at risk: companies like Uber, Deloitte, Equifax, Apple, and eBay are only some of the entities that faced data breaches via hacking in 2017.
At any moment, malevolent marauders could be trying to access your website or server’s data and have their way with your code and personal information. We’re not saying this to scare you—we swear! The truth is, many security breaches can be avoided if simple security steps are taken, like keeping software up-to-date and using strong passwords. That’s why we have put together a website security audit checklist.
Depending on your technical knowledge, your website setup, and the infrastructure you use, website security audits can get pretty complex. We’re going to cover the security basics with you today so that it doesn’t look like your website has a “Hack Me” banner displayed on its homepage. If you would like to take extra measures, speak to our support team about setting up additional security.
How to Perform a Website Security Audit
Follow these easy steps to keep your website safe from many unsavoury characters.
1. Keep your software, applications, and plugins up-to-date.
Make sure you are using the latest versions of operating systems, browsers, apps and WordPress plugins. When you receive a notification that an update is available, install it as soon as possible. Out-of-date versions can be compromised by hackers who have found flaws in the previous code. More information on making your WordPress site secure can be found here.
2. Remove inactive plugins.
If you are no longer using a plugin, or a plugin hasn’t been updated by its author for several months, delete it. Hackers can hijack plugins and insert malicious code. When you finally update the plugin, you will receive the new compromised version, which can create a secret entrance to your website.
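As an added example (not part of the original checklist), steps 1 and 2 can be checked from a plugin inventory. The Python code below assumes the JSON printed by WP-CLI's `wp plugin list --format=json`; the sample data, the optional last-release dates you supply yourself, and the 180-day reading of "several months" are constructed assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape printed by `wp plugin list --format=json`.
SAMPLE_WP_PLUGIN_LIST = """[
  {"name": "security-scanner", "status": "active",   "update": "none",      "version": "7.1"},
  {"name": "old-gallery",      "status": "inactive", "update": "none",      "version": "1.2"},
  {"name": "contact-form",     "status": "active",   "update": "available", "version": "4.9"},
  {"name": "seo-helper",       "status": "inactive", "update": "available", "version": "2.0"}
]"""


def audit_plugins(plugin_list_json, last_release=None, today=None, stale_days=180):
    """Sort plugins into 'update' (step 1) and 'remove' (step 2).

    last_release: optional {plugin name: date of the author's last release},
    collected by hand from each plugin's page (hypothetical input).
    stale_days: assumed cutoff for "not updated for several months".
    """
    last_release = last_release or {}
    today = today or date.today()
    findings = {"update": [], "remove": []}
    for plugin in json.loads(plugin_list_json):
        name = plugin["name"]
        released = last_release.get(name)
        abandoned = released is not None and (today - released).days > stale_days
        if plugin["status"] == "inactive" or abandoned:
            # Step 2: unused or abandoned plugins are deleted, not updated.
            findings["remove"].append(name)
        elif plugin["update"] == "available":
            # Step 1: plugins you keep must run the latest version.
            findings["update"].append(name)
    return findings


if __name__ == "__main__":
    print(audit_plugins(SAMPLE_WP_PLUGIN_LIST))
```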
3. Download a security plugin for your website.
On the topic of plugins, install one that will perform security checks for your website and will alert you if anything fishy happens. We like the WordPress plugin Wordfence Security. It sends out updates through email and alerts you when a plugin needs to be updated, or if any threats occur.
4. Use strong passwords and change them regularly.
If your password is simple, it can be easily guessed. If you struggle to create and remember different usernames and passwords (like most of us do), find a trustworthy password manager to help you. Many password keepers can randomly generate mega-passwords for you—complex passwords made up of letters, numbers, and symbols that are nearly impossible for a brute-force attack to crack.
In case you’re wondering, these are the “Top 10 Worst Passwords of 2017”:
5. Change your username.
Many people know that the default username for a WordPress website is “admin.” By leaving your username as this default, you’re eliminating one step hackers have to take to access your account. It is recommended to delete the original “admin” account that comes with WordPress and create a new account altogether.
On that note, during the WordPress installation process, there are two default URLs created to log on to your account:
Given the predictability of these, it is also wise to change them. There are different plugins that will help you achieve this, like WPS Hide Login.
6. Use Secure Shell Protocol (or SSH).
When backing up your website or grabbing files manually, transfer them over SSH rather than plain FTP (File Transfer Protocol). SSH ensures secure remote login when connecting from your computer to a server. SSH uses encryption and several layers of authentication so that no one can get hold of your files while they are being transferred over a public network. The last thing you want is someone getting hold of your login credentials when you are innocently backing up your website.
7. Add an SSL Certificate.
Add an SSL certificate to your website. That’s the ‘s’ you see at the end of ‘http’ in certain browsers, often with a lock icon and the word “Secure” to the left of it. SSL stands for Secure Sockets Layer, and the protocol encrypts the information going between your website and a user’s browser. SSL certificates have become so important that Google will even give websites a ranking boost if they have one! Depending on your business’ needs, there are free and paid options for SSL certificates. Canadian Web Hosting shared hosting customers can have AutoSSL set up, a free 3-month certification with the option for renewal. We also offer paid SSL certificates with further liability protection and coverage of affiliated subdomains. Whichever you choose, having an SSL certificate will give you and those who visit your website peace of mind!
8. Keep a backup.
Keeping a backup of your website is one of the most important things you can do as a website owner. If a hacker jeopardizes your website, you could lose everything, including years’ worth of content, images and blog posts. Having a backup will ensure that you can recover quickly and not lose all of your hard work. Just make sure you have more than the backup provided by your hosting company. Canadian Web Hosting provides weekly backups to all shared hosting customers. However, if the copy we back up is the latest hacked version, it will overwrite the previously good copy. We strongly recommend performing your own manual backups through cPanel onto your desktop or a hard drive to mitigate any unanticipated events.
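The overwrite problem described above is avoided by keeping several dated copies instead of one. The following Python code is an added example, not a Canadian Web Hosting tool: the function names, the `site-<timestamp>.tar.gz` naming and the default of eight retained copies are assumptions, and it expects a local copy of the site files (for example one downloaded through cPanel).

```python
import hashlib
import tarfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_dir, backup_dir, keep=8, now=None):
    """Write a new timestamped archive, never overwrite, prune beyond `keep`."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    # `now` should be a UTC datetime; the trailing Z labels it as such.
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"site-{stamp}.tar.gz"
    if archive.exists():
        raise FileExistsError(archive)  # an older good copy is never replaced
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    # Sidecar checksum: detects a corrupted copy, not tampering by someone
    # who can also rewrite the sidecar, so keep backups off the web server.
    Path(str(archive) + ".sha256").write_text(sha256_of(archive) + "\n")
    # Timestamps in this format sort chronologically as plain strings.
    for old in sorted(backup_dir.glob("site-*.tar.gz"))[:-keep]:
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
    return archive


def verify_backup(archive):
    """Return True if the archive still matches its recorded SHA-256."""
    expected = Path(str(archive) + ".sha256").read_text().strip()
    return sha256_of(archive) == expected
```

With weekly runs, `keep=8` leaves about two months of restore points, so a compromise that goes unnoticed for a few weeks still has a clean copy behind it.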
9. Perform a security scan.
Last but definitely not least, perform regular security scans of your website. A security scan will tell you more than meets the eye. A professional scanner can look out for malware, and if it detects any, remove it. All Canadian Web Hosting Linux shared hosting customers are protected with an automated security solution that scans websites for digital attacks. There are also WordPress security plugins that monitor websites, like Sucuri Security.
Ongoing Security Solutions
Canadian Web Hosting offers ongoing, round-the-clock solutions to protect our customers’ websites, because malware doesn’t take a day off. The following web security solutions are built into our shared servers. Read on to find out more about our security measures, or if you are a non-shared hosting customer and would like to find out more about security options available to your environment.
Why get a dedicated firewall? Unlike shared firewall devices that leave the possibility of unauthorized access by any other customer sharing the same firewall, a dedicated firewall provides protection exclusively to your server. Canadian Web Hosting firewalls filter both inbound and outbound traffic and mitigate the effects of DoS attacks.
Enhanced Threat Protection
All Canadian Web Hosting Linux shared hosting customers are protected with Imunify360’s automated security solution against digital attacks at no additional cost. We manage Imunify360’s AI-powered multi-level security to keep your websites secure and online. VPS and dedicated server customers can also add Imunify360 to access an integrated security dashboard that allows for hands-off automation of threat detection, analysis, and protection.
Canadian Web Hosting has partnered with security leaders to help our customers effectively monitor their sites for malware and potential blacklisting. Our malware removal service includes automated alerting and managed malware removal.
With our managed security plan, Canadian Web Hosting minimizes your exposure to common threats, identifies and assesses your system and application vulnerabilities, and provides 24/7 monitoring, management, and response – usually at 60% less cost than it would take for you to effectively do it yourself.
Managed Web Application Firewall
Canadian Web Hosting offers a powerful web application firewall (WAF) that improves your site security, keeps your website and server up to date, and helps ensure that your reputation is protected by eliminating hackers and malicious attacks. The Managed Web Application Firewall includes cutting-edge virtual patching and server hardening mechanisms for customers who are unable to update and patch their websites, or who want help patching their site on a regular basis.
Wrapping Things Up
In conclusion, no one is immune to cyber attacks. If you have a website that is hosted on a server, then you are at risk of all sorts of nefarious web activities. Use our checklist to perform regular basic security audits of your website, which should keep out many ne'er-do-wells. If your website receives a lot of traffic or contains critical content, speak to your hosting provider about how you can take your website security to the next level.