Most people think a website attack will never happen to them—until it does.
Cyber attacks are actually becoming more and more prevalent, doubling in 2017 alone. The Online Trust Alliance (OTA) named 2017 “the worst year ever in data breaches and cyber-incidents around the world.” If it’s any consolation, everyone is at risk: companies like Uber, Deloitte, Equifax, Apple, and eBay are only some of the entities that faced data breaches via hacking in 2017.
At any moment, malevolent marauders could be trying to access your website or server’s data. We’re not saying this to scare you—we swear. The truth is, many security breaches can be avoided if simple security steps are taken, like keeping software up-to-date and using strong passwords. That’s why we have put together a website security checklist.
Depending on your technical knowledge, your website setup, and the infrastructure you use, website security can get pretty complex. We’re going to cover the security basics with you today so that it doesn’t look like your website has a “Hack Me” banner displayed on its homepage. If you would like to take extra measures, speak to our support team about setting up additional security.
Website Security Checklist
Follow these steps to keep your website safe from many unsavoury characters.
1. Keep your software, applications, and plugins up-to-date.
Make sure you are using the latest versions of operating systems, browsers, apps, and WordPress plugins. When you receive a notification of an update being available, make the update as soon as possible. Out-of-date versions can be compromised by hackers who have found flaws in the previous code. More information on making your WordPress site secure can be found here.
2. Remove inactive plugins.
If you are no longer using a plugin, or a plugin hasn’t been updated by its author for several months, delete it. Hackers can hijack plugins and insert malicious code. When you finally update the plugin, you will receive the new compromised version, which can create a secret entrance to your website.
3. Download a security plugin for your website.
On the topic of plugins, install one that will perform security checks for your website and will alert you if anything fishy happens. We like the WordPress plugin Wordfence Security. It sends out updates through email and alerts you when a plugin needs to be updated, or if any threats occur.
4. Use strong passwords and change them regularly.
If your password is simple, it can be simply found out. If you struggle to create and remember different usernames and passwords (like most of us do), find a trustworthy password manager to help you. Many password keepers can randomly generate mega-passwords for you—complex passwords made up of letters, numbers, and symbols that are near impossible for a brute force attack to crack.
In case you’re wondering, these are the “Top 10 Worst Passwords of 2017”:
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- letmein
- 1234567
- football
- iloveyou
5. Change your username.
Many people know that the default username for a WordPress website is “admin.” By leaving your username as this default, you’re eliminating one step hackers have to take to access your account. It is recommended to delete the original “admin” account that comes with WordPress and create a new account altogether.
On that note, during the WordPress installation process, there are two default URLs created to log on to your account:
- wp-admin.php
- wp-login.php
Given the predictability of these, it is also wise to change them. There are different plugins that will help you achieve this, like WPS Hide Login.
6. Use Secure Shell Protocol (or SSH).
When backing up your website or grabbing files manually using FTP (or File Transfer Protocol), use SSH. SSH ensures secure remote login when connecting from your computer to a server. SSH uses encryption and several layers of authentication so that no one can get hold of your files while they are being transferred over public networks. The last thing you want is someone getting hold of your login credentials when you are innocently backing up your website.
7. Add an SSL certificate.
Add an SSL certificate to your website. That’s the ‘s’ you see at the end of ‘http’ in certain browsers, often with a lock icon and the word “Secure” to the left of it. SSL stands for Secure Sockets Layer and the protocol encrypts the information going between your website and a user’s browser. SSL Certificates have become so important that Google will even give websites a ranking boost if they have one! Depending on your business’ needs, there are free and paid options of SSL certificates. Canadian Web Hosting shared hosting customers can have Let’s Encrypt set up, a free certification with the option for renewal. We also offer paid SSL certificates with further liability protection and coverage of affiliated subdomains. Whichever you choose, having an SSL certificate will give you and those who visit your website peace of mind!
8. Keep a backup.
Keeping a backup of your website is one of the most important things you can do as a website owner. If a hacker jeopardizes your website, you could lose everything, including years’ worth of content, images and blog posts. Having a backup will ensure that you can recover quickly and not lose all of your hard work. Just make sure you have more than the backup provided by your hosting company. Canadian Web Hosting provides weekly backups to all shared hosting customers. However, if the copy we back up is the latest hacked version, it will overwrite the previously good copy. We strongly recommend performing your own manual backups through cPanel onto your desktop or a hard drive to mitigate any unanticipated events.
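One way to keep your own backup generations so that a compromised latest copy never replaces the last good one, as an added example (not Canadian Web Hosting's code). The function names, the `vault` directory and `manifest.json` are hypothetical, and `archive` is assumed to be a backup file you have already downloaded, for instance through cPanel.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import time
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large archives fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def store_generation(archive: Path, vault: Path, keep: int = 8, now=None) -> Path:
    """Copy `archive` into `vault` under a UTC-timestamped name.

    Existing generations are never overwritten; only the oldest ones
    beyond `keep` are pruned. `now` (epoch seconds) defaults to the clock.
    """
    if keep < 1:
        raise ValueError("keep must be at least 1")
    vault.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    dest = vault / f"{stamp}-{archive.name}"
    if dest.exists():
        raise FileExistsError(f"refusing to overwrite {dest}")
    shutil.copy2(archive, dest)

    manifest = vault / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else {}
    entries[dest.name] = sha256_of(dest)
    # Names start with the timestamp, so sorted order is oldest first.
    for old in sorted(entries)[:-keep]:
        (vault / old).unlink(missing_ok=True)
        del entries[old]
    manifest.write_text(json.dumps(entries, indent=2))
    return dest

def verify_vault(vault: Path) -> list[str]:
    """Return generations that are missing or no longer match their hash."""
    entries = json.loads((vault / "manifest.json").read_text())
    return [name for name, digest in sorted(entries.items())
            if not (vault / name).exists() or sha256_of(vault / name) != digest]
```

Run `verify_vault` before restoring, and keep the vault on storage the web server cannot write to.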
9. Perform a security scan.
Last but definitely not least, perform regular security scans of your website. A security scan will tell you more than meets the eye. A professional scanner can look out for malware, and if it detects any, remove it. All Canadian Web Hosting Linux shared hosting customers are protected with an automated security solution that scans websites for digital attacks. There are also WordPress security plugins that monitor websites, like Sucuri Security.
Ongoing Security Solutions
Canadian Web Hosting offers ongoing, round-the-clock solutions to protect our customers’ websites, because malware doesn’t take a day off. The following web security solutions are built into our shared servers. Read on to find out more about our security measures, or if you are a non-shared hosting customer and would like to find out more about security options available to your environment.
Firewalls
Why get a dedicated firewall? Unlike shared firewall devices that leave the possibility of unauthorized access by any other customer sharing the same firewall, a dedicated firewall provides protection exclusively to your server. Canadian Web Hosting firewalls filter both inbound and outbound traffic and mitigate the effects of DoS attacks.
Enhanced Threat Protection
All Canadian Web Hosting Linux shared hosting customers are protected with Imunify360’s automated security solution against digital attacks at no additional cost. We manage Imunify360’s AI-powered multi-level security to keep your websites secure and online. VPS and dedicated server customers can also add Imunify360 to access an integrated security dashboard that allows for hands-off automation of threat detection, analysis, and protection.
Malware Scanning
Canadian Web Hosting has partnered with security leaders to help our customers effectively monitor their sites for malware and potential blacklisting. Our malware removal service includes automated alerting and managed malware removal.
Managed Security
With our managed security plan, Canadian Web Hosting minimizes your exposure to common threats, identifies and assesses your system and application vulnerabilities, and provides 24/7 monitoring, management, and response – usually at 60% less cost than it would take for you to effectively do it yourself.
Managed Web Application Firewall
Canadian Web Hosting offers a powerful web application firewall (WAF) that improves your site security, keeps your website and server up to date, and helps ensure that your reputation is protected by eliminating hackers and malicious attacks. The Managed Web Application Firewall includes cutting-edge virtual patching and server hardening mechanisms for customers who are unable to update and patch their websites, or want to get help patching their site on a regular basis.
Wrapping Things Up
In conclusion, no one is immune to cyber attacks. If you have a website that is hosted on a server, then you are at risk from all sorts of nefarious web activities. Use our checklist to perform regular basic security audits of your website, which should keep out many no-good-doers. If your website receives a lot of traffic or contains critical content, speak to your hosting provider about how you can take your website security to the next level.
Photo by Liam Tucker on Unsplash
Which is the place Norton App Lock comes in.
The Norton app is a mobile app that physically protects the data of apps downloaded on your phone. This is handy to have, but we’re talking primarily about website security in this blog post.
Let us know if you have any other questions!