The Beginner’s Guide to Website Security

Disclosure: Our content is reader-supported, which means we earn commissions from links on Crazy Egg. Commissions do not affect our editorial evaluations or opinions.

Disclosure: This content is reader-supported, which means if you click on some of our links that we may earn a commission.

Many small businesses erroneously assume that only large websites and companies are the main targets of online security threats. In truth, up to 43% of cybercrimes target small businesses. Cybersecurity is a constant concern for anyone with an online presence, from bloggers making a couple of thousand dollars a month to large corporations and multinationals raking in hundreds of millions. The good news is that you can do a lot to safeguard your website from malicious attacks by hackers.  

Why Boosting Your Website Security Is So Important

If you haven’t been staying on top of your website security, consider that there are at least 30,000 websites hacked each day. Cybersecurity threats are continually developing and advancing. Your lackluster security leaves your website vulnerable to worms, viruses, Trojans, and a host of other malicious software (malware). Malware can easily damage your physical assets (think computers and servers), sometimes causing irreversible damage to your expensive machines and devices.

Worse still, an insecure site exposes your customers to a host of online security threats. Hackers often use malware to steal your customer’s data, identities, payment information, and other sensitive data. Also, hackers can redirect your customers to a dummy website where their sensitive data is ripe for exploitation. If you take a customer-first approach to business, website security should be a top priority.

There is still a lot we don’t know about how search engine algorithms work. But we do know that Google and other search engines take website security into account when ranking search results. Google will even display a warning to your visitors if it suspects your site is compromised. If you’re unlucky enough to be blacklisted by Google (for security reasons), your site loses 95% of its organic traffic. Getting blacklisted from search engines is an almost guaranteed kiss of death for your business.

Finally, you’ll have to take down your site for cleanup in case of a security breach. You’ll be missing out on crucial sales for the time it takes to clean up your site. The process is also expensive. Besides cleaning out the malware, experts have to comb every nook and cranny of your site to ensure it’s safe again. If Google blacklisted you, you’d have to jump numerous loops to get your site back online.  You could avoid all this trouble by merely taking preemptive measures to secure your site in the first place.

A case for boosting your website security

Take the case of the infamous 2013 Target cyberattack on the biggest shopping day in the US, Black Friday. This attack saw:

  • 41 million customer’s credit card information stolen
  • An approximate 46% drop in profit
  • Cost banks and credit unions more than $200 million in disputed charges and replaced cards
  • Target lost approximately $300 million in the attack
  • Target settled for $18.5 with customers following a multi-state lawsuit

After the dust settled, it turned out that Target wasn’t even the primary target of the attack. Cybersecurity experts revealed that a relatively small HVAC company doing business with Target was the victim of an email phishing campaign on its employees. Once the malware (named Citadel) was securely in place in the company’s computers, the attackers could grab login credentials to Target’s vendor portal. The attack details get sketchy after this point, but the vendor was undoubtedly the entry point into Target’s servers.

A refrigeration contractor unwittingly opened the doorway to one of the largest data breaches to ever hit a U.S. retailer.

The massive attack aside (the attackers stole 11 gigabytes of data), security firm Aorato declared the damage would have been significantly worse if it wasn’t for Target’s robust Payment Card Industry (PCI) compliance program.

The take-home here is two-fold. Even in the event of a cyber attack, website security can help tone down the scale of the damage. Also, website security isn’t just about protecting yourself and your customers. You are also protecting other businesses that you work with. The same goes for giving vendors and contractors with lax web security access to your website. Their non-compliance could very well cost you your business.

Quick Tips to Improve Your Website Security Today

Before we get to the practical steps you can take to protect your website, it’s useful to remember that your web host is the first line of defense against online attackers. All the security measures in the world won’t help you if your web host is vulnerable to attack. A good web host can complement your website security, making your website virtually impregnable.

Additionally, a good web host will take care of most of the security measures we’ll go through in this post for you, saving you the trouble of doing everything manually. For this, we recommend SiteGround. SiteGround offers among the most robust website security you could hope to get from a web host, including:

  • Free SSL certificate
  • Server monitoring every 0.5 seconds
  • Anti-hack systems & help
  • Spam protection
  • Automated daily backup
  • Proactive updates and patches
  • AI anti-bot system
  • Hack Alert (an early warning system from GlobalSign)
  • Two-factor authentication

SiteGround prides itself in its security-first approach. The host backs up its claims by writing hundreds of new Web Application Firewall (WAF) rules every year. All servers on SiteGround use the latest PHP 7 version, complete with the latest security features.

All plans, including the cheapest option of the StartUp Plan for $3.49 per month, come with all the security features mentioned above.

It may be worth evaluating your web host’s security measures and migrate to a new host if necessary. Most web hosts offer free migration with little to no website downtime. If you need help finding a good web host, check out our Best Web Hosting Services post, where we narrow it down to the top eight web hosts on the market today.

Once you’re set up with a secure web host, you can take other quick security measures to secure your website.

Strengthen Your Passwords

According to a 2019 study, 80% of that year’s data breaches resulted from compromised passwords. The quickest way to secure your website is to prioritize identity and access management, starting with strengthening your passwords.

Don’t be like the more than 2.5 million internet users that set 123456 as their password in 2020.  

A few tips to strengthen your passwords include:

  • Do not reuse your password across multiple accounts
  • Avoid using personal details like your name, date of birth, or phone number
  • Use at least nine to 12 characters
  • Use a mix of symbols, numbers, uppercase and lowercase letters
  • Change your passwords at least once every 90 days

Memorizing complex passwords for multiple accounts isn’t going to be easy. Consider using a trusted password manager to store your passwords. These tools store your passwords in an encrypted vault, and many come with an auto-fill feature to quickly log into your accounts. You may also consider using a password generator to help you create strong passwords if you lack the inspiration.  

Similarly, ensure that everyone who has access to your website, including employees, vendors, and contractors, sets strong passwords and updates their passwords regularly.

Install a Web Application Firewall (WAF)

Most cyber-attacks happen via website applications. Web Application Firewall (WAF) secures the space between your website server (and website applications) and data connection (the internet). This firewall inspects all incoming HTTP traffic to your website and blocks any malicious malware and hacking threats before they reach your server.

The WAF works in one of two ways:

Negative Security Model, which is based on a blocklist. This model blocks pre-defined in-coming traffic and known threats. You can think of this operation as a bouncer at a club denying access to certain people such as those who are too drunk, underage, or don’t meet the club’s dress code.

Positive Security Model is based on an allowlist, only admitting pre-approved traffic. Using the same club bouncer example, you can think of this model as a bouncer at an exclusive party. The bouncer only admits people who are on the guest list.

Most modern WAFs use a hybrid of both models to optimize server protection. Additionally, WAF protects your website from the most common cyber threats, including:

Cross-site forgery (CSRF) – which allows an attacker to make other web users unwittingly perform actions that they don’t intend to, such as changing a password.  

SQL injection – where an attacker injects malicious code to retrieve sensitive content from the SQL database, including intellectual property, trade secrets, customer information, and personal data. It is the most common threat to web applications.

Cross-site-scripting (XSS) – an attacker injects malicious script into your website, causing the website to return malicious JavaScript to users. The attacker can then access the victim’s sensitive information in their browser, including session tokens and cookies.

Most WAF is cloud-based, allowing you to install protection quickly and affordably.

Secure Your URL (HTTPS and TLS/SSL)

For an ecommerce site or one where you gather customer’s private data, securing your URL should be a top priority.

Hypertext Transfer Protocol Secure (HTTPS) is a communication protocol that helps secure data transfers between your website and website users. HTTPS uses SSL or TLS protocol to secure your website in these three primary ways:

Encryption – the security protocol encrypts the data exchanged between your website and its visitors. This data is rendered useless in case of any security breach since the attacker cannot decipher the data.

Authentication – the protocol ensures that your visitors communicate with the website they intend to visit (your website). Hackers often redirect traffic destined for your website to other websites where they can perform malicious attacks or siphon sensitive data. HTTPS prevents this from happening.

Data Integrity – the security protocol ensures that hackers cannot corrupt, modify, or otherwise interfere with data during transfer.

Using HTTPS in your URL indicates to visitors that the communication between their browser and your server is secure. HTTPS protocol can also boost your SEO ranking.

Most web hosts offer free SSL/TLS certificates with your subscription. We recommend purchasing the certificates from your web host if you can’t get one for free.

Change Your CMS Default Settings

Most cyber-attacks occur from bots and are automated. Hackers use this method because it’s quick and allows them to cast a wide net. There are potentially millions of bots scouring the web looking for vulnerabilities. These bots also specifically target default CMS settings which are relatively easy to attack.

Change the default settings as soon as you sign up with your content management system. This may include altering file permissions, user visibility, and controlling comments.  

For example, changing your file permissions defines what users can do with a file. These actions may include viewing the file’s contents, running the program file, or changing the file contents.

The point is to make your website less attractive to bots, and changing your CMS default settings is a perfect way to achieve that.

Update Your Software and Plugins

Updating your software and plugins ensures that you get the most recent security enhancements and vulnerability repairs available. Hackers and bots target outdated software which they have already figured out how to crack. Ensure that you are always running the most recent software, themes, scripts, and plugins. Most CMS allows for automatic updates, which makes the task easier.

Long-Term Strategies For Improving Your Website Security

While there are some things you can do immediately to secure your website, other strategies take a little longer to implement. Remember that website security is an ongoing process. Here are a few ways to protect your website from cyber-attacks in the long-term.

Use Security Plugins

When combined with a web host who takes security seriously, plugins are potent tools for protecting your website and users from hackers.

Be sure to read the plugin reviews before installing them on your website. Also, make sure that you are getting the most recent version of the plugin. Some of the more popular web security plugins include WPScan, Sucuri, and BulletProof Security.

Perform Regular Website Security Checks

The best way to stay on top of web security long-term is to check for website and server vulnerabilities regularly. Penetration testers (or pen testers) simulate internal and external cyber-attacks to point out security loopholes in your website and server.

Vulnerability testers are mostly free, nonintrusive, and an excellent first step for checking your website for flaws. These tools send traffic, specific requests, and queries to your website to check for vulnerabilities. Use a vulnerability tester at least once every quarter. Most of these testers can also be automated.

However, you want to either hire a cybersecurity expert or use paid premium penetration testers for the best protection. Perform these tests annually.

Pen testers can detect common security gaps, including software bugs, configuration errors, and web design flaws.

Many web hosts integrate security checks into their server monitoring. For example, SiteGround monitors server activity every five minutes, including checking for common hacking symptoms such as abnormal resource usage, spam activity, spam attempts, and server irregularities. Even with your web host’s support, you still want to take proactive measures to identify possible security flaws before attackers exploit them.

Backup Your Data

In a worst-case scenario, you want to get back up and running as soon as possible. A malicious attack can take down your entire website, leaving you to start from scratch. Daily backups ensure that you can retrieve your website quickly in case of an attack.

Most web hosts offer daily backups. They also give you the option to back up specific sections of your site. Either way, it’s a good idea to backup your files yourself. There are plenty of plugins and extensions that do this automatically. Ideally, you should have a physical backup of your website in an off-site location such as a home hard drive or computer. Don’t be afraid of redundancy when backing up your website. As the saying goes, backup your backup.

Manage Access To Your Website

If you have employees or other third parties accessing your website, you may want to consider limiting permissions. First, make sure that you know each user and assign them appropriate permissions relevant to their role.

Similarly, avoid shared accounts on your website. You must know what everyone is doing on your website. A malicious user (such as a disgruntled employee) can inject malicious code or lockout other users. Employees may also unwittingly install insecure third-party plugins that leave your website vulnerable to attacks.

If you need to escalate privileges, be sure to reduce these privileges as soon as they complete their tasks. It also helps if you can offer a short course on website security. Small personal measures like updating software, identifying phishing scams, and setting strong passwords can go a long way to preventing attacks targeted at your employees. Also, maintain a physical record of everyone with access to your website. This makes it easy to track access, mainly when employees leave your company.

Consider VPN Hosting

Your website may be secure, but other vulnerable websites on a shared server pose an imminent danger for your website. Hackers can access the server via a vulnerable website and get them free reign of all the websites on the shared server, including yours. Shared servers are inherently weak in this way. Virtual Private Networks (VPN) allocates your website to a private server. This makes it easier to manage your website security.

However, VPN hosting can be expensive, especially if you are running a small to medium website.  VPN hosting may also offer more resources than you need, causing you to overpay for the service.

Another reason we recommend SiteGround is its unique take on shared hosting. The host isolates all accounts on the server using an in-house product known as Hive. This setup means that an account that is compromised does not affect other accounts on the server. This option is an excellent alternative to the more expensive VPN hosting option.

Make your website better. Instantly.

Over 300,000 websites use Crazy Egg to improve what's working, fix what isn't and test new ideas.

Free 30-day Trial