7 Steps To Building A Secure Website From The Start
Cloudbric wrote an important blog post about website security titled “6 Steps to Creating a Secure Website.” Here to bring you a refresher on the subject is a guest blog from one of our contributors.
While it’s a given in this day and age that every business needs a website and social media presence, it’s less clear just how much companies should care about cybersecurity.
Here’s the answer: They should be just as concerned about securing their website as they are the doors of their brick-and-mortar location, office, or home.
Small business owners are especially vulnerable, given a general lack of diligence in this arena. According to a Verizon Data Breach Report, 61% of security breaches happen at companies with fewer than 1,000 employees. And the majority of businesses that get hacked are out of business within six months, due to the financial strain.
While some industries are more vulnerable than others (manufacturers seem to be frequent targets, thanks to their supply chains, which typically involve many third parties), most experts agree that the majority of attacks are against companies that don’t take simple preventative measures.
It all starts with a good foundation. Here’s how you build a secure website from the very beginning, since prevention is more effective than a “cure.”
1. Choose a safe, reputable CMS
There are lots of different routes you can go when building your own website, from using a website builder to coding from scratch or hiring a professional.
If you go it alone, be sure to use a reputable CMS (content management system) like WordPress or Drupal, or a well-known website builder like Weebly. The extra few bucks that these sites ask of you will be worth the investment, as they’re likely to have fewer security loopholes to exploit and more frequent security updates.
2. Pick a web host with security features
Your CMS is the platform you use to build your site, and your web host is where your site lives on the internet. Popular web hosts for small businesses include Bluehost, GoDaddy, HostGator, and DreamHost, but you’ll have many options to choose from.
When you do make your choice, make sure the host offers security features that are crucial to keeping your information and customer data safe. Important and necessary features include:
- DDoS Protection: A distributed denial-of-service attack can cause your website resources to appear unavailable or take so long to load that your users will flock away. Proper protection will help prevent your essential tools for daily operation from going offline.
- Web application firewall: A WAF filters, monitors, and blocks HTTP traffic to and from a web app, preventing attacks stemming from security flaws, including SQL injection, cross-site scripting, and security misconfigurations.
- Two-factor authentication (2FA) for login: When it comes to your business, don’t rely on a single password—use two-factor authentication (a password and another method such as a token from the user’s phone) to log in and view sensitive data.
3. Ensure you’re paid up for your security subscriptions
Buying security measures like SSL certificates typically requires a subscription, such as for one year or five years. You may not want to invest in five-year coverage for a new website and business, but make sure you know exactly how long you’re covered for so you don’t leave your site unprotected for a moment.
Any other security patches and third-party providers should also be kept up-to-date and paid-in-full. Some SSL services automatically renew certificates for free.
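Knowing "exactly how long you're covered for" is something you can check rather than remember. The script below is an added example (not from the original post or any certificate vendor): it reads the notAfter date from the certificate dict that Python's ssl module returns and classifies it against a renewal threshold. The 30-day warning threshold and the hostname in the main guard are assumptions; the certificate dicts in the test are constructed, not captured from a live site.

```python
import socket
import ssl
from typing import Optional

SECONDS_PER_DAY = 86400


def parse_cert_time(cert_time: str) -> float:
    """Turn the notAfter/notBefore string format ("Jun  1 12:00:00 2030 GMT") into epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def days_remaining(cert: dict, now: Optional[float] = None) -> float:
    """Days until the certificate expires; negative means it has already expired.
    `cert` uses the dict shape returned by ssl.SSLSocket.getpeercert()."""
    import time
    if now is None:
        now = time.time()
    return (parse_cert_time(cert["notAfter"]) - now) / SECONDS_PER_DAY


def renewal_status(cert: dict, warn_days: int = 30, now: Optional[float] = None) -> str:
    """'expired', 'renew-soon' (within warn_days) or 'ok'. warn_days=30 is an assumed policy."""
    days = days_remaining(cert, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "renew-soon"
    return "ok"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: full TLS handshake with certificate validation, returning the leaf cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default host
    cert = fetch_peer_cert(host)
    print(f"{host}: {renewal_status(cert)} ({days_remaining(cert):.1f} days left)")
```

Run it from cron against every hostname you serve and alert on anything other than "ok"; a certificate that is already expired is also caught by the validating handshake in fetch_peer_cert, which raises before the status is computed.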
4. Ensure secure connections to your site
Sites with an SSL certificate can be accessed with addresses that start with HTTPS rather than just the classic HTTP. You’ll want people to reach the secure (HTTPS) version of your pages, especially any page with a form, never the insecure HTTP version.
To that end, you can use HSTS (HTTP Strict Transport Security) to force browsers to use the secure version of your website. You can also configure your site so that insecure pages are redirected to their secure counterparts.
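Both measures in this step are easy to verify from the outside. Below is an added example (not from the original post): it parses the Strict-Transport-Security header, checks that a plain-HTTP request is answered with a redirect to the same host over HTTPS, and wraps both checks in a live audit function. The one-year minimum max-age is an assumed policy, and the request/response pairs in the test are constructed rather than captured.

```python
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # assumed minimum max-age policy, in seconds


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (servers and libraries differ in casing)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse 'max-age=N; includeSubDomains; preload'. None if absent or max-age is invalid."""
    if not header:
        return None
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                out["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max_age"] is not None else None


def check_redirect(request_url: str, status: int, headers: Dict[str, str]) -> Tuple[bool, str]:
    """A plain-http request must be redirected to https on the same host."""
    if status not in (301, 302, 307, 308):
        return False, f"expected a redirect, got HTTP {status}"
    location = _header(headers, "Location")
    if not location:
        return False, "redirect without a Location header"
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        return False, f"redirect target is not https: {location}"
    if dst.hostname != src.hostname:
        return False, f"redirect leaves the site: {dst.hostname}"
    return True, "ok"


def check_hsts(headers: Dict[str, str], min_age: int = ONE_YEAR) -> Tuple[bool, str]:
    """The https response must carry an HSTS header whose max-age meets the policy."""
    hsts = parse_hsts(_header(headers, "Strict-Transport-Security"))
    if hsts is None:
        return False, "no valid Strict-Transport-Security header"
    if hsts["max_age"] < min_age:
        return False, f"max-age {hsts['max_age']} is below {min_age}"
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect the first response."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def audit(host: str, timeout: float = 5.0) -> Dict[str, Tuple[bool, str]]:
    """Live audit of one hostname: http->https redirect, then HSTS on the https response."""
    http_url = f"http://{host}/"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(http_url, timeout=timeout) as resp:
            status, hdrs = resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # urllib raises on 3xx once redirects are disabled
        status, hdrs = err.code, dict(err.headers)
    results = {"redirect": check_redirect(http_url, status, hdrs)}
    with urllib.request.urlopen(f"https://{host}/", timeout=timeout) as resp:
        results["hsts"] = check_hsts(dict(resp.headers))
    return results


if __name__ == "__main__":
    import sys
    for name, (ok, why) in audit(sys.argv[1] if len(sys.argv) > 1 else "example.com").items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({why})")
```

Note that HSTS only helps after a browser has seen the header once over HTTPS, which is why the redirect check matters as well: the very first visit still arrives over HTTP.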
5. Avoid excessive plugins and add-ons
CMS platforms like WordPress love to offer you fun, attractive, and helpful plugins to enhance your site’s usability and aesthetics. Typically these add-ons are safe and screened by the platforms themselves.
But every third-party app or add-on you install on your site is another possible avenue for invaders to access your site. Keep unnecessary services to a minimum and stick to providing the best possible service with the fewest risks to your customers and users.
6. Partner with secure payment platforms such as PayPal
If you’re still feeling insecure about taking people’s private data and credit card information, you can use a secure website payment processing system like PayPal to handle purchases, if that’s something your site offers.
7. Educate your users on best practices early on
So much of what dooms websites to cyberattacks is human error. Make sure that other people who have access to your site’s backend, most notably other employees, are well-versed in best security practices from the jump.
Additionally, make it a habit to conduct frequent reviews of changes to servers and web traffic to ensure no one has made unapproved changes that could leave your site vulnerable.
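Reviewing "changes to servers" can be automated with a simple file-integrity baseline. The following is an added example, not code from the original post: it hashes every file under a web root, stores the result as a baseline, and reports files that were added, removed or modified since. The web root, file names and the "unapproved edit" in the demo are all constructed inside a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large uploads don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX style) to its SHA-256."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            result[path.relative_to(root).as_posix()] = hash_file(path)
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def save_snapshot(snap: Dict[str, str], path: Path) -> None:
    """Store the baseline somewhere the web server account cannot write to."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_snapshot(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny web root, then make two unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Shop</h1>\n")
        (root / "includes").mkdir()
        (root / "includes" / "config.php").write_text("<?php $db_host = 'db.internal'; ?>\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_snapshot(snapshot(root), baseline_file)
        baseline_file.unlink()  # keep the baseline out of the tree we re-scan
        baseline = snapshot(root)

        # Unapproved changes: an edited config and an unexpected new file.
        (root / "includes" / "config.php").write_text("<?php $db_host = 'elsewhere'; ?>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the scan on a schedule, compare against a baseline taken right after each approved deployment, and treat anything in "added" or "modified" that no deployment explains as an incident to investigate.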
The bottom line
Whether your business website is set up to sell your inventory directly to the public, or is more like a digital business card that directs people to your brick-and-mortar location, you should always be concerned with website security.
By following the above steps and staying informed on the latest trends and news in cybersecurity, you’ll be in a much better position to protect your data and your customers’ data than you would be by trying to save a few bucks and ignoring the risks.