The ultimate security checklist for your website.
Securing your website seems difficult, but if you go through this checklist and actually apply it, the security of your website should be completely in order.
How to protect my website?
Good security of your website not only ensures that your website will not be hacked, but also protects the safety of your visitors. Fortunately, more and more website owners take the security of their website seriously. This has been happening since there’s stricter legislation (the obligation to report data leaks) and since Google started penalizing non-secure websites and sites with malware.
What should we protect ourselves against?
- Hackers who seek sensitive information about our visitors. This is one of the biggest threats. Fortunately, there have been legal changes in recent years: new laws oblige companies and organizations to report a data breach, and after a series of large data breaches in which data were stolen, fines have been issued where security was not in order.
- Hackers who are out to take over your website. In this case you usually don’t notice the hack; your website is quietly used, for example, in a D.D.o.S. attack. In general, these hacks make use of known weaknesses in your content management system (C.M.S.) or in the plugins of your C.M.S.
- Spam bots that misuse forms or comments to post spam links. This problem is often underestimated, but the links that are placed often go to websites that have phishing or malware active. If you leave these links on your website, you actually facilitate the installation of malicious software among your visitors.
This checklist is intended for anyone who manages a website. From the website of the local sports club to the website of a multinational.
We all deal with hackers and spam bots and we must show responsibility when it comes to the data of our visitors and our sites.
You do not need to have programming knowledge or web development knowledge to get the security of your site in order. However, for many of the checklist items it is useful if you know how to back up your site and how to install a plugin or module.
Can’t do this yourself, but are you responsible for the site? Then go through this list with the person who built or maintains your site.
This checklist is not aimed at developers or engineers who are responsible for the security of the code of a website and its servers. Okay, let’s start.
Keep your C.M.S. and all plugins, modules and themes up to date.
Especially with an open source C.M.S., it is important that your C.M.S. and its plugins are up to date. Open source offers a lot of advantages, but one of the disadvantages is that outdated software is likely to contain known vulnerabilities that hackers can use, for example, to take over your website.
Do not make changes to the core of your C.M.S.
Or instruct your web designer not to do this. By making (or having made) adjustments to the software of your C.M.S., you can tailor the C.M.S. to your own liking, but the disadvantage is that you can then sometimes only partially apply security updates, or not at all. Your website becomes outdated and the chances are that you will be hacked.
Limit the number of plugins and modules.
A chain is as strong as its weakest link. By using many plugins or modules you add extra risk: only one of these plug-ins or modules needs to contain a vulnerability for your website to be hacked. Therefore, use modules and plugins in moderation.
Remove plugins and modules that you no longer use.
You may have installed certain modules or plug-ins while building your website that are no longer used. Unused does not mean that the code is no longer reachable by hackers. This applies to plug-ins and modules of your C.M.S., but also to other software, for example an old version of the website that is still on the server. Old versions are often accessible to hackers and are usually no longer maintained. For WordPress and Drupal there are plugins and modules that can tell you exactly which plugins or modules are no longer used and can therefore be removed.
Use HTTPS (S.S.L. certificate).
This is the lock that you see with secure websites, to the left of the website address. It means that traffic between browser and server is encrypted. Fortunately, this is now standard security, partly because government organizations are obliged to use HTTPS and also because Google places websites without an S.S.L. certificate lower in the search results.
Install anti-spam tools.
You can combat spammers in various ways within your website. The best known are captchas, where the visitor is shown a picture of letters and numbers and has to type in what is displayed. But there are also many other, more user-friendly methods. You could, for example, add an input field that is invisible to your visitors but that spam bots fill in anyway. This way you can separate visitors from bots. Several modules for Drupal work this way. Another way is to check that the person who comments or fills out a form on your website is not on a spam blacklist. Project Honeypot is an example of an initiative in which site owners keep a blacklist of spammers. Do you still get spammers on your site after using these easy-to-use anti-spam tools? Then Google reCAPTCHA is the answer.
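The invisible-field trick and the blacklist check described above, combined in the order the checklist suggests (cheap, invisible checks first, a CAPTCHA only for what still looks suspicious), as an added example. This is not code from the post, from a Drupal module or from Project Honeypot; the field name, the form markup, the in-memory blacklist and all addresses are constructed assumptions.

```python
import ipaddress

HONEYPOT_FIELD = "website_url"  # assumed field name: humans never see it, bots tend to fill it

# Constructed form markup. The trap is hidden with CSS rather than type="hidden", because
# bots commonly skip hidden inputs but fill any ordinary-looking text input (assumption).
FORM_HTML = f"""<form method="post" action="/contact">
  <label>Name <input name="name"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
  </div>
  <button>Send</button>
</form>"""

# Constructed stand-in for a shared spammer blacklist such as the one Project Honeypot keeps.
# A real site would query that list; here it is a local set of networks (documentation range).
SPAM_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def honeypot_filled(form: dict) -> bool:
    """True when the invisible field carries a value: only a bot could have filled it."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())


def on_blacklist(client_ip: str) -> bool:
    """True when the sender's address falls inside a listed spam network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True  # malformed address: treat as untrusted
    return any(addr in net for net in SPAM_NETWORKS)


def decide(form: dict, client_ip: str, captcha_passed: bool = False) -> str:
    """Layered decision: returns 'accept', 'reject' or 'challenge' (show a CAPTCHA)."""
    if honeypot_filled(form):
        return "reject"  # certain bot: drop silently so it does not learn it was caught
    if on_blacklist(client_ip):
        return "accept" if captcha_passed else "challenge"
    return "accept"


# Constructed sample submissions: (posted fields, client address)
HUMAN = ({"name": "Ann", "message": "Hi"}, "198.51.100.7")
BOT = ({"name": "x", "message": "cheap pills", HONEYPOT_FIELD: "http://spam.invalid"}, "198.51.100.8")
LISTED = ({"name": "Bob", "message": "Question"}, "203.0.113.9")

if __name__ == "__main__":
    for form, ip in (HUMAN, BOT, LISTED):
        print(ip, "->", decide(form, ip))
```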
Change the login URL of your CMS.
Content management systems such as Joomla, Drupal and WordPress have a well-known login URL such as /administrator, /user or /wp-admin. By changing this URL you stop a lot of hackers and bots that, for example, try to create fake accounts on your website. You can easily change your login or admin path with plugins and modules for WP, Drupal and Joomla.
Require users to use a strong password.
Some C.M.S. already require a password of at least 8 characters with a combination of numbers and letters. A C.M.S. that cannot enforce this out of the box can usually be extended with a plug-in or module that makes the password rules stricter.
Add two-step authentication.
Even better than a strong password is two-step authentication. In addition to the correct login details, you must then enter a code that you receive via S.M.S. or that appears in an authenticator app. Google, for example, offers such an authenticator app, and more and more services support this as extra protection. You can use such an app to better secure your website: for Drupal there are modules that add this, and for WordPress there are plugins.
Do not allow visitors to upload files.
File uploads are useful for, say, a job application form, but they do pose a security risk. Not only for the server or the C.M.S., but also for the people who have to download and open the files. In addition, it often concerns files with a lot of personal data, such as resumes, that you absolutely do not want out in the open.
Create a security buffer via Cloudflare.
Cloudflare is a service that sits between your visitor and the server of your site. As a result, it can stop unwanted visitors, secure your website with an S.S.L. certificate and even stop D.D.o.S. attacks. It’s free and also makes your website faster.
Link your website to Google Search Console.
Usually this is done from an S.E.O. perspective: within the Search Console you can, for example, see which keywords visitors use to reach your site. But the Search Console also checks your website for security issues and warns you about them.
Install a security plug-in or module within your content management system.
There are plugins and modules that only monitor and give advice. These check, for instance, for directories whose permissions leave them open to outsiders, and report this. But there are also plugins and modules that add an extra layer of protection. The advantage of these security plug-ins and modules is that they look specifically at weak spots within your C.M.S. For Drupal there are modules for this; for WordPress there are several plugins; and for Joomla there are security extensions for the same purpose.
Do a security scan or have it done.
These scans are usually limited in the sense that they do not look for weak spots within your C.M.S. In general, they look for errors in your HTML, unsafe settings on your hosting server or an incorrect configuration of your S.S.L. certificate.
Invest in a good web hosting provider.
It is of course difficult to determine whether a web hosting provider is good or not. Usually you only find out once the site has been running with the provider for a while. Price doesn’t say much and neither does the size of the company. But you can do a little research. For example, check out their tweets: if these are more about promotions and discounts than about security and innovation, then in principle you already know a lot about the company. The same goes for their website, blog and Facebook page. And then of course there are reviews you can check. You can have everything in order on your side, but if your site is with a hosting service that does not keep its servers up to date, your security efforts will be in vain.
Ask your hosting provider for help and advice.
Web hosting companies of course know all about the problems hackers and spammers cause. Some web hosting providers offer extra security services, such as security audits or tools that periodically scan your files for malware.
Keep your admin accounts limited.
We often see that admin accounts are handed out too easily and too often. These admin accounts can do everything within your C.M.S.: install plugins and modules, delete users, export your database or take the site offline. That is why it is important to be careful with this role within your content management system. Create a more limited role for users who may manage all content but, for example, cannot install modules or plug-ins. Reserve the admin role for people who really have to be able to do everything and can be trusted 100%. Keep an overview of all admin accounts, and delete the ones that are no longer used, for example because an employee no longer works on the website or has moved to another job. Also, never let users share an admin account by logging in with the same login details; create a separate account per user.
Do not store an unnecessary amount of personal data within your website.
Of course it could be useful to see who registered for that conference three years ago. But these data can also be stored outside of your website, in an Excel file or a Customer Relationship Management system. This does not prevent a hack, but if your website is hacked, it greatly limits the impact.
Make a backup plan.
With a backup plan, consider how the backups are made, how often, where they are, who can restore them and how to do that. If you cannot do this yourself, it is advisable to ask your web hosting service for advice. Don’t assume that backups are part of your hosting by default. In many cases automatic backups are not included.
Come up with an emergency plan.
This is not the same as a backup plan. A backup you can restore. But if you, as a company or organization, have been hacked and private data on your website has been stolen, you have to report this. It is therefore not a bad idea to work out a few scenarios in advance and decide who takes the lead in each case and, if costs have to be incurred, up to what maximum amount.
That was it: the ultimate security checklist for your site. At least now you know the answer to the question “how to protect my website”. As you can see, I just linked to an article written by Ruald Gerber, Toby Compton, and Tim Perry. That post presents 9 extra and essential security tips for website protection. If you have questions about one of the items in the list, or an addition to the checklist, please post it in the comment section below.