Your company’s reputation helps you attract new customers and employees to your organization.
Although reputation takes so long to build, it can be ruined very quickly.
There are many ways for a reputation to be damaged, but cybersecurity is an often-overlooked aspect of protecting your brand reputation.
Companies should consider the importance of keeping their website security up to par. Failing to do so can damage your reputation and lead to other consequences such as unexpected costs and stolen customer data.
In this article, we’ll provide you with a 17-point website security checklist so you can take the actions necessary to get your website protected.
Why You Need a Website Security Checklist
Your website is a reflection of your brand and serves various different functions for your organization. It may be used to provide information to customers, attract new employees, sell your products, and much more.
Your website should contribute to your success, rather than be a detriment to your organization.
A website security checklist will help you keep your website protected from downtime, data breaches, malicious content, data loss, and other cybersecurity threats.
Taking steps to proactively secure your site from threats can help mitigate future catastrophes. Don’t wait until an attack occurs; you should start prioritizing your security today.
To help you with the process, we’ve created a 17-point website security checklist so you can jump-start your cybersecurity.
The Complete Website Security Checklist to Keep Your Website Safe
- Implement a web application firewall (WAF)
- Run daily malware scans
- Backup your files and databases
- Review and update outdated software
- Apply hardening measures to strengthen weak points
- Log and review website activity
- Protect your login page
- Visually inspect your pages
- Check or install an SSL certificate
- Review and change weak passwords
- Review registered users and permissions
- Implement DDoS protection
- Protect against cross-site scripting (XSS)
- Protect against SQL injection
- Restrict sensitive pages with a password
- Choose a secure hosting provider
- Create an emergency response plan
1. Implement a Web Application Firewall
One of the best ways to protect your website from threats is by using a web application firewall (WAF).
A firewall monitors your incoming website traffic and filters out anything that it detects as potentially malicious. Your incoming visitors will be passed through the firewall before they access your website. This occurs on the backend and is not visible to the user.
The image below shows a geographic map of traffic that was automatically filtered using a WAF.
You can see that most legitimate traffic requests originated from the United States (the website’s target country). Traffic from Russia and India sent the highest number of potentially malicious requests.
2. Run Daily Malware Scans
It takes a typical website owner close to 200 days to notice that their site has been hacked (source).
Detection is an essential component of your website security. Malware is not easily seen by the naked eye, which drastically slows down detection and resolution times.
Automatically run malware scans every day to detect malicious files, scripts, and spam on your website.
Without detection, threats will continue to do damage to your website for an extended period of time.
3. Backup Your Files and Databases
Another core element of your website security is data protection.
A website hack could cause data loss or infected code. After patching a vulnerability that led to an infection, you’ll likely want to restore a backup of your website files and databases.
Of course, backups must be taken proactively to keep your site protected.
Take frequent backups of your website files and databases to protect your data in the event of a cyberattack. We recommend taking backups at least weekly, but daily is preferred.
These backups should be stored on an entirely separate server than your website to minimize risk.
4. Review and Update Outdated Software
Outdated software is one of the leading sources of website vulnerabilities.
Developers frequently release updates to their software to address vulnerabilities within their code. If your website is not updated with the newest versions of the software, you are exposing your company to known security risks.
Review and update any software that is currently outdated on your website, then make a plan to keep it updated moving forward.
We recommend updating your website software at least every two weeks. The frequency will vary depending on the number of software providers involved.
5. Apply Hardening Measures
Hardening is a general term used to describe anything that makes it more difficult for your website to be hacked.
Apply hardening measures to strengthen weak points in your website and reduce the likelihood of a successful attack.
This could include setting strong passwords, blocking PHP execution in untrusted folders, enabling a login captcha, and much more. The specific actions to take would be dependent on your website’s technology and configuration.
6. Log and Review Website Activity
Keeping an eye on your website activity is a great way to catch suspicious behavior that may otherwise be undetected by a malware scanner.
For example, if an unauthorized user manually gains access to an administrator account and deactivates a plugin, a malware scanner would not detect this because there is no malicious code involved. However, an activity log would detect this change:
To protect yourself against malicious user actions, implement and monitor an activity log so you can keep a close eye on your website activity.
7. Protect Your Login Page
Your login page is the target of many brute force attacks. You might be surprised with how many login attempts are made on your site each day (it could be hundreds or thousands).
There are a few different ways to make it more difficult for bots to crack your login page.
We recommend setting stronger passwords and implementing a captcha. You can also set a different administrator login page than the default.
Protecting your login page is a simple, but effective cybersecurity measure for your website.
8. Visually Inspect Your Pages
Malware scanning is very effective, but it may not detect malicious activity performed manually by a user. Or perhaps there is a way that a hacker has hidden their code from your malware scanning system.
We recommend visually inspecting your webpages to find issues that your malware scanner might have missed. You should look for:
- Suspicious links
- Malicious redirects
- Missing pages
- Spam pages
- Spam comments
A combination of manual visual inspections and automated scanning ensures that no threat is left undetected.
9. Check or Install an SSL Certificate
An SSL certificate verifies ownership of a website and encrypts website traffic to keep your visitors’ data safe.
If you do not currently have an SSL certificate, you will see a warning (example below) and your website will be preceded with “http” instead of “https”.
You should install an SSL certificate and redirect your website to HTTPS to protect data as it is sent between your visitors and website.
10. Review and Change Weak Passwords
Weak passwords are a simple, but effective way to keep hackers out of your website.
Review your administrator passwords and change them to something stronger. Encourage your team to do the same.
If your passwords are weak, a hacker is more likely to be successful during a brute force attack, where they attempt numerous username and password combinations to crack your login page.
11. Review Registered Users and Role Permissions
Most website have registered users that log in to the site to perform certain actions. This could include site administrators, editors, customers, and more.
Review your list of registered users and eliminate any suspicious users. Also, check your user roles and the permissions associated with them to ensure that your users have the appropriate level of website access.
If you don’t review your users, you could have unneeded administrator accounts or users that have more control over your site than they should.
12. Implement DDoS Protection
A DDoS attack is when a hacker disrupts your website by sending larges amount of traffic requests in a short period of time. This could crash your website or prevent users from accessing it.
To protect against these attacks, you should implement a DDoS prevention tool such as Cloudflare to control these traffic spikes.
13. Protect Against Cross-Site Scripting (XSS)
During an XSS attack, a malicious script is injected into your website to target the visitors of the site.
If your website is attacked by XSS, your visitors could have malicious code executed upon them, which could compromise their safety.
Protect your website from XSS attacks by implementing a web application firewall, hardening measures, and malware scanning.
14. Protect Against SQL Injection
An SQL injection allows an unauthorized user to add, delete or modify your databases. This could result is data loss or sensitive information exposure.
Implement a website firewall block malicious SQL injections. For more advanced defense measures, read here.
15. Restrict Sensitive Pages With a Password
Some websites contain sensitive pages that should not be accessible to the public. This could be a page containing customer information, financial metrics, etc.
Restrict any sensitive or important pages with a password or assign view permissions to a specific user roles.
16. Choose a Secure Hosting Provider
Your hosting provider is the foundation of your website security since they manage your entire website infrastructure.
Contact your current hosting provider and ask how they are taking measures to keep your site well-protected. If you don’t feel comfortable with the security of your current provider, consider switching to a new web host.
17. Create an Emergency Response Plan
Responding quickly and effectively to a website vulnerability or hack is an important element of your website security measures.
Create an emergency response plan that you will execute in the event of a website hack. Consider the following:
- What steps will be taken to identify, contain, fix, document, and learn from the incident?
- What experts do we have ready to address a website hack on short notice?
- How will we communicate a website hack or vulnerability to our employees and customers?
Jonathan is a WordPress expert with 10+ years of experience building and managing websites. He owns WPCharger, a service business that specializes in managing WordPress websites for small and midsize businesses.