How can I secure my business website?

Published on October 17, 2024

Sapientia (Spent) Thomas

So you have a website – congrats!  Even the simplest website requires basic security to ensure your data and client data remain safe when interacting with your site.  With a laundry list of acronyms, website security can be confusing.  Some web and domain hosting sites provide security certificates and services, but not all of them, so how do you know you’re protected?   Here are simple steps to securing your website that anyone can understand.

Why do I need to protect a website?  What risks are there? 

Websites can get hacked.  When a bad actor gains access to your website administration portal, they have access to everything you do: payment information, account information, client email addresses, names, addresses, and account information for third-party linked services that may support your site.  Worse, those who gain access to your website may hold it for ransom, locking you out of it altogether.  More often, criminals will gain access and remain undetected, purposefully staying under the radar to maintain access and use it at their convenience.  They may install malicious code to steal financial information you or your site visitors enter.

What is SSL?

SSL Cert:  Secure Sockets Layer Certificate

SSL certificates create an encrypted data link between your website and whatever browser a visitor is using.

 

What do I need to do?   

Pro Tip: Use a secure web hosting platform that includes some security features or offers customer support to set up security features as part of the paid plan. 

 

1. Use HTTPS and SSL Certificates

Why: HTTPS ensures that all data transferred between the user’s browser and your website is encrypted.  You get the HTTPS designation by installing an SSL certificate on your site.  SSL is a must-have if you accept client payments directly on your site.


How: Obtain an SSL certificate from a trusted provider.  Most major web hosting platforms offer this service for an extra cost.  You may be able to purchase an SSL certificate and have support set it up for your site.  
 
If your web host doesn’t provide this service, you’ll need to purchase it through a trusted source.  Here’s a brief list of SSL cert providers.  Most providers will provide instructions and support for installation after purchase.

  • Cloudflare
  • GoDaddy
  • DigiCert
  • Entrust
  • SSL Corp
  • GlobalSign
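
Once the certificate is installed, you can confirm that it covers your domain and is not close to expiring. The script below is an added example, not part of the original article; the host names and dates in `SAMPLE_CERT` are constructed, and the 30-day warning window is an assumption.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5):
    """Connect with full verification; raises ssl.SSLError on an untrusted or mismatched cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def covers(pattern, host):
    """True if a certificate name (optionally '*.example.com') covers host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard stands in for exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def review_cert(cert, host, now=None, warn_days=30):
    """Return a list of problems found in a getpeercert()-style dict."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(covers(name, host) for name in names):
        problems.append(f"certificate does not cover {host}")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expires <= now:
        problems.append(f"certificate expired on {expires:%Y-%m-%d}")
    elif (expires - now).days < warn_days:
        problems.append(f"certificate expires in {(expires - now).days} days")
    return problems

# Constructed sample in the format getpeercert() returns (not a real site).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
    "notAfter": "Jan 15 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: pass your own domain as the argument
        host = sys.argv[1]
        print(review_cert(fetch_cert(host), host) or "certificate OK")
    else:  # offline demo on the constructed sample, with a constructed "today"
        demo_now = datetime(2025, 1, 1, tzinfo=timezone.utc)
        print(review_cert(SAMPLE_CERT, "shop.example.com", demo_now))
```

Run it with your domain as the argument on a schedule, so an upcoming expiry is noticed before visitors see a browser warning.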
         

2. Use Strong, Unique Passwords and Multi-Factor Authentication (MFA)

Why: Weak passwords that contain a variation of your business name are the easiest to guess. Having easy-to-guess passwords and no backup identity verification leaves your account vulnerable.

How: Use strong, unique passwords for all user accounts, especially admin accounts.  Use a 14-18 character password, created with a unique passphrase or a password generator if needed.  Store the password securely using a password manager.  Enabling MFA adds a second layer of identity verification to the account.  You can find this setting in your admin account profile or security settings section.

3. Consider a Web Application Firewall (WAF) 

Why: A WAF filters out malicious traffic and protects your website from attacks such as cross-site scripting (XSS), SQL injection, and DDoS attacks.  The methods by which criminals gain access to websites are constantly changing, and having a WAF helps your site have the most up-to-date protection and alerting.

How: Use a cloud-based WAF service like Cloudflare or Sucuri to purchase and set up a Web Application Firewall using their support and documentation.

4. Consider Website Backups

Why: Regularly backing up your website and its data allows businesses to quickly restore sites and sales if a cybersecurity event or attack occurs. Backups prevent businesses from becoming victims of ransom and safeguard against a variety of scenarios in which business owners may lose access to their website and client data.

How:  Backup services can be purchased through platforms like Sucuri and SiteLock, which provide easy click-and-go solutions.  You can also manually back up your website data by following these instructions from Web.com:  https://www.web.com/blog/how-to-backup-a-website/
 

Implementing these practices helps reduce the risk of cyber-attacks and data breaches, ensuring your business website remains secure and trustworthy for visitors.
