Articles & E-Books


10 Best Practices to Protect Your Website

Feb 25, 2019

No website is too small to get hacked. Whether you’re a big company, a nonprofit or a small local business, your site can have value to hackers.

Bad actors may use an insecure site to access data, gain valuable backlinks to their own site, spread malware to your site visitors or hijack your server for their own means. If your website is unprotected, hackers have an open door to change your site content. Sometimes these attacks can go undetected for a long time.

No website is entirely hack-proof, but if you take steps to make it difficult, hackers will often move on to an easier target. Here are some steps you can take to reduce your vulnerability:

1. Use a Quality Web Hosting Provider

Not all hosting providers are the same. When evaluating a web host, look for server-side firewall and encryption, antivirus and anti-malware software, real-time monitoring and mitigation, on-site security systems and SSL certificate availability. If you have an e-commerce site or HIPAA responsibilities, look for a host that provides compliance support for those security standards, too. 

2. Install Site-Level Monitoring and Security

A reputable hosting company will be monitoring its servers, but you still need to watch your site. Security plugins will block many automated attacks, scan for malware, monitor file integrity and more.

3. Keep Your Website Software Up to Date

You regularly update the software on your phone, and your security team is continually updating and patching your company network. Your website needs the same care. Make sure you are current with the latest anti-virus software and patches for your primary web platform, as well as any plug-ins and themes.

4. Enforce a Strong Password Policy

Passwords can be one of the weakest spots on your website. Any area of your site that requires a login is a target for hackers. Your back-end administrator logins, customer portals, e-commerce tools and the email accounts associated with your admin and hosting accounts are all areas of vulnerability.

WordPress allows you to enforce strong passwords for all site users. If you’re using another web platform, check for a similar security function and enable it. 

5. Add Protection With Two-Factor Authentication

With two-factor authentication, your website administrators and contributors will need more than a password to log in to your site. When it’s enabled, users will get an access code sent to their mobile phone, providing an extra level of verification. Codes may be sent via text or email or an authentication app like Google Authenticator.

6. Manage Contributors

Review your authorized website contributors regularly. If someone has left your organization or is no longer managing the site, remove their access. This eliminates one more pathway for hackers to get in.

7. Implement SSL Protocol

Secure Sockets Layer (SSL) is the standard technology for keeping an internet connection secure. SSL encrypts data being sent from a user’s web browser to your web server so it’s harder for hackers to read. (Without SSL, user information is sent as plain text, making it easy for hackers to steal.) You should also consider TLS  and LetsEncrypt or other Certificate Authorities that offer free and trusted certifications.

If you don’t collect sensitive data and your website tools are current, a quality hosting company will often provide a free SSL certificate for your site. If you run an e-commerce site or collect sensitive user information, you’ll need to invest in an appropriate SSL tool.

8. Change Your Defaults

Avoid any default login settings in your web system, such as using “admin” as the user name for site administrators. If you’re using a WordPress site, for example, the default login is your site address followed by /wp-admin. Lower your vulnerability to attack by changing the login URL.

9. Enable a Backend Activity Log

If a breach does occur, an activity log helps you trace the point of entry and gives your response team valuable information to mitigate the damage. Activity logs track information like page updates, code changes, plugin updates and login attempts.

10. Back Up Your Website

Make sure that processes are in place to back up your website and store its data. That way, you’ll have a version you can revert back to if your site is compromised. How often you back up your site depends on how regularly you make updates.

Don’t Wait to Secure Your Site

Security is one of the most important elements of a website. If you don’t keep your website secure, hackers could do significant damage. Many security options are easy to implement and don’t cost extra.

Wipfli can simplify the process by vetting your hosting company, securing an SSL certificate, enforcing strong password policies, adding two-factor authentication and otherwise improving the overall strength of your web security. We can also assist with site design, content and visibility.

Contact Barbara Irias with Wipfli Web Marketing or your Wipfli relationship executive to learn more.