Want to secure your website? Here's where to start

(Image credit: https://pixabay.com/en/sever-digitization-3100049/)

Some of your website’s security may be covered by your hosting company and they should always be your first call if anything were to happen. 

However, you should always check what they do and don’t cover because at the end of the day you are responsible for your website’s security. Even the smallest of SMEs and micro-businesses require security.

It’s not always the case that the person or bot that is hacking you is after your business. You could be the weak link in a chain that leads to the real goal. Your business may be in a nice office on a brand new business park but your website is in the meanest, most corrupt part of town there is.

(PS: Don't forget to check out list of the best web hosting services as it includes providers that have been tested and verified by us).

The Internet. It’s not a matter of if; it’s a matter of when. So let’s look at what matters in  your quest for enhanced security.

1. Who or what am I protecting?

This is the first thing you need to ask yourself when adding security to your website. What is the most business critical aspect and what can you realistically afford to protect it. In terms of who, there are two main groups you need to think about protecting.

  • Your neighbours : Chances are you will start out on a server with a few neighbours, either through shared hosting or VPS. If you or a neighbour gets hacked, others on the server can become affected. Hacks can take up huge resources which slows the other sites down.
  • Your visitors : There have been examples in the past of websites having malware attached to their pages without the business being aware. This has resulted in malware being downloaded onto the visitor’s computer stealing everything from passwords to personal information. Beyond the reputational damage, you may be liable for any data protection breaches. Which brings us to the “what am I protecting?” part.
  • Data protection : Data protection is vital to any business. Not only are you liable for any loss or abuse of personal data, there’s also the issue of business critical information. If you lose data, such as client information or payment information, how long will it take for your business to recover? And how much will that cost you financially especially after the GDPR roll out?

2. SSL certificates

SSL stands for Secure Sockets Layer. It’s a protocol that creates secure connections between a server and the person who is accessing the site, known as the client. SSL use a cryptographic system to encrypt information being passed between the client and server. Generally you can tell if a website has a valid SSL Certificate as the URL begins with HTTPS rather than HTTP and contains the padlock symbol.

  • When do I need SSL? If you collect any credit or debit card details you absolutely need SSL certificates. If, however, you use third party payment processors, such as PayPal, you don’t need to. This is because your website won’t actually hold any of the financial information. Similarly if your website collects any personal information or has a login form for visitors, you should have SSL. This ensures any information gathered by your site is secure, encrypted, and protects the privacy of your visitors. Additionally, Google offers a ranking boost for sites with an SSL Certificate.
  • Shared versus private? Most hosting providers will offer shared SSL certificates. Shared SSL is intended to be used in situations where you want a secure connection to your server that is not used by the public. This is because shared SSL does not use your domain name. Instead it will use the URL of the hosting company you use. Although cost effective, it can be confusing for visitors and may make them uneasy about sharing their information. Private SSL certificates are matched to your own domain name. Your URL will appear in the address bar of a browser. If you need SSL because you are collecting personal information through your site, you should probably look at getting a private SSL certificate. 

3. Web application firewalls (WAF)

WAFs (Web Application Firewalls) monitor the traffic before it reaches web application, analysing requests to filter harmful traffic or traffic patterns. WAFs are a common security control utilised by businesses to protect against impersonations, zero-day threats, and other known vulnerabilities and attackers.

Not surprisingly, they are usually offered as an option for bigger websites as they can be tricky to put in place (due to the level of expertise require) and are relatively expensive especially for SMBs.

4. Use anti-malware software

An anti-malware is one of the most essential mechanisms for securing the communications to and from your website. The good hosting provider will include this protection as part of their offerings, but you should definitely invest in one if you are opting for dedicated hosting. 

There are several options available including several free ones that are good enough for basic websites, though you should look at the paid options if you are hosting a traffic intensive website.

5. Keep your website platform updated

Irrespective of the content management system (CMS) you are using to power your website, always make sure you are running the current release, since old, unmaintained ones are easy targets for exploits. 

Most of the popular CMS like WordPress are open source, malicious users spend a lot of time reading through the source code of older versions hunting for vulnerabilities that they can use to take control over your website. The simplest way to thwart this is to ensure you are always running the latest version of the CMS.  

  • This is an excerpt from an eBook called "The ultimate guide to web hosting", published by TechRadar Pro in association with Planet Hippo
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.