A Website Security Checklist for Small Businesses

A website is essential for a modern business: 64% of small business owners have one. Many companies operate almost entirely online and earn their income through e-commerce, advertising and selling services to customers. A hacked website causes major disruption and directly hurts revenue, and with the growing number of attacks it is getting harder to keep a site secure. Here are 12 tips to help protect your website from being hacked.

  1. Use strong passwords, and change them regularly. 81% of data breaches involve passwords that were compromised, weak or reused, and attackers routinely try to crack or guess user passwords, so protecting your login matters. Password generators are a good way to do this: many browsers have a built-in generator that offers to create and store a secure password for you. Some people dislike this practice because anyone who steals their laptop could then get into their accounts. In practice you should worry more about remote attackers trying to break into your website than about someone getting hold of your laptop, but you can guard against both by combining a strong password with 2-factor authentication: a code is sent to your phone or email every time you log in, so an attacker would need not only your password but also access to your phone or email. If you are concerned about someone you know, such as a spouse or sibling, they will not have the code sent to your phone and so cannot log in even with the autofilled password. Change your password every six months, especially for a business website.

  2. Website backups: you can set up a schedule to back up your website regularly, so that if something goes wrong or is lost you only lose the changes made since the last backup. How you back up depends on your platform (Squarespace, Wix, etc.). For example, WordPress users can use VaultPress or Easy cPanel Backup to automate backups. Reliable plugins may be harder to find for other platforms, but they exist and may suit your needs. If you have a blog, you can also write your articles in Google Docs and then copy them to your website, which gives you a copy of every article and its photos.
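For sites where no backup plugin fits, here is an added example of the scheduled-backup routine in plain Python (not a plugin named above): it archives the site directory into a timestamped tar.gz, keeps only the newest `keep` archives, and lists an archive's contents so you can confirm a backup is restorable before you need it. The site files it creates are constructed for the demonstration.

```python
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Added example: a scheduled-backup routine. Run it from cron (or a host
# scheduler) and copy the archives off the web server; a backup that lives
# only on the machine being backed up is lost together with it.


def make_backup(site_dir: Path, backup_dir: Path, keep: int = 7, label: str = "") -> Path:
    """Archive site_dir to backup_dir/site-<timestamp>.tar.gz and prune old archives."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    # The zero-padded timestamp makes names sort chronologically, so the
    # oldest archives come first; delete everything beyond the newest `keep`.
    archives = sorted(backup_dir.glob("site-*.tar.gz"))
    for old in archives[:-keep]:
        old.unlink()
    return archive


def list_backup(archive: Path) -> list:
    """Return the file names inside the archive so an operator can verify it."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def demo() -> dict:
    """Build a constructed site in a temp dir and take three backups with keep=2."""
    root = Path(tempfile.mkdtemp())
    site = root / "site"
    (site / "wp-content").mkdir(parents=True)
    (site / "index.php").write_text("<?php echo 'hello'; ?>")
    (site / "wp-content" / "post.txt").write_text("draft")
    backups = root / "backups"
    first = make_backup(site, backups, keep=2, label="20240101T000000Z")
    contents = list_backup(first)  # inspect before it is pruned
    make_backup(site, backups, keep=2, label="20240102T000000Z")
    make_backup(site, backups, keep=2, label="20240103T000000Z")
    return {
        "contents": contents,
        "remaining": sorted(p.name for p in backups.glob("site-*.tar.gz")),
    }


if __name__ == "__main__":
    print(demo())
```

The database (for WordPress, MySQL) is not inside the web root and needs its own dump on the same schedule; the retention count should be long enough that a compromise noticed days later still has a clean archive to restore from.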

  3. Limit contributor permissions: security experts call this least privilege, or a least-permissive system. Restrict each user's permissions on your website to what they need to complete their tasks. Not every user has to be an administrator; platforms provide other roles such as editor, author and contributor. This reduces the chance of someone damaging your website, whether intentionally or by accident.

  4. Secure online checkouts: these features prevent fraud by asking the buyer for additional information, and they save you time and money.

  5. Keep all plugins updated: popular plugins regularly turn out to have security flaws. Once a vulnerability is disclosed, the vendor usually releases an update to fix it, but your website stays vulnerable until you install it, which can mean months, years or even decades of exposure and an easy way in for attackers. Hackers use bots (attacker-controlled machines that scan the internet 24 hours a day for vulnerable plugins), and a cyberattack occurs roughly every 39 seconds, so it is a question of when your website is found, not if. Create a schedule for checking for updates and enable update notifications wherever possible.

  6. Anti-malware solutions are essential: malware can reach a website in many ways. Hackers sometimes inject it through input forms, or you can infect your own site by copying and pasting custom code to add a special feature. Either way, it is worth investing in anti-malware software that detects malicious code on your website; Astra Security, Sucuri and Quttera are options to look into.

  7. DDoS protection: DDoS stands for distributed denial-of-service. In this attack, hackers flood your website with requests until it can no longer process them, making it unavailable to users. Some web hosts provide DDoS protection by default, but make sure you have it; DDoS attacks hit small and large brands alike.

  8. Cross-site scripting attacks: cross-site scripting (XSS) is a form of injection attack in which a hacker inserts malicious code into a web page that is then served to other users; the code runs automatically in the browser of everyone who visits the infected page. Prevent it by sanitizing all input on your website: sanitizing filters out or escapes unwanted markup so that it is displayed as plain text rather than run as code. Also make sure your website's HTML is secure. You can review it manually, but most people prefer automated tools to scan the website.
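What "cleaning" looks like in code, as an added example that is not part of the original article: user-supplied text is encoded for the HTML context it lands in, so a script tag submitted through a comment form is shown as text, and a link field is restricted to safe URL schemes. The `render_comment` template and the comment values are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Added example: output encoding for user-supplied text. The text is kept, but
# rendered as text, so markup typed into a form is displayed rather than run.

SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def escape_text(value: str) -> str:
    """For HTML body content and quoted attributes: < > & " ' become entities."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """Allow relative links and http/https/mailto; any other scheme is replaced by '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return "#"
    return escape_text(url)


def render_comment(author: str, site: str, body: str) -> str:
    """Every interpolated value passes through an encoder for its context."""
    return (
        '<div class="comment">'
        f'<a href="{safe_href(site)}">{escape_text(author)}</a>: '
        f"<p>{escape_text(body)}</p>"
        "</div>"
    )


if __name__ == "__main__":
    # Constructed comment: the visitor typed markup into the name and body fields.
    print(render_comment("<b>Ann</b>", "https://example.com/?a=1&b=2", "I <3 this site"))
```

Escaping is the right defence where you want to show the text exactly as typed; if you deliberately allow some HTML in comments, use a maintained allowlist-based sanitizer rather than a hand-written filter, and add a Content-Security-Policy header as a second layer.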

  9. SQL injection: SQL injection inserts SQL queries into input forms to steal data from your databases, which could include customer addresses, credit card numbers and phone numbers. The defense is very similar to XSS: make sure the input forms are properly filtered. You can find tips to stop SQL injection here.
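The "properly filtered" part is best done by keeping form input out of the SQL text altogether. As an added example (not from the original article), the same customer lookup is written twice against a constructed in-memory SQLite table: once by splicing the form value into the query, where an input can change the query's meaning, and once with a bound parameter, where the database treats the input strictly as a value.

```python
import sqlite3

# Added example: vulnerable and parameterised versions of one lookup.
# The customers table and its two rows are constructed for the demonstration.


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("ann@example.com", "555-0100"), ("bob@example.com", "555-0101")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """DO NOT USE: the form value becomes part of the SQL text."""
    query = f"SELECT email, phone FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised: the driver sends the value separately from the SQL."""
    return conn.execute(
        "SELECT email, phone FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print("normal lookup:", lookup_safe(conn, "ann@example.com"))
    # A quoted-apostrophe value is a literal in the safe version and matches nothing.
    print("odd input, safe version:", lookup_safe(conn, "o'neil@example.com"))
```

Every database driver and ORM offers the parameterised form; the vulnerable one exists here only to show why building queries with string formatting is the defect that scanners and code review look for.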

  10. Use security scanner tools: there are many plugins that automatically scan your website for potential security threats and alert you to them, making it easier to decide where your attention should go and what to be concerned about. If you are on WordPress, you can use WPScan, Sucuri SiteCheck and WordPress Security Scan.

  11. Hide your web hosting provider and software version: this information makes it easier for hackers to exploit known vulnerabilities in that provider or in that particular version of the software (for example, if you are running WordPress). Copy and paste the following code into your functions.php file to hide the WordPress version.

  12. File uploads are a security risk, so be careful: even when the intention is innocent, allowing someone to upload files can put malicious code on your website's web server. Even if users are only allowed to upload JPG files to change their profile picture, hackers can bypass that by renaming a PHP file to image.php.jpg so that it is uploaded to the server.

If you decide to allow this functionality, research how to secure it. Things you can do include restricting the types of files that can be uploaded, changing the permissions of uploaded files so that nothing can execute after upload, changing the upload directory to one that cannot easily be guessed (for example, securitymadesimple.org/uploads is too obvious), and, if possible, preventing regular users from accessing the directory holding the uploaded files even when they know the URL.
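The checks listed above for a profile-picture upload, as an added example that is not from the original article: the file must carry exactly one extension from an allowlist (so image.php.jpg is refused), its first bytes must match the image type that extension claims, it is written under a random server-generated name so the user's filename never reaches disk, and it is saved without the execute bit. The upload directory, size limit and sample files are constructed for the demonstration.

```python
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path

# Added example: server-side validation and storage for an image upload.

ALLOWED = {  # extension -> magic bytes the content must start with
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # constructed limit for the demonstration


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (True, extension) or (False, reason). Content decides, not the name."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    name = Path(filename).name  # drop any directory components
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"  # refuses image.php.jpg
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match the claimed image type"
    return True, ext


def store_upload(filename: str, data: bytes, upload_dir: Path) -> Path:
    """Write under a random name with the validated extension and no execute bit."""
    ok, result = check_upload(filename, data)
    if not ok:
        raise ValueError(result)
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / f"{secrets.token_hex(16)}.{result}"
    with open(dest, "wb") as fh:
        fh.write(data)
    os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)  # mode 0640
    return dest


def demo() -> dict:
    """Store a constructed JPEG in a temp directory and report name and mode."""
    upload_dir = Path(tempfile.mkdtemp()) / "uploads"
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32  # constructed JPEG header
    stored = store_upload("avatar.jpg", jpeg, upload_dir)
    return {
        "random_name": bool(re.fullmatch(r"[0-9a-f]{32}\.jpg", stored.name)),
        "mode": stat.S_IMODE(stored.stat().st_mode),
    }


if __name__ == "__main__":
    print(demo())
    print(check_upload("image.php.jpg", b"\xff\xd8\xff"))
```

Keep `upload_dir` outside the web root and serve the files through a handler that sets the Content-Type itself; that covers the last two items above (an unguessable, non-browsable location) and means the web server never has a reason to execute anything in that directory. The single-extension rule is deliberately strict and also rejects harmless names like my.photo.jpg, which is an acceptable trade for a profile-picture form.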