Best Tips To Secure Your Website

Cyber security threats have grown in the recent past, making it important to adopt preventative measures to protect your website, especially if online transactions are involved or if the website runs on a popular platform like WordPress. Even companies with dedicated cybersecurity teams reportedly face frequent attacks, so having the right safeguards is essential.

Good safeguards can save time and money by guarding sensitive customer information and other crucial data. Here are some tools, best practices and tactics you can adopt and follow to be as secure as a blockhouse.

Install an SSL Certificate

Secure Sockets Layer (SSL) creates an encrypted link between a server and a web browser, securing data exchange between the website and its visitors. This is a must for WordPress websites, particularly ecommerce platforms, since they handle customers’ sensitive payment information.

To break it down in simpler words: if you handle sensitive user information or any financial information, an SSL certificate is a must. It is what puts the Hypertext Transfer Protocol Secure (HTTPS) prefix you see at the start of most website URLs.

Additionally, if you hover over the lock icon on the top left corner of your browser bar, you will see the text “Connection is secure,” which tells you the connection to the website is protected. It is the bare minimum of trust you would want your users to have in you.

You can obtain an SSL certificate from a domain registrar, hosting provider or certificate authority (CA). Many hosting providers include it in their hosting packages. If yours doesn’t, you can get one from CAs that provide it for free, for example Let’s Encrypt. You can also buy one from a low-cost authority; price ranges vary. However, like most things in life, you will have to pay a premium to get premium service.

Work with a Reliable Hosting Provider

A good hosting provider won’t just keep your website safe but will also provide you with good uptime, fast load times and an easy set-up. Yet first-time site owners are often intimidated by the wide array of choices.

Here is what to look for in your hosting provider: do they provide an SSL certificate, automated back-ups, malware scanning, domain privacy and server firewalls?

Some of the most secure hosting providers in 2023 as per CyberNews are SiteGround, DreamHost, Hostinger, A2 Hosting and Interserver. Top10.com calls Hostinger exceptional and also adds IONOS by 1&1, web.com and Network Solutions.

It’s worth noting here that website owners sometimes feel that secure web hosting is expensive and is reserved for high-traffic websites and big-shot companies. But nothing could be further from the truth: secure hosting is for everyone, because all of us need to protect our users.

Use strong passwords

The biggest mistake people make on their website and email is setting guessable passwords. Names combined with a date of birth, or a simple number sequence and an exclamation mark, are invitations to hackers into your database. Ensure you have a strong password by including a combination of numerical characters, alphabet letters (uppercase and lowercase) and special characters.

Most browsers can suggest strong passwords, and free password managers such as Dashlane can control and manage passwords on various devices.

Additionally, website security is strengthened by two-factor authentication (2FA), which blocks malicious hacking attempts by binding your password to a second security layer: a text code, facial recognition, dual-sided puzzle, fingerprint scan, retina scan, etc. For a limited number of users, providers such as Duo allow 2FA set-up for free.

Frequently Asked Questions

Can I make my website secure for free?
Yes, almost. To do it, keep your passwords hard to guess and do not have your username as Admin. Find a reliable hosting provider, preferably one which includes a firewall and anti-malware software. Get an SSL certificate from a certificate authority such as Let’s Encrypt. You can also find anti-malware software free of cost or at discounted prices.

How do I secure my website on Chrome?
Go to the top right corner of your screen and click on the three dots. Then, click on Settings and select Privacy and security on the left-hand side. Click on Security on the right and set your protection level to Enhanced protection. Also, in the Security panel itself, turn on “Always use secure connections”.

Make sure you click only on secure websites; these will have HTTPS in the URL box next to a padlock icon. HTTPS and padlock should also be on your website to protect you and your users. Install an SSL certificate to get the feature.

Further, Chrome notifies you if any passwords in the browser are compromised. It also flags malicious extensions. Keep an eye out for this notification or check it out manually under the Security tab.

How do I make sure my website is secure?
Steps to take: Install SSL, use anti-malware software, keep your website updated and passwords unguessable.

Additionally, make sure you don’t click on fishy links: check the domain name of emails to know if they come from a trusted source. You can also call the source to verify the links. Run regular backups to ready yourself for the worst-case scenario. Also, form a shield between your website and the internet via a web application firewall.

SSL vs. Website Security

Having a website today is way easier than it was 10 or 15 years ago. Tools like content management systems (CMS), website builders, static site generators and the like remove a lot of the friction around building and maintaining sites. But is there a price for such convenience?

I would dare to say that one of the downsides to bringing such facilities to the masses is the creation of misconceptions. The biggest misconception is about what makes a website secure versus not secure. For example, with the introduction of Google Chrome version 68, websites that do not use SSL certificates are marked “Not Secure” in the address bar.

However, a website with an SSL certificate is not necessarily a “secure” website. SSL encrypts the data sent between the visitor and web server but does not actually protect the website itself from hackers. There is more that website owners need to understand if they want a truly secure website.

SSL Certificates

SSL is the acronym for Secure Sockets Layer. It is the standard security technology for establishing an encrypted link between a web server and a browser. SSL certificates have become a best practice in website security for good reason.

We have recently written an article to showcase why websites should switch to SSL. In short, Google, Mozilla, and other web authorities are pushing for website owners to adopt HTTPS. One of the ways Google can enforce SSL is by flagging sites with a warning that the site is “Not secure” on Chrome, starting with Chrome 68.

SSL certificates help protect the integrity of the data in transit between the host (web server or firewall) and the client (web browser). They make sure no one is able to see or modify the data along the way, which is what is known as a man-in-the-middle attack.

All types of SSL certificates verify the domain name of the website.

Domain Validated SSL Certificate (DV SSL)

DV SSL Certificates are the most popular SSL certificates on the Internet, even though they only validate the domain name.

Organization Validation SSL Certificate (OV SSL)

OV SSL Certificates require more documentation for a Certificate Authority to certify the organization making the request is registered and legitimate.

These certificates will display the name of the organization if you click on the padlock that appears on the top left corner of a browser.

Premium Extended Validation SSL Certificates (EV SSL)

EV SSL Certificates require even more documentation for a Certificate Authority to validate the organization making the request. These certificates will be more visible because besides displaying the padlock in the address bar, they will also display the name of the organization.

SSL Certificates & Malware Infections

SSL certificates cannot protect a website from a malware infection, nor can they stop a website from spreading malware.

Ironically, infected websites served over HTTPS will ensure the integrity of the malware until it reaches its potential victims, aka the website’s visitors. That is something both webmasters and Internet users need to be really mindful of.

It is important to make sure to force HTTPS after you install an SSL certificate on your website. If attackers compromise your site and link to malware assets over HTTP, browsers will display mixed content warnings.

A website’s padlock in the address bar does not mean the website is secured. It only means that the information between the website’s server and the browser is secured.

What is Website Security?

Defining website security is hard because it depends on the necessities of each organization. For example, a personal blog does not have the same concerns as an e-commerce store or the site of a web development agency.

There are no turnkey solutions to security; instead it’s a combination of people, processes, and technology that help create a manageable and scalable approach to security for any organization.

Believing that a website is secure because it has implemented an SSL certificate can become a real problem. A website with SSL is not secure if it does not have other layers of protection, such as a Website Application Firewall (WAF), or access controls. An HTTPS website could still be hacked and dangerous to visitors.

No matter if it is HTTP or HTTPS, if a website is infected with malware, some internet security companies can put warnings on it and in search results, letting everyone know that the site contains malicious code.

These are the top 10 blacklists:

  • Google Safe Browsing
  • Phish Tank
  • SiteAdvisor McAfee
  • SpamHaus DBL
  • Yandex (via Sophos)
  • Norton Safe Web
  • Opera
  • Sucuri Malware Labs
  • Bitdefender
  • ESET

What is the Difference Between SSL & Website Security?

Website security is more comprehensive than HTTPS/SSL alone and should be treated as such. HTTPS/SSL is one of many security controls to consider when thinking about your website’s security. Deploying HTTPS/SSL on your website does little to ensure your visitors are safe if you do not take other actions to ensure a secure environment.

We can imagine that the reason why some people get SSL confused with website security is because HTTPS/SSL provides:

  • “non-repudiation” of the party – answering the question is that really you?
  • integrity check (unchanged)
  • privacy (unseen) of the data in transit.

To sum it up, in an HTTPS website, data in transit is protected, but the website itself can still be vulnerable.

We see website security as a conjunction of protection, detection, response, and backups. SSL certificates are only a part of the puzzle. Data encryption is vital to having a good security posture, but it is not everything.

SSL Conclusion

Security is not a constant. You need to invest time and resources to create a plan that fits your needs. HTTPS is great for the Internet as a whole because it helps keep communication secret between users and the websites they visit. SSL is what secures that data in transit only, not the website.

SSL certificates only account for a small piece of the website security puzzle.

We encourage website owners to think about website security holistically and consider leveraging a Website Security Platform that offers a complete suite of security controls: protection, detection, monitoring, and incident response.