Website Security Checklist

Website Security Checklist cybergate your cyber security partner

Website Security Checklist


Website Security Checklist. 9 tips to ensure your website is secure.

Websites are an integral part of any business’ marketing mix, carrying out a number of functions. Websites vary in size, complexity and functionality, ranging from a simple e-brochure to a fully-fledged ecommerce website enabling transactions between parties. It is increasingly becoming difficult to ensure website security, with each passing year.

If security measures are not in place and best practices are not constantly followed any software can be hacked. Website security threats are now a frequent issue for companies with hundreds of websites getting hacked on a daily basis. (…and some of these hacks can be fatal to business!)

“Cybercrime is the greatest threat to every company in the world.” - IBM’s chairman, president, and CEO

Over the years we’ve experienced a shift onto online business and websites are no longer simple html brochures, simply depicting what a company has to offer. Websites nowadays serve as a key touchpoint in day-to-day business, attracting customers and converting web traffic into sales, requests and/or bookings. An increase in the number of businesses that run solely online platforms can also be seen.

Nobody wants to have a hacked website as it creates reputational damage, and if it leads to a data breach it can lead to heavy fines and lawsuits. From an SEO ranking perspective, the website can be blacklisted, losing its ranking and therefore its organic traffic.

Securing your website, blog or e-shop is a top priority for website owners and e-businesses. In this blog article we touch upon 9 tips to ensure your website is secure, irrespective of it being based on open source (say WordPress, Drupal or Joomla) or a proprietary backend.

Keep all software up-to-date

Around thirty thousand websites experience a cyber attack daily. You need to ensure that any frameworks, CMS software and plugins used in your website are kept updated with the latest patches, fixes and version upgrades. This will help you keep your website free from vulnerabilities due to outdated code. Hackers exploit such bugs, glitches and vulnerabilities to place malicious code. When using software with known vulnerabilities, it is one of the easiest ways to get hacked and possibly have your data compromised. Sign maintenance agreements with your web developers that keeps you on top of these constant upgrades.

When configuring your backend, always enable update notifications to keep aware of the latest update roll-outs of your CMS, plugins, add-ons and any other tools used to operate your website. When your website runs outdated components, it becomes vulnerable to attacks which can lead to stolen customer data, adverse media and lost customer loyalty.

Use secure credentials and change them regularly

Passwords should never be easily-guessed words or phrases. Use strong passwords and if need be use a password generator to create ultra-secure passwords. In addition to generating and using strong passwords, keep an eye on where they are stored. Best practice is to use a password vault. Passwords are to be updated regularly at least once every quarter. Avoid using the same phrase as both your login and password and also do not use the same password for different online services.

Companies specify and enforce policies which include how long a password should be, the use of special characters and symbols, the use of uppercase and numbers and not using a password which was already in use during the past 12-18 months.

Set up and configure an SSL Certificate

Not having an SSL (secure sockets layer) certificate properly set up for your website leads to warning messages which lead visitors to shy away from the site and tend to negatively impact search engine ranking (as well!). SSL certificates are a necessary security measure evenmore when web users are entering sensitive information, such as payment related data. So what does an SSL certificate do? SSL security certificates encrypt data going both ways between the web server and the user’s machine. Practical examples of encrypted data include login information, credit cards and subscription data.

Websites secured with an HTTPS show a padlock icon illustrating that an SSL certificate is in place. Making data transfers secure should top your priority list, therefore getting an SSL certificate for your website should be high on your security checklist. When setting up an SSL certificate, buy it from a reputable provider, follow the provider’s installation instructions and implement the proper redirects for all your web-pages (…verify through Google Search Console). As a side note… always keep an eye out for expired certificates.

Protect against DDOS?

Denial of Service (or as commonly referred to DDOS) attacks flood web servers with the malicious intent of overloading them to fail to respond to legitimate requests. It is impossible to prevent these types of attacks, since they use legitimate connectivity channels, but there are measures that can resist such attacks if and when they happen. Over the last few years the use of cloud mitigation providers such as CloudFlare became increasingly popular, to prevent DDoS attacks from causing issues.

These tools have strong identification and blocking mechanisms for malicious traffic, often based on AI algorithms and leverage huge cloud resources to offset the load of malicious traffic. Set monitors and mitigation services to safeguard your website from a possible barrage of fake traffic. These tools are excellent at identifying suspicious surges of web traffic. A number of premium web hosting providers offer DDoS protection as part of their offering.

Run regular Backups of all your data

Take regular backups of your websites so in case of a hacked website or broken webpages you can quickly reinstate a working backup (version). Automating your backup is the trend nowadays to stick to a daily schedule to backup your website. Do test and validate backups every so often. Some hosting providers offer this housekeeping service as a standard feature in their offering. In addition, CMS software such as WordPress has a number of plugins that automate backups. Best practice is to store backups on a separate server.

Protect against Injection Attacks?

Injection attacks, such as command injection and SQL injection, are commonly used attack types by black hat hackers, to access sensitive data and compromise the underlying server. The vast majority of web servers are managed by SQL so SQL Injection makes it more appealing to cyber criminals to attack using this methodology. SQL injection involves hackers placing malicious SQL code, which is treated by the server as ‘normal’ SQL, to access data illegitimately.

To defend against injection attacks, ensure user permissions are properly maintained, implement data storage procedures (ex. encryption) and strictly manage your server’s whitelist. Stored procedures should also be used to mitigate SQL Injection in particular.

Utilise anti-malware software

Cyber criminals use malware to wreak havoc on your website and also to infect your website visitors’ devices. Anti-malware solutions help prevent by detecting and removing malware from your website. Investing in antimalware software such as Sucuri can help you avoid stolen data, downtime and lost business.

Protect your website against malware infections. On average more than 350,000 malicious software programs get discovered daily! Opt for paid anti-malware protection software, as they generally offer better protection.

Use WAFs

Deploy Web App Firewalls to defend against cyberattacks such as SQL injections,XSS (Cross Site Scripting), and XXE (XML External Entity) . WAFs introduce an additional layer of barrier between the WWW and your website or web application. It monitors your traffic and protects against and filters malicious traffic. The three main types of WAFs are hardware-based, software-based and cloud-based. WAFs are to be constantly maintained and updated.

Ensure Webforms validate all input

Webforms, such as contact us, apply for a job, and request a quotation, are the most common ways to collect input from website visitors. Every input should be validated and only legit data is to be entered and stored in your website’s database. This is also a step to protect against injection attacks in general. A practical example is the use of ‘upload a file’ in web forms – file formats are to be validated before accepted as input, to avoid malicious files that would exploit your website. Anti-spam features should also be implemented to avoid spam entered via your web form(s) (ex. Captcha).

According to Builtwith there are around 27 million WordPress sites in the world. This massive popularity makes WordPress websites a top target for hackers. If your website is based on WordPress or any other technology, it is important to take on board the above tips and also consider password protecting important areas on your website, limiting access rights to your backend and always utilise reliable forms of online payments.

Get an overall assessment of your website or web application today. Speak to us!

    We are here to help




    Francesco Mifsud
    [email protected]

    I live and breathe cyber security and everything else in the discipline. With around a decade of experience in the industry I have had the opportunity to develop skills in penetration testing, cloud security, reverse engineering & exploit development, application security engineering, management and organisation-wide cyber security strategy. I hold a well-rounded set of security certifications such as OSCP, eWPTX and CISSP and have delivered training & workshops at some of the most prestigious hacking conferences such as DEF CON, BRU CON, BSides London and BSides Manchester.