IT Services, Contributed

How to Secure a New Website

October 18, 2019

The security of your website might not be at the top of your priority list right now, but it should be. The consequences of your website falling victim to a hack or data leak can be severe.

At the most basic level, not securing your site might allow your website to be hijacked and then ransomed back to you. If you are holding data on the users of your site, things get even worse: there are hefty fines to pay if you lose this information, and a data leak is also likely to fatally undermine trust in your brand.

Taking a few minutes to secure your site is going to save you a lot of hassle and time further down the road, and there are some easy ways to do this. Let’s take a look at some.

7 Ways to Secure Your Website

  1. Ensure Web Host Security
  2. Update Website
  3. Use SSL Certificates
  4. Use a Firewall
  5. Lock Your Forms
  6. Use HTTPS
  7. Rename Admin Folders

1. Make Sure Your Web Host Is Secure

Before you do anything else, make sure that the company that hosts your site takes security as seriously as you do. If you’ve already set up your website, you might think that this piece of advice has come too late, but that’s why I put it first!

Security is one of the most important factors to consider when choosing a web host, so don’t start building a website with a host that doesn’t take this seriously. Be particularly careful if you are using cheap web hosting, because some cheap (or even free) web hosts are pretty good when it comes to security, and some are definitely not.

2. Keep Your Website Up to Date

Even if you've just created a new site, it's likely that you'll have some security updates to install. Just like the software on your desktop or laptop, you should keep your website up to date with the latest security patches.

This is true both for software updates from your web host and for any security software you run on your dedicated server. You should also make sure that your security certificates are up to date, which I’ll explain next.

3. Install an SSL Certificate

Though hackers have taken advantage of them in recent months, SSL certificates are still used with great success to ensure that your website is legitimate and secure. They also allow users to exchange encrypted information with your site, keeping this safe from hackers.

While SSL certificates used to be deployed only on the most secure websites, they are now a necessity for almost every site, if for no other reason than that Google likes them.

Gary Stevens, CTO at community-supported research group Hosting Canada, had this response to a question on the topic: “SSL certificates became a lot more popular when Google decided the existence of one on your site would gain you brownie points in the search engine results. If it’s something Google likes, and you’re serious about your site, you should do it.”

You can see here what a “secure connection” looks like in the Google search bar.

The notation by Google tells users that the site they’re using is secure, making it appear more trustworthy and more likely to be visited.

There are plenty of options around when it comes to getting an SSL certificate. GoGetSSL and SSLs.com are paid options, and there is also a free service called "Let's Encrypt" which will issue you a certificate.

When choosing the certificate, you have three options: domain validation, business validation, and extended validation. Google will need either business validation or extended validation in order to show the green "Secure" bar next to your site's URL, so get one of those if you can possibly afford it.

4. Use a Firewall

Installing a firewall for your website is easy, and greatly reduces how vulnerable it is. A quality firewall will monitor the connections made to your site, and automatically shut down any that look suspicious, working essentially like the brick wall in the image below. 

Firewalls block suspicious websites.

Though there are plenty of options out there, all standard firewalls will function like the image above.

Sucuri Firewall is a good paid option, and you should be able to find free firewall or security plugins for WordPress, Weebly, Wix, and other hosting services.

5. Lock Down Your Forms

Anywhere that your users can enter information or (worse) upload files is an automatic security vulnerability. If you've built your site using a quality website builder, it should have options for limiting what users can upload to your site.

This can get a little tricky if you need users to be able to upload more complex files, like cover letters or portfolios.

In that case, a good solution is to set up an email form and have files emailed via a secure email provider that will scan attachments for viruses.
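If you handle uploads in your own code rather than through a website builder, the same limits can be enforced on the server. The Python sketch below is an added example, not part of the original article; the allowed types, the 5 MB limit and the function names are assumptions.

```python
import os
import secrets

MAX_BYTES = 5 * 1024 * 1024  # assumed size limit
# Allowlist: extension -> byte prefixes the file content must start with
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),  # DOCX is a ZIP container
}

class UploadRejected(ValueError):
    pass

def validate_upload(client_filename, data):
    """Return a server-chosen storage name, or raise UploadRejected."""
    # Keep only the final path component; the client controls this string.
    base = os.path.basename(client_filename.replace("\\", "/"))
    # Only the last extension counts, so "cv.pdf.php" is treated as .php.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("file type %r is not on the allowlist" % ext)
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("file is empty or larger than the limit")
    # Prefix check catches mislabelled files; it does not replace a virus scan.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match the %s extension" % ext)
    # Never reuse the client's name on disk: random name, vetted extension.
    return secrets.token_hex(16) + ext

def is_accepted(client_filename, data):
    try:
        validate_upload(client_filename, data)
    except UploadRejected:
        return False
    return True
```

Store accepted files outside the web root, or in a directory where the server never executes scripts.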

6. Use HTTPS

Once you’ve got an SSL certificate, you can start using HTTPS. This is a more secure version of the standard information exchange system on the web (called HTTP) and encrypts data passing between your users and your site. 

Like SSL, using HTTPS has benefits beyond providing security. Most modern browsers will warn users about going to sites that don’t use HTTPS. So unless you want an ugly (and terrifying) warning to pop up every time someone tries to go to your site, you should use HTTPS.
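Having a certificate installed does not by itself mean visitors always end up on HTTPS. The Python check below is an added example, not part of the original article; it goes slightly beyond the text by also looking at the `Strict-Transport-Security` header and the cookie `Secure` attribute, and the sample responses and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 307, 308}

def _values(headers, name):
    return [v for k, v in headers if k.lower() == name.lower()]

def audit_https(plain, secure):
    """plain/secure are (status, [(header, value), ...]) as returned for the
    site's http:// and https:// front pages. Returns a list of findings."""
    findings = []
    status, headers = plain
    target = urlsplit((_values(headers, "Location") or [""])[0])
    if status not in REDIRECTS:
        findings.append("http:// serves content instead of redirecting")
    elif target.scheme != "https":
        findings.append("http:// redirect does not point at an https:// URL")
    elif status in (302, 307):
        findings.append("redirect is temporary; use 301 or 308")

    status, headers = secure
    if not _values(headers, "Strict-Transport-Security"):
        findings.append("no Strict-Transport-Security header on https://")
    for cookie in _values(headers, "Set-Cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            name = cookie.split("=")[0]
            findings.append("cookie %s lacks the Secure attribute" % name)
    return findings

# Constructed sample responses (not captured from a real site)
BEFORE = ((200, [("Content-Type", "text/html")]),
          (200, [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]))
AFTER = ((301, [("Location", "https://shop.example/")]),
         (200, [("Strict-Transport-Security", "max-age=31536000"),
                ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure")]))

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_https(*sample) or "no findings")
```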

Keep in mind there is an important difference between an SSL certificate and a VPN, which you also might have heard of in discussions about online privacy and encryption and thought, “encryption is encryption.” 

The latter - a virtual private network, or VPN for short - is a commonly used privacy tool that works by encrypting the connection between your computer and the internet, but does nothing to guarantee the legitimacy of a site you visit. 

Some people might think that if they have one they don’t need the other. In fact, the two perform different, critical functions, so plan to use both.

7. Rename Your Admin Folders

One final tip, but one that is not often found in guides about securing websites, is to rename your admin folders.

This sounds like a simplistic way to avoid getting hacked, but it works. If you leave your admin and root folders called ‘admin’ and ‘root’, they are easy to find for hackers.

Instead, rename them something boring like "New Folder (2)," and they won’t attract the attention of automated vulnerability scanners. Just remember what you called them, in case you also forget where your admin folder is!

Secure Your Site and All Other Systems to Ensure Top-Notch Security 

These tips are a great start to securing your site, and will hugely reduce your vulnerability to cyberattack. If your website grows, however, and you begin to link it to other systems, you should make sure that these are also secure. 

In particular, you should make sure that you are using secure cloud servers and a quality e-commerce platform. If either of these systems is insecure, they give attackers a way of infiltrating your website.

And then all the work you’ve done to secure your new website will be in vain.

In addition to these timeless tips we’ve just covered, here are a few more up-to-the-minute cybersecurity tactics that should be at the top of every site owner’s mind this year in particular.