How to secure a website

Your website isn’t just a representation of your business, it’s an extension of it. So it must remain secure. Issues such as a security breach can significantly impact website performance and user trust. 

Cyberattacks are increasingly sophisticated. 68% of business leaders say that their cybersecurity risks are increasing. So, in an ever-changing digital landscape, you must keep pace with potential threats and vulnerabilities that can impact your website.

In this blog, we'll explore how to secure a website, so you can improve cybersecurity across your:

• Content management system (CMS)
• Server
• Governance processes

How to secure your website: the 3 areas of focus    

Your content management system

Your CMS contains code that controls the behaviour and functionality of your B2B website. It also lets you manage your content. Some popular examples of a CMS include WordPress, Drupal, and Umbraco. There are also CMS platforms like HubSpot and Shopify.

Platforms such as HubSpot and Shopify are beneficial because they package up your CMS, servers, and infrastructure into one central product. This removes the hassle of disparate responsibilities.

Mike Thomas, Technical Director, Blend

To secure your CMS, you should:

1. Assign responsibility 

Your web developers are usually the first point of contact if something goes wrong. But do you know exactly who has ownership of your CMS system in a worst-case scenario? 

Confirm that you have the correct contact details and service hours for your point of contact. This could be your web developer. Additionally, check if you have defined service level agreements (SLAs) in place. 

2. Keep software and plugins up to date

Keep your CMS, 3rd party plugins, and applications up to speed with the latest core updates. 

Cybercriminals can quickly find vulnerabilities in plugins and apps that aren't being maintained, so stay alert to this risk. 

3. Set a backup policy

Create backup data of your B2B website, including website files, databases, and configuration. This data should be periodically tested to ensure it's always functional, if and when it's needed. This should be stored 'offsite', meaning not on your website or the same server. 

Consider 'war gaming' your backup data to test its viability. Ask your web developer to restore your backup data to a testing area. Was it effective? How long did it take?

This simple exercise will show you how resilient your website security backup is. Mike Thomas, Technical Director, Blend

4. Check your Secure Sockets Layer (SSL) certificates 

An SSL certificate encrypts the connection between a user and your website. This means that no one can intercept this data. 

It protects your users' privacy and your website. It's mandatory for search providers like Google, so not having one will critically impact your SEO standing and brand reputation. 

Ensure your SSL certificate is valid and automatically renewed. There are free services that you can use to get your SSL certificate.

5. Implement secure passwords and two-factor authentication (2FA)

Strong passwords are a necessity to secure a website. You should generate a secure password or change existing passwords that are vulnerable. 

Ideally, 2FA is best practice to add an extra layer of security. This requires your users to provide a second method of authentication. 

Your server 

1. Assign responsibility 

Who is responsible for your server? It could be your hosting provider, partner agency, or someone in your internal team, such as your web developer. 

If you're using a full-service provider, such as HubSpot or Shopify, then congratulations - you're covered by site reliability engineers. They manage your server security for you. 

2. Understand your server risks

You'll be using shared, dedicated, managed, or cloud hosting. Each one will come with inherent risks. For example, shared hosting means you're sharing resources with other tenants. And dedicated hosting, although you have reduced risks, puts responsibility for security in your hands. You need the internal resources and knowledge to manage this. 

Managed hosting is the best option. It provides fully managed security and your system is configured to your specific needs. 

Cloud hosting has become more common in recent years. It includes providers like AWS, Google Cloud Platform, and Microsoft Azure. This is more suited to running complex web applications. 

3. Improve your general server security

• Minimise root access (known as Shell or SSH) only to those who need it. Even web developers rarely require access via SSH directly into your server. By restricting access, you know who is responsible, and this improves your security.

• Enforce key-based authentication. Passwords can be guessed, sometimes by brute force, so you need a secure password. Key-based authentication is like a very large password, it's very hard to guess and ultimately more secure. 
• Disable HTTP connections in favour of strict HTTPS. This protects your users from 'man in the middle' attacks. 
• Use scope-limited access rights. Root access rights can be like using a chainsaw to crack a walnut. Work with your administrator to ensure that any access is logged, recorded, sensible, and authorised. 
• Stop using FTP. You should use a secure alternative, like SFTP that transfers files securely. 
• Use firewalls. A properly configured firewall blocks many common attacks. This deters attackers because your server will not respond to unknown traffic. especially in 'stealth mode'.
• Hide your web server identity. Your average website will signpost all kinds of information that is helpful to an attacker. 

HTTP/1.1 200 OK 

Date: Thu, 12 Jun 2014 14:15:01 GMT 

Server: Apache/2.2.21 (Win32) PHP/5.4.7 

Content-Length:226 

Connection: close 

Content-Type: text/html; charset=iso-8859-1 

This example from an Apache/PHP server is telling anyone who knows where to look exactly what version of which software it’s using. This is like an attacker looking for known security exploits. 

Your governance processes

There's no point in having the best combination of locks and deadlocks on your front door if you leave a spare key under the doormat. Similarly, many failings come down to simple common sense and governance issues that could have been avoided. 

Here are some practical security tips that will help you understand how to secure a website:

1. Find out where your DNS is and who your domain registrar is 

A domain registrar is a company that you purchase your website domain from. Using a registrar control panel, it can repoint your domain name to new hosts, apply various verification records, and ultimately manage business-critical functions for your company, including email. This can cause disruption if this access falls into the wrong hands. 

Lack of governance of your DNS and domain registrar  information can jeapordise your business. 
Mike Thomas, Technical Director, Blend

It's important to know where and how this can be accessed. Without this knowledge, you are vulnerable to cybercriminals. For example, access could be with a previous partner agency, contractor, or internal team member who has moved to another company. 

2. Set company-wide password policies 

It's no good having security protocols in place if your people are careless with their passwords and access details. To improve your password policy, you can:

• Provide a company-wide password management solution. This avoids your employees from picking personal passwords, which could be risky.
• Have a general 2FA policy for all services, where available.
• Provide cybersecurity training.

3. Consider PEN testing 

Once you think your website is secure, you can employ the services of professional penetration testers (PEN) to really test your defenses.

They use a mix of manual and automated tools to look for kinks in your armour. The report you receive is categorised by risk and gives you a good indication of where further effort is required.

Great security, great website, great success

Without knowing how to secure a website, you'll leave yourself vulnerable to cyber threats. Website security is also a factor that affects website performance. This is why security should underpin everything you do.