How to Secure a Website 2021: Things You Must Do That Have Been Proven
When people ask me how to completely safeguard a website, I tell them the answer is simple: keep it offline.
They’ll usually turn the subject to website builders and content management systems (CMS) once they’ve stopped yelling at me to see which choice has the best security.
What they don’t realize is that whether you use a website builder for your blog or a CMS to run your business, there will always be some level of danger.
The actual issue here is that you are responsible for controlling that risk. If that wasn’t awful enough, attempting to do everything yourself could lead to disaster. Extremely quick. How to Secure a Website 2021.
That’s why, in this essay, I’ll provide some of my best website security advice. Don’t worry, these aren’t the kinds of suggestions that require a doctorate to implement.
They’re simple, effective methods that you can put into action in an afternoon. Even better, they work. Regardless of the technique, you select, each alternative has previously proven its worth in real-world hacker and bot clashes.
Let’s get this party started!
When it comes to website security, there are few assurances. Given that there is no one-size-fits-all solution to keep you safe from hackers indefinitely, your best bet is to use these tactics to reduce vulnerabilities while raising your chances of a speedy recovery.
1. Use HTTPS everywhere after installing an SSL certificate
If you’re just getting started with your website, you might think data encryption is something only huge companies or investigative journalists require.
However, if you want to obtain traffic from Google, you’ll need an SSL certificate in order to rank well. You’ll even need one to gather email addresses for a newsletter. How to Secure a Website 2021.
If all of this seems a little much, remember that the cloak-and-dagger is for a reason. Previously, any sensitive data transmitted to your server by your users was sent in plain text. Anyone who gathered up that data would be able to read everything. That includes passwords, bank account information, email addresses, and anything else.
An SSL certificate encrypts all of the sensitive data, making it virtually hard to read. Having a secure website begins with the use of an SSL certificate. Otherwise, your visitors will get the following message:
That’s why all of the big website builders, such as Wix and Squarespace, use HTTPS as the default for all of their clients’ websites.
Most web providers now provide simple tools that allow you to install an SSL certificate in a matter of seconds. If that’s the case, ask them how to set it up. I’m sure it’s straightforward. Let’s Encrypt certificates are available straight in the control panel at Bluehost.
If your server doesn’t provide a simple tool, you can use Let’s Encrypt to generate a free domain validation certificate by following their instructions. When you’re finished, install it using cPanel or your host’s custom dashboard.
If you’re using WordPress, the Really Simple SSL plugin can help you set up your site to use the SSL certificate once it’s been installed.
2. Ensure that your login page and process are secure
There’s a lot of territories to cover when it comes to login security. However, with only two easy implementations: strong passwords and multi-factor authentication, you can go a long way.
Because good login security is constructed on at least two layers, this is the case. Something you know (strong password) and something you have will suffice for us (code send to email, phone, or call).
Strong passwords are excellent since they are nearly impossible to guess and effectively impossible to brute force.
However, first and foremost, get yourself a password manager. I’ve been using 1Password for the past three years, and it’s been a game-changer.
Why? There are two reasons for this:
- The password and pass generator makes creating (and changing) passwords a breeze.
- I was able to get rid of all the “remember this password” and automatic login hassles thanks to a password database.
While all of the aforementioned measures are excellent for safeguarding your passwords, what about your users? To develop enforced strong password policies on WordPress sites, I recommend utilizing Password Policy Manager for WordPress.
Set up multi-factor authentication logins once you’ve created a safe password. This simply means that anytime someone wants to log in to your website, they will be required to input a code, which is normally transmitted to a smartphone.
Most website builders make it simple to set up Google Authenticator and Authy. For example, you may locate the option in Squarespace’s Settings.
I prefer Wordfence for WordPress, but you could also try miniOrange’s Google Authenticator plugin. In addition, we have a WordPress two-factor authentication instruction.
3. Make regular backups of your website
Creating a backup schedule is an easy way to learn how to safeguard a website.
You undoubtedly believe that a backup has never deterred a hacker. Backups are a preventive step, and you’d be correct. They do, however, provide you with a safe haven to retreat to during a crisis.
Each of the well-known website builders takes a unique approach:
- Wix backs up your site automatically every week.
- One of a few backup apps is Shopify’s popular Rewind app.
- Squarespace only offers a few backup alternatives, such as duplicating your site or exporting the XML file.
- WordPress users can choose from a variety of plugins that help them create secure backups.
I recommend (and utilize) UpdraftPlus for WordPress users. You may backup directly to the cloud, including Google Drive, Dropbox, Amazon S3, and others, using the free version. In an emergency, UpdraftPlus can even assist you in restoring your site.
4. Make sure all of your software is up to date
To be honest, I adore WordPress since themes and plugins make things so simple. Do you want to have a recipe section on your site? There are probably a few hundred plugins dedicated to this aim. It’s not just WordPress; Wix and Shopify both have apps that allow you to accomplish a lot without having to type a single line of code. Isn’t that fantastic? Kinda. How to Secure a Website 2021.
They also make it difficult to protect your code. Even one badly coded third-party product can enhance your website’s attack surface. You’re also generating a lot of vulnerabilities if you don’t update on a frequent basis.
However, you can lessen the risks if you:
- Remove any programs that you aren’t using.
- Update any programs you use on a regular basis.
- Use only applications, plugins, and themes from developers who have demonstrated that they can keep their goods up to date.
- Investigate any networks you intend to join.
If you’re using WordPress, you’ll get reminders in your dashboard when the software and any themes and plugins you’re using need to be updated. You can also use the auto-update feature, which covers everything mentioned above.
Consider a managed hosting plan for the most secure alternative. Not only will you have hardened security, but someone will also be in charge of updating your entire WordPress site. When you’re ready to take the plunge, you can discover more about managed WordPress hosting.
5. For proactive security, use a web application firewall (WAF)
Get a web application firewall if you wish to secure a website like Arnold Schwarzenegger (WAF).
Firewalls are recognizable to anyone who has used the internet in the last 25 years. Because it employs pre-defined rules to identify and block attacks, a web application firewall is comparable to the firewall on your PC. This makes them particularly effective at detecting typical threats like cross-site scripting (XSS), cross-site forgeries, and SQL injections, to name a few. How to Secure a Website 2021.
Even with the ever-changing threat landscape, a WAF is a must-have. One thing you’ll notice is that most modern WAFs can quickly adjust and apply rules in response to new vulnerabilities.
WAFs are available in three different types as the initial line of defense:
- Network-based with a hardware firewall — Easily the most powerful firewall, available from high-end hosts such as Kinsta and website builders such as Squarespace.
- Host-based — Any WAFs that are incorporated into the application itself via a plugin or an app is covered.
- The most popular and simple-to-integrate security alternative is cloud-based.
Wordfence is, once again, the greatest option for WordPress users.
6. Become a successful site administrator
There are many little things to keep track of as a website administrator, but staying on top of them will have a huge impact on how secure a website is.
Let’s take a brief look at all of them:
- Keep track of user roles so you know who has access to data, who has the ability to make changes, and what other privileges they have. Users should only be given the roles they require to fulfill their responsibilities. Anything more than that exposes you to risk.
- Keep an eye on what users are doing and remove inactive users: WP Activities Log can help you keep track of your users’ actions to prevent malicious activity.
- Remove automatic approvals from all comments and moderate them manually.
- Any comment that contains a link or code should be rejected. Malicious code in comment sections was historically common, but it is no more.
- Limit the types of files that can be uploaded in comments and forms.
- Every upload should be scanned and verified. For this, Sucuri is the best option.
7. Stay alert
You’ve already decreased the attack surface that hackers can exploit to take over your site if you’ve adopted the preceding methods.
If you want to keep it that way, you’ll need to examine your website and any external content you put on it, such as adverts, on a frequent basis.
Working with reliable ad networks and screening and testing all ad creatives before they go live on your site, for example, can help you avoid malvertising. How to Secure a Website 2021.
Sucuri SiteCheck, one of the market leaders, is also free and will detect any viruses, spyware, or harmful code affecting your site’s frontend.
It’s better if you create a regular security assessment for mission-critical sites that uses a two-layer approach:
To determine the size of your attack surface, use penetration testing tools like the Pentest Tools website scanner. You’ll find faults with your network, sensitive pages indexed by Google, and even the strength of your SSL connection using over 25 distinct scanning tools.
Vulnerability assessments should be cross-checked against a checklist that includes common security flaws:
- Check for inactive plugins, themes, or other third-party items on a regular basis.
- Check to see if your tools have been updated recently.
- Individuals are filtered based on their recent activity, with inactive users being considered for removal.
- Make a list of people who have special access, such as FTP and SSH, and assess if they require it and for how long.
These strategies may be excessive for a tiny hobby blog, but they can help you avoid problems on more essential websites. How to Secure a Website 2021.