How to keep your website secure

When it comes to website security, 9 times out of 10, it’s something that you leave in the trusty hands of your website development agency. After all, it’s complex and boring, right? Well, it doesn’t have to be. And we’re not saying you need to know everything about keeping your website secure but, ultimately, you are responsible for your website’s security. Plus, it certainly helps to have some knowledge of why it’s so important, especially when it comes to having conversations with your agency.

Why worry about website security?

To put it bluntly, you wouldn’t leave your house or car open to theft would you? So, why do it with your website? Cyber attacks are rife. 39% of businesses and 26% of charities have reported a cyber breach or attack within the last 12 months (Cyber Security Breaches Survey 2021). Not only are you putting your own website at risk, you are also risking the protection of other websites (if you are all hosted on a shared platform), and the protection of your visitors’ personal information too.

What is a cyber attack?

Cyber attacks are attempts to compromise or take down computer systems, including websites. Without adequate website security, you’re leaving your website vulnerable to such attacks. Cyber attacks can include:

Stealing website data or traffic
Stealing customer data such as payment details and personal information
Either slowing down your website or crashing it completely
Removing your website from search engines so no-one can find you

Recovering from a cyber attack is costly, not to mention how much damage it’ll do to your reputation. You, therefore, need to do everything you can to lessen the chances of your website experiencing a security breach.

Ways to keep your website secure

Install an SSL Certificate

You may have noticed that some website URLs begin with HTTPS rather than HTTP. And this is how you determine whether a website has an SSL certificate or not; if it ends with an ‘S’, it’s secure. But, what is an SSL certificate? In short, it’s a way to certify that the website is genuine and that any data passed to and from the website is encrypted and secure. SSL stands for Secure Sockets Layer which is a representation of what it is - an extra layer of security to ensure that all data passed between the user and the website owner is private and secure.

Having an SSL certificate helps to keep information secure such as:

Bank account/credit card information
Account login details
Personal information i.e. name, address and date of birth
Medical records
Legal documentation

There are actually differing levels of SSL certificates available, depending on the sorts of transactions that take place on your website. For example, if you handle sensitive data, you should be looking at an Extended Validation SSL certificate which is the highest level of security. A good way to spot this is in your browser when it goes green.

And, did you know that search engines penalise websites without SSLs? So you could be reducing your chances of being highly ranked in the search results. Your hosting provider or website development agency will be able to arrange a private SSL certificate for optimum website security.

Update your website platform

No, we don’t mean change the content management system (CMS) you’re using although, while we’re here, have you heard of Umbraco before? We thoroughly recommend you check it out… In all seriousness, using a reputable CMS like Umbraco means there will be no stone left unturned when it comes to website security. To read more about what Umbraco is, check out this blog post.

But, regardless of the platform your website is on, it’s important to make sure that it’s updated regularly. You may think it’s just a ploy by your website agency to install the latest version, but it’s actually vital in order to keep your website safe. Older versions will no longer be maintained as heavily and so this means they’re more vulnerable to security breaches.

Enable two-factor authentication

Two-factor authentication (2FA) provides extra security for your website logins. It is no longer enough to have a ‘secure’ password and your email address to log in, especially if you use the same details to log in to multiple websites! If a hacker manages to gain access to your details, chances are they’ll use it on all of the websites you log in to so that they can get as much information about you as possible.

So, 2FA requires two pieces of authentication about you, the user. For example, you may need to log in using your username/email address and password, but the system will also send you a verification code to your mobile device. Or, this extra layer of security may involve face ID or a fingerprint scan. When it comes to your website security, you can enable two-factor authentication for yourself, as an editor of the CMS, and you can also offer it as extra protection for your customers too.

Have a Content Security Policy (CSP)

Having a defined set of rules in place, such as a Content Security Policy (CSP), helps to prevent code injection attacks like cross-site scripting (XSS), SQL injection and clickjacking. These types of cyber attacks involve things like malicious code being added to your website, online forms being compromised, and harmful buttons being added to web pages that are disguised by existing elements on your website. And, because the user’s browser believes it is on a trusted website, it isn’t flagged as a security breach.

With a CSP, you can actually specify, or ‘whitelist’ as it’s known as, the domains that a browser is able to load scripts from. For example, if your website has YouTube videos on it, you would need to have the YouTube domain added to your whitelist to ensure that it doesn’t get blocked. This mitigates the risk of hackers planting malicious code on your website. You can speak to your web developer and request that it’s implemented on your website.

Enable DDoS Protection

DDoS protection is recommended to mitigate the risk of a Distributed Denial of Service (DDoS) attack. This is a method used by cybercriminals to flood your website server with traffic requests which, ultimately, crashes your website and makes it unavailable to users. Although it is nigh on impossible to completely protect your website from such attacks, there are many things your website development agency can do to limit the chances. Without getting too technical (you can leave that to us!), you need to make sure that the architecture of your website is solid and naturally incorporates DDoS protection.

You can also arrange for external anti-DDoS protection which is normally through your hosting provider. Just make sure they offer 24/7 protection because a lot of attacks happen overnight -- when there’s less likely to be anyone around to rectify the issues caused!

Install a Web Application Firewall (WAF)

A WAF monitors traffic between the internet and your website. Any incoming traffic that looks suspicious is filtered and obstructed to ensure your website remains secure and stable. It can actually be used to protect your site from DDoS attacks, so the two go hand-in-hand. A WAF, essentially, operates as a force-field around your site. Pretty cool, huh?

You can also set specific rules such as blocking traffic from a particular country or IP address. This is particularly helpful if you have been unlucky to experience fraudulent activity on your site already. A WAF can also test potentially malicious incoming traffic by sending users a CAPTCHA challenge to ensure it’s genuine. Installing a WAF can prove to be costly, so it’s vital you consider all options when it comes to keeping your website secure.

This is just a brief summary* of the different options available to you to keep your website secure. Make sure you don’t leave choosing your website security options until the last minute; you can’t just install a piece of antivirus software and leave it to do it’s thing!

Speak to your website development agency about the security features you currently have to protect your website because the last thing you want is a cyber attack! And remember, security improvements are like insurance. You may not ever need them but if there is a security issue, it’s best to have them in place to protect you.

*Seriously, blog posts about the intricacies of website security can go on for days…

Is your website currently built on Umbraco? Would you like a FREE security audit from an Umbraco certified partner? Fill in the form below and we’ll be happy to take a look and advise on where your website is vulnerable.

Don't worry, we've made it easy for you to get in touch with us! Choose your preferred method of contact and request your FREE website security audit today.

Purpose/Activity	Type of data	Lawful basis for processing including basis of legitimate interest
To register you as a new customer	(a) Contact	Performance of a contract with you
To process and deliver your order including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us	(a) Contact (b) Financial (c) Transaction (d) Marketing and Communications	(a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Asking you to leave a review or take a survey	(a) Contact (b) Profile (c) Marketing and Communications	(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	(a) Identity (b) Contact (c) Technical	(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation

Cookie	Name	Purpose
Cloudflare CDN	__cf_bm	CDNs are used to store external files that we may need to run the website
Google Analytics	_ga	Used to track page views, visits time on site
Google Analytics	_gat_gtag_UA_74413774_1	Used to track page views, visits time on site
Google Analytics	_gid	Used to track page views, visits time on site