Mister Scanner
Site Security Tips

Some of the best tips to secure your website with expert recommendations.

With cyber attacks increasing across every industry, business owners struggle to find answers. By one widely cited estimate, around 30,000 websites are hacked every day.

How should website owners prepare for this? We asked the industry experts for their top recommendations.

1. The Cybersecurity Basics

Many data breaches are the result of human error or outdated software. The number one tip is to keep these components up to date. 

For a more proactive approach, I try to advise website owners to block access to website administration portals with .htaccess. This involves whitelisting each IP address that requires access. A small extra step for a more secure environment. Another perk of doing this is that a lot of open-source CMS systems suffer regular brute force attacks. This can slow down a website and, in extreme cases, temporarily knock it offline. Blocking access via IP will block these bad bots and save your site's bandwidth and server resources.

Perry Toone, Founder of Thexyz Inc
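The allowlist the tip describes, as an added example that is not the contributor's own configuration: a small Python helper that validates the IP entries and emits the Apache 2.4 `Require ip` rules for the WordPress login files, plus a checker that applies the same allowlist in application code. The file names, the prefix-length limits and the addresses are assumptions for illustration.

```python
"""Generate an Apache 2.4 .htaccess fragment that restricts the admin portal
to an IP allowlist, and check a client address against the same list.

Added example, not from the article or its contributors. Assumes Apache 2.4
(`Require ip`) and WordPress's login/XML-RPC file names; the allowlist
entries are constructed documentation addresses.
"""
import ipaddress
from typing import Iterable, List, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Refuse ranges broader than this so a typo such as 10.0.0.0/8 or ::/0 does
# not quietly allowlist the world. Thresholds are an assumption for this example.
MIN_PREFIX = {4: 16, 6: 48}


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Parse '203.0.113.7' or '198.51.100.0/24' style entries.

    Invalid entries raise instead of being skipped: silently dropping the
    office range would lock the administrators out of their own site.
    """
    nets: List[Network] = []
    for raw in entries:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"allowlist entry too broad: {raw}")
        nets.append(net)
    return nets


def render_htaccess(entries: Iterable[str],
                    protected: Sequence[str] = ("wp-login.php", "xmlrpc.php")) -> str:
    """Emit <Files> blocks; several Require lines in one block are OR-ed
    (Apache's default RequireAny), so any listed network is accepted."""
    nets = parse_allowlist(entries)
    rules = "\n".join(f"    Require ip {net.with_prefixlen}" for net in nets)
    blocks = [f'<Files "{name}">\n{rules}\n</Files>' for name in protected]
    return "\n".join(blocks) + "\n"


def is_allowed(client_ip: str, nets: List[Network]) -> bool:
    """Mirror of the Apache check, usable from application code or tests."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    allow = ["203.0.113.7", "198.51.100.0/24", "2001:db8:abcd::/48"]
    print(render_htaccess(allow))
    nets = parse_allowlist(allow)
    for probe in ("198.51.100.42", "192.0.2.1", "2001:db8:abcd::1"):
        print(probe, "allowed" if is_allowed(probe, nets) else "blocked")
```

Two caveats before deploying the generated rules. First, if the site sits behind a CDN or reverse proxy such as Cloudflare, Apache sees the proxy's address, not the visitor's; configure mod_remoteip with the proxy's ranges as trusted before any IP rule, or the allowlist will either block everyone or, worse, trust the proxy. Second, the wp-admin directory needs its own .htaccess, but admin-ajax.php inside it is called by anonymous front-end features, so exempt that file or those features will break.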

2. The Encryption Basics

HTTPS is for everyone! HTTPS establishes a secure connection between the browser and your web server by layering encryption on top of it to safeguard the traffic sent. This protects your website’s users from “man-in-the-middle” attacks where hackers steal sensitive information like user information, credit card numbers, or logins.

Neil Kittleson, Founder/CEO, Nkrypt

3. Input Validation

This is a big security issue and one that often occurs, especially with websites that are built DIY by the small business owner themselves.

Some designers inherently trust whatever input they get from their visitors.

And while most users to your site will be benign, there will be a few who won’t be. And those are the ones who can take down your entire site.

Never trust input from users of your forms or other systems that require visitor input and make sure to validate them thoroughly and aggressively for any signs of malicious input.

Bryan Osima, CEO, Uvietech Software Solutions Inc.
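What "validate thoroughly and aggressively" looks like in code, as an added example rather than anything from the contributor: an allowlist validator for a small registration form. It describes what each field may contain and rejects everything else, including unexpected fields, over-long values and control characters. The field names, length limits and patterns are assumptions chosen for illustration.

```python
"""Allowlist validation for a small registration form.

Added example, not from the article or its contributors. The field names,
length limits and patterns are assumptions chosen for illustration.
"""
import re
import unicodedata


class ValidationError(ValueError):
    """Raised with the offending field name so the form can highlight it."""


# Describe what is allowed, not what is forbidden; everything else is rejected.
# fullmatch() is used below so a pattern cannot be satisfied by a prefix.
RULES = {
    "username": re.compile(r"[A-Za-z][A-Za-z0-9_]{2,31}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,24}"),
    "age": re.compile(r"(?:[1-9]\d?|1[01]\d|120)"),  # 1..120, no sign, no leading zero
}
REQUIRED = ("username", "email", "age", "message")
MAX_LEN = {"username": 32, "email": 254, "age": 3, "message": 2000}


def clean_text(value, field, allow_newlines=False):
    """Normalise and bound a raw field before any pattern is applied."""
    if not isinstance(value, str):
        raise ValidationError(f"{field}: expected a string")
    value = unicodedata.normalize("NFC", value).strip()
    if len(value) > MAX_LEN[field]:
        raise ValidationError(f"{field}: longer than {MAX_LEN[field]} characters")
    for ch in value:
        # Unicode category C* covers NUL, CR/LF, escape codes and format
        # characters that drive header injection and log forging; only the
        # free-text message may contain newlines and tabs.
        if unicodedata.category(ch).startswith("C") and not (allow_newlines and ch in "\n\t"):
            raise ValidationError(f"{field}: control character not allowed")
    return value


def validate_form(form):
    """Return cleaned, typed values, or raise ValidationError for the first problem."""
    if not isinstance(form, dict):
        raise ValidationError("form: expected an object")
    missing = [f for f in REQUIRED if f not in form]
    if missing:
        raise ValidationError(f"{missing[0]}: required")
    extra = sorted(set(form) - set(REQUIRED))
    if extra:
        # Unknown keys are rejected so a client cannot smuggle in fields such
        # as is_admin that a later mass-assignment would honour.
        raise ValidationError(f"{extra[0]}: unexpected field")
    out = {}
    for field, pattern in RULES.items():
        value = clean_text(form[field], field)
        if not pattern.fullmatch(value):
            raise ValidationError(f"{field}: invalid value")
        out[field] = value
    out["username"] = out["username"].lower()
    out["age"] = int(out["age"])
    out["message"] = clean_text(form["message"], "message", allow_newlines=True)
    return out


if __name__ == "__main__":
    good = {"username": "Alice_01", "email": "alice@example.com", "age": "34",
            "message": "Hello,\nplease call me back."}
    print(validate_form(good))
    for bad in (
        {**good, "username": "admin' OR 1=1--"},
        {**good, "email": "alice@example.com\nBcc: everyone@example.com"},
        {**good, "age": "200"},
        {**good, "is_admin": "1"},
    ):
        try:
            validate_form(bad)
        except ValidationError as exc:
            print("rejected:", exc)
```

Validation of this kind is a first gate, not the whole defence: values that pass still go to the database through parameterised queries and to HTML through context-aware escaping, because a legitimate message may contain an apostrophe or an angle bracket.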

4. Block Bad IPs

If your website is one of the 35% that use WordPress, security is essential. We recommend using a free web application firewall (WAF) like Wordfence, which will block bad IP addresses and stop brute force attacks automatically.

As an agency, we install this on all of our WordPress websites.

James LePage, Founder, Isotropic.co 

5. Upload Checks

If you’re going to allow file uploads on your website then be sure to add a check on what is allowed to be uploaded and be careful what is done with these files. You shouldn’t just be looking at the file extension, but also what is contained in the metadata. 

For example, images can have bad PHP code inserted in the comments. To avoid this simply prevent any files from executing when uploaded and prevent certain files with dangerous extensions like .exe from being uploaded in the first place. 

Mark Soto, Cybersecurity Developer, Cybericus
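The checks the tip calls for, as an added example that is not the contributor's code: an allowlist of image extensions, a magic-number check that the content actually matches the extension, rejection of double extensions such as shell.php.jpg, a scan for PHP markers hidden inside otherwise valid image data, and a random storage name so the client's filename is never trusted. The limits, patterns and sample files are assumptions constructed for illustration.

```python
"""Server-side checks for an image upload endpoint.

Added example, not from the article or its contributors. The allowed types,
size limit and scan patterns are assumptions chosen for illustration, and
the sample files below are constructed byte strings, not real uploads.
"""
import os
import re
import secrets
from typing import Optional

# Allowlist of extensions and the leading bytes (magic numbers) each must carry.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024

# Markers a misconfigured server might hand to an interpreter even when the
# file is otherwise a valid image (e.g. PHP planted in an EXIF comment). Only
# longer markers are used: 2-byte ones like '<%' false-positive in binary data.
EXEC_MARKERS = re.compile(rb"<\?php|<script\b", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> str:
    """Validate one upload; return the random storage name or raise ValueError."""
    base = os.path.basename(filename)
    if base != filename or "\x00" in base or base in ("", ".", ".."):
        raise ValueError("path components or NUL in filename")
    if not data:
        raise ValueError("empty file")
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    # Exactly one extension: 'shell.php.jpg' is rejected outright because
    # some Apache setups run a handler on any matching segment of the name.
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or "." in stem:
        raise ValueError("filename must have exactly one extension")
    ext = ext.lower()
    if ext not in MAGIC:
        raise ValueError(f"extension .{ext} not allowed")
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise ValueError(f"content does not match .{ext}")
    hit = EXEC_MARKERS.search(data)
    if hit:
        raise ValueError(f"executable marker {hit.group()!r} at offset {hit.start()}")
    # Never reuse the client's name: it is attacker-controlled and can collide.
    return f"{secrets.token_hex(16)}.{ext}"


def reject_reason(filename: str, data: bytes) -> Optional[str]:
    """Convenience wrapper: the rejection message, or None if the upload is accepted."""
    try:
        check_upload(filename, data)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed samples: a minimal PNG header plus padding, and a JPEG header
# whose EXIF segment carries a PHP web shell.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
POLYGLOT_JPG = (b"\xff\xd8\xff\xe1\x00\x40Exif\x00\x00"
                b"<?php system($_GET['c']); ?>" b"\xff\xd9")

if __name__ == "__main__":
    print("stored as:", check_upload("avatar.png", CLEAN_PNG))
    for name, blob in (("shell.php", b"<?php phpinfo();"), ("shell.php.jpg", CLEAN_PNG),
                       ("avatar.jpg", CLEAN_PNG), ("photo.jpg", POLYGLOT_JPG),
                       ("../avatar.png", CLEAN_PNG)):
        print(f"{name}: {reject_reason(name, blob)}")
```

These checks are cheap and catch the common cases, but a byte scan cannot prove an image is harmless. The robust pattern is to re-encode every accepted image with an image library (which discards all metadata, comments included), store the result outside the web root under the random name, and serve it through a handler that sets `X-Content-Type-Options: nosniff`; then even a file that slipped through has nothing to execute it.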

6. Free Firewalls

A firewall is an additional layer of security software that can protect your web connections or your WordPress installation by detecting and analyzing incoming connections. Firewall plugins are very effective and easy to manage, since everything is configured from a single plugin.


Hristo Pandjarov, WordPress Initiatives Manager at SiteGround

7. Secure Headers

Take the time to understand and implement security headers such as Content-Security-Policy. This is an effective way to mitigate some of the OWASP top 10 vulnerabilities without requiring expensive network or endpoint security systems.

Jon Rasiko, CyberSecurity Analyst, DeepCode
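An added example, not the contributor's tool, of how to check that the headers were actually deployed and are not hollow: a small audit that looks up the common security headers case-insensitively, parses the Content-Security-Policy into directives, and flags the settings that defeat it (`'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, wildcard script sources, a missing `object-src 'none'`), alongside HSTS, `nosniff`, framing and referrer checks. The thresholds and both sample header sets are assumptions constructed for illustration.

```python
"""Audit an HTTP response's security headers and its Content-Security-Policy.

Added example, not from the article or its contributors. The thresholds and
the two sample header sets are assumptions constructed for illustration.
"""
import re
from typing import Dict, List, Optional

HSTS_MIN_AGE = 15_552_000  # 180 days; an assumed baseline for this example


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']}, names and sources lower-cased."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    csp = get_header(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        scripts = policy.get("script-src", policy.get("default-src"))
        if scripts is None:
            findings.append("CSP sets neither script-src nor default-src")
        else:
            has_nonce_or_hash = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
            # When a nonce or hash is present, CSP-aware browsers ignore
            # 'unsafe-inline'; it is then only a fallback for old browsers.
            if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
                findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
            if "'unsafe-eval'" in scripts:
                findings.append("script-src allows 'unsafe-eval'")
            if any(s in ("*", "http:", "https:", "data:") for s in scripts):
                findings.append("script-src permits scripts from any origin")
        if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
            findings.append("object-src should be 'none' (blocks plugin-based script loading)")

    hsts = get_header(headers, "Strict-Transport-Security")
    age = re.search(r"max-age=(\d+)", hsts) if hsts else None
    if age is None or int(age.group(1)) < HSTS_MIN_AGE:
        findings.append(f"Strict-Transport-Security missing or max-age below {HSTS_MIN_AGE}")

    if (get_header(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")

    framing = get_header(headers, "X-Frame-Options") or (csp and "frame-ancestors" in parse_csp(csp))
    if not framing:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if get_header(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy missing")
    return findings


# Constructed sample responses: a typical "we added CSP" first attempt, and a
# hardened set. The nonce must be freshly generated per response in practice.
WEAK = {
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED = {
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-d2hhdCBhIG5vbmNl'; "
                                "object-src 'none'; frame-ancestors 'none'; base-uri 'self'"),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit_headers(hdrs) or ['no findings']}")
```

The first CSP most sites ship is `default-src * 'unsafe-inline'`, which blocks nothing; the audit above makes that visible. Roll a strict policy out with `Content-Security-Policy-Report-Only` first so the browser reports what it would have blocked without breaking the site.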

8. Update Everything 

As a security evangelist, one tip I always preach is update everything! Your first line of defense is always going to be your antivirus, operating system, and hardware. Make sure you religiously update them. As an added insurance, keep offsite backups. The easiest way to fix a problem is by restoring to a previous backup. 

Michael Miller, CEO and Security Evangelist, VPN Online Multimedia Inc

9. Frequent Testing

There are several important steps on the way to application or website security. Authorized APIs and SDKs, reliable frameworks, data encryption, and high-level authentication are just some of the things one should keep in mind in terms of app/site safety. Also, thorough testing is crucial to ensure security.


Vladlen Shulepov, CEO at Riseapps 

10. Hire A White Hat Hacker To Test Your Website or App

If you are worried about a hacker infiltrating your website or app, hire a white hat hacker. They will conduct a series of penetration tests to uncover any vulnerabilities that arise. If any vulnerabilities are found, they will provide your business with advice on how to better protect your website or application from hacking attempts.

Holly Zink, Cybersecurity Expert, Safeguarde

11. Two-Factor Authentication

If you want to secure your website and app, one of the best features to implement is two-factor authentication. That way, your customers will always have a way to retrieve their account info, even if someone attempts to steal their data. 

Dennis Vu, CEO and Co-founder of Ringblaze
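An added example, not the contributor's code and not any plugin's implementation, of the second factor most sites deploy: time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP), with a verifier that tolerates one step of clock drift, compares in constant time, and refuses a code whose counter has already been accepted so a phished code cannot be replayed. Only the standard library is used; the fixed key is the RFCs' published test vector so the output is checkable, and the `last_used` bookkeeping is an assumption about how the caller stores state.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, with a verifier that tolerates clock
drift and refuses replayed codes.

Added example, not from the article or its contributors, and not a WordPress
plugin's code. Uses only the standard library; the sample secret is the
RFC 4226/6238 test-vector key, used here so the output is checkable.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

RFC_TEST_KEY = b"12345678901234567890"  # from the RFCs; never use a fixed key in production


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1, dynamic truncation, then the low `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based code for the step containing `at` (Unix seconds; now if None)."""
    now = int(time.time()) if at is None else int(at)
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[int] = None, step: int = 30,
                window: int = 1, last_used: int = -1) -> Optional[int]:
    """Return the matching counter, or None.

    Accepts the current step and `window` steps either side to absorb clock
    drift; any counter at or below `last_used` is refused so a code captured
    by a phisher cannot be replayed within the drift window. The caller must
    persist the returned counter per user (assumed storage, not shown).
    """
    if not (isinstance(code, str) and code.isdigit() and len(code) == 6):
        return None  # shape check before doing any HMAC work
    now = int(time.time()) if at is None else int(at)
    base = now // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_used:
            continue
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user secret, 160 bits as RFC 4226 recommends."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI for enrolling an authenticator app (show once, as a QR code)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&digits=6&period=30"


if __name__ == "__main__":
    print("RFC vector at T=59:", totp(RFC_TEST_KEY, at=59))            # 287082
    print("accepted counter:", verify_totp(RFC_TEST_KEY, "287082", at=59))
    print("replay refused:", verify_totp(RFC_TEST_KEY, "287082", at=59, last_used=1))
    print(provisioning_uri(new_secret(), "alice@example.com", "Example Site"))
```

Rate-limit the verification endpoint as well: a six-digit code with a three-step window gives an online guesser roughly a 3 in 1,000,000 chance per attempt, which is only safe if attempts are capped. TOTP does not stop real-time phishing of the code; for that, WebAuthn/FIDO2 keys are the stronger second factor.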

12. Threat Modeling

Threat modeling is an activity that security architects and developers apply to the technology development life cycle to identify threats and define the security requirements needed to mitigate them in IT architectures at the design stage. A good threat modeling approach should be automated, collaborative, and scalable, helping to reduce security debt.

Dennis Sebayan, ThreatModeler Software Inc.

13. Take Regular Backups

Cybercriminals are increasingly targeting SMBs, and with phishing and ransomware attacks on the rise, consider using a backup solution to store your data on a third-party platform. Using a point-in-time restore and automatic database/website backup solution like CodeGuard can minimize the impact on availability in the aftermath of a breach. 

Lumena Mukherjee, Cybersecurity Researcher, Sectigo Store

14. Fail2ban

If you are using VPS hosting with a Linux distribution, never forget to install fail2ban. fail2ban scans log files and bans IPs that are acting suspiciously, such as those with many failed password attempts. Additionally, consider using a vulnerability checker like vulnx, which detects vulnerabilities in multiple types of CMS, including WordPress.

Burak Özdemir, Web Developer
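What fail2ban does under the hood, as an added example that is not fail2ban's own code: a scanner that matches failed SSH logins, keeps a sliding window of failure times per source address, and bans an address once it reaches `maxretry` failures within `findtime` seconds, skipping any address on the ignore list. The parameter names mirror fail2ban's jail settings as an assumption, and the log lines are constructed (journalctl-style ISO timestamps, documentation addresses).

```python
"""A small fail2ban-style scanner: count failed SSH logins per source IP in a
sliding window and ban the address once it reaches maxretry.

Added example, not fail2ban's own code and not from the article. The log
lines are constructed (journalctl-style ISO timestamps), and the parameter
names mirror fail2ban's maxretry/findtime/ignoreip as an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Sequence

FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one address hammering usernames, one user who
# mistyped once, and one slow guesser spaced an hour apart.
SAMPLE_LOG = """\
2024-05-01T12:00:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
2024-05-01T12:00:07 vps sshd[2103]: Failed password for invalid user root from 203.0.113.9 port 51240 ssh2
2024-05-01T12:00:12 vps sshd[2105]: Failed password for deploy from 198.51.100.4 port 40022 ssh2
2024-05-01T12:00:15 vps sshd[2107]: Failed password for invalid user test from 203.0.113.9 port 51251 ssh2
2024-05-01T12:00:22 vps sshd[2109]: Failed password for invalid user oracle from 203.0.113.9 port 51260 ssh2
2024-05-01T12:00:30 vps sshd[2111]: Accepted publickey for deploy from 198.51.100.4 port 40030 ssh2
2024-05-01T12:00:31 vps sshd[2113]: Failed password for invalid user ubuntu from 203.0.113.9 port 51270 ssh2
2024-05-01T12:00:45 vps sshd[2115]: Failed password for invalid user pi from 203.0.113.9 port 51280 ssh2
2024-05-01T12:30:00 vps sshd[2201]: Failed password for deploy from 192.0.2.7 port 33000 ssh2
2024-05-01T13:30:00 vps sshd[2301]: Failed password for deploy from 192.0.2.7 port 33001 ssh2
"""


def scan(lines: Iterable[str], maxretry: int = 5, findtime: int = 600,
         ignoreip: Sequence[str] = ()) -> Dict[str, datetime]:
    """Return {ip: timestamp of the failure that triggered the ban}."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    bans: Dict[str, datetime] = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if ip in ignoreip or ip in bans:
            continue  # never ban the admin's own addresses; banned IPs need no more work
        hits = recent[ip]
        hits.append(ts)
        # Drop failures older than findtime so an address is judged by rate,
        # not lifetime total: a one-off typo ages out, a burst does not.
        while hits and (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            bans[ip] = ts
    return bans


def ban_commands(bans: Dict[str, datetime]) -> List[str]:
    """Firewall rules a ban action would apply (fail2ban removes them after bantime)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    banned = scan(SAMPLE_LOG.splitlines())
    for ip, when in banned.items():
        print(f"ban {ip} at {when.isoformat()}")
    print("\n".join(ban_commands(banned)))
```

Two things the example makes visible that the defaults hide: the slow guesser at 192.0.2.7 is never banned with `findtime=600`, which is why fail2ban ships a `recidive` jail that watches its own ban log over days; and an ignore list is mandatory, because the first address an admin locks out by mistyping a password five times is usually their own.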

15. Five Quick Lessons

Many small businesses create their websites in WordPress. It is easy to set up and operate and it can be as cheap as you want.

Then, usually they just use the website to update some content … and eventually they may get the nasty surprise of seeing they have been hacked.

This is often not obvious to them unless the website looks different than it should. Sometimes code may have been injected into the source of the page where it is hidden from the general public. Other times, additional pages might have been added to the server without you knowing.

Easy tips to overcome this:

– Do not use an easy password on your hosting login or your website admin panel. Use https://passwordsgenerator.net/ to generate strong passwords and download this program https://keepass.info/ to store your passwords securely.

– If you are using WordPress, configure your hosting to update it automatically to the latest version. Or hire an agency to do this process in a managed way carefully checking that nothing breaks.

– Also in WordPress, install a security plugin such as https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ which will help you improve the security of the website.

– For any type of website, you can move your DNS management to Cloudflare https://www.cloudflare.com/. It’s free and they add a layer of security to your website, minimizing the attacks that reach your website and server.

Juan Pineda, Technical Director, Sofyma

16. Password Protection

It’s important to change your passwords every six months, especially after potential data breaches. It’s better to be safe than sorry, and this guards against any nasty security leaks.

Rob Shavell, CEO of Abine/DeleteMe

17. Free Security Plugins

If your company’s website is built on a CRM like WordPress, you can look into the plugin market for security plugins to bolster your defences. Plugins like Wordfence are easy to install and block threats like malware, brute force attempts, DDoS, and other hacking techniques from getting through to your website.

Colton DeVos, Resolute Technology Solutions

Do you have more such tips to help our readers secure their web assets? Drop them in the comments below.
