How to Secure a Website: 21 Website Security Tips for Businesses

17 website, IT and cybersecurity professionals weigh in on how to make a website secure (and things you should avoid doing) with their expert tips

If you’re not sure how to secure a website most effectively, you’re not alone. At the time of writing, a Google search for “how to secure a website” returned more than 2.6 billion results. This is where our list of website security tips comes in handy.

Of course, we have our own thoughts and opinions about the best ways to approach website security:

  • Using secure passwords
  • Patching and updating your software, firmware, and server
  • Using SSL/TLS certificates
  • Maintaining current website backups

But we all know there’s more to strong website security than just that, which is why I called in the cavalry to help answer your question. I’ve gathered 21 website security tips from 17 website pros, IT admins, and cybersecurity experts from around the U.S. and abroad. You’re welcome.

Now, I know that you’re chomping at the bit to get to those expert website security tips. But if you want to know more about who each expert is, check out our list of experts by clicking the “Meet the Website Security Tips Experts” link (#4) in the table of contents below.

Website Security Tips Table of Contents

  1. 17 website, IT and cybersecurity professionals weigh in on how to make a website secure (and things you should avoid doing) with their expert tips
  2. 14 Website Security Tips on How to Make Your Website Secure
    1. Implement Strong Password Requirements and Follow Password Management Best Practices
    2. Implement Strong Authentication Methods and Limit Access
    3. Don’t Allow Unvalidated File Uploads to Your Website
    4. Use Encryption and Secure Protocols to Serve Your Website via HTTPS
    5. Use DNS Filtering to Restrict Access to Specific Sites
    6. Have Visibility Within Your Servers, Databases, Networks, and General Infrastructure
    7. Keep Software, Firmware Up to Date and Patched
    8. Check Your Configurations to Ensure They’re Set Properly
    9. Use Reverse Proxies for Large Websites
    10. Reconsider Hosting Multiple Websites on One Server
    11. Keep Multiple, Current Website Files and Database Backups
    12. Keep Your Database Separate from Your File Server
    13. Use the Right Website Security Tools and Features
      1. SQLMap
      2. ThreatRunner
      3. Zed Attack Proxy (ZAP)
      4. Multiple Solution Recommendations
    14. Review Your Web Server Security Policies Regularly
  3. Website Security Tips: 7 Website Security Mistakes to Avoid
    1. Believing Cyber Security Is “All or Nothing”
    2. Being Negligent and Ignoring the Obvious
    3. Having Poor Password Selection, Management, and Policies
    4. Using Default Credentials, Site Addresses, and Database Prefixes
    5. Including Session IDs in URLs
    6. Lacking Regular Website Testing
    7. Trusting Their Security to One Product or Solution
  4. Meet the Website Security Tips Experts (Listed in Alphabetical Order by Surname)
  5. Final Thoughts on These Website Security Tips and How to Secure Your Website

                                                        14 Website Security Tips on How to Make Your Website Secure


                                                        1. Implement Strong Password Requirements and Follow Password Management Best Practices

                                                        Account security is often only as good as the passwords and management strategies that are used to manage them. If you’re using insecure passwords, or if you aren’t regularly updating them or managing them, then you’re quickly going to find yourself on a trip up a stinky brown creek.

                                                        To start off our list of website security tips, the experts also had a lot to say on the topic:

“One of the most common website security threats is the usage of weak passwords. When passwords are not set using the correct procedures, they can be easily hacked by external actors which will allow them to infiltrate your website. The risk of weak passwords can easily be fixed by educating employees about the importance of strong passwords. By implementing a password manager tool or multi-factor authentication it can offer an additional layer of security against possible website attacks.”

— Sivan Tehila, director of solution architecture of Perimeter 81

                                                        But what exactly constitutes “weak” passwords?

“You need to set up a secure password that isn’t associated with you or your lifestyle, hobbies, etc. You can use an on-line password generator. Be careful, as there was a site that generated the same password for all users. This was a trap by hackers, who would then try this password for numerous accounts.

You can use a combination of dates, names and locations; merging them will make them a lot more secure than single terms. Use upper and lower case, alphanumeric characters, numbers and non-real-life words.

Ideally you should change your passwords monthly, but if not, quarterly is reasonably safe, and don’t use the same passwords for multiple sites, as you can be a victim of multiple hacks. Your email or user name can be tracked among multiple sites. If hackers gain access to one of your accounts then they will try the same password across all other sites. This is normal protocol for them.”

— Dustin Vann, owner & website manager at Trusy Social (Trusy.co)
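The password rules the two experts describe above (not tied to the user’s own name or email, several character classes, not a known-weak password, not reused across changes) can be enforced server-side at registration and password-change time. The following is an added example, not code from the original article or from any of the experts quoted; the minimum length, the short common-password sample and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 12            # assumed policy minimum
PBKDF2_ROUNDS = 200_000    # assumed work factor for the stored password hash

# Constructed sample of frequently breached passwords; a real deployment would
# check against a large breach corpus instead of this short list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}


def _identity_tokens(username, email, full_name):
    """Fragments of the user's own identity that must not appear in the password."""
    tokens = set()
    for piece in [username, email.split("@")[0], *full_name.split()]:
        piece = piece.lower().strip()
        if len(piece) >= 3:          # ignore tiny fragments that would match everything
            tokens.add(piece)
    return tokens


def check_password(candidate, username, email, full_name):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    for token in sorted(_identity_tokens(username, email, full_name)):
        if token in lowered:
            problems.append(f"contains personal identifier '{token}'")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for pattern in classes if re.search(pattern, candidate)) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest; returns (salt, digest) for storage."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(candidate, history):
    """True if candidate matches any (salt, digest) pair kept from earlier passwords."""
    for salt, digest in history:
        _, probe = hash_password(candidate, salt)
        if hmac.compare_digest(probe, digest):   # constant-time comparison
            return True
    return False


def accept_new_password(candidate, username, email, full_name, history):
    """Full decision at password-change time: policy check plus reuse check."""
    problems = check_password(candidate, username, email, full_name)
    if is_reused(candidate, history):
        problems.append("matches a previously used password")
    return problems


if __name__ == "__main__":
    # Constructed user record for demonstration.
    user = ("jsmith", "john.smith@example.com", "John Smith")
    history = [hash_password("OldPassw0rd!xyz")]
    for attempt in ("JohnSmith2024!", "password", "OldPassw0rd!xyz", "Correct-Horse-Battery-9"):
        print(attempt, "->", accept_new_password(attempt, *user, history) or "accepted")
```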

                                                        Of course, there are other considerations as well when it comes to website password security. In addition to the complexity of the passwords and how frequently you change them, another consideration is how to manage those passwords and keep them secure.

“One big tip we have is ensuring you have multi-factor enabled, especially if you are using a CMS system like WordPress. It is so easy for someone to break your password through a phishing attack or WordPress vulnerability. They can use your credentials to mangle your website, install malware, and destroy your brand.”

                                                        — Nick Santora, co-founder and CEO at Curricula

“When possible, it’s best to protect passwords with 2FA, or 2-Factor authentication. A Yubikey is ideal, but authenticator apps are useful as well. Doing so will provide an additional layer of protection in the off chance your password is compromised or your phone is SIM-swapped.

                                                        People are storing more and more value online and virtual items and assets like cryptocurrencies are becoming more mainstream, which has led to a huge surge in 2FA support across a variety of platforms, be it Twitter, Facebook, Coinbase, Amazon, iCloud and more. Every day there’s less of an excuse to not have Google Authenticator downloaded on your iOS or Android.”

                                                        — Corey Petty, senior security engineer at Status

                                                        2. Implement Strong Authentication Methods and Limit Access

When it comes to web authentication, you definitely have a lot of options. You’ve got the traditional two-factor and multi-factor authentication mechanisms. But there are also hardware tokens and other types of measures available, as well as digital signatures. Make sure that you choose whichever authentication method works best for your organization and hardens your defenses.

                                                        Furthermore, regardless of what Pam in accounting says, not everyone needs access to everything. This is why limiting access to what users actually need is crucial to website security.

“Enable secure access to your admin area via IP whitelisting or Two-Factor Authentication. Practice regular account auditing for admin accounts as well as API users and remove any that are unnecessary or adjust access to only necessary areas.”

                                                        — Brian Taylor, co-founder of Forix

“Website owners make a mistake in giving credentials to partners. Instead, if partners need to pull user data from your site, provide them with an OAuth-based API. This is also known as the Password Anti-Pattern.”

— Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

“User and admin lists should be reviewed and cleaned up if such people are no longer part of that project/entity/company/etc.”

                                                        — Ross Thomas, IT administrator at SectigoStore.com

                                                        Login functionality and session management are also important considerations in website security:

“Check the session management: after login, if the user does not perform any action for 15 minutes (let’s say your session timeout is 15 minutes), then when they perform any action after those 15 minutes, they should automatically be logged out from the website.”

— Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

“Avoid staying logged in to inactive sessions. Not only could data be collected on you in the background, but it increases the chance of someone maliciously accessing your account. Additionally, if you’re using a centralized identity service like Google, Twitter, or Facebook as your login, if someone hacks one of those accounts, they’ll immediately gain access to your connected accounts too. Don’t reuse passwords, especially on valuable services like email, online banking, and identity services. Use a password manager to help you.”

                                                        — Corey Petty, a Senior Security Engineer at Status
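The idle-timeout behaviour Kenny Trinh describes (any request after 15 idle minutes ends the session) and Corey Petty’s point about abandoned sessions can be implemented as a server-side session table that is checked on every authenticated request. This is an added example, not code from the article or from either expert; the 15-minute idle limit follows the quote, while the 8-hour absolute lifetime and the injectable clock are assumptions made for illustration and testability.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before the session is destroyed (from the tip)
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed hard ceiling on lifetime, even for a continuously active user


class ManualClock:
    """Test clock: time only moves when advance() is called."""

    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class SessionStore:
    """In-memory session table; `clock` is injectable so the expiry logic is testable."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user_id):
        """Issue a fresh, unguessable session id after a successful login."""
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[session_id] = {"user": user_id, "created": now, "last_seen": now}
        return session_id

    def touch(self, session_id):
        """Called on every authenticated request. Returns the user id, or None if the
        session is unknown or has expired (an expired session is destroyed on the spot,
        so the request that arrives after the idle window is the one that logs the user out)."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        now = self._clock()
        idle_for = now - session["last_seen"]
        age = now - session["created"]
        if idle_for > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
            del self._sessions[session_id]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, session_id):
        """Explicit logout: drop server-side state so the cookie is worthless afterwards."""
        self._sessions.pop(session_id, None)

    def purge_expired(self):
        """Housekeeping for sessions that were abandoned and never touched again."""
        now = self._clock()
        stale = [sid for sid, s in self._sessions.items()
                 if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    clock = ManualClock(1_000_000.0)
    store = SessionStore(clock)
    sid = store.create("alice")
    clock.advance(14 * 60)
    print("after 14 idle minutes:", store.touch(sid))      # alice
    clock.advance(16 * 60)
    print("after 16 more idle minutes:", store.touch(sid))  # None: logged out
```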

                                                        3. Don’t Allow Unvalidated File Uploads to Your Website

Even though the Open Web Application Security Project (OWASP) itself warns against allowing “just anyone” to upload files and other content to websites, it never fails to amaze me how many websites simply ignore those guidelines and do it anyway. The OWASP File Upload Cheat Sheet outlines some great principles to follow for secure file upload implementation (we won’t list them all here, but they’re worth mentioning in an article about website security tips).

                                                        But why is this such a critical move for website security? Let’s ask one of the pros:

“Here is one way that a lot of websites get hacked. A lot of websites will allow unvetted file uploads to their website. The grave mistake website owners make is that they only check the file extension and determine whether it’s safe based on that. This is a huge error, since extensions can easily be faked and .exe files aren’t the only thing that can cause damage. For example, images can have dangerous PHP code in the comments. There are some workarounds that website owners can use. One is to simply not allow users to execute any files that they upload. This means that the files will be stored in the database, outside of the server where your website is stored. Make sure that the files uploaded are using a secure mode of transportation with SFTP and SSH ports. The second one is to do a quick check to verify that the file extension is the correct one by simply changing the extension name.”

                                                        — Mark Soto, owner of Cybericus
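The two controls above, never execute what users upload and never trust the declared extension, can be combined in one upload handler: allow-list the extension, confirm the file content actually starts with that type’s signature, then store it under a random server-chosen name in a directory outside the web root. This is an added example, not code from the article or from Mark Soto; the allowed types, size limit and storage layout are assumptions for illustration. The signature check only confirms the container type, which is why the out-of-web-root storage (or re-encoding the image) remains the control that makes PHP hidden in image metadata harmless.

```python
import os
import secrets
from pathlib import Path

MAX_BYTES = 5 * 1024 * 1024   # assumed upload size limit

# Allow-list keyed by the *declared* extension: canonical extension to store under,
# plus the magic-byte prefixes the file content must actually start with.
ALLOWED_TYPES = {
    "png":  ("png", [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("jpg", [b"\xff\xd8\xff"]),
    "jpeg": ("jpg", [b"\xff\xd8\xff"]),
    "gif":  ("gif", [b"GIF87a", b"GIF89a"]),
    "pdf":  ("pdf", [b"%PDF-"]),
}


class UploadRejected(Exception):
    pass


def validate_upload(original_name, data):
    """Return the canonical extension to store the file under, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not data:
        raise UploadRejected("empty file")
    # Only the final suffix counts, so "avatar.php.png" is judged as PNG and then
    # rejected below because its bytes are not a PNG; case is normalised as well.
    ext = Path(original_name).suffix.lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension '{ext or '(none)'}' not allowed")
    canonical, magics = ALLOWED_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match declared type")
    return canonical


def accepted_type(original_name, data):
    """Convenience wrapper: canonical extension if accepted, else None."""
    try:
        return validate_upload(original_name, data)
    except UploadRejected:
        return None


def store_upload(original_name, data, upload_root):
    """Validate, then write under a random server-chosen name inside upload_root.
    upload_root must live outside the web root (or be served with execution disabled);
    the user-supplied name is discarded entirely, which also removes path traversal."""
    canonical = validate_upload(original_name, data)
    new_name = f"{secrets.token_hex(16)}.{canonical}"
    dest = Path(upload_root) / new_name
    # Exclusive create: a (vanishingly unlikely) name collision fails instead of overwriting.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return new_name


if __name__ == "__main__":
    # Constructed sample uploads: a minimal PNG header and a PHP file renamed to .png.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print("photo.PNG      ->", accepted_type("photo.PNG", png))
    print("avatar.php.png ->", accepted_type("avatar.php.png", b"<?php /* constructed */ ?>"))
```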

                                                        4. Use Encryption and Secure Protocols to Serve Your Website via HTTPS

Oh, yeah. You knew this would make our expert website security tips list somehow. Using SSL/TLS certificates for your website and server to facilitate a secure, encrypted connection between two parties (i.e. your site visitors’ browsers and your web server) is essential. We don’t only say that because we happen to sell such certificates, but because serving websites via HTTPS is effectively required by Google and the other major browsers if you want to avoid being slapped with a tacky “Not Secure” label.

                                                        Thankfully, we’re not alone — David Alexander, Alexander M. Kehoe, Dave Hatter, Ross Thomas, and Greg Rogozinski also agree. In their website security tips, they emphasize the importance of SSL/TLS protecting users’ sensitive information.

                                                        Probably the two who put it best, though, are Luka Arezina and Sivan Tehila:

“One good tip for any website owner, especially eCommerce websites, is to set up SSL security on the domain. Having an SSL-secured domain lets your future customers know that they are visiting a website where the data is coming from a secure source. This is visually displayed as a “green padlock” icon on the website address field, in the top-left corner of your browser.

A secure domain also lets visitors on your website know right from the landing page that your company takes cybersecurity seriously. It also prevents “content warning” and “unsecured connection” messages from spooking away your potential customers. Additionally, it adds another layer of data protection to transactions on the website, which is critical for doing business online.”

— Luka Arezina, editor-in-chief at DataProt

“When it comes to best website security tips, the first one that comes to mind is making sure your website has an SSL connection. An SSL connection is an encryption method that is used when a visitor makes a connection to your web host server. This is one of the easiest ways to ensure your customer’s information is secure. Additionally, Google warns visitors when they’re entering a site without SSL.”

                                                        — Sivan Tehila, Director of Solution Architecture of Perimeter 81

                                                        5. Use DNS Filtering to Restrict Access to Specific Sites

If only there was a way to protect your employees from accidentally downloading web-borne threats… Oh, wait, there is! It’s called using a DNS filter. The domain name system (DNS), which (in a roundabout sort of way) acts as an intermediary between browsers and servers by converting “google.com” or “apple.com” into an IP address the browser can connect to, also has some handy filtering capabilities.

                                                        So, why is it such a great option for cybersecurity? Sivan Tehila is, again, quick with an answer:

“One of the best website security tools I recommend to implement is a DNS filtering feature. DNS filtering offers businesses the option to restrict employee access to certain URLs, by defining which are either permitted or blocked sites. One of the key reasons why every business should adopt DNS filtering is to prevent employees from gaining access to websites that don’t help them with their jobs, or sites that can create major security risks for the organization. By limiting access to certain URLs, it helps employees be more productive and helps to fight off potential security risks such as data loss, malware, or even legal issues.”

                                                        — Sivan Tehila, Director of Solution Architecture of Perimeter 81

                                                        6. Have Visibility Within Your Servers, Databases, Networks, and General Infrastructure

                                                        Website and IT admins worldwide face a very real and frustrating conundrum every day: They’re expected to keep networks, computer systems, and websites safe from the reach of hackers and cybercriminals. Heck, you’re probably one of them. But how can you protect what you don’t know you have? This is where having strong visibility is key:

“In short, know what is being deployed in your infrastructure. If you can’t tell when a new device is added anywhere on your network, there’s an issue. Organizations are compromised every day via third-party systems or shadow IT that they didn’t know was on the network.”

                                                        — Brad Pierce, director of network security at HORNE Cyber

Whether it’s a mobile device, an SSL/TLS certificate, or an IoT device like a smart printer, you need to know what’s connected to your systems at all times to prevent data leaks and to improve your website security efforts (and general cybersecurity) as a whole. Shadow IT and unknown digital certificates for websites not only leave your business at risk, but they can cost you time and money as well in terms of downtime and noncompliance penalties.

                                                        For obvious reasons, this is one of the most important website security tips we could include in this list.

                                                        7. Keep Software, Firmware Up to Date and Patched

                                                        This next point nicely follows the last in our list of website security tips. While it’s not only important to have full visibility of your network, IT infrastructure, and tech components, it’s also essential that you make sure everything is current. I’m talking about updates and patches here.

                                                        At one point or another any software or server is going to require updates and/or patching. Keeping everything up to date not only enables you to operate using the newest everything, but it also helps you to patch any gaps in your cybersecurity defenses that manufacturers fixed with those updates. You can do this manually, or you can rely on automatic updates.

“One of the first tips I start with is making sure your server isn’t using an old version of PHP like the 5.x generation. I see this issue on a regular basis when PHP 5.x has been retired and not receiving security and bug fixes since 1 January 2019.”

— David Alexander, designer, developer and digital marketer at MazePress

                                                        8. Check Your Configurations to Ensure They’re Set Properly

Taking the time to periodically check your site configurations is simple and is a best practice. For one, this expert tip helps you to ensure that no changes were made to your existing configurations. Secondly, it also gives you a chance to review what your current configurations are in case you do need to make some changes.

But what do the experts have to say about it?

“One of the biggest gaps that I see is the lack of security around website configurations (database credentials, API tokens, etc.). Most websites store their configurations either un-encrypted on their servers, or even worse, directly in code. And developers typically share the configs through unsecure channels like Slack or Email.

A solution to this would be to encrypt configurations, however managing how to decrypt and inject that configuration securely is a huge challenge. I run a startup that is building a product called “Courier” (CourierConfig.com) that helps users secure their application configuration for deployment and securely share their configuration. This was really born out of the difficulty of managing websites’ configuration.”

— Yoseph Radding, software engineer and Cofounder of Shuttl LLC

                                                        9. Use Reverse Proxies for Large Websites

                                                        Although not everyone thinks it’s necessary to go to the trouble of implementing them, using reverse proxies is a practice that’s been known to secure multiple web servers from web application vulnerabilities. These proxies are typically used to not only increase security, but they also increase performance and general reliability because they often have greater resources at their disposal.

“While I would agree it is easier said than done, reverse proxies are a great security-related solution for larger websites or clusters of websites. A reverse proxy is a server that handles requests (typically the public-facing port 443 and 80 requests) to the webserver(s) that the proxy sits in front of. When it is time to handle requests from the public, the reverse proxy will get the information (typically cached) from the webservers and then serve it to the requestors. So, a user would not be requesting directly from the webserver, but would be requesting from the reverse proxy.

This adds another layer of security in between, and the requests made from the reverse proxy to the webserver can be way more secure without worry of breaking access or adding tons of overhead during high-traffic times.”

                                                        — Ross Thomas, IT administrator at SectigoStore.com

                                                        10. Reconsider Hosting Multiple Websites on One Server


While there is not necessarily anything inherently “bad” about hosting multiple websites simultaneously on a server, there is a security concern that the sites might have some limited level of access to each other. Basically, the issue here is the risk of cross-site contamination in shared hosting environments.

                                                        Cross-site contamination results when websites in a shared server environment aren’t properly isolated.

“You should avoid running multiple websites on one server and I’ve seen this mistake done numerous times. Secondly, you should create a separate database for each site instead of using prefixes. This will help you keep your websites isolated.”

                                                        — Mihai Corbuleac, information security consultant at StratusPointIT

                                                        11. Keep Multiple, Current Website Files and Database Backups

                                                        The importance of regularly creating and maintaining up-to-date website and database backups should go without saying. Basically, if crap hits the proverbial fan and you don’t have your files, content, plugins, and anything else related to your website backed up, then you’re really going to regret it.

                                                        Our web and IT experts are in agreement with their website security tips on the topic:

“They say prevention is better than the cure, but having a fallback plan is also a good idea. You should back up your website regularly in the unlikely event that it gets compromised. Luckily for you, some hosting providers do it for you automatically. However, this is no excuse to not do it yourself, since this is your website after all. Having an off-site backup somewhere might just be the magic cure that resurrects your website from the dead.”

— Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

“Also, it is crucial to back up your website regularly. Of course, some hosting providers do it for you, automatically, but for improved security it’s best to keep off-site backups.”

                                                        — Mihai Corbuleac, information security consultant at StratusPointIT

                                                        12. Keep Your Database Separate from Your File Server

                                                        There are different reasons why someone would choose to host their files on the same server as their database. One of the most common is convenience or to save on cost. However, there are some regulations that may require a separation of duties (SoD). The Payment Card Industry Data Security Standard (PCI DSS) is one of them.

PCI DSS Requirement 2.2.1 of the most recent Requirements and Security Assessment Procedures document (version 3.2.1) specifies that PCI DSS-compliant businesses must “implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server.” So, this means that any database containing sensitive financial data, such as credit card details, must be separate and can’t communicate directly with the internet.

                                                        So, if you don’t need to be compliant with PCI DSS for some reason, what other reason could you have for wanting to separate your web or application servers from your database? Some experts argue that running a multi-server environment can actually be beneficial because it increases the number of resources and connections you can support, and that it also can make monitoring more effective.

“I highly recommend that you separate the database from the file server. It might be costly at first, but doing this will ensure that no attacker will have access to sensitive data found in your database. You might have a compromised website but at least information like bank accounts, credit cards, and personal information.”

— Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

“Depending on what your site is doing, user data is always a big point of contention and can lead to dreadful lawsuits/PR embarrassment. Do right by your customers/clients and protect their data.

One thing that should always be practiced, no matter how small the site, is to offload any database related to the website onto a different server. The amount of code added to make calls/queries to the database server is often minimal, but more so than making calls to the local machine. And, as long as you have your database being accessed through a local network, as in no public-facing network interfaces, that immediately complicates any hackers’ attempts at gaining access to that data. Though, it is certainly not impossible.

Things like tokenization or encryption can help protect the data itself. Consider using these if you are holding sensitive user information, such as addresses or payment information. Encryption makes a lot of sense when the database is only being accessed by a few things.”

                                                        — Ross Thomas, IT administrator at SectigoStore.com

                                                        13. Use the Right Website Security Tools and Features

                                                        Every website owner or administrator should be using secure architectural design and coding practices. Furthermore, it’s crucial that they also use standard defense and threat detection mechanisms as well, including vulnerability scanning tools and web application firewalls.

                                                        But what other software, plugins, extensions, etc. would be useful? We posed this question to the experts as well for our list of website security tips. Here’s what they had to say:

                                                        SQLMap

“SQL injections have become really trendy lately, and I believe that most hackers are prone to using this, especially with the rise of cloud-based systems like Microsoft Azure. If you didn’t know, SQL injection is effective against cloud-based systems, which is why a lot of security experts are finding ways to stop this vulnerability. SQLMap is an open-source testing tool that can detect SQL flaws in the system, allowing you to fix potential areas that are targets for SQL injection. I highly recommend that anyone with a website get this.”

— Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

                                                        ThreatRunner

“Being proactive and taking an offensive approach to ensuring online security is the better option, as compared to waiting to see if an attack comes. Threat Runner is a penetration tool that is designed to safely simulate a malware infection on an organization’s network. Through reverse engineering and the de-weaponization of authentic malware samples, it mitigates the risk of damage of an attack through knowledge and context of vulnerabilities within the network, strengthening security posture.”

                                                        — Brad Pierce, director of network security at HORNE Cyber

                                                        Zed Attack Proxy (ZAP)

“ZAP is also a web security application that every website owner should get. It’s open-source software that simulates an attack, allowing the program to find vulnerabilities in your systems such as missing anti-CSRF tokens, private IP disclosure, SQL injections, and XSS injections. ZAP is also very intuitive, making it usable for both beginners and pros alike.”

— Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

                                                        Multiple Solution Recommendations

                                                        And some experts believe there is never just one solution that should be put to work:

“I don’t think the professionals limit themselves to one or two tools, so it is not possible to have favorite ones. It is all about clarifying what you want to do and what your goal is, because every tool has its own specificity.”

— Ben Hartwig, chief security officer and head software engineer at InfoTracer

“Duo Two-Factor Authentication is a great service that allows you to securely log in without being restricted by location or IP address. On the fraud prevention front, both Kount and Signifyd provide great services for verifying identity and protecting businesses from fraudulent credit card use, which is rampant in this day and age.”

— Brian Taylor, co-founder of Forix

                                                        14. Review Your Web Server Security Policies Regularly

                                                        While this should be part of your regular responsibilities relating to website security, it’s surprising how many people try to put it off for another day (that, ultimately, may never come). Reviewing your security policies is something that should be done on a regular basis — quarterly, ideally.

“Security policies can encompass a lot of things, but the main points are who has access to what and how they do it. Of course, the ‘why’ is the reason why we even do all of this….

Reviewing the access policy (basically like a lower-level firewall) for your web server is a good way to close the roads to unwanted requests. Typically, you’d want your public-facing traffic going through port 443 (HTTPS) or port 80 (I guess), but restricting admin access (typically using something like SSH) to certain IP addresses will really limit access to the backend and parts outside of the website.

                                                        Review patches for critical software that are (likely) improvements in the software’s security. Unless the flaw is critical and propagating quickly, I would also wait on patches and review feedback so efforts to secure a problem are not doubled.”

                                                        — Ross Thomas, IT administrator at SectigoStore.com
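The access policy Thomas describes (public traffic on 80 and 443 from anywhere, SSH only from named admin addresses, everything else dropped) can be expressed as a small model that validates the admin allow-list before any rules are loaded. The following is an added example, not code from the article or from SectigoStore.com; the allow-list addresses are constructed documentation ranges, and the nftables rendering assumes an `inet` filter table on a Linux host.

```python
import ipaddress

PUBLIC_PORTS = (80, 443)  # reachable from anywhere: HTTP and HTTPS
ADMIN_PORT = 22           # SSH: reachable only from the admin allow-list


def validate_admin_sources(cidrs):
    """Parse the admin allow-list into network objects. Anything that is not a
    valid IPv4/IPv6 address or prefix is an error, and so is a catch-all prefix
    (/0), which would silently open SSH to the whole internet."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all admin source {cidr}")
        nets.append(net)
    return nets


def rejects(cidrs):
    """True when the allow-list fails validation (used to check policy input)."""
    try:
        validate_admin_sources(cidrs)
        return False
    except ValueError:
        return True


def build_ruleset(admin_cidrs):
    """Render the policy as an nftables ruleset: default drop, public ports open
    to all, SSH open only to the validated admin sources."""
    nets = validate_admin_sources(admin_cidrs)
    v4 = ", ".join(str(n) for n in nets if n.version == 4)
    v6 = ", ".join(str(n) for n in nets if n.version == 6)
    public = ", ".join(str(p) for p in PUBLIC_PORTS)
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    tcp dport {{ {public} }} accept",
    ]
    if v4:
        lines.append(f"    ip saddr {{ {v4} }} tcp dport {ADMIN_PORT} accept")
    if v6:
        lines.append(f"    ip6 saddr {{ {v6} }} tcp dport {ADMIN_PORT} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def is_allowed(src_ip, dport, admin_cidrs):
    """Model the policy's decision for one new inbound TCP connection, so the
    allow-list can be reviewed against concrete cases before it goes live."""
    if dport in PUBLIC_PORTS:
        return True
    if dport == ADMIN_PORT:
        src = ipaddress.ip_address(src_ip)
        return any(src in net for net in validate_admin_sources(admin_cidrs))
    return False


if __name__ == "__main__":
    # Constructed allow-list using documentation ranges.
    admin = ["203.0.113.10", "198.51.100.0/24", "2001:db8::/32"]
    print(build_ruleset(admin))
    print("SSH from 192.0.2.9 allowed?", is_allowed("192.0.2.9", 22, admin))
```

Reviewing the policy quarterly, as the tip suggests, then amounts to re-reading the allow-list and re-running the decision model against the addresses your admins actually use.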

But, wait, there are only 14 website security tips listed here! Yes, I know. That’s because the experts also had some suggestions about things you should avoid doing to improve your website security (and general cyber security as a whole), which I’d like to share as well.

                                                        Website Security Tips: 7 Website Security Mistakes to Avoid

Now that we’ve covered some of the website security best practices that you should be implementing or following, I thought it would be fun to also ask these experts what sort of website security mistakes people should avoid. Of course, there are the usual things — don’t ignore your security, make your budget match your security efforts, etc. But, surely, there are other recommendations, right?

                                                        Needless to say, I wasn’t disappointed. Here are some of the insights from these website and cybersecurity experts about what you should not do when it comes to website security:

                                                        Believing Cyber Security Is “All or Nothing”

“The biggest mistake we see in cyber security is the mindset that it is all or nothing. You don’t need to budget a million dollars a year to have a full-time cyber-security consulting firm watching your every move. For most businesses, especially small businesses, all they really need is some very minor protection from firewall software, an SSL certificate, and 2-factor authentication of their passwords. You can absolutely find free and cheap tools to protect your website from 90% of attacks without bankrupting your company.

                                                        Once you can afford a more robust security apparatus, then you can buy one. Don’t be afraid to take a few minor steps, because those may be enough to save your business from the majority of attacks.”

— Alexander M. Kehoe, Co-founder and Operations Director at Caveni

                                                        Being Negligent and Ignoring the Obvious

“It’s usually a matter of not bothering with the obvious things. Not making sure you’re up to date on PCI vulnerability scans, not limiting access to your admin area due to inconvenience, and not investing in staying up to date with the software versions are the most common reasons we’ve seen for breaches.”

                                                        — Brian Taylor, co-founder of Forix

                                                        IT security consultant Dave Hatter says that some of the most important things to consider when securing web applications can be found on OWASP’s Top 10 and CWE’s Top 25 lists.

“Of these lists, the things that seem to be most often overlooked and most easily corrected are:

                                                        – Injection attacks (SQL, Command): Validating ALL input against a whitelist and disallowing dynamic queries (requiring parameterized queries or stored procedures)

                                                        – Broken authentication: Ensuring that all secured pages require a unique token along with complete mediation, ensuring that each and every access to a secured object is checked for authorization can solve this issue

                                                        – Sensitive data exposure: Encryption, least privilege and least common mechanism can solve this issue

                                                        – Hardened systems: CIS Benchmarks can help admins harden and secure on-premises systems, and Cloud based platforms like Azure, when configured correctly can provide additional security for web apps.”

                                                        — Dave Hatter, IT security consultant at Intrust IT
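Hatter’s first bullet, validating all input against a whitelist and disallowing dynamic queries in favour of parameterized ones, is easiest to see with the two forms side by side. The following is an added example written for this article, not Hatter’s or Intrust IT’s code; it uses Python’s built-in sqlite3 module with a constructed in-memory users table, and the allow-list pattern and the `lookup_*` function names are assumptions for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed demo table (in memory); not any real site's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


# Allow-list (whitelist) for the one field this lookup accepts: lowercase
# letters, digits and underscore, 1-32 characters. Anything else is rejected
# before it gets anywhere near the database.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_dynamic(conn, username):
    """The mistake: a dynamic query assembled from the raw input.
    Quote characters in the input change the query's structure, so a value
    that is not a username at all can still match every row."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The fix: validate against the allow-list, then bind the value as a
    query parameter. The driver treats it strictly as data, never as SQL."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input allow-list")
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def compare(username):
    """Run both forms on the same input and report what each returned.
    Returns (dynamic_result, parameterized_result), where the second is
    None when the allow-list rejected the input outright."""
    conn = make_db()
    dynamic = lookup_dynamic(conn, username)
    try:
        safe = lookup_parameterized(conn, username)
    except ValueError:
        safe = None
    conn.close()
    return dynamic, safe


if __name__ == "__main__":
    for value in ("alice", "' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

The second input is the classic tautology used in injection testing: the dynamic query hands back every user, while the parameterized path refuses the value before a query is even built. Even without the allow-list, binding the value as a parameter would return no rows, which is why Hatter lists parameterized queries and stored procedures as the structural fix and input validation as the layer in front of them.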

                                                        Having Poor Password Selection, Management, and Policies

“Common mistakes people make with passwords that make them easily hackable include using notable people, pets, and dates personal to them; of course, these words will be the first passwords that a hacker will attempt!”

                                                        — Dustin Vann, Owner & Website Manager at Trusy Social (Trusy.co)

                                                        Using Default Credentials, Site Addresses, and Database Prefixes

“Here are my tips to help protect websites from one of the most popular security problems: breaking into the admin system using brute force. Oftentimes, when, e.g., bots try to guess the admin password and you have a standard “wp-admin” panel address and a default “admin” username, it is easy for them to break into your system. The following tips will help prevent it.

What I recommend is to, first of all, change the default login admin panel address to one made by yourself, e.g. “/wp-admin” to “/my-own-secure-cms-panel”. The next step is changing the default administrator name, e.g. from “admin” to “mylogin2746”. If you are using an open-source CMS, change the default database prefixes, e.g. “wp” to “hj34”. WordPress users should additionally install a security plugin, such as Wordfence or iThemes Security. Another good practice is to introduce two-step verification of users when logging into the admin panel.”

                                                        — Greg Rogozinski, co-founder and CEO of Cut2Code

Including Session IDs in URLs

“Session IDs should not be passed in the URL. It may allow an attacker to log in to the system and perform unauthorized operations.”

— Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews
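Trinh’s point about session IDs in URLs and Hatter’s “broken authentication” bullet above (unique tokens plus complete mediation, checking authorization on every access) fit naturally in one piece of code. What follows is an added example, not code from either expert or from any CMS: it keeps the session ID in an HttpOnly, Secure cookie, treats any session ID that turns up in a query string as leaked and revokes it, and re-checks the role on every request. The in-memory stores, the `session` cookie name, the user and resource tables, and the 15-minute lifetime are all constructed for the demonstration; a real site would use a server-side session backend.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SESSION_TTL = 15 * 60  # seconds; constructed value for the demo

# Constructed in-memory stores (assumptions for the example).
SESSIONS = {}                                    # session id -> (username, expiry)
USER_ROLES = {"alice": "admin", "bob": "user"}   # who holds which role
RESOURCE_ROLES = {"/admin": "admin", "/account": "user"}  # role each path needs


def _now(now):
    return time.time() if now is None else now


def create_session(username, now=None):
    """Issue an unguessable session id and the Set-Cookie header that carries it.
    The id travels only in the cookie: HttpOnly keeps page scripts from reading
    it, Secure keeps it off plain HTTP, and it is never placed in a URL."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (username, _now(now) + SESSION_TTL)
    header = (f"session={sid}; HttpOnly; Secure; SameSite=Lax; "
              f"Path=/; Max-Age={SESSION_TTL}")
    return sid, header


def session_from_request(url, cookie_header, now=None):
    """Resolve the user behind a request from its Cookie header.
    A session id that shows up in the query string is treated as leaked
    (URLs end up in server logs, Referer headers and browser history): it is
    revoked and the request is rejected even if the cookie is also present."""
    query = parse_qs(urlsplit(url).query)
    if "session" in query:
        for leaked in query["session"]:
            SESSIONS.pop(leaked, None)
        return None
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    if morsel is None:
        return None
    entry = SESSIONS.get(morsel.value)
    if entry is None:
        return None
    username, expiry = entry
    if _now(now) >= expiry:
        SESSIONS.pop(morsel.value, None)  # expired: drop it server-side too
        return None
    return username


def authorize(url, cookie_header, now=None):
    """Complete mediation: every access to a protected path re-checks both the
    session and the role; nothing is decided from a cached earlier answer."""
    required = RESOURCE_ROLES.get(urlsplit(url).path)
    username = session_from_request(url, cookie_header, now)
    if required is None:
        return True                        # public resource
    if username is None:
        return False
    role = USER_ROLES.get(username)
    return role == required or role == "admin"


if __name__ == "__main__":
    sid, set_cookie = create_session("bob")
    print("Set-Cookie:", set_cookie)
    print("/account with cookie:", authorize("https://example.test/account", f"session={sid}"))
    print("/admin with cookie:", authorize("https://example.test/admin", f"session={sid}"))
    print("id leaked into URL:", authorize(f"https://example.test/account?session={sid}", f"session={sid}"))
```

The `now` parameter exists only so expiry can be exercised deterministically; in production the wall clock is used. Note that once an ID has been seen in a URL the cookie carrying the same ID stops working as well, which is the defensive response to the exposure Trinh warns about.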

                                                        Lacking Regular Website Testing

“One of the most common mistakes that I see a lot of website owners make is that they don’t test their website regularly. Scanning can help detect problems, but testing the website itself will reveal problems with the code itself. You’ll be able to see which parts are vulnerable to attack and which areas to improve. Testing your website regularly after a new update is a must to ensure that no one will take advantage of poorly written code.”

— Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

                                                        Trusting Their Security to One Product or Solution

“Be wary of security products and solutions that are marketed to completely protect your organization. I’m not talking about the traditional requirements of firewalls, intrusion detection/prevention, but rather the “automagic” and “silver bullet” cybersecurity solutions of the world. There’s no easy button — cybersecurity is complicated and cyber threats are constantly evolving, and so should your security tools.”

                                                        — Brad Pierce, director of network security at HORNE Cyber

                                                        Now that you’ve had a chance to hear from all of these incredible industry experts, you may be wondering: Who the heck are they and why should I listen to them?

                                                        Wonder no more! Let’s introduce our experts for this website security tips list.

                                                        Meet the Website Security Tips Experts (Listed in Alphabetical Order by Surname)

                                                        David Alexander, designer, developer and digital marketer at MazePress

                                                        As a web developer and WordPress expert with 14 years of experience, Alexander has had to deal with his fair share of hacked websites and offers a malware removal service. He works with clients globally across a variety of markets.

                                                        Luka Arezina, editor-in-chief at DataProt

                                                        DataProt is an online publication that’s dedicated to teaching users how to stay safe online and teaches the ins and outs of cyber hygiene.

                                                        Mihai Corbuleac, information security consultant at StratusPointIT

                                                        StratusPointIT is an IT support company providing professional IT support, cloud and information security services to small and medium businesses across the United States since 2006.

Ben Hartwig, chief security officer and head software engineer at InfoTracer

                                                        Hartwig is both the IT guru and the self-proclaimed digital overlord at InfoTracer. He authors guides on marketing and cyber security posture — he also loves sharing best practices to enhance website security.

                                                        Dave Hatter, an IT cybersecurity consultant at Intrust IT

                                                        Hatter is a software engineer and educator with more than 25 years in IT. Throughout his career, he’s focused on software development and cybersecurity.

                                                        Alexander M. Kehoe, Co-founder and Operations Director at Caveni

                                                        Kehoe is both the co-founder and operation director at Caveni Digital Solutions, a leading digital marketing agency in Philadelphia. He’s also a co-author of the book “Navigate the Digital Realm” and frequently speaks and consults in the fields of digital marketing, web design, artificial intelligence, and other areas of expertise.

                                                        Corey Petty, a Senior Security Engineer at Status

Petty is a technology enthusiast as well as a privacy and security evangelist who co-founded The Bitcoin Podcast Network. He previously served as a senior blockchain scientist and SME at Booz Allen Hamilton and has a Ph.D. in chemical physics. Status is an encrypted messenger application that also functions as a crypto wallet and Web3 browser.

                                                        Brad Pierce, director of network security at HORNE Cyber

                                                        Pierce has 15 years of IT and cybersecurity experience. He manages the cybersecurity operations center where he, along with a team of cyber analysts, monitors live network traffic for clients in search of active threats. He also creates information security awareness programs for organizations to help guide them on how to best address cyber risks and remediate organization-specific vulnerabilities.

                                                        Yoseph Radding, software engineer and Cofounder of Shuttl, LLC

                                                        Radding is a professional programmer, hobbyist hacker, and web developer. He also is the co-founder of Shuttl, LLC and developer of the mobile app LykeMe.  

                                                        Greg Rogozinski, co-founder and CEO of Cut2Code

                                                        Rogozinski is the CEO of Cut2Code, a company that specializes in web development based on CMS platforms. He is a specialist with 8 years of experience in digital business, and an expert in Magento and WordPress. He has worked with such agencies as Global4Net, Lemon Sky and JWT Poland.

Nick Santora, CEO and co-founder of Curricula, a cyber security education company

                                                        Santora previously spent seven years as a cybersecurity advisor for the North American Electric Reliability Corporation (NERC), the enforcement agency that’s responsible for regulating the U.S.’s power grid. He also is a cybersecurity expert who speaks regularly at conferences across the U.S. on the topic of the psychology of influencing employees via security awareness programs.

Brian Taylor, co-founder of Forix

                                                        Taylor is vice president and head of business development at Forix, a Portland-based digital agency that focuses on ongoing eCommerce website support and conversion rate optimization.

                                                        Sivan Tehila, Director of Solution Architecture of Perimeter 81

                                                        Tehila is a cyber and information security expert with 13 years of experience in cyber management, defense industries, and critical infrastructures. She is dedicated to promoting women in cybersecurity, having founded the Leading Cyber Ladies community in NYC and Cyber19w in Israel. Perimeter 81 is a Zero Trust Network as a Service provider designed to secure network access for the modern and distributed workforce.

                                                        Ross Thomas, IT administrator at SectigoStore.com

                                                        Thomas started his IT career in high school, completed a bachelor’s degree in management information systems at Florida State University, then a master’s degree in IT security from the University of Liverpool. He has more than 20 years of experience working across many facets of the IT world.

                                                        Mark Soto, founder of Cybericus

                                                        Soto is the founder of Cybericus, a small cybersecurity company in Wisconsin. He holds a degree in computer science and worked as a security analyst in the banking industry for 8 years where he saw the rise of ransomware. Sensing an opportunity, he left the corporate world and started his business, which focuses on ransomware data recovery.

                                                        Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

As the head of GeekWithLaptop, an online review publication with 100% remote workers, Trinh understands the complexities of working remotely and values the importance of having strong cybersecurity mechanisms in place. He is the managing editor of both tech-focused publications, which review tech and gadgets and aim to help users gain knowledge about everything tech. As a tech enthusiast, Trinh’s been building computers and coding since he was a child. He also has a bachelor’s degree in IT.

                                                        Dustin Vann, Owner & Website Manager at Trusy Social

                                                        Vann is a social media and branding genius who serves as president of digital & ecommerce ventures at Comer Companies.  

                                                        Final Thoughts on These Website Security Tips and How to Secure Your Website

                                                        The bottom line here is that having an ecommerce website is a golden opportunity for many businesses. It’s also a great way for other organizations to get their name out there and to promote their missions. But without the proper protections in place, websites are inherently insecure, which leaves your data — and that of your site users who provide their information via transactions and forms — at risk to the world of cyber threats.

                                                        This is why it’s crucial for organizations, regardless of size, to do everything within their power to secure their websites.

                                                        After reading these website security tips from many industry experts, I’m sure that you have some additional recommendations of your own. Be sure to share them in the comments below to add them to the list!

                                                        About the author

                                                        Casey is a writer and editor with a background in journalism, marketing, PR and communications. She has written about cyber security and information technology for several industry publications, including InfoSec Insights, Hashed Out, Experfy, HackerNoon, and Cybercrime Magazine.
