How Secure Is My Website? 11 Ways To Find Out

How Secure Is My Website?

Scared by security statistics this spooky season? 🎃

Here are some current ones that make us flinch at small noises at night:

• 80% of businesses were hit by ransomware in 2021
• 85% of attacks are aimed at small- and mid-sized businesses

The scary part about the second stat is that you have no idea if that’s you.

You can’t help but think: okay, but how secure is my website?

Is your current protection really fine, or is it like:

via GIPHY

We’re not judging – it’s tough to tell when you don’t have a frame of reference.

So, look at this blog as a guide or checklist.

If you want to skip the introduction and get to the methods, this link will send you straight there.

…but we have a feeling you’ll be glad if you start with the 101.

Website Security 101

What do we mean by website security?

Website security, AKA cybersecurity, is a set of steps around your website to protect it from malware, viruses, and other evolving threats which could otherwise cause significant damage to your business.

As we’ve mentioned earlier, most companies experience security issues. That includes small businesses that don’t think of themselves as “highly prized” targets.

Statistically, it likely includes you, too.

So what can you do to avoid hackers and protect your business?

Here are some cyber-equivalents of locking the door and getting a guard dog that can help you prevent and contain cyberattacks:

• Creating a security policy for the entire company to follow
• Training employees to spot common dangers like phishing and follow best practices to protect your business, even if they’re working remotely
• Investing in proper website maintenance
• Using two-factor authentication and encrypting your data
• Installing a firewall

We’ll discuss these and other measures to fix an unsecured website in a minute.

But first, what exactly is in it for you, and what happens if you don’t prioritize website security?

What are the benefits of website security?

Your business may be well-established and your services top-of-the-line, but all of it crumbles without proper website security.

It’s the difference between building a fortress and a sandcastle.

So here are the benefits of investing in a fortress:

And let’s face it, if you were just thinking about these benefits out of context, you’d say yes to all without hesitation.

But we’re talking about an investment.

So, what’s the worst that could happen if you skip the website safety check and stick with the sandcastle option instead?

You’ll want to save this next part if you’re chasing approvals from the higher-ups.

What happens to unsecured sites?

Cutting straight to the chase here, the consequences of a successful cyberattack on professional services, eCommerce, and nonprofit companies may include any of the following:

• Compromised data (like emails, medical records, donors’ payment info…yikes!)
• Stolen money or having to pay a ransom to regain access to your site
• Lost customer trust and a damaged reputation
• Impaired SEO performance and lower rankings on search engines
• Decreased website traffic
• Lawsuits
• Bankruptcy

Capital One paid $190 million to settle a lawsuit filed by customers whose information was stolen in a breach.

Nonprofit company One Treasure Island suffered an attack in which hackers stole $650,000 via an email scam.

via GIPHY

We’ll stop painting the picture here.

You get it: the consequences can be dire.

Instead, let’s focus on how you can do a website security check and arm yourself against any cyber threats that come your way.

11 Ways To Check How Secure Your Website Is

Ideally, security audits should be handled by experts who know what they’re looking for and can spot weaknesses a mile away.

And they should be done regularly as part of your website maintenance plan – too much is at stake otherwise.

That said, there are things you can do to check how secure your website is right now, and it’s handy to learn a little about it before you reach out to a security expert.

So, we’ll start with the short version:

And now the same thing, but better.

1. Install a Secure Sockets Layer (SSL) Certificate

Before you furrow your brows, installing a Secure Sockets Layer (SSL) Certificate doesn’t mean buying some fake diploma to hang in your office or anything like that.

Have you ever received an update on a chat app saying, “your messages are now encrypted”?

Maybe you thought, “okay, whatever.” Or, “huh, what does that even mean?”

It means you’re now protected by an SSL protocol that takes the words you type and translates them into seemingly random symbols that only you can decipher using your key.

That way, if a hacker intercepts your messages, sensitive information they could have used against you becomes useless gibberish on their end.

You should have an SSL for your business.

It’s a simple defense system that will let you answer your clients’ payment questions or text a password to a colleague without risking the data being leaked.

But just in case, it’s still good to delete that information once you’ve resolved the matter.

2. Use a web application firewall (WAF)

A firewall is a defense mechanism that analyzes each data pocket that tries to enter your network, determines whether it’s safe based on pattern recognition, and then lets it in or blocks it accordingly.

It’s one of those things you should just have for your website.

It won’t exactly prevent all types of attacks, but at the very least, you’ll get notified if a breach happens, and the firewall will stop all outward traffic so nothing can be stolen.

Then, you have a moment to react, trace the source of the attack, and fend it off.

But make sure you use a firewall that scans and monitors your site, not just your network – a web application firewall (WAF) or next-generation firewall (NGFW) is a safe bet.

For example, StateWP (that’s us!) uses Sucuri.

3. Update your themes and plugins regularly

Your site is as safe as its weakest link.

Updating your website core doesn’t guarantee 100% safety when you have unsupported or abandoned plugins waiting for a hacker to take advantage of them.

Your website maintenance needs to cover all bases, so ensure your package includes regularly updating plugins and themes.

Aside from that, it’s good practice to keep an eye out for better options that could replace your current solutions.

Still using the same forms you picked out in 2017?

Take a look at what other companies are doing, and you’ll spot a better alternative fast.

4. Use security tools to check if your site has been compromised

Okay, so you might not yet have an expert by your side to point at things and say, “this needs to change” or “you need these three programs.”

However, those horror stories we’ve talked about sound like something you don’t want to be a part of.

Even if you’re not a karate master, it’s still important to learn a thing or two about self-defense.

And the first step in any martial art is assessing your surroundings.

So, how do you check your situation now? How do you know if somebody’s already infiltrated your database?

Don’t panic.

You can examine the situation independently with the help of security tools.

For example, Virustotal requires only the site’s URL and can detect malware or other breaches immediately.

If any of these security tools highlight a problem area you’re unsure about, or you simply want a more thorough website security check, you can always contact us for support.

5. Make sure you use random and uncrackable passwords

It’s a red flag if your employees are copy-pasting passwords, using obvious firstname-lastname combos, or the famous “QWERTY” combination.

Are your employees…

• Copy-pasting the same password on every account?
• Using obvious firstname-lastname combos, any hacker worth his salt would guess?
• Even worse, people who think “QWERTY” is an uncrackable password?

Red flags everywhere.

And what about you?

We understand, though. It’s annoying and inconvenient to change an old habit, and much more to remember a new number and letter combo for every account you create.

So, here’s how you can make it less of a drag and avoid company-wide pushback:

1. Use a tool with robust encryption algorithms and local-only encryption to keep track of your passwords for you – like 1Password. This way, you don’t have to remember anything, and you don’t risk employees using easily-accessible notes on the phone to keep track of passwords or having a hard time changing their habits
2. Regularly change them – just to be sure, and since now you don’t have to think too hard about it, make sure you switch up your passwords every once in a while – and don’t forget to update your central password safe

6. Be aware of common scams hackers use to get access

And teach your employees about them.

Phishing is a widespread trick that, unfortunately, works way too often due to a lack of employee training (and of firewalls to contain the damage).

Employees who don’t know about it might download a dangerous link, send money to a fake account, or provide sensitive information, thinking they’re emailing their superior.

That’s how a small Indiana-based nonprofit got hacked a few years ago.

One mistake is enough for a hacker to get in.

You can prevent it by creating a mandatory security course and updating it regularly.

But for extra protection, here’s what else you can do:

1. Manually accept all comments to keep spam and dangerous links off your site
2. Use Captcha to block spam messages that you might accidentally click on
3. Take precautions when accepting file uploads

So… are you finally totally safe?

Unfortunately, with cybersecurity – there’s no such thing. That brings us to…

7. Set up a regular backup schedule just in case something goes wrong

If you’re asking, “how secure is my website?” but not backing it up in case the results aren’t stellar… that should be one of the first things on your to-do list.

You can tell you’re on the right path if you’re backing up your website and not assuming things will always go according to plan.

If not, and something happens, you might not be able to restore your data.

And in that scenario, any additional worry could be one too many – remember all the other data breach consequences we’ve talked about earlier?

Thankfully, this is another easy fix. A security expert can easily set up regular backups as part of your maintenance plan, so you never have to worry about it again.

8. Implement multi-factor authentication for backend and frontend users

So what does that mean?

Multi-factor authentication means you require more than one piece of information to access the data.

The idea is, even if a hacker got a hold of your password, they won’t get easy access due to the extra layer of verification you set up.

And how does that play out in real life?

For example, when you try to log in, the site asks you if you want to confirm your identity via email or input a short code sent to your phone number.

This helps protect both the site and potentially compromised users.

And yes, it’s an extra step to log in – but if your employees understand why it’s important, they’ll have an easier time adhering to it.

9. Make sure you’re using a secure web host with a good reputation

What’s the worst that could happen if your web host isn’t great?

Well, if your provider isn’t meticulous about security on their end, it could result in frequent issues like recurring downtime or slow loading speed on your end.

In the worst case, if the provider gets hacked, you could be at risk, too – for reference, even popular hosts, like GoDaddy, have been hacked in the past.

This isn’t to say that you shouldn’t use them for your website.

But do diligent research, and don’t settle for the first option you find.

10. Check user access and make sure everyone only has access to what they need

It’s the good ol’ principle of least privilege.

If you’re unfamiliar with the term, it basically means giving people access:

1. Only to things they need to complete a task or function, like specific documents, passwords, or account information
2. Under the condition that what you share remains confidential and they don’t keep or share the data
3. Only for the duration of the task or function, meaning you’ll relinquish the privilege after the work is done (the employee will no longer have access to those details)

This point is linked to how well you’ve trained your employees on cybersecurity but with an extra layer of security.

The rationale is simple:

There’s no need to risk security to share all the data with all the employees – they don’t require it anyway, and you’re all safer if they only have what they need.

11. Follow web servers best practices

Some best practices for web servers include:

• Protecting sensitive locations like admin areas or CMS configuration files that store database login information
• Preventing image hotlinking – not allowing other websites to display images hosted on your server, so they don’t eat up your space
• Preventing directory browsing – limiting the content people can see, so hackers don’t get access to all of your data even if they get through

That’s pretty much the end of our list.

It’s a lot at once, but that’s why experts exist – they’ll illuminate the way for you, so your website doesn’t start feeling (or behaving) like a haunted house.

Get Experts to Run Your Website Security Checks

Security is the foundation of your website and, by extension, your business.

It’s crucial. But it doesn’t have to be scary. 👻

If you’re concerned about your website security and need an expert to take care of maintaining your site, reach out to StateWP.

That way, you won’t have to worry about all the things that could go wrong or fend off attackers on your own.

And if you’d like to learn more while you’re here, here’s how you can improve website security right now in three simple steps.