Best Website Security Checklist for 2020
Not everybody visits your website with good intentions. Hidden among the loyal visitors who genuinely love your website are hackers, phishers and data miners. These people work overtime coming up with new ways to make mischief, steal sensitive information and corrupt your website. That’s why it’s essential to check website security, and this website security checklist can help! If you keep putting this off, you’re not alone. We can’t tell you how many people procrastinate on making sure their website is secure. But we want to keep you from suffering the heartache faced by hundreds of thousands of website owners who wake up on an ordinary day only to find that their website has been compromised.
Why use a website security checklist?
Lurking in the dark corners of the internet are hackers and people with malicious intent, ready to compromise the websites of innocent, hard-working website owners. Without sugar-coating things, here are four ways hackers can compromise your website:
- Brute-force attacks: Brute-force attacks are the hacking equivalent of using a battering ram. In this kind of attack, a hacker uses special software that tries millions of password combinations until it eventually stumbles upon the right one.
- SSL stripping: SSL stripping is a kind of attack in which a hacker intercepts your visitors’ attempts to reach your website and sends them to an insecure website that looks almost identical to yours. This look-alike website has no SSL certificate to encrypt their data (more on SSL certificates later), but your visitors won’t know that. They’ll just keep feeding their sensitive information to the impostor site.
- Malware: These are malicious programs that include viruses, trojans, keyloggers and spyware, and they’re designed to steal information and to infect your visitors.
- Non-targeted website hacks: Most people with small websites think they’re safe from hackers, but it’s easy to get caught up in a general hacking effort that isn’t aimed at your website in particular. It might, for example, be aimed at every website with a specific plugin or template vulnerability.
9 Things to Limit Access and Check Website Security
- Get an SSL certificate (and keep it up to date)
- Update plugins and remove out-of-date plugins
- Update your website
- Remove dormant older accounts
- Back up your website
- Scan your files
- Develop a good strategy against brute-force attacks
- Protect your email with hosted exchange
- Limit the number of people who can access your website files
1. Get an SSL certificate (and keep it up to date)
An SSL certificate is crucial for your website’s security because it encrypts data so it can’t be read by third parties. This means that if you don’t have one, hackers can read the sensitive data that visitors send to your website. SSL certificates expire after a while, so you can’t just buy one once and forget about it. Companies that sell SSL certificates aren’t making you renew your certificate just so they can milk you for every dollar you’re worth. They do it because hackers are constantly coming up with new ways to get access to your data, so your SSL encryption needs to keep changing to keep beating them. Don’t have an SSL certificate on your website? Get yours here.
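As an added example (not part of the original article), here is a small Python check that connects to a site, pulls its certificate and reports how many days remain before it expires; the hostname and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed warning threshold before the notAfter date


def days_until_expiry(cert, now=None):
    """Days left on a certificate dict as returned by SSLSocket.getpeercert().

    Negative means the certificate has already expired. `now` can be passed
    in for testing; it defaults to the current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    # getpeercert() formats notAfter like 'Jun  1 12:00:00 2025 GMT'
    expires_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = datetime.fromtimestamp(expires_ts, tz=timezone.utc)
    return (expires - now).days


def expiry_status(cert, now=None, warn_days=WARN_DAYS):
    """Classify a certificate as 'expired', 'expiring' or 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the live certificate for hostname (needs network access).

    create_default_context() verifies the chain and hostname, so an invalid
    or already-expired certificate raises ssl.SSLError during the handshake.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    cert = fetch_cert(host)
    print(host, expiry_status(cert), days_until_expiry(cert), "days left")
```

Run it from a scheduled job and alert on anything other than "ok" so a renewal is never missed.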
2. Update plugins and remove out-of-date plugins
If there are any plugins on your site that you’re not using, get rid of them. This goes double for plugins that haven’t been updated by their creators in a while. The risk with out-of-date plugins is that they might fall into the hands of a hacker, who will modify them with code that’s designed to hurt your website. It might be a bit tedious to check your plugins, especially if you’ve installed a lot of them, but it’s an essential part of your website security testing.
3. Update your website
If you host a website on your own server, you need to update your website’s software as part of your website security testing. But if you use our website builder, you get more than just a clean website design. (Although a clean website design converts better than a cluttered one, so clean website design is nothing to sneeze at, either.) When you use our website builder, in addition to our gorgeous website designs, you also get to skip this item on the checklist. We take your website’s security so seriously that we update your website for you.
4. Remove dormant older accounts
Have you ever visited a website once, just to see if you’d like it, but then they made you get a username and password? How carefully did you think about your password then? If you’re like millions of other people, we’re willing to bet you just chose the first thing that popped into your head. On your website, just waiting to be exploited by hackers, are dormant accounts with weak, easy-to-guess passwords. When you’re performing your website security testing, remove these old accounts that haven’t been used in ages.
5. Back up your website
It’s the worst feeling in the world to have something go wrong with your website when you don’t have a backup. Think of the blog posts lost, the images vanished, and the precious email addresses evaporated into thin air. Spare yourself some heartache. Back up your website. Nobody ever thinks this is necessary until something goes terribly wrong. Don’t wait. If you use a site builder or a web hosting provider, make sure they offer cloud-based backup.
6. Scan your files
Even innocuous-looking files like .doc, .pdf and .txt files can be corrupted. Scan your files to make sure they haven’t been maliciously modified.
7. Develop a good strategy against brute-force attacks
Brute-force attacks are scary because they’re so relentless that they’re bound to stumble upon the right password eventually. But there are steps you can take to protect your website against them. Try these:
- If you get a report of a brute-force attack, change your username and password.
- Choose a strong password (randomly generated passwords are best) and be sure to update your password frequently. We recommend doing it every six months. It’s easy to forget to do this, so either set a reminder on your phone, or make it a tradition to update your password in two particular months, e.g., every January and June.
- Never write your password down.
- Install a plugin that alerts you if a user tries to access an account too many times in a second – and then blocks that user.
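The lockout behaviour described in the last item, sketched as an added Python example (not code from the original article or any particular plugin); the thresholds (5 failures within 60 seconds, 15-minute lockout) are assumptions.

```python
import time
from collections import deque


class LoginThrottle:
    """Track failed logins per key (username or client IP) in a sliding window.

    After max_failures failures within `window` seconds the key is locked for
    `lockout` seconds. A successful login clears the key's failure history.
    """

    def __init__(self, max_failures=5, window=60.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock        # injectable so tests can fake time
        self._failures = {}       # key -> deque of failure timestamps
        self._locked_until = {}   # key -> time the lock expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        return until is not None and self.clock() < until

    def record_failure(self, key):
        """Register a failed attempt; returns True if it triggered a lockout."""
        now = self.clock()
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(throttle, username, password, check_credentials):
    """Gate a login: refuse while locked, otherwise verify and update the throttle."""
    if throttle.is_locked(username):
        return "locked"          # don't even check the password while locked
    if check_credentials(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

Keying the throttle on the client IP as well as the username catches attackers who spray many accounts from one address.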