The Beginner’s Site Security Checklist: How to Secure Your Website

Sarah is a Web Marketing Specialist at WebFX. Certified in Google Analytics and Google Ads, Sarah also specializes in content marketing, as well as marketing and advertising on ecommerce platforms like Amazon. In 2006, she was awarded Time Magazine’s “Person of the Year” award. When she isn’t polishing her award, she’s spending time with her flock of ducks. Follow her on Twitter @the_berry_bot.

Is your website secure? This beginner’s site security checklist will help you find out.

In this handy checklist, you’ll not only learn about the biggest security threats to mid-sized businesses but also how to defend against those threats. The best part? Most of the items on this website security checklist don’t require a developer!

Keep reading to get started on improving your site’s security!

P.S. Not sure your website is secure? Use our free security checker to find out instantly.

1.     Make passwords secure (and update them regularly)

Action Item: Use a password generator, like LastPass, to create ultra-secure passwords for your website. Better yet, use LastPass to save and store these passwords securely. Set a calendar reminder, too, to update your passwords regularly, like every month or quarter.

Around 80% of hacking-related breaches result from passwords. Your company can quickly boost its website security by creating stronger and unique login credentials, as well as updating those credentials more often.

While you can certainly create passwords yourself, a password generator can simplify the process.

Lastpass for site security checklist

LastPass, for example, offers a password generator that allows you to specify the password’s length and use of uppercase and lowercase letters. You can also decide whether the password should include numbers and symbols.

Use a password generator like this to secure your website.

For the best results, make sure you change these passwords regularly. Every month or quarter, for example, you could update these credentials to keep your site secure. If you want to make your life even easier, you could use LastPass to store all your passwords securely.

2.     Install an SSL certificate

Action Item: Purchase a Secure Sockets Layer (SSL) certificate (they cost anywhere from $0.80 to $125 per month) and use it on your site to make sending sensitive data, like credit card information, secure. Once you have an SSL certificate installed, you can make your website even more secure with HTTPS.

Every site security checklist includes getting an SSL certificate.

An SSL certificate helps protect your website by making data transfers secure. If someone places an online order on your site, for example, you want to protect their personal information, whether it’s their credit card number, address, or phone number.

For many online shoppers, as well as business buyers, an SSL certificate also serves as a trust signal.

Not secure example for site security checklist

That’s because installing an SSL certificate upgrades your look in web browsers.

Typically, a web browser, like Google Chrome, will display a padlock next to a website’s URL with an SSL certificate. If a website doesn’t have an SSL certificate, however, that padlock gets replaced with the following text: Not secure.

Checking this item off your website security checklist isn’t tricky, just follow these steps:

  • Purchase an SSL certificate from a reputable vendor, like GoDaddy, Comodo, or Symantec
  • Follow your SSL certificate provider’s steps for installing the SSL certificate
  • Implement the proper redirects for your pages, from HTTP to HTTPS
  • Verify the SSL certificate and redirects in Google Search Console

Depending on your experience with web development, as well as search engine optimization (SEO), you may have the means to complete this checklist item on your own, without the help of your company’s developer.

3.     Automate website backups

Action Item: Establish a schedule for creating website backups or automate the process through your website hosting provider, like GoDaddy. You can also use tools like Easy cPanel Backup and eBackupper, as well as WordPress plugins, like UpdraftPlus and VaultPress, to save and backup your site.

When it comes to website security, backups are your best friend.

With a backup of your site, you can respond to a range of issues fast, whether it’s a broken page or a hacked website. The problem, however, is that many businesses fail to back up their sites on a regular schedule.

It’s easy to solve this issue, though. Automate your website backups.

A few tools that can take care of backing up your site at regular intervals include:

If you use a CMS like WordPress, you can automate website backups with a plugin, like UpdraftPlus, Total Upkeep, and VaultPress. Should you use any of these plugins, keep them updated to the latest version.

4.     Limit user permissions

Action Item: Limit the number of people that can access and modify your website with user permissions. Take advantage of user permission settings in a content management system (CMS) like WordPress to provide as-needed access to your site, like for posting content versus modifying navigation menus.

Providing everyone with the ability to access and update your site creates a security vulnerability, especially if they fail to follow other items on this website security checklist, like updating passwords regularly.

That’s why, for the best site security, you should limit user permissions.

For example, if you use a CMS like WordPress, your business should use the different user permission levels available, like Administrator, Editor, and Author. These roles allow you to instantly set user permissions, like the ability to install plugins, publish posts, and more.

If your company doesn’t use a CMS, then you’ll want to limit access to your website’s login credentials. For instance, if you use password management software like LastPass, you wouldn’t share those credentials with everyone else at your business.

5.     Secure online checkouts

Action Item: Upgrade online checkout security with an address verification system (AVS), as well as a credit card verification value (CVV) form field for all credit card checkouts. Trusted AVS providers include Melissa and Loqate. Using a platform like Shopify can also help you implement CVV fields automatically.

Does your business accept online payments? Then you need an AVS.

With an AVS, your company can provide an additional level of security to your online checkout process. These systems work by preventing fraudulent payments, which can cause your business not only headaches but also lost revenue.

Some reputable AVS providers include:

In addition to using AVS, your company should also add CVV form fields to your checkout process.

CVV example for site security checklist

With a CVV form field, you require shoppers to enter their credit card’s security code, which usually appears on the back of the card. Having a CVV form field offers another layer of protection against credit card fraud.

Depending on how your business sells online, your website may already use CVV form fields. Shopify, an ecommerce platform that allows companies to build a custom online store, includes CVV form fields, which makes upping your website’s security easy.

6.     Update plugins, CMS, and more

Action Item: Install the latest version of your CMS, as well as plugins, add-ons, and any other tools and services that help operate your website. Set a reminder to continually check for updates or turn on update notifications, if possible, to keep your site secure and protected from security vulnerabilities.

If you’re like most businesses, you probably rely on a CMS like WordPress to run your website.

With a CMS like WordPress, you get access to a variety of tools and plugins that make your life easier. Yoast SEO, for example, is one plugin that helps companies optimize their sites for search engines, which can help them attract more website traffic by ranking higher in search results.

The problem, however, is that many businesses end up with outdated, insecure WordPress plugins.

When that happens, your website becomes vulnerable to attacks, which can lead to stolen customer data, lost customer loyalty, and substantial financial losses. That’s why it’s critical to update your WordPress plugins and uninstall outdated ones as part of good website security best practices.

If your website operates on another CMS that allows plugins, follow the same process.

No matter what CMS your company uses, you should also make updating your CMS a priority. When a new version launches, for example, install the latest version after a week or two. This approach will allow you to have the latest security protection, but without the bugs that made it to the initial launch.

7.     Invest in anti-malware software

Action Item: Get anti-malware or malware detector software to protect your site against malware infections, which can result in stolen customer data, lost money, and more. A few trusted malware software providers (both free and paid) include Quttera, SUCURI, and Astra Security.

Malware is a serious website security problem. Every day, more than 350,000 malicious programs get discovered, which is why anti-malware software is vital to businesses operating online, even if they don’t accept online payments.

Malware scanner for site security checklist

Protect your company and your customers by using a malware detector software like:

While you will find some free anti-malware software, you’ll likely need a paid program to give your website complete coverage. Consider this cost an investment, as it’ll protect your business, brand, and clients.

8.     Get a DDoS mitigation service

Action Item: Invest in a distributed denial of service (DDoS) mitigation service, as well as a web host with built-in protections against DDoS attacks. Providers of DDoS mitigation services include Akamai, Cloudflare, and Nexusguard.

Depending on your web hosting provider, you may already have DDoS protection.

With DDoS protection, your business can defend against DDoS attacks, which involve a hacker overloading your website’s bandwidth to make your site inaccessible. These kinds of attacks have happened to both small and well-known brands, so don’t undervalue the need for DDoS protection.

A few trusted companies that offer DDoS protection or mitigation services include:

Partner with one of these companies to keep your website not only live but also secure.

9.     Minimize XSS vulnerabilities

Action Item: Lower security vulnerabilities within your website’s code, also called cross-site scripting (XXS) weaknesses, by “cleaning” your HTML code with a tool like HTML purifier. If your website doesn’t use HTML, your website developer can add a string of code to reduce vulnerabilities.

Every website security checklist should include an item about reducing your XSS vulnerabilities.

This task, which will likely require the help of a developer, helps prevent hackers from inserting malicious code into your website’s code directly. If a hacker does add malicious code to your website, it will not only harm site visitors but also prove challenging to remove.

Luckily, developers can use a tool like HTML purifier to “clean” and “sanitize” your website’s HTML code, which will remove any malicious code. Developers can also, for non-HTML sites, add a piece of code to every page on your website to reduce XSS vulnerabilities.

10. Defend against SQL injection attacks

Action Item: Prevent SQL injection attacks, which allow hackers to steal user data, by taking several proactive steps, including limiting user permissions, implementing data storage procedures, using whitelist input validation, and more. These steps will likely require a developer’s help.

Bring your developer back, because you’ll need them for this site security checklist item too!

While less common than other security vulnerabilities, SQL injection attacks can cause just as much damage by taking over database servers and stealing sensitive customer data, from addresses to credit card numbers.

That’s why it’s worth implementing some protections against SQL injection attacks, including:

  • Use whitelist input validation so your database can detect unauthorized inputs
  • Limit user permissions to your server database
  • Create stored procedures for users to reference
  • Establish parameterized queries so your database can differentiate code and data

Your developer can help you review these options and choose the best ones for your website.

How secure is your website? Find out now!

With our free website security checker, you can find out how secure your site is — instantly!

Try it now and get an overall assessment of your website’s security.

If you need help working through your results, WebFX features an in-house, U.S.-based team of web developers. They can create a custom website security checklist for your business, as well as complete it for you.

Contact us online or call us at 888-601-5359 if you’d like to learn more!