Lesson 4: Secure your website
As Lesson 3 showed us, attackers use multiple means to hack websites and cause all kinds of havoc. Good news! You can make a secure website with a similar strategy of creating a multi-pronged approach to security.
In this lesson, we’ll cover 7 main defense layers: domain privacy, secure CMS, SSL, firewall, monitoring, malware removal/remediation, and website backups. We’re not going to lie, this information can be a bit intense. Think of this lesson as a resource that you can come back to in order to keep discovering ways to add layers of security to your site.
Domain privacy
To make sure your personal information is not used for junk mail, spam emails, robocalls, or identity theft, get a domain with privacy. This ensures that details like your name, phone number, and email address will be hidden if a bot or hacker searches your domain name purchase information. Already have a domain? You can check if it has domain privacy here.
Secure CMS
If you’re using a platform like WordPress, you are using content management system (CMS) software to create your website. These CMS websites are often hacked through the third-party themes or plugins you add. To secure your CMS, be highly selective about the third-party themes or plugins you use. (Good news! If you use the GoDaddy website builder, your CMS is already secure!)
PRO-TIP
Add a security plugin. On WordPress, you can install Sucuri’s plugin, which increases your WordPress site’s security with multiple free features. These features include Security Activity Auditing and File Integrity Monitoring (monitor changes to your site and its files), Remote Malware Scanning, and Blacklist Monitoring. This plugin also walks you through the securing process.
Secure sockets layer (SSL) certificate
Another way to secure your website is to verify your site with an SSL certificate. SSL keeps sensitive information (like passwords, personal information, and payment details) from being intercepted in transit. Install an SSL certificate and a padlock icon appears in your customer’s browser address bar, showing customers that you are protecting their safety. Remember, Google and other search engines reward websites with SSL by giving them better rankings. So, having an SSL certificate is a win-win!
Firewall
Firewalls are an active defense measure that can stop attacks before they exploit weaknesses in your website. Firewalls are offered as premium (paid) services, so the provider assists with their setup. (Some plugins claim to offer a firewall that anyone can set up on their own, but they’re not very good, as they simply lack the ability to detect various attacks.) There are two types of firewalls:
- Web application firewalls. These firewalls block malicious requests and bot requests while letting good traffic through. They sit between your website visitor and your hosting servers. These tend to be more expensive, but they offer the best protection against most attacks.
- On-premise firewalls. These run on the same hosting server and inspect incoming requests. This is usually offered as a premium service through security plugins. These can slow down your website, though.
Monitoring
Website security monitoring refers to automated security checks performed on your website at regular intervals to detect abnormalities or signs of malicious activity. Monitoring also checks whether your website has been blacklisted and alerts you so it can be resolved ASAP. Without monitoring, it can be difficult to know whether malware is on your website.
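The File Integrity Monitoring mentioned in the pro-tip above and the regular automated checks described here come down to the same idea: record what your site's files look like when you know they are clean, then re-check on a schedule and flag anything that was added, changed or removed. The script below is an added example for this lesson, not GoDaddy's or Sucuri's own code; the site directory and the "tampering" it detects are constructed inside a temporary folder so it runs anywhere.

```python
"""Minimal file integrity monitor: hash every file under a site root, keep the
result as a baseline, and on each later run report anything added, changed or
removed. Added example for this lesson, not GoDaddy's or Sucuri's code."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large uploads don't exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root, with '/' separators) to its hash."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Diff two snapshots; any non-empty list is a reason to investigate."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            path for path in baseline
            if path in current and baseline[path] != current[path]
        ),
    }


def demo():
    """Constructed scenario: snapshot a tiny site, then simulate what someone with a
    stolen login could do (edit a core file, drop a new file) and re-run the check."""
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        with open(os.path.join(site, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(site, "wp-content", "uploads", "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG constructed placeholder")
        baseline = build_baseline(site)  # taken while the site is known-clean

        # Simulated tampering (constructed placeholder content, not a real payload).
        with open(os.path.join(site, "index.php"), "a") as fh:
            fh.write("// unexpected change\n")
        with open(os.path.join(site, "wp-content", "uploads", "unexpected.php"), "w") as fh:
            fh.write("<?php // a file that should not be here\n")

        return compare(baseline, build_baseline(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is stored somewhere the web server cannot write to, the check runs from a scheduled job, and a PHP file appearing under an uploads folder (as in the demo) is exactly the kind of finding worth an alert.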
MONITORING YOUR GODADDY SITE
GoDaddy Website Builder websites are already secured, but they can still be injected with malware should a hacker be able to steal or guess your login information. This is because the hacker would then have access to the Builder through your login and could use it to modify the website in a malicious way. Thankfully, you can protect against this type of attack using a couple of methods:
- Two-factor authentication (2FA). This requires an additional authentication method on top of your usual username and password, usually a code delivered via text message (SMS) or generated by the Google Authenticator app on your phone.
- Password manager. A password manager makes it easier for you to use unique, complex passwords for all of your accounts, so you avoid reusing passwords, which puts your accounts at risk.
Malware removal/remediation
Free plugins on WordPress can offer automatic malware removal, but they can fail to detect all malware. Opt for paid malware removal services, such as Sucuri, which can clean non-WordPress websites, too. It is possible to clean an infected website yourself, but, if you’re not comfortable with coding, it will be difficult to differentiate between malicious code and legitimate code.
Website backups
Make sure to keep a copy of your website stored safely, because you can always restore from this backup whenever an unexpected problem occurs. You will have to back up your data separately from your hosting server, preferably to a server in a different geographic location. This provides protection should some disaster occur at your hosting location. Offsite website backups should be a part of your brand’s business continuity plan (BCP): a set of guidelines for recovering from events that disrupt your brand’s business operations. Remember, planning is everything!
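A backup you have never restored is a hope, not a plan, so the drill below does the whole loop: archive the site, record a checksum so a corrupted or half-copied archive is caught before you rely on it, restore into a fresh directory, and prove the restored files match the originals. This is an added example for this lesson, not GoDaddy's code; the site, the "offsite" destination and the restore target are all temporary folders standing in for your hosting server, a server elsewhere, and a recovery machine.

```python
"""Backup-and-restore drill: archive, checksum, restore, verify. Added example
for this lesson, not GoDaddy's code. The 'offsite' location here is a second
temporary directory standing in for storage on another server."""
import hashlib
import os
import tarfile
import tempfile


def _snapshot(root):
    """Map each file (relative path, '/' separators) to its bytes, for comparison."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


def create_backup(site_root, dest_dir, label):
    """Write dest_dir/<label>.tar.gz plus a .sha256 file recording the archive's hash."""
    archive = os.path.join(dest_dir, f"{label}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for entry in sorted(os.listdir(site_root)):  # top-level entries, no '.' member
            tar.add(os.path.join(site_root, entry), arcname=entry)
    with open(archive, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    with open(archive + ".sha256", "w") as fh:
        fh.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive


def verify_archive(archive):
    """True if the archive still matches its recorded checksum (catches truncation/corruption)."""
    with open(archive + ".sha256") as fh:
        expected = fh.read().split()[0]
    with open(archive, "rb") as fh:
        actual = hashlib.sha256(fh.read()).hexdigest()
    return actual == expected


def restore_backup(archive, target_dir):
    """Extract into target_dir, refusing any entry whose path would land outside it."""
    target_real = os.path.realpath(target_dir)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = os.path.realpath(os.path.join(target_dir, member.name))
            if dest != target_real and not dest.startswith(target_real + os.sep):
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(target_dir)
    return target_dir


def drill():
    """Constructed end-to-end run: back up a tiny site, verify, restore, compare."""
    with tempfile.TemporaryDirectory() as site, \
            tempfile.TemporaryDirectory() as offsite, \
            tempfile.TemporaryDirectory() as restored:
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        with open(os.path.join(site, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(site, "wp-content", "uploads", "hero.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8 constructed placeholder")

        archive = create_backup(site, offsite, "site-backup-example")
        if not verify_archive(archive):
            return {"ok": False, "reason": "checksum mismatch"}
        restore_backup(archive, restored)
        original, recovered = _snapshot(site), _snapshot(restored)
        return {"ok": original == recovered, "files": len(recovered)}


if __name__ == "__main__":
    print(drill())
```

Run the drill on a schedule, not just once: the point of a BCP is that the restore step is known to work before the day you need it, and the checksum file is what tells you a copy that sat on another server for months is still the copy you made.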
Whew! That was a lot to cover! But, don’t worry, you can start building your website security one step at a time. In the next lesson, we’ll provide resources to get you started.