C.H.I.'s new website shows outstanding 12-month impact
Dec 12, 2024
Your website isn’t just a representation of your business, it’s an extension of it. So it must remain secure. Issues such as a security breach can significantly impact website performance and user trust.
Cyberattacks are increasingly sophisticated. 68% of business leaders say that their cybersecurity risks are increasing. So, in an ever-changing digital landscape, you must keep pace with potential threats and vulnerabilities that can impact your website.
In this blog, we'll explore how to secure a website, so you can improve cybersecurity across your:
Your CMS contains code that controls the behaviour and functionality of your B2B website. It also lets you manage your content. Some popular examples of a CMS include WordPress, Drupal, and Umbraco. There are also CMS platforms like HubSpot and Shopify.
Platforms such as HubSpot and Shopify are beneficial because they package up your CMS, servers, and infrastructure into one central product. This removes the hassle of disparate responsibilities.
Mike Thomas, Technical Director, Blend
To secure your CMS, you should:
Your web developers are usually the first point of contact if something goes wrong. But do you know exactly who has ownership of your CMS system in a worst-case scenario?
Confirm that you have the correct contact details and service hours for your point of contact. This could be your web developer. Additionally, check if you have defined service level agreements (SLAs) in place.
Keep your CMS, 3rd party plugins, and applications up to speed with the latest core updates.
Cybercriminals can quickly find vulnerabilities in plugins and apps that aren't being maintained, so stay alert to this risk.
Create backup data of your B2B website, including website files, databases, and configuration. This data should be periodically tested to ensure it's always functional, if and when it's needed. This should be stored 'offsite', meaning not on your website or the same server.
Consider 'war gaming' your backup data to test its viability. Ask your web developer to restore your backup data to a testing area. Was it effective? How long did it take?
This simple exercise will show you how resilient your website security backup is. Mike Thomas, Technical Director, Blend
An SSL certificate encrypts the connection between a user and your website. This means that no one can intercept this data.
It protects your users' privacy and your website. It's mandatory for search providers like Google, so not having one will critically impact your SEO standing and brand reputation.
Ensure your SSL certificate is valid and automatically renewed. There are free services that you can use to get your SSL certificate.
Strong passwords are a necessity to secure a website. You should generate a secure password or change existing passwords that are vulnerable.
Ideally, 2FA is best practice to add an extra layer of security. This requires your users to provide a second method of authentication.
Who is responsible for your server? It could be your hosting provider, partner agency, or someone in your internal team, such as your web developer.
If you're using a full-service provider, such as HubSpot or Shopify, then congratulations - you're covered by site reliability engineers. They manage your server security for you.
You'll be using shared, dedicated, managed, or cloud hosting. Each one will come with inherent risks. For example, shared hosting means you're sharing resources with other tenants. And dedicated hosting, although you have reduced risks, puts responsibility for security in your hands. You need the internal resources and knowledge to manage this.
Managed hosting is the best option. It provides fully managed security and your system is configured to your specific needs.
Cloud hosting has become more common in recent years. It includes providers like AWS, Google Cloud Platform, and Microsoft Azure. This is more suited to running complex web applications.
Minimise root access (known as Shell or SSH) only to those who need it. Even web developers rarely require access via SSH directly into your server. By restricting access, you know who is responsible, and this improves your security.
HTTP/1.1 200 OK
Date: Thu, 12 Jun 2014 14:15:01 GMT
Server: Apache/2.2.21 (Win32) PHP/5.4.7
Content-Length:226
Connection: close
Content-Type: text/html; charset=iso-8859-1
This example from an Apache/PHP server is telling anyone who knows where to look exactly what version of which software it’s using. This is like an attacker looking for known security exploits.
There's no point in having the best combination of locks and deadlocks on your front door if you leave a spare key under the doormat. Similarly, many failings come down to simple common sense and governance issues that could have been avoided.
Here are some practical security tips that will help you understand how to secure a website:
A domain registrar is a company that you purchase your website domain from. Using a registrar control panel, it can repoint your domain name to new hosts, apply various verification records, and ultimately manage business-critical functions for your company, including email. This can cause disruption if this access falls into the wrong hands.
Lack of governance of your DNS and domain registrar information can jeapordise your business.
Mike Thomas, Technical Director, Blend
It's important to know where and how this can be accessed. Without this knowledge, you are vulnerable to cybercriminals. For example, access could be with a previous partner agency, contractor, or internal team member who has moved to another company.
It's no good having security protocols in place if your people are careless with their passwords and access details. To improve your password policy, you can:
Once you think your website is secure, you can employ the services of professional penetration testers (PEN) to really test your defenses.
They use a mix of manual and automated tools to look for kinks in your armour. The report you receive is categorised by risk and gives you a good indication of where further effort is required.
Without knowing how to secure a website, you'll leave yourself vulnerable to cyber threats. Website security is also a factor that affects website performance. This is why security should underpin everything you do.