Ensuring your website and online security: key practices for protection
As business owners, we put a lot of effort into building our brand presence online. But all that hard work can be undone in moments if your website or emails are hacked. A lack of digital security can harm your reputation, lead to financial losses, and create significant stress while trying to resolve the fallout.
Recently, we’ve worked with a number of clients whose reputations were put at risk by various incidents:
- A new client came to us after losing their website to a hack.
- One client’s site was injected with malware, which has since been cleaned and secured for visitors.
- Another client’s website showed suspicious activity, and our investigation revealed their login credentials had been compromised.
- In another case, we believe a client’s email password was compromised as their business mailing list started receiving bogus content from them.
So what can you do to keep your online presence secure?
01. Create unbreakable passwords
Your password is your website’s first line of defense, so make it a strong one. As of October 2023, the recommendation is to use at least 12 characters, combining upper and lowercase letters, numbers, and symbols. Avoid using words or phrases tied to your business or personal life – they’re easier to guess.
Over the years, we’ve tested various systems to help clients create secure passwords without causing frustration. With so many passwords to manage, keeping track of them all can feel overwhelming. That’s why we now recommend using a Password Manager.
A Password Manager generates and stores complex passwords securely, so you only need to remember one master password. There are plenty of options available at different price points – find the one that works best for you.
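As an added example (not code from the original post), here is the post's password rule written out as a checker, alongside a generator that draws from the operating system's cryptographic random source the way a password manager does. The 12-character minimum and the four character classes come from the text above; the symbol set and the blocklist of business-related words are assumptions made for the example.

```python
import secrets
import string

# Policy from the post: at least 12 characters, mixing upper- and lowercase
# letters, digits and symbols, and nothing tied to the business or the person.
MIN_LENGTH = 12
# Symbol set for generated passwords (a subset of string.punctuation that most
# login forms accept; this choice is an assumption, adjust to taste).
SYMBOLS = "!#$%&*+-=?@^_~"


def password_problems(password, blocked_words=()):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    for word in blocked_words:
        # Business name, town, pet, birth year: anything guessable about you.
        if len(word) >= 4 and word.lower() in lowered:
            problems.append(f"contains '{word}'")
    return problems


def generate_password(length=20):
    """Build a password the way a password manager does: every character drawn
    from the OS cryptographic random source, with each class guaranteed present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    chars = [secrets.choice(pool) for pool in pools]          # one of each class
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                      # hide the class order
    return "".join(chars)


if __name__ == "__main__":
    # Constructed list of words that would be guessable for a (fictional) bakery.
    blocked = ["bakery", "bristol", "2024"]
    for candidate in ["BakeryBristol2024!", "Tr0ub4dor&3", generate_password()]:
        print(candidate, password_problems(candidate, blocked) or "OK")
```

The checker is deliberately a list of reasons rather than a yes/no, so a signup form can tell the user exactly what to fix; the generator uses `secrets`, never `random`, because `random` is predictable and unsuitable for anything security-related.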
02. Two-factor authentication (2FA)
We strongly recommend activating two-factor authentication (2FA) wherever possible. This adds an extra layer of security to your login, requiring a potential hacker to access not only your password but also a secondary system, such as an authenticator app, linked email or phone, or even a dedicated hardware device.
Yes, the secondary login can sometimes feel like an inconvenience, but it’s a small price to pay for peace of mind. If your password is ever compromised, 2FA acts as a safety net, making it much harder for someone to gain unauthorised access to your accounts.
03. Use a secret email for login
After a client began receiving frequent phishing emails attempting to reset their website password, we introduced a policy for added security: website admins should use a dedicated, secret email address solely for logging into their website.
This email should never be shared online or used to sign up for anything else. Hackers often target public email addresses, so keeping your login email private creates an extra layer of protection.
By limiting exposure, you significantly reduce the risk of falling victim to phishing attempts or accidentally clicking a malicious link that could compromise your login credentials.
04. Limit login attempts
A brute force attack on your website occurs when hackers repeatedly try different combinations to guess your login details. Not only does this give them a chance to crack weak passwords, but a sustained attack can also overwhelm your website, making it temporarily inaccessible.
One simple yet effective way to protect against this is by installing a login limit plugin. These plugins lock out anyone who exceeds the allowed number of login attempts, preventing brute force attacks from continuing.
It’s an easy step to take, but it can make a big difference in securing your website and keeping it accessible to legitimate users.
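What a login-limit plugin does under the hood is a small piece of bookkeeping. The following is an added example (not the post's code, and not any particular plugin) of that logic: failed attempts are counted per account and per source address inside a sliding window, and a key that hits the limit is locked out for a fixed period. The thresholds (5 attempts in 10 minutes, 15-minute lockout) are assumptions chosen as sensible defaults.

```python
import time
from collections import defaultdict


class LoginLimiter:
    """Count failed logins per key (an account name or a client IP) and lock that
    key out once it reaches max_attempts failures inside window_seconds."""

    def __init__(self, max_attempts=5, window_seconds=600, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)   # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout ends

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lockout expired: start with a clean slate
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Note a failure; returns True if this one tipped the key into lockout."""
        recent = [t for t in self._failures[key] if now - t < self.window_seconds]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(limiter, username, client_ip, password_ok, now=None):
    """Gate one login through the limiter; returns 'locked', 'ok' or 'failed'.
    Both the account and the source address are tracked, so someone cycling
    through many usernames from one address runs into the IP lockout too."""
    now = time.time() if now is None else now
    user_key, ip_key = f"user:{username}", f"ip:{client_ip}"
    if limiter.is_locked(user_key, now) or limiter.is_locked(ip_key, now):
        return "locked"                      # don't even evaluate the password
    if password_ok:
        limiter.record_success(user_key)
        return "ok"
    limiter.record_failure(user_key, now)
    limiter.record_failure(ip_key, now)
    return "failed"


if __name__ == "__main__":
    limiter = LoginLimiter(max_attempts=3)
    # Constructed sequence: three bad guesses at 'admin' from one address, then the
    # real owner tries with the right password and finds the account locked.
    for t, pw_ok in [(0, False), (1, False), (2, False), (3, True)]:
        print(t, attempt_login(limiter, "admin", "203.0.113.7", pw_ok, now=t))
```

Two details matter in practice: the lock is checked before the password is evaluated, so a locked key costs the server almost nothing per request (which is what keeps the site responsive during a sustained attack), and the lockout is temporary, so a typo-prone legitimate user is delayed rather than permanently shut out.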
05. Use SSL encryption
An SSL certificate encrypts the data exchanged between your website and its visitors, making it much harder for hackers to intercept sensitive information.
Google has required SSL certificates for several years now and won’t list websites without one, meaning it’s essential for your site’s visibility and credibility.
There are different levels of SSL certificates depending on the type of information your website handles. For example, if you store bank details or sensitive personal information, you’ll need the highest level of SSL encryption to ensure maximum security.
07. Install security software
Security software acts like a guard dog for your website and computer. It scans for malware, monitors potential threats, and alerts you to any suspicious activity. Even free versions offer significant protection, so there’s no excuse not to have this in place.
A website security plugin adds an extra layer of defense, ensuring hackers can’t break in and protecting against malware and brute force attacks.
Similarly, antivirus software safeguards your computer, protecting it from malware that could compromise your systems and jeopardise your work or emails. Together, these tools are essential for keeping your business safe.
08. Back up regularly
Backing up your data regularly is one of the simplest and most effective ways to protect your business from unexpected setbacks.
Keep a recent backup stored offsite or in the cloud. Whether it’s your website, emails, messages, or business systems, regular backups ensure that if something goes wrong, you can restore everything without losing critical data.
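A backup is only useful if it restores, so here is an added example (not code from the original post) of the pattern worth copying into whatever backup tool you use: archive the files, record a SHA-256 hash of each one in a manifest, and then test-restore into a scratch directory and check every file against the manifest. The two-file "site" it builds is constructed sample data.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive every file under source_dir into a .tar.gz and return a manifest
    {relative path: sha256}. Keep the manifest with the backup, offsite."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for file in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = file.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(file, arcname=rel)
    return manifest


def verify_backup(archive_path, manifest):
    """Restore the archive into a scratch directory and check that every file in
    the manifest came back byte-for-byte. Returns a list of problems (empty = good)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # refuses paths that escape scratch
            except TypeError:                            # Python without extraction filters
                tar.extractall(scratch)
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"{rel}: missing from archive")
            elif sha256_of(restored) != expected:
                problems.append(f"{rel}: contents differ from manifest")
    return problems


def backup_roundtrip(tamper=False):
    """Build a constructed two-file 'site', back it up, test-restore it and return
    the verify_backup result. With tamper=True the manifest is altered first, to
    show that a mismatch is reported rather than silently accepted."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "site"
        (site / "wp-content").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>")
        (site / "wp-content" / "notes.txt").write_text("constructed sample content")
        archive = Path(work) / "site-backup.tar.gz"
        manifest = make_backup(site, archive)
        if tamper:
            manifest["index.php"] = "0" * 64
        return verify_backup(archive, manifest)


if __name__ == "__main__":
    print("restore test:", backup_roundtrip() or "all files verified")
    print("tampered manifest:", backup_roundtrip(tamper=True))
```

The manifest also gives you a quick way to tell which files changed between two backups, which is handy after a malware clean-up when you want to know exactly what was touched.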
09. Stay up to date
It’s easy to think, “I’ll update that later,” but we can’t stress enough how important it is to keep all your systems up to date. Developers release frequent updates for your computer, website, apps, and more to fix core vulnerabilities that hackers could exploit.
A quick note – updates can sometimes cause conflicts (though these are usually addressed quickly by developers), so be mindful when updating. We update client websites every two weeks and always leave a day before updating our own computer systems to allow developers time to resolve any conflicts.
If you don’t have the time to keep up with regular updates, turn on auto-updates. This way, you can be sure you’re always protected.
10. Restrict access
When working with multiple people or teams, it’s easy to pass along access information and forget who has it.
Limit access to website admin or important email accounts to a small number of trusted users. Grant restricted access to everyone else.
It’s also a good idea to regularly review who has access to your accounts. We’ve lost count of the times we’ve been asked to look at a new client’s website, only to discover that former employees still have access.
11. Be email savvy
This one’s caught us out before. We started an email conversation with someone we thought was a client, only to realise it was a phishing attempt. It was the second email, which asked for sensitive information, where we noticed something was off. Not only should the client have known we didn’t have the data they were after, but the email sounded odd – the tone of voice was unlike the client we were used to.
Phishing emails are sneaky and can be incredibly convincing. Always double-check the sender (look at the actual email address it has come from, not just the name displayed), and never open links or attachments unless you’re 100% sure they are safe.
It’s better to be overly cautious than to regret a quick click.
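The "double-check the sender" advice can be partly automated. The following is an added example (not the post's code) that reads the From and Reply-To headers of a raw email and reports the three tell-tales in the story above: the display name matches a known contact but the address does not, the domain is a lookalike of the real one (digits or letter pairs swapped in), and replies would be routed somewhere other than the sender's domain. The address book and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name (lowercased) -> address we have on file.
KNOWN_CONTACTS = {"jane smith": "jane@example-client.co.uk"}

# Characters commonly swapped into lookalike domains; mapping them back lets us
# spot 'examp1e' or 'rnail' standing in for 'example' or 'mail'.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_domain(domain):
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_warnings(raw_message, contacts=KNOWN_CONTACTS):
    """Return human-readable reasons to distrust the sender of one raw email."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    warnings = []

    on_file = contacts.get(name.strip().lower())
    if on_file and on_file.lower() != addr.lower():
        warnings.append(f"'{name}' normally writes from {on_file}, this is from {addr}")
        real, seen = domain_of(on_file), domain_of(addr)
        if seen != real and normalise_domain(seen) == normalise_domain(real):
            warnings.append(f"{seen} is a lookalike of {real}")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        warnings.append(f"replies would go to {reply_to}, not back to the sender's domain")
    return warnings


# Constructed sample messages.
GENUINE = """From: Jane Smith <jane@example-client.co.uk>
Subject: Invoice for March

Hi, invoice attached as usual. Jane
"""

SUSPICIOUS = """From: Jane Smith <jane@examp1e-client.co.uk>
Reply-To: accounts@mail-handler.net
Subject: Urgent: need our card details on file

Can you send over the card details you hold for us today?
"""

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("suspicious", SUSPICIOUS)]:
        print(label, "->", sender_warnings(raw) or "no warnings")
```

A check like this catches the mechanical signs; the human signs from the story (an odd tone, a request for data the sender should know you don't hold) still need a person to notice them, which is why the training tip below matters.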
#designtip – Educate your team. If you have employees, associates, or collaborators, make sure to train them on cybersecurity basics so everyone is on the same page and follows best practices. This helps ensure your whole team is aware of potential risks and knows how to protect your business from threats.
These 11 recommendations might seem overwhelming (and there are more), but keeping your website secure doesn’t have to be. By following best practices, you can protect your brand, your business, and your peace of mind. Trust us – it’s absolutely worth the effort.
Have questions or need help implementing these tips? Let us know – we’re here to help.
Photo by Markus Spiske on Unsplash