
How to Conduct a Security Audit On Your Website

June 12, 2015

Nexxtep <3’s Security.

You might have noticed. After all, we’ve devoted dozens of blog posts to this subject.

We talk about how to stop viruses and malware from infecting your computer, how to avoid phishing scams in your email inboxes, and of course, the importance of strong passwords! But did you know that your business website can fall victim to all of these threats too?

Your website can be infected with malware.

Your website can be hijacked.

If you have a lot of important content, or a valuable domain name, these threats could cost you dearly.

According to a recent survey from WhiteHat Sentinel (a website security firm), “86% of all websites tested by WhiteHat Sentinel had at least one serious vulnerability, and most of the time far more than one—56 to be precise,” and “Serious vulnerabilities were resolved in an average of 193 days from the first notification."

If your website is hacked and you don’t take action to fix it, Google will probably blacklist your site, hiding it from search engine results or blocking traffic to your website. If you generate leads and revenue with your website (which you should be doing in this day and age), then you do not want this to happen.

Even worse, if someone with malicious intent hijacks your website, your image could suffer as a result of them posting damaging text and images.

Protecting your computer network is extremely important, but don’t forget to protect the face you show to the outside “Internet-world.” If your image is damaged, your business is damaged.

How can you keep your website safe? You can conduct an internal website security audit with these five steps.

1. Use secure passwords for all website-related accounts

We cannot stress this point enough. Using unique, strong passwords is the most important thing you can do to keep ANY part of your online identity safe (bank accounts, email logins, etc.). With a service like LastPass, you can manage all of your strong passwords without having to remember all of them.

Your website will likely have these types of accounts that require passwords:

  • Your website host will have an FTP account you can use to access your website files, either with an FTP client like FileZilla or through a web-based control panel such as cPanel
  • If you use WordPress, Joomla, Wix, or any other CMS or blogging platform, you will have a login to edit your website from a web-based dashboard (this is easier than editing individual files over FTP)
  • Your domain is often hosted with a different company than your actual website. GoDaddy, Network Solutions, and Register.com are examples of popular domain registrars.

What you can do:
For each of these accounts, you should know the following:

  • The username and password.
  • Who has access to these accounts.
  • Are there any sub-accounts? For example, with WordPress and many other CMS platforms, multiple users can have accounts they can use to update the website.
  • For these sub-accounts, what are the privileges? For example, can they erase all of the content on the website, or only the content they publish? Do you need to decrease the privileges these users have?

What Nexxtep does:
We use unique, strong passwords for every account we manage. On our clients' website dashboards, we use a plugin (an add-on) that limits the number of times someone can try to log in. This stops attackers from guessing your password over and over again (automated bots will otherwise keep trying indefinitely).

2. Keep tabs on your domain registration

If your business has a website, you should have ownership of and access to your domain registration account. If you are not sure if you have access, you can check to see where your domain is registered using WhoIs.net.

Yes, you can have a technical person or web developer maintain your domain registration and make updates for you. I recommend that you do, but in the event you lose contact with your web developer or IT person, how will you be able to access your domain account to renew it? If you have a very popular or coveted domain, someone might be waiting for it to expire and take the opportunity to steal it away from you.

What you can do:
If you don’t know where your domain is registered, check using WhoIs.net. Set a reminder on your calendar to renew your domain registration a few weeks ahead of the expiration date.

What Nexxtep does:
We keep documentation of all of the domain accounts we have access to, and will freely give that information to the account owner if they lose or misplace it.

3. Use a proxy service to block threats

We use a service called Cloudflare that acts as a shield between your visitors and your website. Cloudflare can identify threats and block them before they ever reach your site. You can even block specific visitors if they pose an especially harmful threat.

What you can do:
You can sign up for a free Cloudflare account and set up your website with the service.

What Nexxtep does:
If you have given us access to manage your domain, your website is already using Cloudflare to ward off threats.

4. Perform regular security scans on your website

Even when you do everything right, there is no way to eliminate your risk exposure. You can reduce it dramatically, but never eliminate it. With that said, there is always a chance for you to fall victim to a security breach. In that case, you need to identify the threat as quickly as possible.

What you can do:
You can use a service called Sucuri to scan your website for free. If you are infected, they can clean your site for $199.

What Nexxtep does:
Our websites are automatically scanned for malware every day. If a threat is identified, it is removed at no charge to you.

5. Keep daily backups

Again, you can never be completely immune from risk. By keeping daily backups of your website files and databases, you can republish your website if you are hacked, or if your website goes down for another reason (e.g. human error or an incompatible update).

What you can do:
Check with your website hosting provider to make sure they are keeping regular backups of your website. Ask how easy it would be to restore a previous version of your site in the event it goes down.

What Nexxtep does:
We keep daily backups of your website and can restore an undamaged version with a click of a button. We also use uptime monitoring, which means we get an email if and when your website does go down so we can address the issue and take action as quickly as possible.
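As an added example (not part of the original post or Nexxtep's own tooling), here is a small POSIX shell script that does what step 5 describes: a daily backup of the site files and, optionally, the database, with a checksum record so a damaged backup is noticed before you rely on it, a retention limit, and a restore that refuses a backup that fails verification. The paths, the `KEEP` and `DB_NAME` variables, and the use of `mysqldump` are assumptions.

```shell
#!/bin/sh
# Daily backup of a site's files (and, optionally, its database) with an
# integrity record, retention, and a verified restore. Assumed layout:
# web root in SRC, backup sets written to DEST, newest KEEP sets retained.
set -eu
KEEP="${KEEP:-7}"

# backup_site SRC DEST -> prints the path of the new set's checksum file
backup_site() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  tar -czf "$dest/site-$stamp.tar.gz" -C "$src" .
  files="site-$stamp.tar.gz"
  # Optional database dump (assumption: MySQL/MariaDB via mysqldump), kept
  # beside the archive and never inside the web root, where it would be served
  if [ -n "${DB_NAME:-}" ] && command -v mysqldump >/dev/null 2>&1; then
    mysqldump "$DB_NAME" | gzip > "$dest/site-$stamp.sql.gz"
    files="$files site-$stamp.sql.gz"
  fi
  # Checksums let a later restore notice a truncated or tampered backup
  (cd "$dest" && sha256sum $files > "site-$stamp.sha256")
  # Retention: remove every file of all but the newest KEEP backup sets
  ls -1t "$dest"/site-*.sha256 | tail -n +$((KEEP + 1)) | while read -r old; do
    rm -f "${old%.sha256}".*
  done
  printf '%s\n' "$dest/site-$stamp.sha256"
}

# verify_backup SUMFILE -> 0 only if every file in the set matches its checksum
verify_backup() {
  (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1")") >/dev/null 2>&1
}

# restore_backup SUMFILE TARGET -> verify first, then unpack the files into TARGET
restore_backup() {
  verify_backup "$1" || { echo "backup failed verification: $1" >&2; return 1; }
  mkdir -p "$2"
  tar -xzf "${1%.sha256}.tar.gz" -C "$2"
}
```

Run `backup_site /var/www/html /var/backups/site` from a daily cron job, and test `restore_backup` into a scratch directory now and then, so you learn that a backup is unusable before the day you need it.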

Protect your website. Protect your business.

Run through these items and see how safe your website is. If you need help protecting your website, contact us here.
