Website security checklist: what actually matters in 2020

Do you know how secure your website really is? This 11-part security checklist will help you keep your data safe and out of reach of hackers.

Jeff Cardello
January 14, 2020

About 30,000 websites experience a cyber attack daily. As your website grows, it's inevitable that someone will try to hack it. So, what are you doing to keep yourself safe in 2020?

We've all gotten caught up in the buzz of building a website. Seeing visuals and content fill out a design, having prototypes transform into functioning pages, and getting closer to going live are all exciting. But amidst the anticipation of flipping the switch, the realities of dealing with hackers and those with bad intentions need to be addressed. 

The list of companies that have experienced a cyber attack has some pretty big names on it. Yahoo, Equifax, and Sony are but a few corporate behemoths felled by the hands of these digital criminals. However, most hacks don't involve huge corporations and the shakedown of colossal amounts of data. Independent businesses and small companies are also at risk. 

According to Verizon's 2019 Data Breach Investigations Report, 43% of breaches involved small businesses.

Any business can have its website targeted by hackers. They have a multitude of techniques, like malware, brute force attacks, SQL injection, cross-site scripting, and DDoS attacks, to steal your customers’ data and other sensitive information, or simply to take your site offline. A security checklist should cover the measures needed to keep both you and your customers out of their crosshairs.

11 step checklist to make sure your site is secure

Before you go live, go through this checklist, and make sure your website is safe from the variety of security threats that are out there.

1. Prevent spam

It’s a terrible feeling to write a fantastic blog post, full of creative prose and helpful information, only to have it besmirched by spam comments. Like someone scrawling graffiti over a masterpiece painting, all people see are these errant marks offering herbal supplements, sketchy links, and other bunk comments by fake users. Comment spam is one of the most common forms of abuse a site with user comments will see, and the links it carries often lead visitors to phishing pages or malware. Having a plan in place for dealing with it should be part of any website security checklist for a site that allows user comments. 

Not only do spam comments diminish the trust of people visiting your page, but search engines penalize pages full of spam links, which hurts your ranking. Just as Google doesn’t tolerate spam, neither should you. Take the right security measures to make sure that your page doesn’t become a spam free-for-all.

If you built your website with Webflow, using Disqus or a similar comment integration or plugin can help you identify and moderate comments with a quick code embed. Disqus does a good job of filtering out spam, and many webmasters rely on it for that protection. Whatever system you use, keep moderation turned on for new accounts and review the spam queue rather than trusting the filter blindly.

2. Protect your website from Denial of Service (DDoS) attacks

ddos attack diagram

This graphic from Wikipedia illustrates how hackers enlist an army of computers to perform a DDoS attack.

DDoS attacks work by pummeling a website with traffic from many compromised machines at once. Overwhelmed by this barrage, servers stop answering legitimate requests and the website goes offline. A DDoS attack does not by itself let anyone inject code into your site, but it is sometimes used as a smokescreen to keep your team busy while a separate intrusion takes place. When your website goes offline for any period of time it affects your reputation and bottom line.

Protection from DDoS attacks starts with using a reputable hosting provider. Good hosting companies do things like regular penetration testing, which is a controlled way to test for vulnerabilities, as well as diligent and consistent network monitoring so that a flood is noticed and mitigated quickly. 

webflow hosting stack
Webflow's web hosting stack

If you host your website with Webflow you get the protection of Amazon Web Services (AWS) Shield. AWS Shield Standard automatically mitigates the common network and transport layer floods, such as User Datagram Protocol (UDP) reflection attacks and SYN floods. Application layer attacks such as DNS query floods and HTTP floods or cache-busting requests look more like real traffic and need additional controls (on AWS, Shield Advanced together with AWS WAF and rate limiting). No service can promise to absorb every attack, so ask your provider which layers it covers and what happens when a flood exceeds them.

3. Block brute force attacks

Brute force attacks are often mentioned along with DDoS attacks. Though both involve repeated requests to a server, brute force attacks are more focused: the attacker tries password after password (or key after key) until a login succeeds or encrypted data gives way. 

There are a few ways to mitigate or stop these threats: rate limiting and temporary lockouts on repeated failures, strong password hashing so a stolen credential store is not quickly cracked, and two-factor authentication on accounts that matter. Webflow tracks the IP addresses on form submissions and monitors them for repeated attempts. Whoever you choose as your web hosting provider, make sure that they provide a line of defense against these.

4. Safeguard against cross-site scripting (XSS)

Another tactic that hackers use to compromise websites is cross-site scripting (XSS). The attacker gets their own script into a page that your site serves to other visitors, typically through a comment, a form field, or a URL parameter that the site echoes back without escaping it. Because the script runs in the visitor's browser under your site's origin, it can read their session cookies, capture what they type, and perform actions as them.

XSS may be a sneaky way for hackers to make off with someone's information, but it is not something a DDoS service can stop: AWS Shield mitigates traffic floods and does nothing about script injection. The defense is in the application itself. Escape user-supplied data for the context it is rendered in, never insert untrusted HTML into a page, and set a Content-Security-Policy header so that inline scripts and scripts from unexpected origins are refused even if an escaping bug slips through. On a hosted platform like Webflow, be especially careful with any custom code embeds and third-party scripts you add, since those run with full access to the page.

5. Defend against SQL injection

Here's another little nightmare that hackers like to use to get access to sensitive information. Most web applications keep their data in a database that is queried with SQL. SQL injection happens when the application builds a query by pasting user input straight into the query text: the attacker supplies input that contains SQL of their own, and the database cannot tell the difference between the developer's query and the attacker's addition, so it runs both. The fix is to use parameterized queries (prepared statements) everywhere user input reaches the database, so that values are sent separately from the statement and are never parsed as SQL. A web application firewall can filter some known injection patterns, but AWS Shield is a DDoS service and does not address SQL injection, and no filter is a substitute for fixing the query. If your site relies on a backend or API that you build yourself, that code is where this check belongs.

6. Install an SSL certificate

People tend to freak out when they go to a website and don’t see a lock symbol or https. Getting those anxiety-inducing warning messages about potential security risks doesn't inspire anyone to navigate any further. Websites without a certificate also tend to rank lower in Google searches, since Google uses HTTPS as a ranking signal. An SSL certificate is a necessary security measure for any type of web page and should be standard.

An SSL certificate (strictly, a TLS certificate; SSL is the older name) lets the browser verify that it is talking to your server and not an impostor, and the TLS connection it establishes encrypts data in both directions. That prevents login details, credit card numbers, and other customer data entered into forms from being read or altered in transit. Make sure the plain http version of your site redirects to https and, once that works, send a Strict-Transport-Security header so browsers never fall back to the unencrypted version.  

Of course, Webflow offers SSL certificates for free. 

7. Backup your website and all of its data

website backup

There’s no reason for you to have to do this manually. Reputable web hosting services offer backups as a free service. Do confirm, though, that you can actually restore from them, and keep an export of your content somewhere outside the hosting account so a compromised or closed account doesn't take the backups with it.

If you need an old version of a web design, they’re easy to access in Webflow, with the free version offering the last two versions and the premium edition offering unlimited access to all of the revisions. Along with old versions of a website, all of the data is automatically backed up too.

8. Follow ISO 27018 compliance

Okay, this isn’t the most excitingly named item on the list, but ISO 27018 is actually pretty useful. Everything that’s in the cloud doesn’t float out of reach of hackers. ISO/IEC 27018 is a code of practice that spells out the controls a public cloud provider must follow to protect the personally identifiable information (PII) it processes on behalf of its customers.

Websites hosted on Webflow sit on Amazon Web Services, whose infrastructure is certified against ISO 27018 (this is a property of the AWS platform, not of AWS Shield). That certification covers how the provider handles PII at the infrastructure layer. It doesn't make your site compliant by itself: you are still responsible for what data you collect through your forms, where you send it, and how long you keep it.

9. Use HTTP/2

Some web hosting companies don’t offer HTTP/2, which is shocking considering how much faster it is than HTTP/1.1. With HTTP/1.1, each connection handles one request at a time, so a browser opens several connections and still queues behind slow responses. HTTP/2 multiplexes many requests and responses as parallel streams over a single TCP (Transmission Control Protocol) connection and compresses headers, so a page's assets arrive with far fewer round trips.

Not only does it facilitate a better exchange of data, but browsers only speak HTTP/2 over TLS, so HTTP/2 in practice means https. We’ve talked about Google docking websites for certain things; HTTP/2 itself is not a ranking factor, but page speed is, so the faster loads give websites that use it a nice organic boost in SEO, given they have great web content and follow SEO best practices. Webflow already has HTTP/2 integrated into it, giving your website an advantage in both speed and security.

10. Utilize a reliable form for online payments

webflow payments

Whether you’re processing credit or debit cards, web payments, or PayPal payments, you want this to be done through a trusted provider. Use services like Stripe and PayPal, the two leaders of online payments. This will give you and your customers two secure ways to pay when it’s time to check out. Use the provider's hosted checkout or embedded card fields so that raw card numbers never touch your own pages or servers; that keeps you out of the hardest parts of PCI DSS compliance.

11. Password protect important pages

Keeping your admin credentials out of the hands of bad actors is paramount for web safety: use a unique, strong password and turn on two-factor authentication wherever your platform offers it. Along with this, it’s a good idea to password protect other content, page folders, and CMS collections.

password protected page

Only give permissions to those who need access. Make sure your website has a feature to password protect individual pages and folders. This gives you precise control over who is allowed to see a page. Keep in mind that a page password is a single shared secret: it's fine for staging previews and client drafts, but anything genuinely sensitive should sit behind per-user logins that you can revoke individually.

Stay safe

Keeping you and your users protected from hackers is an ongoing process. Just as technology evolves, so do new ways of stealing people’s data. Finding a hosting provider that puts security first is a smart way to go. If you have any security questions about Webflow, feel free to ask in the comments below!

Jeff Cardello

Advocate for better design and professional writer excited by tech, entrepreneurship, and branding. Writes the occasional joke on Twitter.
