The ultimate webpage security primer for law firms

Keep the bad guys away

Webpage security is a hot topic, especially among small law firms and practices. Your law firm or private practice handles a lot of sensitive legal material, and a data breach can topple any client trust you’ve worked so hard to obtain — not to mention potential legal issues you might have as a result of poor webpage security.

Data breaches are also quite common among small businesses. In fact, 43 percent of small businesses are targeted for cyberattacks. Why? Most small businesses, like your law firm or private practice, don’t have the expertise or time to research how to combat cyberattacks.

7 steps to webpage security

The good news is there are steps you can take to keep your site secure. To keep your law firm or private legal practice safe from website security threats and malware, I have compiled a list of seven essential security tactics I employ for the law firms I work with every day.

  1. Protect your website with an SSL certificate.

  2. Choose a credible hosting provider.

  3. Use secure passwords and password managers.

  4. Keep WordPress and WP plugins updated.

  5. Perform regularly scheduled website backups.

  6. Limit admin access to your website.

  7. Perform regular security (malware) scans.

Let’s dive right in!

1. Protect your website with an SSL certificate

In July, Google Chrome 68 began enforcing its Secure Sockets Layer (SSL) certificate rule: every website without an SSL certificate is now marked as not secure. The change was put in place to enhance the security of both online users and the sites they visit.

Great, right? Well, not so great if you haven’t been keeping up with the latest Google security trends. Most lawyers are way too busy for this, which means that many law firm websites have been left vulnerable without SSL certificates.

This might even hurt your Google ranking, although there’s no real proof of that. But it stands to reason that Google Chrome will satisfy search queries with secure sites before not so secure ones.

Check to see if your website is secure like this:

[Image: Web Page Security Indiana HTTPS]

You can also click on “Secure” and get more information:

[Image: Web Page Security Indiana Secure]

Editor’s note: Another easy way to see if your site is secured with SSL? Use GoDaddy’s nifty (and free) SSL Checker tool.

If your law firm needs an SSL, contact your hosting provider or your website manager to get secured. If you’re using GoDaddy as your hosting provider, you can manage your SSL and webpage security by going to your hosting dashboard.

[Image: Web Page Security Security SSL]
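The browser check above can also be scripted so that an expiring certificate is caught before visitors see a warning. This is an added example, not code from the original article; the host name and sample certificate are constructed, and the 30-day warning threshold is an assumption.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone


def fetch_certificate(host, port=443, timeout=5.0):
    """Return the site's certificate after full TLS verification.

    create_default_context() checks the chain against the system trust
    store and the hostname against the certificate, so an untrusted,
    expired or mismatched certificate raises ssl.SSLCertVerificationError.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Whole days before the certificate's notAfter date (negative if past)."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def assess(cert, now=None, warn_days=30):
    """Classify a certificate as OK, RENEW SOON or EXPIRED."""
    left = days_until_expiry(cert, now)
    if left < 0:
        return "EXPIRED"
    return "RENEW SOON" if left < warn_days else "OK"


# Constructed sample in the dict shape getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "lawfirm.example"),),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python check_cert.py yourfirm.example
        try:
            print(sys.argv[1], assess(fetch_certificate(sys.argv[1])))
        except (ssl.SSLError, OSError) as err:
            print(sys.argv[1], "FAILED:", err)
    else:
        print("sample:", assess(SAMPLE_CERT))
```

Run on a schedule, a result other than OK is the cue to contact the hosting provider about renewal.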

2. Choose a credible hosting provider

Speaking of hosting providers, it is absolutely vital to ensure your host is credible. Using a not-so-credible hosting provider can result in a number of webpage security issues, as well as user experience problems for your law firm.


A credible website hosting provider has server security protocols in place to ensure the server your site is on doesn’t get hacked. Malware and malicious code can be easily injected into your site’s server or database by a seasoned hacker.

Uptime issues

If your website is experiencing increased page load times and uptime issues, you might want to find a more credible hosting provider.

Speed and uptime problems provide a poor user experience, and might hurt your site’s Google rankings as well.

Revenue loss

Losing profit is another issue that can arise from using a non-credible host. The cost of a cyberattack can be overwhelming. You can lose your clients, and you can also be liable and open to lawsuits if legal information is leaked.

Server cyberattacks are bad news for your law firm and your clients.

If a server is compromised, your client’s case and personal information can be stolen and used by hackers.


This will destroy your firm’s credibility, something you’ve worked diligently to build. Don’t become a statistic. Choose a credible hosting provider that makes security a top priority.

3. Use secure passwords and password managers

Are your passwords safe? If you answered yes to that leading question, think again. Hackers spend their days coming up with innovative ways to steal your credentials and cause irreversible damage.

A few ways your passwords can be compromised include:

  • Using unsecured WiFi networks
  • Visiting unsecure websites
  • Using your phone number for “Forget Your Password” features
  • Not having an updated operating system (OS)
  • Opening spam email

The list goes on and on. The good news is that by making password security a priority for your law firm, you can thwart hackers. Using more secure (encrypted) passwords and implementing password management systems can enhance security.

For example, a password manager platform, like LastPass, lets you use more complicated passwords since you don’t need to remember them. Password manager platforms also help you manage who has access to what. This is essential for law firms with more than a handful of employees.

[Image: Web Page Security Google Authenticator]

You can, and probably should, set up two-factor verification to further enhance your law firm’s website security. Google Two-Step Verification is easy to set up and use. It essentially adds an extra layer of security, requiring a would-be hacker to have possession of your mobile phone when logging in. Here’s how to set it up on your devices:

First, download the Google Authenticator app.

Then simply follow the setup process. The authentication process works like this:

[Image: Web Page Security Authentication]

[Image: Web Page Security Authentication 2]

Heighten your level of password security to protect your firm’s site, legal data and your client’s personal information. It’s too simple not to.

4. Keep WordPress and WP plugins updated

Similar to not having your OS updated, not updating your WordPress (WP) website to the current version can invite security issues. The same goes for WP plugins you are using on your WordPress site.

If you are using WordPress for your law firm, you might have automatic version updates set. If not, you might need to be on the lookout for new versions. Normally, you will get an alert on the top-left part of the dashboard screen.

The alert to update your site to the new version looks like this:

[Image: Web Page Security Update WordPress]

Staying up to date on WordPress webpage security updates is also important to protect your law firm website. To find the latest security updates issued by WordPress, you can visit their Security Category Archive.

[Image: Web Page Security WordPress Archive]

Updating your WordPress plugins is also a vital step in enhancing law firm website security. There are two ways you can accomplish this. The first way is to select “Updates” under your “Dashboard” setting:

[Image: Web Page Security Select WordPress Updates]

Once you pull up your updates, simply select all and update in one click. The second way is to select “Plugins” and update each individually:

[Image: Web Page Security Update WordPress Plugins]

Quick word of caution: Prior to updating your WordPress version, be sure your site is backed up so you don’t lose any recent changes. Keep reading to learn more about website backups. It’s also a smart move to test updates on a staging site first.

5. Perform regularly scheduled website backups

When was the last time you backed up your website? If you’re not sure, this should be at the top of your list. Why? If your law firm website is hacked and/or injected with malware, you could lose all your site’s content and data.

That is, unless your website is backed up. Having backups of your website allows you to quickly get your site up and running. This can cut down on revenue loss, as well as keep the trust and confidence of current and potential clients.

To back up your site, you can use your hosting dashboard. If your host is GoDaddy, use this step-by-step guide to backing up and restoring your website or follow the steps below.

Sign in to GoDaddy and go to your hosting dashboard. Then select the website you want to access:

[Image: Web Page Security GoDaddy Hosting]

Next, scroll down and find the “Backups” box at the bottom of the webpage:

[Image: Web Page Security Backups]

If you have automatic backups scheduled, you can access your site files and databases to restore them:

[Image: Web Page Security Restore]

6. Limit admin access to your website

As a lawyer, you probably don’t have a lot of time to deep dive into your law firm’s website backend. You might even have a legal marketing agency manage your website so you can focus on current client needs, not generating new clients.

One very important aspect of webpage security is to ensure that only the people who need admin access have it — no one else.

Who has admin access to your site? To find out, log in to your WordPress website, scroll to “Users” in the left sidebar, and then select “All Users.”

[Image: Web Page Security All Users]

This will give you a list of all users and their user status:

[Image: Web Page Security User Status]

If you are managing your webpage security, delete or change the admin status of anyone who doesn’t absolutely need it:

[Image: Web Page Security User Role]

This adds an extra layer of security, because a past employee or outsourced consultant can do a lot of damage with admin access, such as deleting your entire site.

Once you have changed or deleted the admin access of your team members, it is imperative to monitor user permissions on a regular basis. Anyone with admin access can change user permissions, so be vigilant to keep webpage security a priority.
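The regular permission review described above can be made repeatable by comparing user exports from two dates. This is an added example, not code from the original article: it assumes the site has WP-CLI available and that each export was produced with `wp user list --fields=ID,user_login,roles --format=csv`; the allowlist and both sample exports are constructed.

```python
import csv
import io

# Hypothetical allowlist: the only logins that should hold the admin role.
APPROVED_ADMINS = {"managing.partner", "agency.webmaster"}

# Constructed exports from two audit dates (not real accounts).
LAST_MONTH = """ID,user_login,roles
1,managing.partner,administrator
2,agency.webmaster,administrator
3,paralegal.kim,editor
4,former.associate,administrator
"""
THIS_MONTH = """ID,user_login,roles
1,managing.partner,administrator
2,agency.webmaster,administrator
3,paralegal.kim,"editor,administrator"
4,former.associate,administrator
5,seo.helper,administrator
"""


def load_roles(csv_text):
    """Map each login to its set of roles (WP-CLI comma-joins multiple roles)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["user_login"]: set(r["roles"].split(",")) for r in rows}


def audit_admins(previous_csv, current_csv, approved=APPROVED_ADMINS):
    """Return (login, finding) pairs that need a human decision."""
    before, now = load_roles(previous_csv), load_roles(current_csv)
    findings = []
    for login in sorted(now):
        if "administrator" not in now[login]:
            continue
        if login not in before:
            findings.append((login, "new account created with admin role"))
        elif "administrator" not in before[login]:
            findings.append((login, "promoted to admin since last audit"))
        if login not in approved:
            findings.append((login, "admin not on approved list"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_admins(LAST_MONTH, THIS_MONTH):
        print(f"{login}: {finding}")
```

On the sample data this flags the former employee who still holds admin access, the account promoted since the last review, and the newly created admin, which are the cases the section warns about.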

7. Perform regular security (malware) scans

Knowing if your law firm website is infected with malware can be challenging.

The hackers behind cyberattacks are crafty, and they have come up with skilled ways to infect sites without detection.

How do you know if your site is infected with malware? A few signs and symptoms include:

  • OS and programs seem extremely slow to start
  • Unusual pop-ups
  • Lack of hard drive space
  • Weird error messages
    … and more.

You also can employ Google’s Transparency Report to get more details about whether your law firm site is infected with malware. To go one step further, use GoDaddy’s Express Malware Removal to identify and remove malware to enhance webpage security.

[Image: Web Page Security GoDaddy Malware Removal]

Enhance your law firm webpage security

Your law firm webpage security should be a priority. Protecting your site from cyberattacks and making it challenging for hackers protects your firm’s information and data, as well as the data and personal information of your clients.

It only takes one cyberattack to devastate a law firm or private legal practice, leaving you vulnerable to legal issues — not to mention a lack of client trust moving forward after a large-scale data breach.

Don’t wait. Be proactive and ensure your webpage security is top-notch. Use the above tips to get security efforts moving in a powerful direction. Is your law firm website at risk?
