hardhats hanging on wall

7 best practices for small business website security

7 min read
Sebastian Shepard

You don't need to look too far to see why website safety should be a priority. Consider the unfortunate case of Equifax. When news broke in early September that the sensitive information of up to 143 million Americans had been compromised, we knew it was bad.

It got worse — a few days later, Equifax was facing at least 23 class-action lawsuits.

Even if none of them are successful, the cost to the company has already been huge — in the hundreds of millions in stock value wiped out, in the legal fees to come, and for the remediation that Equifax will provide to affected parties.

It just goes to show you that website protection isn't just being smart about security, it's being smart about your bottom line.

7 website safety best practices

It’s important to protect your business assets. Here are seven best practices you can do to improve your website safety and keep valuable data secure.

  1. Get a vulnerability scanner.
  2. Keep sensitive pages off Google.
  3. Get malware and virus protection for your site.
  4. Perform backups frequently.
  5. Be cautious with login privileges.
  6. Protect customers with an SSL.
  7. Protect your WiFi.

Ready to take security seriously? Website protection should be a top priority for your small business website, so keep reading to learn more about each of these best practices.

1. Get a vulnerability scanner

Vulnerability Scanner
Vulnerability scanners show you where your site is in danger.

A vulnerability scanner shows you where your site is weak, where there are holes that hackers look for, and (if it's a good one) shows you how to remediate those weaknesses. They're important because they think like the bad guys do — probing a network, looking for open ports, and finding vulnerabilities to exploit.

It's important to scan regularly — even as often as daily. New vulnerabilities are discovered all time, and something that was secure yesterday may not be safe today.

A word to the wise — vulnerability scanners can be highly technical and require a skill set outside of the typical small business owner. If you're not technical, we recommend looking at user-friendly vulnerability scanners.

Our recommendation: The McAfee SECURE Vulnerability Scanner. It’s built — and priced — specifically for small businesses. Its interface is designed to be helpful even for non-technical folk.

2. Keep sensitive pages off Google

Many websites have admin pages that are, in general, better to keep out of public view. After all, admin pages typically point to areas of your site that hackers are after. And the harder it is for hackers to find those pages, the better, right?

That's why you want to keep them off Google. Fortunately, this isn't that hard — especially if you don't have a bunch of links pointing to that site. All you need to do is add a simple Disallow: command to your robots.txt file.

For more info on how to do that, check out this page.

3. Get malware and virus protection for your site

Sucuri screenshot for malware protection

Many of these website security best practices are about preventing bad things from happening, and it's extremely wise to get a proactive malware and virus protection service. This will enable you to scan your site for harmful things that could already exist, and then help you remove them in the unfortunate case you find something.

Basically, it will help you get back to normal ASAP. And in a time of crisis — when you have a virus or malware, that's exactly what you need.

Our recommendation: GoDaddy Website Security, powered by Sucuri. You get elite scanning, super high-quality remediation assistance, and to top it off, Google blocklist removal (Google can blocklist sites that aren't safe, and GoDaddy checks to see if you're on this list and gets you off it before it costs your business serious coin). Plus, with the top-tier version, you get a Website Application Firewall to prevent all sorts of bad things from getting through to your site.

4. Perform backups frequently

Website Backup Drives

You've probably heard this a million times. Telling website owners to back up their website is the "eat your vegetables" of the eCommerce world. But, like vegetables, there's a very good reason people keep telling you to do this.

Even if all of our files are living on hard drives in far-flung data centers all over the world, those hard drives can still fail. And when they do (not if — they all break eventually), the best way to get up and running again is to have a backup.

Now, some hosts perform backups for you. This is good. But very few of them back up as much as you need. Maybe they do it once a month, or less.

You're looking for a bare minimum of a weekly backup.

To do that, you need to use your own backup service.

Our recommendation: If you're getting daily orders, you should be keeping daily backups. GoDaddy's Website Backup service — which features built-in daily malware scanning, automatic daily backups, easy one-click restore and more — is a great tool. Also, make sure you have both a physical and digital backup. For the latter, you're going to need a SaaS backup service like CodeGuard.

5. Be cautious with login privileges

One of the simplest ways to improve your website security is to have tighter login controls.

A login that remains valid for 30 days, despite inactivity, is a risk to your customer data — and your business. All it takes is for a device to fall into the wrong hands — a laptop left on a coffee shop table, or a tablet in an airport. If your login controls are weak, then whoever has them can access all that valuable information.

Our recommendation: Have logins expire after no more than a few hours of inactivity. It might be annoying to log in multiple times per day, but it's better than having the wrong person get logged in with no effort. We also recommend putting a firm limit on number of login attempts. That way, you'll be protected against brute force attacks. If your site is built on WordPress, learn about a few website protection plugins that can limit login attempts.

6. Protect customers with an SSLScreenshot of GoDaddy's SSL sales page

Website safety isn't just about protecting the stuff you store on your site. It's also about keeping data safe as it's sent to your site. And for that, you need an SSL.

Like website backups, you probably don't need to be told why you need an SSL certificate. To briefly summarize: SSL certificates encrypt data sent to your servers, so when a customer types in their credit card information or home address, anyone "listening" to your connection won't be able to get that valuable info.

They're considered so necessary that Google uses them as a search ranking signal and will actively try and humiliate you if your site doesn't have it.

Our recommendation: GoDaddy offers SSL certificates with 24/7 customer support and the strongest encryption on the market, giving you the best website protection.

7. Protect your WiFi

Wardriving is a term for when hackers drive around looking for unsecured WiFi networks, and then access devices that are connected to those networks to steal data.

WiFi signals can travel a decent distance — just check the available networks your phone can join next time you're out on the street. That's why it's so crucial to secure your network with a very tough password.

Website protection is ongoing

Small business website security isn't just a matter of following these seven steps and calling it a day. Best practices are constantly evolving, especially in the web security space where the bad guys are constantly coming up with new ways to wreak havoc. Stick to these tips, and check back regularly to keep on top of the latest trends!

Products Used