Website Security Checklist: The 4 Basics

If you're monitoring your solutions in-house, these essential tips should cover the basics that you need to ensure you don't get any nasty surprises.

There are little to no boundaries on how we build websites today. 

With so much emphasis on personalisation and data collection, businesses need to move quickly to keep solutions updated with the dynamic, rich user experiences customers expect. 

Third-party API integrations and custom APIs allow website owners to build quickly and efficiently, whether that’s through connecting to an existing service or developing a custom one. 

Now, businesses are veering towards the use of MACH architectural principles across their tech stacks. When you adopt MACH architecture you don’t have to start a (very expensive) fresh every so often. Why? When you take on digital projects with MACH ideals in mind, everything you introduce to your Stack is completely flexible, pluggable, scalable, and replaceable!

In an era of MACH culture, where it’s normal to use several external providers at any one time, keeping up with security has never been more important. 

Website security checklist.


1. Update.

  • Ensure that all software, including any plugins that you use for your solutions, is updated often. These updates usually contain bug fixes and security updates.


2. Scan.

  • Look for security issues and vulnerabilities with your setup using widely available online tools. For development teams, I recommend Analyse your HTTP response & SSL Server Test (Powered by Qualys SSL Labs. Both have a basic user interface, but they do the trick, and no should not be underestimated as a powerful way to test your browser and server.


  • For a comprehensive look at your site, take advantage of Dynamic Application Security Testing (DAST) scanning tools recommended by The Open Web Application Security Project (OWASP). The OWASP is a fantastic nonprofit foundation that works to improve software security for corporations, foundations, developers (and digital agencies like us). Being an OWASP partner benefits our internal operations and client projects thanks to the quality of resources (and regularity) of events available to our team. 

Pro-tip: Most tools will come with ways to overcome security issues and vulnerabilities, so don't forget to take action from the report results!


3. Monitor.


  • Check your server. Server level monitoring is a key function of any IT operation. It measures the level of server uptime, reliability, performance and more. If you're using Cloud, ensure you utilise all the analytics possibilities and suggestions from the provider itself - they can be handy. We use a leading monitoring service, UptimeRobot, to tell our clients when their site is down.


  • Check your apps. Application monitoring involves looking at your internal application code in detail so that you can ensure your site is well-optimised and performing as it should. This might mean looking at low-level code checks, an application log analysis or performing automatic static code analysis. Establish the metrics that are important for your organisation and measure them. (For developers, tools like Dynatrace or Locust are great tools if you want to introduce benchmarking practices into your codebase). For more on the technical stuff, check out The Importance of Modern Web Performance Testing


  • Consider user audit monitoring. It's better to know how an error or a leak occurred so you can prevent it next time. By monitoring users actions within your systems, you build a log of events that can help to understand the bigger picture.


  • Don't forget UX. You can monitor your UX with tools like HotJar that use heat maps that give UX experts the bigger picture before taking action. 


  • Use Chrome Lighthouse reports to identify how well a website performs over time from a speed, SEO and accessibility perspective. We've put together a mini guide for developers and people that know their stuff on how to use Chrome Google Lighthouse reports.

4. Prevent.

  • Change your CMS "defaults", such as any backoffice URLs, so that they do not expose tools and software used! 

  • Back up your files and systems regularly.
  • Don't use weak and the same passwords and not share them explicitly with anyone. (1Password is our team's secret and secure way of communicating).

  • Use Web Application Firewall, your hosting provider/Cloud, or use tools like Cloudflare, Fastly and Akamai to ensure your site is protected.


The takeaway.

If you're monitoring your solutions in-house, these essential tips should cover the basics that you need to ensure you don't get any nasty surprises. We offer bespoke support plans for essential enterprise clients using a custom CMS or Umbraco. If you'd like to know how this service might be able to help you, get in touch below.

  • Image for 3 Ways to Win Consumer Trust With Your Website Strategy

    3 Ways to Win Consumer Trust With Your Website

  • Image for Keeping Up With Digital Transformation Build

    Keeping Up With Digital Transformation

  • Image for How to Use Google Chrome Lighthouse for Better Web Performance Build

    How to Use Google Chrome Lighthouse for Better Web Performance

  • Image for Azure Resource Naming Tips 2022 Build

    Azure Resource Naming Tips 2022

Ready to collaborate ?

Get in touch to see how we can transform your digital presence.

Send us a message