InnerWorks Logo
Return to main siteReturn to main site

Website Security Checklist: The 4 Basics

Website Security Checklist: The 4 Basics

Jessica Redman

21 Oct 2021 • 4 min read

These crucial tips should cover the basics for in-house monitoring of solutions to prevent any pesky issues!

Innerworks is coming soon...

This blog was originally published on our previous Cogworks blog page. The Cogworks Blog is in the process of evolving into Innerworks, our new community-driven tech blog. With Innerworks, we aim to provide a space for collaboration, knowledge-sharing, and connection within the wider tech community. Watch this space for Innerworks updates, but don't worry - you'll still be able to access content from the original Cogworks Blog if you want. 

There are little to no boundaries on how we build websites today.

With so much emphasis on personalisation and data collection, businesses need to move quickly to keep solutions updated with the dynamic, rich user experiences customers expect. 


Third-party API integrations and custom APIs allow website owners to build quickly and efficiently, whether that’s through connecting to an existing service or developing a custom one.

Now, businesses are veering towards the use of MACH architectural principles across their tech stacks. When you adopt MACH architecture you don’t have to start a (very expensive) fresh every so often. Why? When you take on digital projects with MACH ideals in mind, everything you introduce to your Stack is completely flexible, pluggable, scalable, and replaceable!

In an era of MACH culture, where it’s expected to use several external providers at any one time, keeping up with security has never been more critical. 


Website security checklist.

1. Update.

  • Ensure that all software, including any plugins that you use for your solutions, is updated often. These updates usually contain bug fixes and security updates.

2. Scan.

  • Look for security issues and vulnerabilities with your setup using widely available online tools. For development teams, I recommend Analyse your HTTP response & SSL Server Test (Powered by Qualys SSL Labs. Both have a basic user interface, but they do the trick, and they should not be underestimated as a powerful way to test your browser and server.

  • For a comprehensive look at your site, take advantage of Dynamic Application Security Testing (DAST) scanning tools recommended by The Open Web Application Security Project (OWASP). The OWASP is a fantastic nonprofit foundation that works to improve software security for corporations, foundations, developers (and digital agencies like us). Being an OWASP partner benefits our internal operations and client projects thanks to the quality of resources (and regularity) of events available to our team.

Pro-tip: Most tools will come with ways to overcome security issues and vulnerabilities, so don't forget to take action from the report results!

3. Monitor.

  • Check your server. Server-level monitoring is a key function of any IT operation. It measures the level of server uptime, reliability, performance and more. If you're using Cloud, ensure you utilise all the analytics possibilities and suggestions from the provider itself - they can be handy. We use a leading monitoring service, UptimeRobot, to tell our clients when their site is down.

  • Check your apps. Application monitoring involves looking at your internal application code in detail so that you can ensure your site is well-optimised and performing as it should. This might mean looking at low-level code checks, an application log analysis or performing automatic static code analysis. Establish the metrics that are important for your organisation and measure them. (For developers, tools like Dynatrace or Locust are great tools if you want to introduce benchmarking practices into your codebase).

  • Consider user audit monitoring. It's better to know how an error or a leak occurred so you can prevent it next time. By monitoring users' actions within your systems, you build a log of events that can help to understand the bigger picture.

  • Don't forget UX. You can monitor your UX with tools like HotJar that use heat maps that give UX experts the bigger picture before taking action.

  • Use Chrome Lighthouse reports to identify how well a website performs over time from a speed, SEO and accessibility perspective.

4. Prevent

  • Change your CMS "defaults", such as any backoffice URLs, so that they do not expose tools and software used! 

  • Back up your files and systems regularly.
    Don't use weak and the same passwords and not share them explicitly with anyone. (1Password is our team's secret and secure way of communicating).

  • Use Web Application Firewall, your hosting provider/Cloud, or use tools like Cloudflare, Fastly and Akamai to ensure your site is protected.


The takeaway.

If you're monitoring your solutions in-house, these essential tips should cover the basics that you need to ensure you don't get any nasty surprises. We offer bespoke support plans for essential enterprise clients using a custom CMS or Umbraco. If you'd like to know how this service might be able to help you, get in touch below.

Community tech aid

Innerworks and Cogworks are proud to partner with Community TechAid who aim to enable sustainable access to technology and skills needed to ensure digital inclusion for all. Any support you can give is hugely appreciated.