The risk of cybersecurity breaches continues to threaten businesses of all sizes. Even established websites can be vulnerable without the implementation of proper security measures.

We’ve addressed this ever-present issue by outlining nine essential steps—each easily adopted by non-technical people—that empower users to take control of their website’s security.

From establishing a routine for regular backups and software updates to utilizing strong passwords and multi-factor authentication, these guidelines provide a simple checklist that anyone can adopt.

Moving beyond the basics, these experts also propose best practices for mitigating lesser-known vulnerabilities. By incorporating these comprehensive measures, business leaders can significantly enhance their website’s defenses and safeguard their valuable data.

CREATE MULTIPLE SITE BACKUPS

Business leaders should make multiple backups if they want to keep their sites safe from cybercriminals. You can take many steps to prevent hackers, but if one does get through your line of security, a backup can quite literally save the day and all of your hard work.

The best part is, you don’t need to be a tech expert to do this. There are plugins and other software that you can buy that can quickly and easily backup your site to their server and your computer. Once you’ve invested in one of these tools, store the data on an external hard drive and keep it somewhere safe. This extra peace of mind will make it easier to operate without fear of hackers or other bad actors.

Syed Balkhi, founder, WPBeginner

INSTALL A SECURITY PLUGIN

One absolute must-have on your checklist is a strong security plugin. If you use a website builder like WordPress, look for a well-respected option like Wordfence. Think of it as an automated guard for your website—even with the free version on its default settings, it will block a surprising number of everyday hacking attempts.

Don’t worry; you don’t need to be a tech genius to set this up. In your admin dashboard, go to “Plugins,” click “Add New,” and search for “Wordfence.” Install it, and click “Activate.” That’s it for now. Tuning some settings will give you even more security if you know what you’re doing, but even the plugin’s default settings provide a big security boost compared to not having it at all.

Juliet Dreamhunter, founder and AI strategist, Juliety

ENABLE REGULAR SOFTWARE UPDATES

Regular software updates are essential. Non-technical business leaders should ensure that all software, including the website’s content management system (CMS), plugins, and any third-party integrations, are kept up to date.

This is crucial because updates often contain security patches that fix vulnerabilities hackers could exploit. They can typically take action by enabling automatic updates whenever possible or regularly checking for updates through the CMS dashboard and promptly applying them.

Alex Uspenskyi, founder and CTO, Elai

Adopt Zero Trust principles

Business leaders should embrace the concept of Zero Trust. Zero Trust is a security concept which means requiring strict verification measures from anyone and anything, anywhere, whether within or outside the organization and its perimeter. It reinforces identity verification, controlled and secure access to resources on a need-to-know basis, and continuous monitoring from all fronts. It also works around the principle of constant vigilance, encouraging a high-alert environment regarding breaches to avoid complacency.

Trevor Horwitz, CISO, TrustNet Inc.

USE STRONG PASSWORDS AND MFA

One essential aspect of web security that often gets overlooked by non-technical business leaders is the critical importance of using a strong, unique password for every online service (especially for your website’s administration panel) and employing multi-factor authentication (MFA) wherever possible.

It might seem daunting, especially if you’re not particularly tech-savvy, but taking action on password security is simpler than expected. Non-technical users should leverage password managers, which can generate and store complex passwords for every account. This means you don’t have to memorize any complicated strings of characters, yet your accounts each have a unique key to their locks. Adding an additional layer of security, MFA—which typically requires a code from your phone in addition to your password to log in—significantly reduces the chances of unauthorized access, even if someone manages to guess or steal your password.

In concrete terms, consider the case of a small retail business that transitioned to e-commerce. Despite their efforts in cybersecurity, they hadn’t emphasized the importance of unique passwords or MFA among their staff. This oversight led to an attacker obtaining one employee’s credential, which was reused across several platforms. The fallout was immediate, with unauthorized access to sensitive company data.

However, after implementing a policy of unique passwords stored in a manager and required MFA for access, there have been no similar incidents. This shift not only safeguarded them against further attacks but also served to build greater trust with their clientele by demonstrating a commitment to security.

CHANGE DEFAULT ADMIN LOGIN URL

Updating your default login URL is one way of protecting your website from automated attacks. If your website is built using WordPress, the login URL is undoubtedly your site name, followed by /wp-admin. It’s the same for most off-the-shelf content management systems, including Magento and Shopify.

Knowing this puts a hacker one step closer to gaining access to your site. Using a free plugin, it’s relatively straightforward to change the default URL to something harder to guess. Adding this to your web security checklist will improve your site’s security posture.

Craig Bird, managing director, CloudTech24

VALIDATE WEB FORM INPUTS

Web forms, such as those used for contact information or customer feedback, can be vulnerable to SQL injection and other forms of injection attacks if not properly secured. Protecting against these requires validating and sanitizing all user input.

For non-technical leaders, this might sound challenging, but many website-building platforms and plugins automatically handle much of this security. Ensuring that your site uses reputable, regularly updated plugins for web forms can mitigate this risk without requiring you to code.

Alari Aho, CEO and founder, Toggl Inc

RUN WEEKLY SECURITY SCANS

Implement a recurrent, free scanner that checks every week for new and older vulnerabilities, and rates the site’s security score. Scanner.blacksight.io is a free, industry-leading scanner that lets people scan their main production site for free and automatically reports on a weekly basis. The reason is that sites and content change fast; a business needs to check its production sites constantly to catch security issues quickly.

Yves Soete, principal DevSecOps engineer, Blacksight.io

ENSURE SECURE REMOTE SERVER ACCESS

A website needs to be secure. This includes securing access to the hosting infrastructure.

Today, websites are generally hosted on remote cloud servers. Administrators and content creators need access to that infrastructure. This access can be a substantial vulnerability.

Traditionally, ports are opened in the firewall so people can access the resources remotely. Then, they rely on password authentication to control who gets in. Bad actors scan these open ports 24/7, trying every compromised password in the book. Anyone who has seen a web server’s log can attest to this.

A better solution is to use a more modern approach where the web server initiates the connection outbound. This way, no open ports are required in the firewall, and only those who need access can get back in. Modern VPN protocols like WireGuard make this easy.

Configuring WireGuard can be laborious. However, third-party tools exist to automate management and make the remote server as easy to work with as one on your LAN, while also keeping it tightly restricted to the three people who actually need access.

Peter Carroll, founder, The Netrinos Network