If you’re surfing the internet and want to know how to check whether a website is secure, the simplest answer is to see whether it uses the HTTPS protocol rather than just the HTTP protocol. If you own a website and want to know how to check that it is secure, there are several checks you can make, and it’s advisable to make them regularly.
How to check a website is secure
If you want to check a website is secure, there are six key steps you need to take: check your user accounts, check your scheduled tasks (cron jobs in WordPress), check your activity logs, check your internet traffic, check your search results, and use a website vulnerability scanner.
Check your user accounts
One of the easiest ways to check a website is secure is to keep an eye on your administrator accounts. These are the ones that have the access privileges to do serious damage to your website. For this reason, you should have the minimum possible number of administrators (most SMBs are really only likely to need a couple). You should also move quickly to revoke their access if they leave the company (even if it’s on good terms).
Never let any of your internal users share their login details. If someone needs temporary access to your website, then set them up with their own account. This may seem tedious but it’s vital to keeping effective track of who does what, when, and why. Implement two-factor authentication if at all possible (on WordPress it’s as easy as adding a plugin) and have an enforceable policy that people must use strong passwords.
If you limit the number of genuine administrators, then it should be easy to spot any unauthorized administrator accounts popping up. These should be massive red flags that your website’s security has been breached.
Check your scheduled tasks (cron jobs in WordPress)
Similar comments apply here. If you know what tasks are scheduled regularly, then it should be easy for you to pick up on anything unusual. You then need to check whose access was used to set up the task. If you recognize the user as legitimate, then go and check with them whether or not they remember setting up the task. If they don’t, then their account may have been compromised.
If you don’t recognize the user then check your records to see if someone has set up a new administrator (and if so who and why). If there is no record of the administrator being created, then you have a major red flag.
Check your activity logs
Your activity logs will depend on your host and your content management system. What’s more, sometimes they will be enabled by default and sometimes you will need to take steps to activate them. If you’re using WordPress, the WordPress activity log tracks pretty much everything which happens on your website.
If you’re not using WordPress, you should still have some sort of log which keeps track of login activity and another which keeps track of errors. It’s recommended to keep an eye on both. In addition to safeguarding your security, they can provide useful information about your website’s performance.
On that note, be careful what information you give away with your error messages. Usually, the best way to implement them is to give each error a code that can be referenced internally so your staff can deal with the problem. Tell the visitor the absolute minimum they need to know about what the issue is and what steps, if any, they need to take.
Check your internet traffic
Once you have established a baseline for your web traffic then pay close attention to any deviations from it and if you see any, investigate immediately. For example, a sudden spike in traffic could mean that your site is being probed by bots or undergoing a denial-of-service attack. A sudden drop in traffic could mean that your visitors are being diverted elsewhere or advised to avoid your site as it has been flagged for lack of security.
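One way to automate the baseline comparison described above, as an added example that is not part of the original article: it counts requests per hour from access-log lines in Common/Combined Log Format and flags hours far above or below the median for that hour of day. The thresholds (3x and 0.3x), the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Timestamp of a Common/Combined Log Format line, e.g. [10/Mar/2024:13:05:12 +0000]
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}):\d{2}:\d{2} [+-]\d{4}\]")

def hourly_counts(lines):
    """Requests per hour bucket; lines without a parsable timestamp are skipped."""
    counts = Counter()
    for line in lines:
        m = TS_RE.search(line)
        if m:
            counts[datetime.strptime(m.group(1), "%d/%b/%Y:%H")] += 1
    return counts

def baseline_by_hour(counts):
    """Median request count for each hour of day across the baseline days."""
    per_hour = defaultdict(list)
    for bucket, n in counts.items():
        per_hour[bucket.hour].append(n)
    return {h: median(v) for h, v in per_hour.items()}

def deviations(baseline, current, start, end, spike=3.0, drop=0.3):
    """Flag hours in [start, end] far above or below baseline (thresholds assumed)."""
    alerts, bucket = [], start
    while bucket <= end:
        expected = baseline.get(bucket.hour, 0)  # hours with no baseline are skipped
        seen = current.get(bucket, 0)            # an hour with no log lines counts as 0
        if expected and not drop * expected <= seen <= spike * expected:
            alerts.append((bucket, "spike" if seen > expected else "drop", seen, expected))
        bucket += timedelta(hours=1)
    return alerts

def sample_lines(day, hour, n):
    # Constructed access-log lines (documentation IP range, made-up paths).
    return [f'203.0.113.7 - - [{day:02d}/Mar/2024:{hour:02d}:{i % 60:02d}:00 +0000] '
            f'"GET /page{i} HTTP/1.1" 200 512' for i in range(n)]

# Constructed data: three normal days with 100 requests/hour from 09:00 to 11:59 ...
NORMAL = [l for d in (1, 2, 3) for h in (9, 10, 11) for l in sample_lines(d, h, 100)]
# ... then a day with a spike at 09:00, a normal 10:00 and no traffic at all at 11:00.
TODAY = sample_lines(4, 9, 450) + sample_lines(4, 10, 95)

def check_today():
    base = baseline_by_hour(hourly_counts(NORMAL))
    return deviations(base, hourly_counts(TODAY),
                      datetime(2024, 3, 4, 9), datetime(2024, 3, 4, 11))
```

Walking the whole monitored window hour by hour, rather than only the hours present in the log, is what lets a complete loss of traffic show up as a drop.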
Check your search results
Remember that the search engines also know how to check whether a website is secure, and they will flag up any issues they find. Try searching for your site and seeing what they say about it.
Use a website vulnerability scanner
While the checks mentioned so far are all very useful and should be carried out daily if possible (at least weekly), a website vulnerability scanner can perform checks at a much deeper level.
There are several website vulnerability scanners on the market, each with its own specific options. As a minimum, however, they should offer anti-malware scanning and a firewall for your website applications. These are both fundamental to keeping your website secure.
Additionally, it’s strongly advisable to use a robust anti-malware product to protect the devices you use to access your website (and hosting and FTP/sFTP server).