For small businesses, having a secure website is not just about maintaining a professional image—it is essential for protecting your business and your customers. With cyber threats evolving, it is important to ensure your website is fortified against attacks that could compromise sensitive information, damage your business reputation, or lead to financial loss. This fact sheet provides practical guidance on website security measures, helping small business owners safeguard their online presence and build trust with their audience. By taking proactive steps, you can minimise risks and maintain a secure, resilient digital front for your business.
Securing your business website is crucial, regardless of the platform you use. Whether your site is built with WordPress, Wix, Shopify, or custom code, the following best practices can help protect your business, data, and customers.
This fact sheet will address the following:
Guidance Note:
Please note, this fact sheet is quite long. It provides general advice and guidance about some of the more common web platforms available (such as WordPress, Shopify, Wix etc.). Prior to making any changes, we also recommend backing up your website. You may also find some suggestions regarding specific companies or solutions to meet your needs. Please note that IDCARE does not have any financial interest in these organisations, and they are recommended purely in the interests of supporting your cyber resilience.
Backing up your website means storing copies of your site’s files and database so you can restore it if it’s compromised. If you use a website builder (such as those listed below), exploring the settings or admin panel may let you set these up automatically.
Our Advice:
Use a backup service offered by your hosting provider or a third-party plugin/tool. Ensure backups are automatic and stored separately from your live site.
Specific advice regarding common platforms:
WordPress
Backup Plugins:
Use plugins like UpdraftPlus or BackWPup to automate regular backups. Store backups offsite, such as in cloud storage.
More information can be found on the WordPress developer webpage.
Shopify, Wix, Squarespace
Automatic Backups:
Some platforms provide automatic backup options; check under your site’s settings. Alternatively, use third-party apps like Rewind for Shopify.
For more information – see online content for Shopify, Wix and Squarespace in relation to website backup procedures.
Note that the Wix page clearly states that backups occur automatically, while for Squarespace the only option is to keep a duplicated copy of the site.
HTTPS ensures that data transmitted between your website and users is encrypted, protecting sensitive information like passwords and payment details.
Our Advice:
Purchase and install an SSL certificate from a trusted provider, or check whether your web host offers one for free. This will allow your site to be served over HTTPS.
Specific advice regarding common platforms:
WordPress:
Free SSL Certificates:
Many hosting providers offer free SSL certificates via Let’s Encrypt. You can also use plugins like Really Simple SSL to enforce HTTPS across your site.
Shopify, Wix, Squarespace:
Automatic SSL:
SSL is automatically provided with your plan. Make sure your site settings enforce HTTPS and check your dashboard for any certificate errors.
Custom-Built Websites
Install SSL via Hosting Provider:
Acquire and install an SSL certificate through your hosting provider’s control panel (e.g., cPanel). Update your .htaccess or server configuration to force HTTPS.
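For a custom-built site on an Apache host, the "force HTTPS" step usually means a few lines in the site's .htaccess. The snippet below is an added example, not part of the IDCARE fact sheet; it assumes mod_rewrite is enabled (it is on most cPanel hosts) and that the certificate is already installed. The HSTS line goes a step beyond the text: once you are sure every page works over HTTPS, it tells browsers to stop trying plain HTTP for a year.

```apache
# Added example (not from the fact sheet): force HTTPS via .htaccess on Apache.
# Assumes mod_rewrite is available and the SSL certificate is already installed.
RewriteEngine On

# Redirect any request that did not arrive over HTTPS to the same URL on https://
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Optional hardening beyond the redirect: HTTP Strict Transport Security (HSTS).
# Only enable this after confirming the whole site loads correctly over HTTPS,
# because browsers will refuse plain-HTTP access for max-age seconds (one year here).
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>
```

One caveat to check before deploying: if a CDN or proxy such as Cloudflare terminates TLS in front of your server, the server may see every request as plain HTTP and `%{HTTPS}` will never be `on`, producing a redirect loop. In that setup, condition the rewrite on the proxy's `X-Forwarded-Proto` header instead, or enable the "always use HTTPS" setting in the CDN's dashboard and leave the redirect to it.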
Outdated software, plugins, or themes can have vulnerabilities that hackers exploit.
Our Advice:
Regularly check for and install updates provided by your CMS (e.g., WordPress), e-commerce platform (e.g., Shopify), or web hosting provider. Enable automatic updates where possible.
General Best Practices – Keeping Plugins up to date
Regular Monitoring:
Set a schedule to check for updates, either weekly or bi-weekly, depending on the complexity of your site and the number of plugins.
Use Security Plugins:
Install security plugins (e.g., Wordfence for WordPress) that monitor your site for outdated plugins and alert you when updates are needed.
Backup Before Updating:
Always back up your site before performing any updates, especially for critical plugins or apps, to ensure you can restore it if anything goes wrong.
Specific advice regarding common platforms:
WordPress
Dashboard Updates:
Go to Dashboard > Updates. WordPress will show you if any of your plugins have updates available. You can select all and update them in bulk or individually.
Plugin Page:
Navigate to Plugins > Installed Plugins. Each plugin that needs an update will display a notification. Click on Update Now next to each one.
Automatic Updates:
Enable automatic updates for plugins to keep them current without manual intervention. In the plugin list, click Enable Auto-Updates next to the plugins you want to keep automatically updated.
Shopify
App Updates:
Shopify apps (plugins) update automatically in most cases. However, some apps may notify you if manual updates are needed. Check the Apps section in your admin dashboard for any update alerts or messages.
App Developer Support:
If an app doesn’t update automatically, contact the app developer through the Apps section for guidance. It’s also a good idea to check if the app is still supported and maintained regularly.
Wix
App Market Updates:
Apps in Wix usually update automatically. However, check the Apps section for any notifications indicating that an update or action is required on your part.
Custom Code:
If you use custom code with Velo by Wix, review your code periodically to ensure that any external libraries or APIs you rely on are up to date. This may involve manually updating the code within your dashboard.
Squarespace
Automatic Updates:
Squarespace extensions update automatically. Ensure your site is using the latest version of each extension by checking the Settings > Extensions section for any notifications or alerts.
Custom Code Blocks:
If you use custom scripts, revisit the source of those scripts (e.g., third-party services) to confirm they are the latest versions. Replace old code with the updated version when necessary.
Custom-Built Websites
Review External Libraries:
If your site uses external libraries or third-party scripts, manually check their documentation or source website for the latest version. This may involve replacing old code with the updated files.
Controlling who has access to your website’s backend and limiting their permissions can reduce the risk of unauthorised changes or data breaches.
Our Advice:
Assign roles carefully (e.g., admin, editor, viewer) and only give access to those who need it; this is called the Principle of Least Privilege: a person should have only enough access to do their job, nothing more. Regularly review and revoke access for former employees or unused accounts.
WordPress
User Roles and Permissions:
Use the built-in User Roles feature to assign minimum necessary permissions. Install plugins like User Role Editor for more granular control.
Shopify, Wix, Squarespace
Admin and Staff Permissions:
Platforms allow user roles with varying permissions. Adjust these under Settings > Staff/Users to limit access to sensitive functions.
Custom-Built Websites
Access Control:
Implement role-based access control (RBAC) in your application. Set permissions in your server environment (e.g., SSH, FTP) to restrict file access.
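For a custom-built site, the two pieces of advice above (least-privilege roles, plus regular review of who still needs access) can both be written down as code. The example below is added here and is not part of the IDCARE fact sheet; the role names, permission strings and the 90-day idle threshold are assumptions, and the account records are constructed sample data.

```python
# Added example (not from the IDCARE fact sheet): a minimal role-based access
# control (RBAC) check for a custom-built site, plus a review helper that flags
# accounts that should be revoked. Role and permission names are assumptions.
from datetime import date

# Each role gets only the permissions its job needs (Principle of Least Privilege).
# There is deliberately no "everything" wildcard: admin lists its rights explicitly.
ROLE_PERMISSIONS = {
    "viewer": {"content:read"},
    "editor": {"content:read", "content:write"},
    "admin": {"content:read", "content:write", "users:manage", "settings:write"},
}


def has_permission(role, permission):
    """Deny by default: an unknown role or an unlisted permission gets no access."""
    return permission in ROLE_PERMISSIONS.get(role, set())


def accounts_to_review(accounts, today, max_idle_days=90):
    """Return (name, reason) pairs for accounts that should be revoked or re-checked.

    Flags former employees first, then accounts nobody has used for
    more than max_idle_days (an assumed threshold; pick one that fits your business).
    """
    flagged = []
    for acct in accounts:
        if not acct["current_employee"]:
            flagged.append((acct["name"], "former employee"))
        elif (today - acct["last_login"]).days > max_idle_days:
            flagged.append((acct["name"], "unused account"))
    return flagged


# Constructed sample accounts for the review helper (not real people).
SAMPLE_ACCOUNTS = [
    {"name": "alice", "role": "admin", "current_employee": True, "last_login": date(2024, 5, 20)},
    {"name": "bob", "role": "editor", "current_employee": False, "last_login": date(2024, 5, 1)},
    {"name": "carol", "role": "viewer", "current_employee": True, "last_login": date(2023, 11, 2)},
]


if __name__ == "__main__":
    print("editor may manage users:", has_permission("editor", "users:manage"))
    print("admin may manage users:", has_permission("admin", "users:manage"))
    for name, reason in accounts_to_review(SAMPLE_ACCOUNTS, date(2024, 6, 1)):
        print(f"review {name}: {reason}")
```

Run the review function from a scheduled task and act on its output; the point is that "regularly review access" becomes a list you actually receive, rather than something remembered occasionally.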
Additional Guidance:
For WordPress and custom solutions, you’ll also need to ensure you have restricted access to the admin area of your site.
WordPress
Restrict access to https://mysite.com/wp-admin, for example with plugins like IP Whitelist (to allow only specific IP addresses) or WP Limit Login Attempts (to block repeated failed logins). The admin page should never be accessible by the public.
Custom-Built Websites
Secure cPanel access by implementing IP whitelisting through firewall rules and using a strong password policy along with two-factor authentication if available.
A web application firewall (WAF) helps block malicious traffic, while security monitoring tools scan for vulnerabilities or suspicious activity.
Our Advice:
Many hosting providers offer WAF services, or you can use third-party solutions. For further information, please contact your provider. Additionally, install security plugins or monitoring tools specific to your platform to receive alerts and reports.
WordPress
Firewall Plugins:
Plugins like Wordfence or Sucuri Security offer firewall functionality. Install and configure them to monitor and block malicious traffic.
Shopify, Wix, Squarespace
Third-Party Services:
Use services like Cloudflare for firewall and monitoring protection. These services operate independently of platform constraints and monitor traffic and vulnerabilities.
Custom-Built Websites
WAF Integration:
Services like Cloudflare or Sucuri can be integrated with your site. You may also install and configure a firewall directly via your server’s control panel (e.g., cPanel, Plesk).
CAPTCHAs are used to verify that form submissions come from human users rather than automated bots, protecting your site from spam and malicious attempts to access your system.
Our Advice:
Use CAPTCHA tools on forms such as login, registration, and contact forms to prevent automated attacks. Most platforms have built-in CAPTCHA options or plugins you can easily enable.
Cyberattacks like SQL injection and Cross-Site Scripting (XSS) exploit input fields (e.g., login forms, search bars) by injecting malicious code. Because this input comes from the user's end, it should never be trusted.
Our Advice:
Make sure your website is set up to validate and sanitise all user input. Most platforms have plugins or built-in settings to help manage this. These tools will ensure special symbols like commas and apostrophes are treated as text and not code.
WordPress
Security Plugins:
Use plugins like iThemes Security or WP Security Audit Log to enforce input validation. Always sanitise and validate custom form inputs.
Weebly, Wix, Squarespace
Platform Protections:
These platforms protect against SQL injection and XSS by default. However, if using custom code (e.g., via Velo in Wix), follow platform security practices for input validation.
GoDaddy Website Builder
Custom Code Review:
If you have embedded custom forms or code, manually validate inputs using GoDaddy's hosting environment. Ensure your forms use parameterised queries if they interact with databases.
Shopify
Built-in Security:
Shopify provides protection for custom forms. Ensure any apps or custom fields use Shopify’s validation methods.
Custom-Built Websites
Server-Side Validation:
Implement parameterised queries and sanitise inputs using your framework's facilities (e.g., in PHP or Node.js) to prevent SQL injection and XSS attacks.
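The three techniques this section names (validate input, use parameterised queries, encode output) are easiest to see side by side. The example below is added here and is not from the IDCARE fact sheet; it uses Python's built-in sqlite3 module and an in-memory database with one constructed user row, so it runs offline. The "unsafe" function is kept only to show what the parameterised version fixes; the username rule is an assumption.

```python
# Added example (not from the IDCARE fact sheet): input validation, a parameterised
# query, and output encoding for a custom-built site. Uses only the standard library.
import html
import re
import sqlite3

# Assumed allowlist for usernames: letters, digits, dot, underscore, hyphen, 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def make_db():
    """Create an in-memory database with one constructed user row (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-placeholder')")
    conn.commit()
    return conn


def is_valid_username(value):
    """Validation step: reject anything outside the allowlist before it reaches SQL."""
    return USERNAME_RE.fullmatch(value) is not None


def find_user_unsafe(conn, username):
    """VULNERABLE: the value is glued into the SQL text, so quotes in it become SQL."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Parameterised query: the driver sends the value separately from the SQL,
    so an apostrophe is just an apostrophe, never part of the statement."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_greeting(username):
    """Output encoding: html.escape turns <, >, &, quotes into entities, so a value
    containing markup is displayed as text instead of being run by the browser."""
    return f"<p>Welcome, {html.escape(username)}</p>"


if __name__ == "__main__":
    conn = make_db()
    # Classic textbook injection string: a stray quote plus an always-true condition.
    probe = "' OR '1'='1"
    print("valid input? ", is_valid_username(probe))
    print("unsafe query:", find_user_unsafe(conn, probe))   # matches alice without her name
    print("safe query:  ", find_user_safe(conn, probe))     # no such username: []
    print(render_greeting("<script>alert(1)</script>"))
```

The order matters for defence in depth: validation rejects obviously bad input early, the parameterised query protects the database even when validation is incomplete, and output encoding protects the visitor's browser regardless of what reached storage. The same three steps apply in PHP (prepared statements with PDO, `htmlspecialchars`) and Node.js (placeholders in the database driver, a template engine that escapes by default).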
Malware can infect your website, compromising data and spreading to site visitors. Regular scanning helps detect and remove threats early.
Our Advice:
Use malware scanning tools or services available through your web host or install security plugins that provide scanning features.
WordPress
Security Plugins:
Install plugins like Wordfence or Sucuri Security for automated malware scanning and monitoring.
Weebly, Wix, Squarespace
Built-in Options and Third-Party Apps:
Platforms often handle basic security monitoring but lack detailed malware scanning. Use third-party services like SiteLock for additional protection.
GoDaddy Website Builder
Security Add-ons:
GoDaddy offers security add-ons, including malware scanning. Check your hosting plan or upgrade options to activate this feature.
Shopify
Security Apps:
Shopify apps like SiteLock provide regular malware scans and monitoring. Check your app settings to enable this feature.
Custom-Built Websites
Scheduled Scans:
Services like Sucuri can be integrated for real-time protection.
CSPs restrict which resources (e.g., scripts, images) your website can load, reducing the risk of certain attacks such as Insecure Direct Object Reference (IDOR) which allow an unauthorised person to access restricted resources on the server or application.
Our Advice:
Set up a CSP in your website’s settings or via a plugin, specifying which domains your site is allowed to load resources from.
Specific advice regarding common platforms:
WordPress
Plugins:
Use HTTP Headers or WP CSP plugins to set up a CSP. These plugins allow you to configure your policy without editing code.
Manual Edit:
Update the .htaccess file or theme’s functions.php to include a CSP header. Always back up your site first.
Weebly, Wix, Squarespace
Platform Limitations:
These platforms restrict direct access to server settings, so CSP implementation might not be possible. Check platform support or third-party apps for CSP options if available.
Shopify
Shopify Apps:
Use apps like Content Security Policy to add CSPs. Review your store settings and consult Shopify support if manual implementation is needed.
Custom-Built Websites
Server Configuration:
Directly edit .htaccess (Apache) or nginx.conf (Nginx) to implement CSP directives. Ensure all headers align with the resources your site uses.
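For the custom-built (Apache) case, the CSP header is a few lines in .htaccess. The example below is added here and is not from the IDCARE fact sheet; it assumes mod_headers is enabled, and the CDN hostname is a placeholder you replace with the domains your site actually loads scripts from. It starts in report-only mode, which is the step most people skip and then regret when an enforcing policy breaks their checkout page.

```apache
# Added example (not from the fact sheet): a starting Content Security Policy via .htaccess.
# Assumes mod_headers is enabled. Replace cdn.example-placeholder.test with the real
# domains your pages load scripts from; everything else is served from your own site.
<IfModule mod_headers.c>
    # Step 1: report-only. Browsers log violations to the developer console but block
    # nothing, so you can find legitimate resources the policy would break.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://cdn.example-placeholder.test; style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"

    # Step 2: once the console shows no violations for real traffic, enforce the same
    # policy by setting this header instead (and remove the report-only line).
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example-placeholder.test; style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
</IfModule>
```

On Nginx the equivalent is a single `add_header Content-Security-Policy "..." always;` line inside the `server` block. In either case, keep the "Ensure all headers align with the resources your site uses" advice literally: every inline script, embedded video or third-party widget needs a matching source in the policy, which is exactly what the report-only phase surfaces.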
Human error is often the weakest link in cybersecurity. Training staff on best practices and warning signs of cyber threats is essential.
Our Advice:
Provide regular training on phishing, password management, and secure access practices. Encourage a culture of security awareness within your business.
For more information regarding web-security for small businesses, IDCARE also recommends ACSC’s guide on how to secure your website.
The ACSC also has some guidance surrounding:
TLS, HTTPS and encrypting web and email traffic. View their guideline here.
DNS and security. View their guideline here.
Preparing for and responding to DDoS attacks. View their guideline here.