Protect your website
Your website is important to your business. It also contains business and customer information that is valuable to cyber attackers. Take steps to protect it, starting with these four:
Protect your website checklist
Taking the four steps above is a good start in protecting your website, but working your way through the full checklist will make your business data and customer information even more secure.
Steps to work through yourself:
- Create a long and strong login password for your website that is different from any used for other services. We recommend a passphrase of four or more words.
Creating good passwords External Link
- Turn on two-factor authentication (2FA). 2FA verifies you are who you say you are, by asking for a second piece of information (often a code) as well as your password. This adds an extra layer of security.
Implementing 2FA External Link
- Keep your software up-to-date. This includes your content management system (CMS), any plugins or external modules you use, and other items such as your web server.
Apply updates External Link
- Back up your website regularly. Set the backups to take place automatically and store them somewhere secure but easy to get to, such as a locked drawer or cupboard, preferably offsite. Having backups means you can restore your data quickly and easily if it's lost, leaked or stolen.
Backing up your website External Link
- Create an incident plan to guide you if something goes wrong. This should include your IT and communications support people's contact details. Having a plan will help you minimise the impact of an incident and get you back on your feet quickly.
Create an incident response plan External Link
- Report cyber security incidents to CERT NZ. We'll help identify the issue and let you know the steps you can take to mitigate it or prevent it from happening again. We'll also use the information you provide to create advice and guidance for others who might experience the same issues.
Report an incident External Link
Steps to work through with your IT provider:
- Enable HTTPS on all pages, including on your CMS, where you make changes to your website.
Enable HTTPS External Link
- Set up to receive alerts when someone makes changes to the website or CMS.
- Check your CMS periodically to make sure the 2FA and alerts are still configured correctly.
- Follow cyber security best practice when making changes to your website. Ensure your website developer or IT support follows the cyber security techniques outlined in the Open Web Application Security Project (OWASP).
- Check you still need all the plugins installed on your website. If you don't need them anymore, remove them – they make your website an easier target for attackers.
- Get Payment Card Industry Data Security Standard (PCI DSS) compliant. PCI DSS helps ensure that online transactions are safe and secure, and that customers' card data is protected from attackers. Your bank requires your online trading website to be PCI DSS compliant, so talk to them about what's involved.
Get PCI DSS compliant External Link
You're strongly advised not to process any online payments yourself. Use a third party payment gateway provider who is already PCI DSS compliant.
In addition to PCI DSS compliance, there are other important considerations in operating – or preparing to operate – an e-commerce site.