Protect your website

Your website is important to your business. Make sure you protect it, and your customer's data, from cyber attackers.

We regularly get reports of websites that have been compromised. Like many cyber security issues, just taking a few basic measures is the best way to keep your website safe.

Secure the data across your website

Browser window showing www.cert.govt.nzYour customers trust you to keep their information safe – including the communication that you have with them. An easy way to do this is to make sure your website uses HTTPS everywhere – this includes on the content pages of your website and also the areas behind the scenes, like where you log in to make updates. For example, if your website uses WordPress, make sure HTTPS is enabled on the login page to your content management system (where you update your website).

HTTPS gives your website added security and privacy. It keeps the information transferred between you and your customers confidential by encrypting it. This encryption means that only the person using your website can see the information that’s being shared, and no one else along the way. This stops attackers from getting login details or credit card information when customers submit that data on your site.

We recommend you use HTTPS across your whole site. Google Chrome adds ‘not secure’ at the top of the browser on any page that is not using HTTPS. To protect customer information you must use it wherever you are sending sensitive information like on the control panel when you login, or on the form customers fill out when they’re buying your goods.

Benefits of making your website use HTTPS


Automate software updates and domain renewals

Phone screen with renewal reminder

Running a business is hectic - you’ve got heaps of things to remember, from payroll to ordering. Make it easier by setting everything for your website that you can to update automatically. Whether it’s automatically renewing your domain name, updating your software or making backups; you can set and forget and focus on other areas, like converting more customers.

Every piece of software needs to be updated and most companies work hard to make sure any security holes are fixed in each software update.  As the business owner, it’s your responsibility to make sure the software is updated. This includes things like plugins on your content management system and your web server. If you set these to update automatically, you can rest easy knowing they’re done.

Ask your domain provider about auto-renewing your domain. This means that your domain won’t expire, so no one else can get their hands on it. Most domain providers let you auto renew your domain so you don’t have to worry about it, you can also set up automated payments to make this easier.

Some scammers quickly buy domains from owners who are busy and might not be paying close attention to renewal notices. They then take advantage of your website address and set up their own scam website selling fake goods or serving malware.

Domain Name Commission's advice for domain holders [PDF,534KB] External Link


Do regular backups

Graphic showing data being backed up to the cloud

Even with the best laid plans, things can go wrong. Sometimes it’s because the latest stock order is running late and sometimes it’s because something goes a bit peculiar with your website. Having a recent backup of your website is invaluable if something goes wrong. They’re most useful if they’re recent and cover both the pages themselves and any data your website holds, like customer databases.

Backups help keep you ready in case something goes wrong that is hard to plan for, for example your web server might get hit with ransomware and stop responding, or your website could be compromised. If this happens, backups are the best option to get back on your feet.

It can also save you hours fixing a mistake (if you accidentally delete a section) or from losing your website if there’s an attack. Contact your provider about how they work and make sure they’re run automatically.

Read our recommendations for backing up your website.


Regularly review your website

Computer screen showing reporting incidents page on www.cert.govt.nzIt seems pretty obvious, but one of the best ways to keep your website safe is to keep an eye on it. When you check your website regularly, you’re familiar with what’s on it and it makes it easier to notice when something’s out of place. For example, if you notice some weird content that you didn’t put there, someone else might have access to your website and is using it to host bad content.

In another example, if you notice that your web sales for the month have dropped off unexpectedly, someone may have gained access and modified your website, making payments go to their account.


Top ten tips to protect your website

There are several things to do to keep your website safe. Below we’ve provided our top ten tips to keep your website secure. You can use this list below as a checklist to help keep your website, and your customers’ information, safe and secure:

  1. Make sure your login password is long and strong and different from any other service you use.
  2. If two-factor authentication is available, turn it on! This adds a second layer of security, by asking for a second action (often a code) after a password to check you are you.
    Using two-factor authentication.
  3. Keep your software up-to-date – this includes your admin section, any plugins or external modules you use, and any other areas you look after (e.g. your web server).
  4. Create a plan for what to do if something goes wrong, including your key contacts for IT and communications support. The plan will help you minimise the impact and get back on your feet.
    Develop your incident response plan.
  5. If you have a security incident, report it to CERT NZ so they can advise you on your next steps. They’ll also use the information to create preventative advice for others.
    Report an incident.

    You may need to work with your provider to complete the following security tips:
  6. Enable HTTPS on all of your pages, including on your admin panel where you log in to make changes.
  7. Logs record the actions that people take when they access your website or server. Set them up to record when someone accesses the content management system or changes the files.
  8. Occasionally check that the logs are still working as they were set up. Once they gain access, attackers often turn the logs off so that you won’t be able to track them.
  9. If you make changes to your website, follow security best practice – ask your developers or IT support provider to follow the security techniques called OWASP.
  10. Check you still need all the plugins you have installed on your website. If you don’t need them anymore, remove it. They’re easy targets for attackers.

Download our checklist [PDF, 166 KB]