Like any system or platform that’s connected to the internet, your website is vulnerable to an online attack. For example, hackers could:
- infiltrate your site to try and steal customer information, or
- use your website to host phishing or other attacks.
How to protect your website
Here's how to keep your website safe and secure.
Secure the data across your website
Your customers trust you to keep their information, and the communication you have with them, safe. An easy way to give your website added security and privacy is to enable HTTPS.
HTTPS keeps the information transferred between you and your customers confidential by encrypting it. This makes it much harder for attackers to get the login details or credit card information customers submit on your site.
Update software and devices
Updates add new features, but they also fix issues or vulnerabilities that allow attackers to get your information. Most software companies work hard to make sure security holes are fixed in each software update.
As the business owner, it’s your responsibility to make sure your website’s software is updated and any security patches are applied. This includes things like plugins on your content management system and your web server. Give yourself one less thing to think about by automating your updates.
Get PCI DSS compliant
If you accept payments online, the Payment Card Industry Data Security Standard (PCI DSS) helps ensure transactions on your website are safe and secure, and that your customers' card data is protected from attackers.
Most banks require PCI DSS compliance when accepting online payments, so talk to yours about what’s involved.
Renew your domain
If your domain name expires, an attacker could claim it and set up their own scam website selling fake goods or serving malware using your business’ name.
Ask your domain provider about auto-renewing your domain.
Manage my domain name – Domain Name Commission
Use a strong and unique login password
Logins are a point of vulnerability for any website. Create a long, strong and unique password for your website's login – we recommend a passphrase of four or more words that aren't based on any personal information.
Turn on two-factor authentication
Any systems you can log into over the internet are susceptible to attack. We strongly recommend adding two-factor authentication (2FA) to your website. That way, an attacker would need your 2FA code as well as your password to access your site.
Back your website up regularly
Having a recent backup means you can restore your data quickly and easily if it’s lost, leaked or stolen, for example if:
- your web server gets hit with ransomware and stops responding
- your website’s compromised by another sort of online attack
- you accidentally delete a section.
Backups are most useful if they’re recent and cover both the pages themselves and any data your website holds, like customer databases.
Ensure you or your provider set backups to take place automatically. It’s preferable to make a couple of copies and store them in different, secure (but easily accessible) places. That way, if one backup is compromised, you have a spare.
Review your website regularly
It seems pretty obvious, but one of the best ways to keep your website safe is to keep an eye on it. The more familiar you are with your website, the more likely you are to spot something that’s out of place, for example:
- the appearance of unfamiliar or unusual content – it might mean someone else has access to your site and is using it to host malicious content
- an unexpected drop-off in online sales – it could mean someone has gained access and modified your website to make payments go to their account.
Understand your privacy obligations
It’s important to be aware of your obligations under the Privacy Act, particularly those about collecting, storing and disclosing customer information.
You're required to include a privacy statement on your website outlining:
- why you collect customer information
- how you use customer information
- how your customers can find out what information is held by your business.
The Office of the Privacy Commissioner (OPC) has a handy Privacy Statement Generator so you can quickly create a privacy statement that's right for your business.
Privacy statement generator – Office of the Privacy Commissioner