What are some steps I can take to help make sure my RapidWeaver site is secure?

Website security isn’t sexy, but it’s necessary in today’s quickly evolving world of technology. Unfortunately when anyone starts talking about website security, most people’s eyes glaze over with boredom. This is usually due to the mentality “Eh, nothing will happen to my website.” or “My website isn’t big enough for any malicious hacker to care about.” or some similar assumption.

These. Assumptions. Are. False.

The simple fact is anybody who publishes a website online is at risk of having their site hacked, defaced, or infected with malware, regardless of its size or popularity.

Over the past month or so I’ve noticed some posts in the community regarding this very topic:

Due to the above I wanted to take some time to write a quick and easy-to-understand post on some of the most important steps our community of website builders (hey Weavers!) can take to help make sure their websites are safe and secure. :closed_lock_with_key:

Here goes!

1) Host your website with a web hosting provider that takes security seriously.

Web hosting providers are a dime a dozen. The number of providers you can host your website with is seemingly endless! Most people hyperfocus on price when selecting a web hosting provider. Don’t get me wrong, saving money is great! Everyone loves a good deal. However as the old adage goes, “You get what you pay for”.

In most cases, when web hosting providers compete in a race to the bottom regarding price, they sacrifice a lot in security. For example they use outdated web hosting technologies, they don’t offer any security tools for their users, they don’t invest in training their employees on how to help their customers in the event their site gets hacked or infected with malware, etc. Sure you might be paying $2/€2/£2 a month for your web hosting account, but it’s important to ask, “What am I giving up for this $2/€2/£2 hosting?”

Some of the things you should ask when selecting a web hosting provider:

  • Do they offer free SSL certificates?
  • Do they offer any free Malware scanning tools?
  • Do they use updated web hosting technologies? (such as updated versions of PHP, updated versions of their web hosting operating system, webserver, and control panel, etc.)
  • Do they offer support services in the event your website gets hacked or infected with malware?
  • Do they have any documentation listing their security protocols and how they pledge to help keep your website safe?

It’s perfectly fine to reach out to your current or potential new web hosting provider to ask these questions! If they can’t answer them (or answer them satisfactorily) don’t hesitate to move right on along to the next one!

2) Update, update, update!

Out of the box RapidWeaver is a very secure website building platform and we are constantly updating the app with enhancements as well as bug and security fixes which we document on our release notes page here.

We also have a vibrant and talented community of third party addon developers who create amazing themes, platforms, templates, plugins, stacks, and soon to come elements! These addon developers are constantly enhancing and updating their products too!

I love a bit of nostalgia, but I get a bit concerned when I see a support request come in from a community member along the lines of “Hey I’m still using RapidWeaver 4/5/6/7 as well as this addon that hasn’t been supported or developed since 2016, can you help me troubleshoot it?”

We understand updating software can be scary. After all if it’s not broke, don’t fix it! However the problem with this train of thought is that software updates often contain necessary security fixes and code enhancements which are crucial to help keep your website safe and secure!

Bottom line here, don’t be scared to update RapidWeaver and/or any addons that you might have purchased for it. We have an awesome community here that loves to share their knowledge and help out, including sharing their knowledge about any upgrading troubles that might arise!

3) Add an SSL certificate to your site.

Back in the day, the advice used to be if your website didn’t have any account/login system, didn’t accept payments, and didn’t collect/transmit any user information, then it didn’t need an SSL certificate. Today that advice no longer holds true.

Not only does adding an SSL certificate to your website (and forcing it to load over https such as https://www.example.com) help keep it secure, but it also helps improve your SEO (search engine optimization)!

Google started heavily penalizing sites that don’t have an SSL certificate back in the mid 2010’s by marking them as “not secure” and lowering their search rankings (i.e. similar sites that have an SSL certificate will be listed on the search results page before sites that don’t have an SSL certificate, making those non-SSL sites harder to find). But since this post is about security, we won’t focus on SEO.

Back to security, the “how” of how an SSL certificate helps secure your site is quite technical and more than I want to go over in this post. For this one, consider it some good old fashioned “Trust me bro, add an SSL to your site” advice. :fist_right: :fist_left: :muscle:

For anyone that doesn’t have (or doesn’t know if they have) an SSL certificate installed on their website, feel free to leave a comment here on this post and we can help check that for you!
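To check this yourself, the script below is an added example (not part of the original post and not RapidWeaver code) that tests the two things this step asks for: that http:// is redirected to https://, and that the certificate is trusted and not about to expire. The function names and the 14-day warning threshold are assumptions chosen for illustration.

```python
import http.client
import socket
import ssl
import time

def redirects_to_https(status, location):
    """True if a plain-HTTP response sends the visitor to an https:// URL."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")

def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter date, e.g. 'Jan  1 00:00:00 2030 GMT'."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def check_site(host, warn_days=14):
    """Run both checks against a live site; an empty list means no findings."""
    findings = []
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        if not redirects_to_https(resp.status, resp.getheader("Location")):
            findings.append("http:// does not redirect to https://")
    except (OSError, http.client.HTTPException) as exc:
        findings.append(f"port 80 check failed: {exc}")
    finally:
        conn.close()
    try:
        # create_default_context() verifies the chain and the hostname, so an
        # expired, self-signed or mismatched certificate raises an error here.
        ctx = ssl.create_default_context()
        with socket.create_connection((host, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                left = days_left(tls.getpeercert()["notAfter"])
        if left < warn_days:
            findings.append(f"certificate expires in {left} days")
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        findings.append(f"https:// check failed: {exc}")
    return findings

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]) or "OK: HTTPS is forced and the certificate is valid")
    else:  # offline demo on constructed values
        print(redirects_to_https(301, "https://www.example.com/"))
```

Run it with your own hostname as the only argument, for example `python3 check_https.py www.example.com`.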

4) Use SFTP and a strong SFTP password in RapidWeaver’s publishing settings.

In order to publish your RapidWeaver built website so people can actually view it online, it’s necessary to connect to your web hosting account via FTP or SFTP.

FTP stands for File Transfer Protocol and SFTP stands for Secure File Transfer Protocol. These are the protocols that are used to transfer your RapidWeaver built website from your Mac to your web hosting account. In order to make that connection, you have to enter your FTP/SFTP username and password in RapidWeaver’s publishing settings.

If your web host offers SFTP, we 100% recommend using that file transfer method instead of regular old FTP. Like the acronym states, SFTP is secure. With SFTP your file transfer is encrypted during the transfer process. If you are not sure if your web hosting provider offers SFTP, reach out and ask them. If they offer it, use SFTP as your connection method in RapidWeaver’s publishing settings. If your web host doesn’t offer SFTP, consider switching to one that does!

Regarding passwords, it’s important to make sure your SFTP password (or FTP password if you must use FTP) uses a combination of letters, numbers, and symbols… just please no password12345! :stuck_out_tongue_closed_eyes: :-1:

5) Scan your site periodically for any potential problems.

Our final step kinda ties back into step #1 (choose a web host that takes security seriously). A good web host will include some kind of virus or malware scanning tools that you can use to scan your website for any nasties. An even better web host will offer the ability to schedule periodic website scannings so that you don’t have to manually go in and scan the site yourself. An amazing web host will monitor your account in real-time, scanning any file in your web hosting account when it changes and sending an alert if it detects anything suspicious! If your web hosting provider doesn’t offer any of these features, please consider changing to one that does.

If your web hosting provider doesn’t offer any antivirus or malware scanning tools and you must stick with them, below are some free online tools that you can use to scan your site manually:

VirusTotal - https://www.virustotal.com/

Sucuri Site Check - https://sitecheck.sucuri.net/

SiteLock - Free Website Scanner - Check Site Security & Malware | SiteLock

Astra - https://securityscan.getastra.com/malware-scanner

Please note some of the above scanning services offer paid tiers for their scanning, however usually the free tier is a good starting point to check if your site has been flagged for anything suspicious. If anything strange pops up, we recommend sharing the results with your web hosting provider for a closer inspection.

Final thoughts

While the above list is not comprehensive, and doesn’t cover all security threats and scenarios, it does offer simple and valuable initial steps for users to evaluate and enhance the security of their website(s).

Any questions or comments feel free to post them in the comments section here, and as always Happy (and secure) Weaving! :v: