#1 Problem With Your Law Firm’s Website
Do you lock your door at night? Do you take precautions when securing your law firm’s building? As a business, you probably take extra care in making sure your physical assets, including your building, property, client info, and everything in between, are secure. But what about your virtual and online assets?
Your law firm’s website is one of the most important online assets you have. For most of your clients and potential clients, it’s the first thing they experience when interacting with your brand and firm. In developing communication and trust, it’s crucial to not only have a good-looking (and working) website, but one that is also secure for you and your visitors. Your design, page speed, content, and everything else are important for your firm’s success. But the root of your success starts with the #1 problem you may be overlooking–your law firm’s website security.
The Importance of Website Security for Your Law Firm
On average, over 30,000 websites are hacked each day. Through Covid-19, the FBI has reported an increase of over 300% in cyber crimes, including website hacks. Small-business websites (including your law firm’s website) are especially vulnerable because they are easy targets for hackers: they often don’t have security measures in place, or a person or process that frequently monitors for issues.
So why does it matter? Having a secure law firm website is important for several reasons:
#1 It Protects Your Customers. As a law firm, the trust you develop with your customers is one of the most important pieces to your business. It’s the reason they become clients, the reason they come back, and the reason why they refer your firm to others. Building their trust starts online, and having a secure law firm website and safe browsing environment is crucial to their experience and willingness to do business with you.
#2 It Protects Your Firm’s Assets. If you have a website, you’re most likely collecting customer information. Taking steps to keep your customer data safe and encrypted is crucial to not only your customers, but to your business. Hackers often target websites to get information, and the easiest information to get on your site is often your customers’. Your customer information is a valuable asset to your business, and protecting it is critical. Another asset that could be under threat is your firm’s physical computers–hackers can not only steal your customers’ information, but they could also install viruses that target local machines. Getting hacked could possibly give hackers more access to your other sensitive data, along with damaging your computers.
#3 It Improves Your Conversion Rates. If a potential customer comes to your website and sees that your law firm website isn’t secure, or gets a warning that it’s not secure, they more than likely will not give their information and bounce. People already have a hard time giving out information (and sensitive information), and not having a secure site can severely impact conversions and overall conversion rates.
#4 It Can Improve Your SEO Rankings. Having an SSL certificate has been a Google ranking factor dating back to 2014. While there are many ranking signals, new data has suggested that the importance of security as a ranking factor has grown. Basically, if you don’t have an SSL certificate and your site exhibits spam flags, you’re going to either lose rankings or get outranked.
10+ Steps to Improve Your Law Firm’s Website Security
Now that we’ve identified how crucial and important having a secure law firm website is, here are some steps you can take to better protect your site:
1. Upgrade to HTTPS/SSL Certificate
Using an SSL certificate helps protect the communication between a visitor’s browser and your server to prevent data from being intercepted or tampered with by hackers. Once you upgrade to an SSL certificate, your website will use HTTPS instead of HTTP, which also provides a badge of trust in a user’s browser–showing that the connection to your website is secure. Your SSL certificate can often be purchased through your hosting provider, especially if you’re using WordPress. Depending on the number of sites, subdomains and security level you need, there are several options that can make sense–your hosting provider often will recommend certain ones over others to fit your needs.
2. Update WordPress, Plugins, and Themes (Frequently)
Updating plugins and themes is crucial to not only functionality, but also security. 90% of WordPress vulnerabilities are related to outdated WordPress versions, plugins, or themes. Other content management systems like Joomla and Drupal have similar vulnerabilities due to their library of extensions as well. The more plugins you have, the more vulnerabilities you could possibly be exposed to. If you’re using plugins, make sure the plugin is reputable and keep up with updates. You can see if your plugins and law firm site have known vulnerabilities here.
3. Use a Security Plugin
If you’re using WordPress for example, having a security plugin can help with additional security measures, along with auditing and monitoring of your site. There are a ton of security plugins available for WordPress, but one of the best and most recommended is “Sucuri”. This free plugin provides you with hardening, malware scanning, email alerts, and more to help add an extra layer of security for your law firm. There are plenty of plugins that can do the same, but again, make sure you are using a reputable source, and one that doesn’t have known vulnerabilities. It may surprise you, but 3 of the top 10 plugins with vulnerabilities are security plugins.
4. Use a Secure Hosting Provider
The type of hosting and WHO you use for a hosting provider matters in speed and support, but also security. It’s important that your law firm is using a hosting provider that offers security measures like firewalls, SSL, site backups, and more. Cheap hosting often comes with cheap service and security–choose wisely.
5. Run Frequent Backups
If for some reason you’re not running backups with your hosting provider, you can also run backups using (yet another) plugin. Backups essentially allow you to reinstall or restore your site if something goes wrong. User error, data corruption, plugins, etc. can cause issues with the site, but so can security threats. Having a backup is just another safeguard in case something does go wrong or your site gets hacked, and you need to restore.
6. Upgrade Passwords
We all know the importance of a strong password for our bank accounts and social channels. And that same mentality should be applied for your law firm’s website passwords. Make sure you are using a strong password not only for admins, but for all users that have access to your site. Upper and lower case characters, letters, numbers, and special characters can all help create a strong password.
7. Upgrade Usernames (Including Admin)
Passwords are important, but people often overlook the importance of a username. Choosing a unique username matters because most people replicate a username across multiple profiles, making it easier for hackers, especially if another profile is compromised. Admins are probably the most targeted here since they hold the keys to the website. The #1 thing that is often overlooked is the default admin profile. Older WordPress sites often list the default admin username as just “admin”. Since a username makes up half of the login credentials, knowing the “admin” username makes it much easier for hackers to gain access.
8. Password Protect or Hide Login Page
If you’re familiar with WordPress, you’re probably familiar with your login page as /wp-admin. You know who else knows that? Hackers. They can easily request your wp-admin folder and login page without any restrictions. Adding additional password protection on your directories and login page on the server side can help block those requests. You can also hide the page, or rename it so it’s not as blatant, which is something we do with our sites.
9. Limit Login Attempts
Brute force attacks often happen when a hacker tries to hack the site by guessing your username and password (which is why #6 and #7 are important). By limiting the login attempts, you can lock users out after failed attempts, thus minimizing brute force attacks. If you’re using WordPress, there are several plugins that can accomplish this–Loginizer and Limit Login Attempts, to name a few.
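The check behind a login limit can also be run against your web server's access log to see who would have been locked out. This is an added example, not code from the plugins named above; it assumes Combined Log Format and that a failed WordPress login answers with status 200 while a successful one redirects (302), and the log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format; a failed WordPress login is a POST to wp-login.php that
# returns 200 (the form is shown again), while a successful one redirects (302).
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')

def find_bruteforce(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was crossed} for IPs with more than
    max_failures failed logins inside any sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != "200":
            continue
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged

def sample_log():
    """Constructed log: 203.0.113.9 fails 8 times in 40 s; 198.51.100.4 fails twice, then succeeds."""
    fmt = '{ip} - - [12/Mar/2024:09:{m:02d}:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" {st} 4521 "-" "-"'
    lines = [fmt.format(ip="203.0.113.9", m=0, s=5 * i, st=200) for i in range(8)]
    lines += [fmt.format(ip="198.51.100.4", m=1, s=s, st=st) for s, st in ((0, 200), (20, 200), (40, 302))]
    lines.append('198.51.100.4 - - [12/Mar/2024:09:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "-"')
    return lines

if __name__ == "__main__":
    for ip, when in find_bruteforce(sample_log()).items():
        print(f"lock out {ip}: threshold crossed at {when.isoformat()}")
```

The user who mistypes a password twice and then logs in stays under the threshold; only the address with a run of failures is flagged.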
10. Hide WordPress Version
Obviously this is only for WordPress law firm websites, but by default the current version of WordPress is displayed in the code on your site. If you’re using an outdated version of WordPress, this alone makes you more vulnerable. And if you’re displaying to the world that you’re using an outdated version, then it’s an easy target for hackers. You can hide the version in your WordPress by making some minor edits to your theme’s files. Best case scenario, hide and frequently update.
11. And 8 More Technical Pieces…
All of the above are somewhat easy fixes/solutions that can be accomplished with little to no coding knowledge. But if you’re looking for more detailed and technical solutions that go above and beyond, here are some other things you can look at:
- Disable Directory Indexing and Browsing
- Change WordPress Database Prefix
- Disable PHP File Execution
- Disable File Editing
- Hardening wp-config.php
- Disable XML-RPC in WordPress
- Harden Database Security
- Check File and Service Permissions
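A read-only audit covering six of the items above (directory indexing, database prefix, PHP execution in uploads, file editing, XML-RPC, and wp-config.php permissions), as an added example rather than Civille's own tooling. It assumes an Apache server configured through .htaccess files; the finding names, the sample file contents and the `lf7_` prefix are constructed for illustration, and the .htaccess checks are simple text heuristics.

```python
import re
import stat
from pathlib import Path

def load_tree(root):
    """Read the audited files from a real docroot; missing files become ''."""
    root, cfg = Path(root), Path(root) / "wp-config.php"
    files = {p: (root / p).read_text(errors="replace") if (root / p).is_file() else ""
             for p in ("wp-config.php", ".htaccess", "wp-content/uploads/.htaccess")}
    return files, (stat.S_IMODE(cfg.stat().st_mode) if cfg.is_file() else 0)

def audit_wordpress(files, config_mode):
    """Return sorted hardening findings (Apache .htaccess rules assumed)."""
    cfg = files.get("wp-config.php", "")
    htaccess = files.get(".htaccess", "")
    uploads = files.get("wp-content/uploads/.htaccess", "")
    findings = []
    # Disable File Editing: the dashboard editor stays on unless this is true.
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", cfg, re.I):
        findings.append("file-editing-enabled")
    # Change WordPress Database Prefix: 'wp_' is the well-known default.
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", cfg)
    if m and m.group(1) == "wp_":
        findings.append("default-db-prefix")
    # Check File Permissions: wp-config.php should grant nothing to "other".
    if config_mode & 0o007:
        findings.append("wp-config-world-accessible")
    # Disable Directory Indexing: expect an Options line that removes Indexes.
    if not re.search(r"^\s*Options\b.*-Indexes", htaccess, re.M | re.I):
        findings.append("directory-indexing-on")
    # Disable XML-RPC (heuristic): expect some rule that names xmlrpc.php.
    if "xmlrpc.php" not in htaccess:
        findings.append("xmlrpc-not-blocked")
    # Disable PHP File Execution (heuristic): uploads needs a rule covering .php.
    if ".php" not in uploads.lower():
        findings.append("uploads-php-executable")
    return sorted(findings)

# Constructed samples: relative path -> file contents.
WEAK = {"wp-config.php": "<?php\n$table_prefix = 'wp_';\n"}
HARDENED = {
    "wp-config.php": "<?php\n$table_prefix = 'lf7_';\ndefine('DISALLOW_FILE_EDIT', true);\n",
    ".htaccess": "Options -Indexes\n<Files xmlrpc.php>\nRequire all denied\n</Files>\n",
    "wp-content/uploads/.htaccess": '<FilesMatch "\\.php$">\nRequire all denied\n</FilesMatch>\n',
}

if __name__ == "__main__":
    print("weak:", audit_wordpress(WEAK, 0o644))
    print("hardened:", audit_wordpress(HARDENED, 0o600))
```

To check a real site, pass the result of `load_tree("/path/to/docroot")` to `audit_wordpress`; nothing on disk is modified.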
For many small law firms, website security, constant monitoring, and everything in between can be a beast. Which is why, at Civille, we do all this for you. Our platform and systems were built with many things in mind, and website security is no exception. If you have questions on security or would like us to handle these things for you, contact us today!