How To Check Website Security

In this article, I’ll list the components involved in cyber communication. I’ll explain to Internet users how to check website security. I will also outline for the small online business owners and bloggers the importance of implementing website security and tell website administrators how to make sure that their websites are secure. I’ll talk about the role of securing the website in search engine optimization.

Banner: How To Check Website Security title located next to 2 dark hands reaching out to the word "data" on striped dark blue background.

What Is Website Security?

Website Security is the capability of the website to protect the consumers’ information from cyberattacks.

The website page you can access through your browser is only a window displaying a relatively small chunk of information you request when navigating the website. The full information is stored on the powerful server computers that belong to the web hosting company. All security measures are taken by the server administrators of the web hosting company, and not by the website administrators. 

However, website administrators are paying for the web hosting service and they choose what and how many layers of security protection they want to purchase. 

There are 3 places in the chain of web communication where your data can be attacked and damaged or stolen:

  1. The servers of the web hosting company can be attacked

    That’s why reputable web hosting companies invest a lot of money and effort in Information Security.

    There are different plans that are offered to the website owners, and owners select the level of protection most appropriate for their website’s purpose and content. Healthcare, eCommerce, financial websites must have the strongest security, while individual bloggers usually choose the most basic web hosting plans.

    The level of security provided through the basic web hosting plan would be different from one web hosting company to another. 
  1. The users’ computers can also be attacked.
    It’s your responsibility as a computer and Internet user to protect your own computer by timely running system security updates, installing firewalls, and antivirus software.
A hacker, Globe wrapped into the ribbon with binary data and the word "hacked" in the center.
  1. The attack could happen during the data transmission between your computer and a server computer.
    Most web hosting companies offer website owners to purchase the Transport Layer Security (TLS) certificates, better known by its predecessor’s name Secure Sockets Layer (SSL), as an add-on to the web hosting plan. Sometimes, shared SSL could be included in a price of the plan.

    TLS is an enhanced version of the SSL protocol. The SSL and TLS names are still being used interchangeably. TLS assures encryption, authentication, and integrity of the data sent over the communication protocol. The communication protocol – Hypertext Transport Protocol, or HTTP, empowered by the TLS certificate turns into HTTPS (HTTP Secure).

How To Check Website Security?

Is Web Hosting Provider Reputable?

As a website user, you don’t have access to the information about the security measures established on the web host’s side. You can check the name of the web hosting provider and assume that the reputable provider would have sufficient security even for their basic plan. 

You can find out what web hosting services the website is using by visiting WhoIs LookUp and entering the URL of the website in question. In the returned result page, the information you are interested in is the Name Servers (usually 2 names)

Example:
Name Server: NS8211.HOSTGATOR.COM
Name Server: NS8212.HOSTGATOR.COM

The name of the server in the example above tells you that this website is hosted at HostGator. If the name does not clearly identify the web hosting provider, you may want to google “web hosting server”+[Name Server] (replace with the actual Name Server retrieved from WhoIs).

Here is a couple of the places to check reviews on the web hosting services:

Another example of a less popular web hosting provider:
Name Server: BECKY.NS.CLOUDFLARE.COM
Name Server: CLYDE.NS.CLOUDFLARE.COM

This Server belongs to Cloudflare.

My first step in researching the reliability of this company and the level of security they provide is to visit their own website.

Among their plans, Cloudflare offers a free web hosting plan. Of course, a free plan sounds attractive to individual bloggers. However, the free plan does not include a Web Application Firewall (WAF) which is supposed to defend websites from automated attacks and does not offer an SSL certificate either.

In my opinion, websites without WAF should not even be allowed. As a consumer, I would immediately question the quality of the service and the level of its security offered through the paid plans by this company. The next level plan is Pro for $20/mo. It does include mitigation of DDoS (Distributed Denial-of-Service) attacks, Shared SSL certificate, and WAF. The next Business plan is $200/mo. And then there is an Enterprise plan, which in place of the price say “Request Quote”.

Which plan do you think most of the small businesses and individual bloggers buy? I’d say the “Pro” plan.

My next step in investigating this company is to look them up on HostAdvice and Tbwhs.com.

Tbwhs.com had no record of Cloudflare. On HostAdvice, out of the last six submitted reviews (the most recent one being 2 weeks old), five gave Cloudflare a 1-star rating out of 5, and one was a 2-star rating.

I could go further in my research, but I stopped right there and decided that I would not feel comfortable providing any sensitive information on a site hosted by Cloudflare. My name and email address would be the most I’d be willing to submit through such a website if it has an SSL certificate installed (please refer to the chapter below for the guidance of determining this fact)

I strongly recommend researching the web hosting company before submitting any sensitive personal information on the unknown website.

Is Data Transmission Secure?

As a website visitor, the one thing you should always check is whether the transmission of your data from your browser over the Internet to the server is secure. 

HTTP vs. HTTPS connection graphics.

The easiest automated way to check website security is by entering its URL in this free SSL Checker tool.

To perform a manual check:

Check the URL in the address bar of your browser. If a website is running over HTTPS (Hypertext Transfer Protocol Secure), it means that the site is protected by Transport Layer Security (TLS) protocol. 

On the secure website, you’ll see a little icon of a padlock.

In Google Chrome, you’d  need to double-click in the address bar in order to see the full URL:

https:// and padlock are shown in address bar of Google Chrome

In the Internet Explorer browser, you’ll see the full URL as you open the page – no extra clicks are required.

A browser-independent way to get the full URL is to highlight it, copy and paste it to a text editor.

If you know that the company or a person owning a secure website is legitimate and trustworthy, then it’s safe to provide sensitive personal information and make purchases on a TLS-protected site. 

However, even if the website is secure, but you are not sure about the trustworthiness of the owner yet, do not give away your full name, street address, Social Security Number, Credit Card or Bank accounts, or any other information of such a sensitive nature until you verify the owner. Scammers may have a secure website too.

Even a website served over HTTPS may have some pages of mixed content. Mixed Content is a combination of both secure (HTTPS) and non-secure (HTTP) elements delivered over TLS. Mixed content can potentially be read or modified by hackers.

Screenshot from Google Chrome of a warning regarding mixed content.

The image on the right (or above, if you are viewing this on a smartphone), is a screenshot from Google Chrome. The padlock has turned into “i” indicating the warning. 

This is not my site, therefore I didn’t want to expose the owner and covered the URL. 

When you click on the “i” icon, you’ll see the message shown in the image: “Your connection to this site is not fully secure”. 

Red Flag icon

The Internet Explorer did not offer this information to me, but it also didn’t show the padlock on this particular page. You could tell there was a problem because the URL shows HTTPS protocol with no padlock. However, you need to know these details in order to notice them.

Screenshot of the Mixed Content page as shown in Internet Explorer

And here is the Homepage of the same site as above:

Screenshot of the Secure Homepage with padlock icon as shown in Internet Explorer

I would think twice before giving my personal or financial information to such a page. 

And of course, there are sites that are non-secure at all. It doesn’t mean that they are not trustworthy for the content they provide, but they are not secure, which means that it’s easier to get a computer virus from them and have your information hacked. You shouldn’t trust a non-secure site for any data-requesting features or make purchases through them.

Screenshot from Google Chrome on 
not secure website.

Google Chrome suggests that you shouldn’t enter any sensitive information on this site because it could be stolen by attackers.

Once again, it doesn’t mean that you shouldn’t trust the author, but on such a site your personal data is at risk.

Is The Website Sharing Your Information With the 3rd parties?

Before making a final decision on whether you should provide your personal information to the website you are on, you may wish to find out whether they will share your information with other people or organizations.

Red Flag icon
  1. Check the Privacy Policy page.
    Having a Privacy Policy page is a legal requirement and every website must provide this information to its visitors. If you can’t locate this page, it’s a red flag.
  2. Pay attention to any messages that come up when you are about to submit your information.

I recently came across a website where I wanted to leave a comment in the Comments field below the post. Nothing on this page looked out of ordinary. I read the post carefully and wrote long relevant feedback because I thought that I could contribute some ideas from my personal experience on the subject of this post.

As a blogger myself, I know how helpful thoughtful comments are. They add value to the original post and create discussions with your readers. Search engines love user engagement! Therefore, I could keep my mouth shut, but I wanted to support a fellow-blogger.

As I was about to submit my comment, I realized that there is no usual way to enter my name, email of my choice and my website’s URL (always optional). Instead, the options were to sign in with Facebook, Twitter, Google account or Disqus. I’ve never used Disqus. I don’t have an account with them, and I have no desire to share any of my personal information with them, even if it’s just my name with the photo.

I decided to log in with my Facebook account (even though that wasn’t my preference). I clicked on the Facebook icon, and the message shown in the screenshot below came up.

Screenshot: Facebook profile information is displayed and the message saying that Disqus is requesting the following info: Facebook full name, profile picture and email address. the Confirm button under the message and another message in small print below the button: "By confirming, you agree to share info with Disqus and are subject to their Privacy Policy and Terms"
Red Flag icon

Note that it is a small print that informs me that I agree to share my information and am subject to their Privacy Policy.

If I clicked the “Confirm” button without reading the message, my name, photo and email address would be shared with Disqus. Perhaps, this would cause me no harm. Disqus seems like a legitimate company that provides, in their own words, “blog comment hosting service for web sites and online communities that use a networked platform”.

However, I’m not well familiar with this company and don’t want to spend my time researching them as I don’t need their services. I don’t think I should be forced to share my name with the photo (I could turn off sharing the email address) with those who don’t need to have them. Therefore, I opted out and did not submit the comment I’ve already written for this blog post.

Sorry, pal – fellow-blogger! I tried to be nice to you, but you have to make it fair for me too.

Tips For The Owners On Securing Their Websites.

Install SSL/TLS Certificate.

Per Sucuri, “There is often a misconception about why websites get hacked. Owners and administrators often believe they won’t get hacked because their sites are smaller, and therefore make less attractive targets. Hackers may choose bigger sites if they want to steal information or sabotage. For their other goals (which are more common), any small site is valuable enough.”

Having your website secure, even if you don’t collect any personal information is very important. 

Not collecting personal information means that your website is “read-only”:
none of the posts or pages have comments area enabled, you don’t offer your visitors to sign up for your newsletters, not asking for an email address in exchange for a gift, etc.

If that’s the fact about your website and you are relying on organic traffic, then you’re hurting your website performance. 

  • Search engines give you credits for user engagement and interactions with your visitors. 
  • The comments and discussions with your readers add quality content to your posts: your 1,000-word article could grow over time to 10,000 words just because of the discussions with your readers via comments.

Your site could rank higher if you communicate with your readers, and the higher rank you get, the more organic traffic would come to your website. 

  • Besides, search engines rank secure websites higher just because they are secure.
  • Visitors feel much safer when they see this little padlock icon in the address bar of your website. More of them will be willing to return to your website in the future. The return rate also plays an important role in your ranking.

To purchase and install the SSL/ TLS certificate, contact your web hosting company. You can also purchase it independently from sites like SSLStore.

Find And Resolve Mixed Content Issues.

If your website has SSL/TLS Certificate installed, but your padlock doesn’t show on some pages as explained in the “Is Data Transmission Secure?” chapter, these pages have Mixed Content.

To find out what parts of your page are insecure, navigate to that page in your browser. I use Google Chrome, but most browsers provide similar tools. In Google Chrome, right-click on the page and select “Inspect” from the pop-up menu.

A window with the source code will show on the screen. Select the “Console” tab at the top of this window. You’ll see Mix Content warnings. In the code, find URLs that start with “http://” and not “https://”

Oftentimes, these will be images served over the HTTP protocol. You can click on http://xxx/xxx… link to view the source. The “Sources” tab will open. You’d need to click on the “Console” tab again in order to return to the list of warnings.

If your page problem is indeed in the insecure image URL, check if this image is also available over HTTPS:

  • copy image URL
  • paste it in a new browser tab
  • change http:// to https://
  • If the same image is displayed after changing the URL, edit the mixed content page/ post in your WordPress environment or whatever CMS you are using to work on your website and change the problematic URL to start with https://.
  • If the image cannot be displayed over HTTPS, you’ll need to find a way to display it from a secure location or remove it altogether. If legally allowed, you may want to download this image and host it on your website directly.
  • Update the post/ page to reflect changes
  • Navigate to the page in the browser and confirm that the error is gone.

Are You Confident In the Security Level Provided by Your Web Hosting Organization?

Please do not sacrifice users’ security by choosing free or unrealistically low-price plans (unless it’s a time-limited promotional offer).
Find the most affordable plan that corresponds to the level of protection your website requires depending on the type of information you collect from your visitors.

If your site receives a lot of spam comments, you may also consider switching your web hosting service rather than installing anti-spam plugins, which slow down your website’s loading speed and thus decrease your ranking in search engines.

A good web hosting provider should take care of your website security and free you up from such worries.

I am hosting my website with Wealthy Affiliate. Taking advantage of their Black Friday offer, I’m paying $299/year for my Premium membership. This is $25/mo for the fast and secure web hosting, incredible 24/7/365 Technical Support that usually responds within 5 minutes, advanced keyword research tool, a platform for easy finding, joining and managing your affiliate programs, endless comprehensive training, personal mentorship, supportive worldwide community of about a million members, many of whom are the experts in different types of online business.

Without a promotional offer, the annual membership costs $359 (this comes down to $30/mo), or $49/ mo if paying month-to-month.

Should Black Friday deal be offered this year again (it had been offered for 7 years in a row), you’d be able to take advantage of it. The payment previously made would be prorated towards the new offer and you won’t lose the money you’ve already paid.

With my Premium membership, the SSL certificate is installed for free on my websites. The spam coming to my website is close to zero (I’ve received 3 spam comments since December 2017) I don’t run any plugins on my websites that provide a firewall and malware protection or spam protection. Everything has been taken care of by the Wealthy Affiliate web hosting services at no additional cost for me.

Please feel free to investigate my website’s security with SSL Checker tool or manually and do your own research on Wealthy Affiliate.

If you are having issues with your current web host or would like to create a new website, I invite you to join Wealthy Affiliate by clicking the button below and move your websites to their hosting. Premium membership allows up to 10 websites to be hosted at Wealthy Affiliate.

Click The Button To Get Your First Month Of Premium Membership
For Only $19.00 ($30.00 OFF)

Sign Up For WA Premium Membership Now

You can join Wealthy Affiliate for FREE in order to explore the fabulous training, tools, and service they provide. As a free member, you can create 2 free websites on the SiteRubix subdomain. Then, you can decide based on your personal experience whether it makes sense for you to upgrade for the Premium Services and move your website to their web hosting (or move the free website you built to your own domain).

Act now and start exploring and learning!

Join Wealthy Affiliate for free today button

Conclusion.

IT professionals take Information Security very seriously. Most webmasters also treat website security as their top priority. 

However, there are close to 2 billion websites in the world. Every individual nowadays can easily create and run his or her own website. Unfortunately, not all of them want to properly educate themselves about all the responsibilities that a website administration imposes. Therefore, there are still many websites, especially run by solo entrepreneurs, that are not secure and create danger for their visitors.

Prudent Internet Users want to take control in their own hands for their safety on the World Wide Web. That’s smart and worthy. 

When I see pedestrians at the pedestrian crossing stepping down from a curb to cross the road on his/her green traffic light without looking to the sides for cars, I mentally ask them: if there were a violent driver (sick, drunk, or else…) coming your way, whom you are going to tell that it wasn’t your fault when you’d have to live to the rest of your life disabled? Will it help you? 

The same applies to all safety issues, including Internet security. A lot of precautions are taken by professionals, but I urge you, as a user, to watch out!

Also, keep in mind that checking website security is only one part of assuring your safety on the Internet. The other part is the trustworthiness of the website, which will be discussed in my next post.

Bloggers and other webmasters, you want to be safe in cyberspace, don’t you? Make it your highest priority to secure your own websites and protect your visitors.

I invite you to Wealthy Affiliate to learn everything you need to know about properly running your online business – you won’t regret joining our supportive community and learning from the industry experts, I promise. Learn more about Wealthy Affiliate here and join for free now to explore the platform yourself.

If you have any questions or comments, please leave them in the “Comments” area below.

You May Also Like:

24 Comments

    Add a Comment

    Your email address will not be published. Required fields are marked *