1. Control the accounts
- Use a password manager and unique passwords for the domain, hosting, email, CMS, analytics, CRM, and payments.
- Enable multifactor authentication everywhere it is available.
- Give each person their own account and only the permissions they need.
- Remove access immediately when a contractor or employee no longer needs it.
2. Protect the domain and hosting
- Turn on domain locking and renewal notifications.
- Use HTTPS across the entire site and redirect HTTP traffic.
- Choose maintained hosting with backups, logging, DDoS protection, and rollback.
- Configure browser security headers such as CSP, HSTS, Referrer-Policy, and X-Content-Type-Options.
3. Keep the attack surface small
Every plugin, integration, tracking script, form, and administrator account adds another thing that can fail. Remove unused software, use maintained dependencies, and avoid installing a feature merely because it is convenient.
4. Secure forms and customer data
- Validate inputs on the server, encode outputs, rate-limit submissions, and add appropriate bot protection.
- Collect only the information needed for the stated purpose.
- Do not request passwords, payment-card details, medical details, or other sensitive information through an ordinary contact form.
- Define how long submissions are retained and who can access them.
5. Keep card data away from the website
Use hosted checkout from a PCI-compliant payment provider. The server should create the checkout session, keep secret keys outside public code, verify signed webhooks, and process each payment event exactly once.
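The last two server duties above (verify signed webhooks, process each event exactly once), as an added example that is not from the original page or any payment provider's SDK. It assumes a hypothetical header format `t=<unix time>,v1=<hex HMAC-SHA256 of "t.body">`, a 300-second replay window, and an SQLite table of processed event ids; real providers document their own signing scheme.

```python
import hashlib
import hmac
import json
import sqlite3
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a provider-defined value


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the assumed header: t=<unix>,v1=<hex HMAC-SHA256 of 't.body'>."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify(secret: bytes, header: str, body: bytes, now: int) -> bool:
    """Verify the MAC over the raw request bytes and reject stale timestamps."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        timestamp, received = int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        return False  # malformed or missing signature header
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # too old (or too far ahead): possible replay
    expected = sign(secret, timestamp, body).split("v1=", 1)[1]
    return hmac.compare_digest(expected.encode(), received.encode())


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # use a persistent database in production
    db.execute("CREATE TABLE processed (event_id TEXT PRIMARY KEY)")
    return db


def handle_webhook(db, secret, header, body, now=None) -> str:
    """Return 'rejected', 'duplicate' or 'processed' for one delivery."""
    now = int(time.time()) if now is None else now
    if not verify(secret, header, body, now):
        return "rejected"  # never parse or act on unverified bodies
    event = json.loads(body)
    try:
        with db:  # one transaction: claim the event id, then fulfil
            db.execute("INSERT INTO processed VALUES (?)", (event["id"],))
            # order fulfilment for this event would run here (hypothetical)
    except sqlite3.IntegrityError:
        return "duplicate"  # provider retry: id already claimed
    return "processed"
```

A duplicate delivery should still be acknowledged with a success status so the provider stops retrying; only the fulfilment step is skipped.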
6. Back up—and prove recovery works
- Back up files, databases, configuration, and critical business records.
- Keep at least one backup separate from the production host.
- Test a restore before an emergency.
- Write down who can disable the site, contact the host, rotate credentials, and notify affected people.
7. Monitor and maintain
Schedule updates, uptime checks, form tests, certificate checks, access reviews, and vulnerability scans. A secure launch that is never maintained slowly becomes an insecure website.
Launch-day minimum
| Control | Minimum acceptable state |
|---|---|
| Accounts | Unique passwords and MFA |
| Transport | HTTPS with secure redirects |
| Payments | Hosted checkout; no raw card storage |
| Forms | Server validation, spam controls, rate limits |
| Recovery | Automatic backups and a tested restore |
| Updates | Named owner and recurring schedule |