The complete guide to creating a secure business website

Small and midsize businesses (SMBs) are 350% more likely to fall prey to social engineering attacks like phishing, ransomware, and spyware.

If hackers find ways to exploit your small business website, it can open you up to data breaches and subsequent lawsuits. Here are some best practices for maintaining a safe business website.

Security and legal factors to consider when building a website

You will need to safeguard your business website against online threats from the time you start building it until well after you launch your website.

You can mitigate certain commercial website security and legal risks by following these 17 essential steps.

1. Vet your web developer and IT support

Make sure you hire a good web developer.

Your site is going to be the face of your brand and often how customers will interact with you and purchase products. That's why it's important to find someone with a good handle on user experience (UX) and business website legal requirements so you don't run into any issues with hackers or lawsuits later on.

Before hiring a web developer for your business website:

• Check their portfolio
• Review references
• Ask them about their implementation of legal must-haves
• Request a quote
• Determine if they can meet deadlines

2. Install an SSL certificate

SSL stands for secure sockets layer, which is a minuscule data file stored on a web server to protect your company website. An SSL certificate is a simple piece of code on a web server that lets a web browser know that the connection is encrypted and it's safe for the shopper to visit your website and/or submit payments.

If you don't install an SSL certificate, your website will be more vulnerable to hackers. This can reduce your online visibility, since Google will warn visitors that the site isn't secure, causing them to exit. It could even suggest you less often on the search engine results pages (SERP) if the certificate is missing.

Tip: You can get a free SSL certificate from Let's Encrypt, or you can ask your hosting provider if they will bundle it with your hosting services.

3. Select a secure web hosting service

Aside from obvious must-haves like buying enough server space to ensure that everything on your website loads correctly even when there's heavy web traffic and a nearly 100% uptime guarantee, your web host will also need to do the important job of storing all of your assets (images, videos, website code, etc.).

Try to find a web hosting company that won't hold you hostage in a long-term contract if you're ever unhappy with the services. Enter into a hosting contract with the service provider based upon your requirements.

Tip: Be wary of companies with a single plan and a one-size-fits-all approach to web hosting. Chances are that as you grow, your hosting plan won't be able to scale with you.

4. Install antivirus and malware protection software

Antivirus software programs are a great catch-all for detecting and removing malicious viruses like trojans, keylogger software, worms, and spyware from your website and operating system. Anti-malware is designed to fortify computers and websites against advanced malware by implementing heightened security measures.

Look for anti-malware software that includes services like:

• Malware detection and removal
• Web application firewall (WAF)
• Vulnerability patching
• PCI compliance
• DDoS protection

If your anti-malware software fails, you need to use antivirus software to repair your website. In more serious cases, consult with an IT specialist or a web developer to manually review and remove infected files and tighten up security.

5. Manually accept or close comments and feedback

For many businesses, getting website comments is a sign of success.

But user feedback can sometimes be bad for your website. Old comments can also make your post look outdated and slow down your website

Meanwhile, accepting comments without vetting them first can lead to spam and security risks. Manually accepting blog comments can safeguard website visitors against malicious links that could install spyware on their computers or leak their personal information. To reduce comments from hackers and bots, you should consider the following:

• Use ReCaptcha for user verification.
• Make users create an account.
• Turn off post comments after a few months.

Business website legal requirements

Website privacy laws are emerging quickly across states, so it's important to stay current and consult with an attorney if possible. Here are some of the privacy laws that you need to consider:

6. Comply with CalOPPA

The California Online Privacy Protection Act (CalOPPA) mandates that online businesses selling to consumers in California must have a privacy policy. The policy must be prominently displayed on the website and should include several things, including:

• Website operator
• Information collected
• Entities the information is shared with

7. Comply with GDPR

Businesses that sell to consumers in the European Union must also meet General Data Protection Regulations (GDPR) requirements. Some of the GDPR guidelines require businesses to:

• Know exactly what data they're collecting
• Only collect necessary information
• Appoint a data protection officer to identify website vulnerabilities
• Maintain a data register to map data flow
• Report data breaches immediately
• Share data collection motives transparently
• Use cookie consent notices
• Avoid collecting data on people aged 16 and below
• Assess third-party risks
• Update privacy policy regularly
• Allow people to see what personal data you collect
• Enforce data protection standards

8. Build required web pages for commercial sites

Every website needs privacy policy and terms and conditions pages. Other pages that you should have include a:

• Homepage
• About page
• Product or service pages
• Master service agreement (MSA)
• Contact page

9. Ensure ADA compliance and web accessibility

The government can fine you for Americans With Disabilities Act violations. Any individual with a disability can also sue you if your website is inaccessible and they're unable to use it.

Check your website's ADA compliance score.

10. Include a data collection disclosure and privacy policy

All e-commerce websites must protect the consumers that use them.

That means being completely transparent about the data you collect and how you use it. You will need to enforce payment compliance standards to keep customers' data safe when they make purchases on your website. Some of the ways to comply with online privacy laws include the following:

• Disclose what personal information your business collects
• Explain how you use the data and if you will share it
• Ensure users are aware of third-party services operating on your site
• Inform users about how they can control what data your company collects

What privacy policy is required for websites?

The Federal Trade Commission (FTC) requires all businesses to implement privacy policies to avoid unfair or deceptive marketing practices.

This means you should:

• Be honest and transparent about what data you're collecting and how you're using it.
• Publish a privacy policy even if you aren't collecting personal data, but especially if you sell to consumers in California (CalOppa) or give third parties access to your website.

Third-party services like Google Ads, Facebook, Twitter, and the Apple App Store require websites to post a privacy policy on their website. Information you should include in a privacy policy includes:

• Who can access consumer information
• How the information will be used
• Company contact information
• How information is stored and protected
• How to opt out of data collection

11. Become PCI compliant

PCI DSS stands for Payment Card Industry Data Security Standard, requiring companies who accept and store payments online to retain a secure environment. PCI compliance requirements include:

• Current firewall configuration and antivirus software
• Unique IDs and passwords
• Cardholder data encryption on public networks
• Network monitoring
• Regular security system testing

12. Create a copyright notice

You don't have to copyright the content on your website, but it's a good idea to add a copyright notice in your website footer if you created copy, photos, animations, or something else that is unique to your company. To copyright media on your website, you should include the:

• Copyright owners' and creators' names
• Company name
• Copyright symbol
• Year published

13. Implement a cookie consent notice

Website cookies, aka HTTP cookies, help websites remember users and curate content that's relevant to them. It's also good for tracking what customers looked at if you want to set up a re-marketing campaign later.

Unfortunately, cookies can also infringe on consumer privacy rights, and if your site is hacked, private information could fall prey to criminals and hackers. That's why you must get consent before collecting this information. To obtain informed consent, you should:

• Divulge that your website uses and stores cookies
• Explain why your company uses cookies
• Share how you will use the cookies
• Link to your company privacy policy
• Explain how you collect personal information (eg. subscriptions, forms, etc.)
• Ensure users understand what they're agreeing to
• Allow users to opt out

Tips for maintenance, marketing, and legal requirements after launching your website

Once your website is live and legally compliant, the next steps for business success is to start marketing while running regular maintenance on your website. This ensures users will have a positive experience on your website for years to come. By using best website practices, you can also protect yourself against consumer lawsuits.

14. Backup website data and conduct maintenance

A website backup will make a copy of all of your files, databases, photos, text, and code.

Generally, web hosts will offer website backups in their service plans, but it's a good idea to use third-party services or plug-ins in case the initial backup goes awry.

Maintaining your website and ensuring it remains functional, legally compliant, and easy to use as the years go by is important.

15. Follow FTC guidelines for affiliate marketing programs

Affiliate marketing allows businesses and influencers to promote products or services to drive traffic to a website. If they're successful in generating revenue, they are compensated.

If you provide or receive any benefits, including but not limited to the following, then you are obligated to disclose that information to viewers:

• Cash or digital payment
• Discounts
• Free products or services
• Store Credit
• Favors

The Federal Trade Commission requires businesses to inform the public if they receive payment to review or promote a product or service. Most people will be more skeptical about paid advertising and will do more research.

But if they think you're giving an unbiased opinion, they may feel misled and make a hasty decision.

16. Understand industry-specific google ads restrictions

Google restricts paid online ads for anything that may be deceptive, harmful, exclusive, or misleading to customers. That's why business owners can't use Google Ads for:

• Kickstarter or GoFundMe campaigns
• Call forwarding services or directories
• Live ticket sales or resale
• Bail bonds
• Housing
• Employment
• Baby formula
• Third-party tech support

17. Steer clear of illegal & deceptive SEO tactics

Some SEO tactics, like plagiarism, are illegal, and others are just frowned upon. Regardless, you should avoid these tactics to rank better online and avoid nasty lawsuits. Illegal and black hat SEO tactics can include:

• Website spinning: If you need a new website, hire an experienced SEO copywriter. Don't use AI or spinner software to duplicate a competitor's website.
• Pagejacking: Stealing another company's webpage for a product or service and replacing it with your branded keywords is illegal and unethical.
• Keyword stuffing: Don't spam consumers, or Google will penalize your website for having a poor user experience.
• Hidden text: Avoid including text and links that are exclusively for search engines and hidden from consumers.

Are you interested in further protecting your website by trademarking it or copyrighting its published content? Learn how to register it today or visit LegalZoom's  Article Center for answers to your questions about protecting your company and additional website legal requirements.