Website security questions: a business owner’s checklist

Every day, countless businesses are taking their operations online to attract new customers and scale globally. One of the quickest ways to get a website up and running is through WordPress, which powers over 43% of all sites on the internet.

But with this popularity comes a downside. Bots and hackers are always on the lookout, trying to exploit any vulnerabilities in WordPress sites. These vulnerabilities often arise from installing compromised plugins or themes or using poor hosting that can’t detect or prevent the most common attacks, like Distributed Denial of Service (DDoS) or brute force attempts.

Many business owners fall into the trap of choosing cheap hosting, only to later spend a fortune fending off attacks — attacks that often stem from the inadequate security of their hosting provider.

This is why, as a business, you shouldn’t be swayed by low costs when selecting a host. The focus should be on quality, especially in terms of security. You must dig deeper and ask the right questions or seek detailed information about your host’s security measures before choosing. It’s not enough for a host to promise security. You need to understand how that security is implemented.

That’s where this guide comes in. We’ve created a comprehensive checklist of essential questions you should ask your web host about security before making your decision.

1. Data encryption

Data encryption is critical for safeguarding the information exchanged between your website and its users. Whether it’s customer details, payment information, or confidential business data, ensuring this information is encrypted is non-negotiable.

What to ask:

  • Does the hosting provider offer SSL/TLS certificates, and are they included in the hosting package?
  • What level of encryption is used for data in transit and at rest?
  • How does the host ensure the security of sensitive information (e.g., customer data, financial transactions)?

Why it matters:

SSL/TLS certificates are what let a visitor's browser verify that it is talking to your site and establish an encrypted connection to it. That encryption ensures sensitive information — like credit card numbers or personal details — cannot be read by malicious actors while it travels across the network. Without SSL/TLS encryption, your site is vulnerable to man-in-the-middle attacks, where an attacker positioned between the user and the server can intercept and manipulate the data flowing to and from your site.

But encryption shouldn’t stop at data in transit. It’s equally important to ensure that your data is encrypted at rest, meaning it’s securely stored on the server, making it inaccessible to unauthorized users even if they gain access to the physical server or the data center.

When choosing a web host, it’s crucial to confirm that they offer SSL/TLS certificates and use strong encryption standards, such as 256-bit Advanced Encryption Standard (AES), to protect your data in transit and at rest.

Ask about their policies and practices for encrypting sensitive information and ensuring your data remains secure, even in worst-case scenarios. Understanding these encryption measures will give you peace of mind, knowing your business and customer data are protected.

How Kinsta handles data encryption

At Kinsta, we protect your data through robust encryption practices, both in transit and at rest.

For example, all verified domains on Kinsta (localhost domains, temporary domains, and custom domains) benefit from our integration with Cloudflare, which includes free SSL certificates with TLS 1.2 and TLS 1.3 enabled — standards that provide strong encryption and are widely supported by all major browsers. This automatic SSL setup means you don’t have to worry about manually configuring your site’s security unless you want to use a custom SSL certificate.

In addition to securing data in transit, Kinsta leverages the Google Cloud Platform’s (GCP) state-of-the-art security measures to protect your data at rest. This means all data stored on Kinsta’s servers is encrypted using 256-bit AES encryption, which protects the data if someone were to gain physical access to the disks in the data center. The encryption keys are regularly rotated and protected with additional layers of encryption, adding further security.

However, it’s important to note that while the disks are encrypted, an attacker who gains access to your website through compromised credentials (like SSH access) or a vulnerability in your site can read unencrypted copies of the files. This makes it crucial to maintain strong security practices at the site level, such as using strong passwords, enabling two-factor authentication, and regularly updating software.
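To make the two preceding points concrete, here is an added example (not Kinsta's or Google Cloud's code, and not a description of how GCP implements disk encryption) of the envelope-encryption pattern that "encryption keys protected with additional layers of encryption" and "regularly rotated" usually refers to. Each file is sealed with AES-256-GCM under its own data encryption key (DEK); the DEK is stored only in wrapped form under a key encryption key (KEK). Rotating the KEK re-wraps the DEK without touching the bulk ciphertext. The names `StoredFile`, `Encrypt`, `Decrypt` and `RotateKEK` and the sample file contents are constructed for this illustration. The `Decrypt` path also shows the caveat above: any code that legitimately holds the KEK, such as the running site, reads plaintext, so disk encryption adds nothing against an attacker who has already taken over the site or its credentials.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newKey returns a fresh random 32-byte key, i.e. AES-256.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAES encrypts and authenticates with AES-256-GCM; the random nonce is prepended.
func sealAES(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAES checks the authentication tag and decrypts; a wrong key or any bit flip fails.
func openAES(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// StoredFile (constructed model) is one object encrypted at rest: content sealed under a
// per-object DEK, and the DEK stored only wrapped under the KEK (the extra key layer).
type StoredFile struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt seals plaintext under a fresh DEK and wraps that DEK with the KEK.
func Encrypt(kek, plaintext []byte) (StoredFile, error) {
	dek, err := newKey()
	if err != nil {
		return StoredFile{}, err
	}
	ct, err := sealAES(dek, plaintext)
	if err != nil {
		return StoredFile{}, err
	}
	wrapped, err := sealAES(kek, dek)
	return StoredFile{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt unwraps the DEK with the KEK, then opens the content. Whoever holds the KEK,
// or runs the application that does, sees plaintext: the disk layer cannot stop them.
func Decrypt(kek []byte, f StoredFile) ([]byte, error) {
	dek, err := openAES(kek, f.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAES(dek, f.Ciphertext)
}

// RotateKEK re-wraps the DEK under a new KEK; the bulk ciphertext is left untouched.
func RotateKEK(oldKEK, newKEK []byte, f StoredFile) (StoredFile, error) {
	dek, err := openAES(oldKEK, f.WrappedDEK)
	if err != nil {
		return StoredFile{}, err
	}
	wrapped, err := sealAES(newKEK, dek)
	return StoredFile{WrappedDEK: wrapped, Ciphertext: f.Ciphertext}, err
}

func main() {
	kek1, _ := newKey()
	kek2, _ := newKey()
	f, _ := Encrypt(kek1, []byte("constructed wp-config.php contents")) // constructed sample
	r, _ := RotateKEK(kek1, kek2, f)
	out, err := Decrypt(kek2, r)
	fmt.Printf("after rotation: %q (err=%v)\n", out, err)
}
```

The point to take to a hosting conversation: ask whether keys are rotated this way (re-wrapping, so rotation is cheap and actually happens) and who or what holds the KEK, because the answer to the second question, not the AES key length, decides what the encryption protects against.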

Our commitment to data encryption extends beyond technical measures. Over the years, we have worked hard to become SOC 2 compliant and recently achieved ISO 27001, 27017, and 27018 certifications. See more information in this article’s security audits and compliance section.