If you’re part of a law firm, I doubt you need me telling you about how important security is in the legal world. And while I’m sure you follow all of the best security practices for your real-world practice, do you apply the same attention to detail to your law firm’s website?
Beyond the risk of losing data, getting hacked can interrupt your business and lessen your reputation in the eyes of your clients. That’s any firm’s worst nightmare, right?
And while many people have grandiose visions of talented hackers rapidly typing away to sneak their way into the Fort Knox that is your website…the truth is often much simpler:
Sites get hacked because they fail to follow the most basic of security practices.
Basic security might not be the most exciting topic in the world, but following some simple tips to secure your law firm’s website can ensure that your site is safe from most of the common exploits.
In this post, I’ll dig into some foundational security tips to secure your law firm’s website and protect your data, your clients’ data, and your reputation.
1. Always Update – Updates Aren’t Just For New Features
If you look at any major exploits, you’ll often find one commonality:
Out of date software.
Not only do you need to update your software, you need to update it quickly. Slow updates were the reason dozens of law firms were hacked in a recent WordPress exploit, and they’re also one of the major drivers behind global outbreaks like the WannaCry ransomware.
Whether you built your law firm’s website with WordPress, Joomla, or anything else, you need to keep your software up to date. And it’s not just the core CMS software – the same applies to every single third-party extension you add.
2. Use a Strong Password
I know that this tip seems basic…but when data suggests that one of the world’s most common passwords is “123456”, this point still bears repeating. None of the other security tips matter if hackers are able to traipse through your site’s front door as a result of poor password practices.
So what makes a strong password?
- Make it unique. That is, don’t reuse passwords across multiple accounts.
- Mix it up. Use numbers, symbols, and upper- and lowercase letters.
- Longer is better. Each additional character in your password makes it harder to guess (assuming you’re not using common words).
- Avoid dictionary words and common substitutions. While you might feel clever switching “s” with “$”, hackers are onto such simple substitution tricks.
And remember – everyone with access to your site needs a strong password. Getting others to buy in is just as important as making your own password secure.
3. Don’t Give Users More Access Than Needed
In security, there’s something called the principle of least privilege. Basically, it says you should never give users an ounce more access to your site than they need.
For example, if your receptionist needs to access contact form entries and nothing else, your receptionist should only have access to the contact form entries. He or she doesn’t need account permissions to edit content or add files.
By ensuring each user has only as much access as they need, you limit the vectors from which hackers can attack you.
4. Use Well-Maintained Plugins, Extensions, Etc.
Content management systems like WordPress, Joomla, and Drupal have made it easy for anyone to quickly create a website thanks, in part, to their huge libraries of third-party extensions.
Don’t get me wrong – extensions are wonderful things. But each time you add one, you open up a new possible weakness for your site. And that’s why you need to actually pay attention to the extensions you add to your firm’s site.
Check whether the:
- Extension has been recently updated.
- Developer responds to support issues.
- Extension is listed in a vulnerability database like the WPScan Vulnerability Database.
Doing so helps you ensure that you’re using only well-maintained extensions.
5. Use a Security Plugin or Extension
Tying in with the previous point, another great way to secure your firm’s site is to take advantage of those vibrant third-party extension marketplaces to install a quality security plugin or extension.
Such plugins typically add web application firewalls, brute force protections, malware scanning, and more.
As long as you keep them updated, they’ll go a long way towards eliminating most “low hanging fruit” attacks.
6. Install an SSL Certificate
Ever wondered why some websites have a green padlock and others don’t?
The reason is something called an SSL certificate. An SSL certificate lets your site offer an encrypted connection between your (or your client’s) web browser and your website. Essentially, it ensures that no one can “eavesdrop” on the conversation between your client and your site.
While it’s good practice to use SSL site-wide, it’s especially important on login and form submission pages. For example, you definitely don’t want to allow anyone to get a peek at the details your clients are submitting through your contact forms, right? I hope not!
7. Make Sure Your Server and Files Are Configured Properly
You’ll need help from a developer for this one. But part of hardening your firm’s website is making sure everything is configured properly server-side to eliminate any potential backdoors into your site.
By this, I mean:
- Setting proper file permissions
- Preventing directory browsing
- Restricting access to sensitive configuration files
- Restricting PHP execution in directories that exclusively hold image files or otherwise allow file uploads
8. Be Careful With File Uploads
You might run into situations where you need to allow clients to upload file attachments to your site. For example, if you create an appointment booking form, you might give an option for clients to upload more details about their situation. And that’s fine!
But you do need to ensure that you place limits on the file type and number of files your clients can upload. You should also go deeper and consider:
- Renaming files upon upload
- Making sure the file permissions forbid uploaded files from executing
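One way to implement the file-handling points from sections 7 and 8 on a PHP site, as an added example that is not code from the original post or from any particular plugin. It assumes the form posts files under the field name `attachment[]`, that `UPLOAD_DIR` is a constructed path, and that Apache honours `.htaccess` files in that directory:

```php
<?php
// Added example, not code from the original post: a hardened upload handler
// for a PHP booking/contact form. Assumed: files are posted as "attachment[]",
// UPLOAD_DIR is a constructed path, and Apache honours .htaccess there.
const UPLOAD_DIR    = __DIR__ . '/uploads';
const MAX_FILES     = 3;                 // cap the number of files per submission
const MAX_BYTES     = 5 * 1024 * 1024;   // cap each file at 5 MB
const ALLOWED_TYPES = [                  // detected MIME type => safe extension
    'application/pdf' => 'pdf',
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
];
// Section 7: no directory listing and no PHP execution inside the upload directory.
function ensureUploadDir(): void {
    if (!is_dir(UPLOAD_DIR)) { mkdir(UPLOAD_DIR, 0750, true); }
    $htaccess = UPLOAD_DIR . '/.htaccess';
    if (!file_exists($htaccess)) {
        file_put_contents($htaccess, "Options -Indexes\n"
            . "<FilesMatch \"\\.(ph(p[0-9]?|tml|ar))$\">\n"
            . "    Require all denied\n"     // Apache 2.4 syntax
            . "</FilesMatch>\n");
    }
}
// Section 8: limit count, size and real content type; rename; strip the execute bit.
function storeUploads(array $files): array {
    ensureUploadDir();
    $count = count($files['name']);
    if ($count > MAX_FILES) {
        throw new RuntimeException('Too many files');
    }
    $finfo  = new finfo(FILEINFO_MIME_TYPE);
    $stored = [];
    for ($i = 0; $i < $count; $i++) {
        if ($files['error'][$i] !== UPLOAD_ERR_OK || $files['size'][$i] > MAX_BYTES) {
            continue;
        }
        $mime = $finfo->file($files['tmp_name'][$i]);  // trust the bytes, not the client
        if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
            continue;
        }
        // Random server-chosen name: the client's filename and extension never reach disk
        $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
        if (move_uploaded_file($files['tmp_name'][$i], $dest)) {
            chmod($dest, 0640);  // readable by the web server, never executable
            $stored[] = basename($dest);
        }
    }
    return $stored;
}
// Usage (form field <input type="file" name="attachment[]" multiple>): storeUploads($_FILES['attachment']);
```

On nginx the `.htaccess` file is ignored, so the equivalent `location` rule denying PHP execution under the upload directory belongs in the server configuration instead.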
9. Run Regular Backups
And finally – part of security is planning for what happens when everything goes wrong. And the best answer to that scenario? Working backups.
Notice how I said “working”? Backups aren’t worth anything unless you periodically test to make sure that they actually, you know, work.
If you’re using WordPress for your law firm’s site, you can use a plugin like UpdraftPlus to run automatic backups.
In addition to ensuring that your backups actually work, you should also follow the 3-2-1 rule for data storage:
- Keep three overall copies
- With two copies in physical locations (like your computer or an external hard drive)
- And one copy stored in the cloud.
Wrapping Things Up
While some law firms are handling information so sensitive that hackers will attempt to access their servers hundreds of thousands of times, the vast majority of law firms aren’t going to draw such specific attention.
Instead, your firm is much more likely to fall prey to a low-level attack that succeeds because of poor basic security practices.
Don’t let that happen to your firm. Implement these basic law firm website security tips and take your and your clients’ information security seriously.