Website Security Basics for Law Firms

Marni Macleod

Like most business machinery, websites require some level of ongoing maintenance.

After a website is launched, it’s not uncommon for it to sink to the bottom of a company’s priority list. However, it is important that law firms pay attention to their online properties to protect their firm’s brand integrity. Websites and online profiles are increasingly becoming the first point of contact between new clients and lawyers. It’s likely that a potential client — even if referred to you by a trusted source — will still take the time to check your firm out online before picking up the phone. Consequently, it’s wise to take steps to protect what often constitutes your first impression.

Many lawyers are surprised that their websites would be a target for hackers. While large law firms with high-traffic websites are certainly a strategic target for malicious hacking efforts, most website hacking is a crime of opportunity. In other words, your website may be hacked because you left the window open and not because it is of any strategic importance.

Even with open source content management systems such as WordPress, which take security very seriously, issues can arise if some basic precautions are not taken. You should also be aware that, unless you have signed on with a proprietary system that includes tech support or have specifically contracted with your website developer for ongoing oversight and maintenance of your open source platform, the obligation to take care of the site once it is up and running rests with you. It is equivalent to the presence or absence of an ongoing retainer for general legal services.

This blog post outlines some security basics for websites built on a content management system (CMS) like WordPress. While we ensure that websites are secure on the day they launch, these recommendations will help your firm minimize security risks in the years to come.

Website Server Security

Security starts with the server hosting your site. Never forget that your website lives somewhere in the real world, which means it can fail because of a fire, a bankruptcy, or an incompetent employee just as easily as it can get hacked.

Hosting companies should provide the most recent stable versions of all server software as well as reliable methods for the backup and recovery of website files. If you are not sure about how to choose a hosting company, you can always ask your website developers for suggestions.

A general rule of thumb is that you get what you pay for. If your site is hosted with the cheapest hosting company you found online, you should expect that your site may be hosted on a server in someone’s basement or resold from an overseas wholesaler.

Watch for vulnerabilities on your computer

If you have access to your Content Management System’s administrative interface, make sure the computers you use are free of spyware, malware, and viruses. It is a good practice to always keep your operating system and your web browser up to date to help protect against security vulnerabilities.

Use secure passwords – Update Regularly

Many potential vulnerabilities can be avoided by developing good security habits. A strong password is an important part of this. If you have difficulty coming up with a secure password, many automatic password generators are available that can help you create one. By adopting this practice, you will be doing yourself a favour by protecting your website (and every other account you log in to) from hackers attempting to install malicious code.

Remembering a strong password is obviously challenging, so you'll want to write it down and store it in a secure part of your office.

Keep WordPress Themes and Plugins Updated

Most modern software packages and plugins are updated regularly to address new security issues as they arise. With this in mind, you should always keep up-to-date with the latest versions of software.

WordPress users will be happy to know that updating WordPress is as simple as clicking a button. WordPress notifies you of any updates right on the WordPress dashboard. Once you are aware that an update is needed, you can easily navigate to the Updates Page to update WordPress, plugins, and even themes.

If your website is powered by a different CMS, like Joomla, you may have to contact your web developers to have the software updated for you, as some of these systems do not provide update buttons within their dashboards.

Back-up your website regularly

There are a few automated back-up plugins available for WordPress. You can use these plugins to create regular back-ups of your database and/or WordPress installation files. It is important that you always back up your site before you update WordPress, themes, or plugins, so that you can restore a reasonably recent version of your site content if anything goes sideways during the update process.

There are always two key components to backing up a website on a CMS: you need to back up the files AND the database. Most plugins will do this for you.
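As an added example (not from the original post), the script below does both halves of a pre-update backup from the command line: it archives the WordPress directory and then dumps the database using the credentials already stored in wp-config.php. The site directory, the backup directory and the presence of the MySQL client tools (mysqldump) on the host are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: back up BOTH halves of a
# WordPress site (files and database) before clicking "Update". Assumes one
# site directory containing wp-config.php and that the MySQL client tools
# (mysqldump) are installed on the host.
set -eu

# Read one define('KEY', 'value') constant out of wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (DB_NAME, DB_USER, ...)
wp_db_setting() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the whole install directory (themes, plugins, uploads, wp-config.php).
# $1 = site directory, $2 = backup directory. Prints the archive path.
backup_files() {
    out="$2/files-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$out" -C "$(dirname "$1")" "$(basename "$1")"
    printf '%s\n' "$out"
}

# Dump the database named in wp-config.php. Prints the dump path.
backup_database() {
    cfg="$1/wp-config.php"
    out="$2/db-$(date +%Y%m%d-%H%M%S).sql"
    # Hand the password to mysqldump via a mode-600 options file rather than on
    # the command line, where other users on the host could read it from `ps`.
    pwfile=$(mktemp)
    chmod 600 "$pwfile"
    printf '[client]\npassword=%s\n' "$(wp_db_setting "$cfg" DB_PASSWORD)" > "$pwfile"
    mysqldump --defaults-extra-file="$pwfile" --single-transaction \
        --host="$(wp_db_setting "$cfg" DB_HOST)" \
        --user="$(wp_db_setting "$cfg" DB_USER)" \
        "$(wp_db_setting "$cfg" DB_NAME)" > "$out"
    rm -f "$pwfile"
    gzip "$out"
    printf '%s\n' "$out.gz"
}

# Full pre-update backup: files first, then the database.
backup_site() {
    mkdir -p "$2"
    backup_files "$1" "$2"
    backup_database "$1" "$2"
}

# Usage: sh wp-backup.sh /var/www/example-firm /srv/backups/example-firm
if [ "$#" -eq 2 ]; then
    backup_site "$1" "$2"
fi
```

Copy the resulting archives somewhere the web server itself cannot write to; a backup that lives next to the site is lost together with it.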

Other ways to keep your site secure

Little things that also can help make your website more secure include:

  • Disabling unused user accounts
  • Never using “Admin” as your username
  • Granting users the minimum access they need to do their jobs

That’s just the beginning

There are many other ways to enhance your website’s defenses, such as:

  • Protecting against network vulnerabilities (updating firewall rules on your home router and being careful about the networks that you work from)
  • Using SFTP encryption if your web host provides it
  • Assigning the proper file permissions (allowing write access only to the necessary files)
  • Housing different websites and blogs in separate databases with different users
  • Securing wp-admin and wp-config.php, creating data backups, and monitoring your logs, files, and server
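The file-permission and wp-config.php points above can be checked and fixed with a short script; the one below is an added example, not from the original post. It assumes a Unix host where the web server runs as a different user than the owner of the site files, and it only touches the "other" permission bits, since whether the group needs write access depends on your host's setup.

```sh
#!/bin/sh
# Added example, not from the original post: audit a WordPress install for
# files anyone on the host can write to, and make sure wp-config.php (which
# holds the database password) is not readable by "other". Assumes a Unix
# host where the web server runs as a different user than the file owner;
# whether "group" needs write access depends on your host, so only the
# "other" bits are changed here.
set -eu

# List every file or directory under $1 that is world-writable (mode ...2).
world_writable() {
    find "$1" -perm -002 -print
}

# Print "yes" if users outside the owner and group can read wp-config.php.
wp_config_other_readable() {
    if [ -n "$(find "$1/wp-config.php" -perm -004 -print)" ]; then
        echo yes
    else
        echo no
    fi
}

# Remove the "other" write bit everywhere under the install and lock
# wp-config.php down to owner read/write, group read (0640).
harden_wordpress_tree() {
    find "$1" -perm -002 -exec chmod o-w {} +
    chmod 640 "$1/wp-config.php"
}

# Usage: sh wp-perms.sh /var/www/example-firm [--fix]
if [ "$#" -ge 1 ]; then
    echo "World-writable items under $1:"
    world_writable "$1"
    echo "wp-config.php readable by other: $(wp_config_other_readable "$1")"
    if [ "${2:-}" = "--fix" ]; then
        harden_wordpress_tree "$1"
    fi
fi
```

Run it without --fix first and read the report; uploads directories legitimately need to be writable by the web server user, so confirm which user owns them before changing anything.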

You can also sign up for website security monitors and install security plugins that will do most of the heavy lifting for you. Akismet (which comes with your WordPress install), BackupBuddy, LoginLockdown, Bulletproof Security, and Exploit Scanner are some options you may want to investigate.

Choosing a Plugin

If you want to choose different plugins for other reasons, there are a couple of things to keep in mind: (1) Check how quickly the developer responds to support requests; (2) Check out forum threads to see how well the plugin is supported; and (3) If two plugins do similar things, choose the one with the highest download count.

If this all seems a little daunting, consider retaining a web developer to keep your site up to date on a monthly, quarterly, or annual basis. In most cases, maintenance costs are extremely low because it simply doesn't take much time to do. Law firms should discuss maintenance and security options with their web developers either before or immediately after launching their new site.

Disclaimer: Sadly, there are folks out there with nothing better to do than hack into other people's websites, sometimes for profit and sometimes just to wreak havoc. The strategies and tools we review here are just a few of the things that we have found helpful, but we note that they do not provide a 100% guarantee against your site getting hacked or becoming the target of malware. Ideally, you should have access to an in-house IT team or a reputable contractor who can work with your website and domain hosting companies to help you protect yourself or (if necessary) address any issues that arise.

Hardening WordPress, WordPress Codex
Locking Down WordPress, by Code Poet
