5 important security tips for your website
While it might not be top of mind, website security demands a big conversation — not only for web developers, but for anyone who has or maintains a website or even anyone who uses the internet (here’s looking at you, web surfer). We’ve seen enough attacks and vulnerabilities over the last year (remember Sony Pictures, the Pentagon’s social media, Shellshock, Heartbleed & WordPress) to realize that this is a serious issue and one that’s not going away any time soon. So, what can you do as a website owner to take precautions where you can?
I’ll walk you through 5 important security tips for your website and how to implement them today.
1. Update WordPress + Plugins (or other platforms)
Always remember, websites are not ‘set and forget’ and the upkeep is the responsibility of the website owner. Using a content management system (CMS) like WordPress has numerous advantages, including regular security patches and updates. Each small release from WordPress addresses tune-ups and fixes for your site and each major release offers new features and design refinements. While the latter is great for a new look and updated interface, it’s the security releases that will be your best friend. We love our car analogies here at 24 and this offers the perfect opportunity for one. Just as you would regularly service your car for an oil change, you need to regularly service your website. Otherwise, it will slowly deteriorate and become increasingly vulnerable to attacks. Again, just as you likely take your car to a mechanic, it’s best to check in with your web developer prior to upgrading plugins or the core. If you maintain your own website, best practice is to back up your site files and database first. There is a risk of conflicts or broken code after an update, so the backup gives you something to restore from in case anything goes wrong.
2. Keep Regular Backups
Say your website crashes tomorrow or there is malicious code injected via some nasty scripts. Would you be able to roll back to a previous, unadulterated version? We certainly hope so! Realistically, many people don’t know how to answer this question. Some hosting packages include regular backups, while others don’t. The best idea is to contact your hosting provider (or the web developer who manages this) and ask them if and how often database and code backups are taken. Managing backups at a hosting level requires the least amount of time from you – a win in our books!
3. Secure Hosting
Not all hosting is created equal. This is mostly apparent in the visual interface used by each hosting provider and the level of support given through their online ticketing system. Less apparent are the servers and their security. A server requires upkeep and maintenance, just like your computer would. Servers should be running the latest software and be regularly patched to ensure the highest security possible. Looking for the right hosting provider? We can help you.
4. Strong Passwords
We’re all guilty of using the same password to manage multiple accounts online. It’s frightening to imagine remembering a different, strong password for everything we access, but cracking a password isn’t difficult, so please proceed with caution. I won’t dive too deep into personal, online accounts here (although I recommend checking out LastPass for secure password management) but it is essential that your WordPress admin login uses a secure password. Also, never use ‘admin’ as the username as this is a dead giveaway to anyone trying to hack your account. So, what constitutes a strong password? Here’s the breakdown:
- 12 characters, minimum
- Include numbers, symbols, capital letters and lowercase letters
- Do not use a word from the dictionary
- Avoid substituting obvious numbers for letters, for example, using ‘3’ for ‘E’
While we would love to offer great tips for remembering passwords, it’s certainly a tough one. Passwords stored online or on your computer won’t be 100% safe, so maybe there’s some argument to a good old pen and paper. If you have a filing system at home or in your business, consider keeping a password journal that you update and maintain regularly. We know this may sound archaic, so again, we recommend looking into password management that suits you.
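The four password rules listed above, written as a checker (an added example, not code from the original post). The word list, the substitution table and the sample passwords are constructed for illustration, and treating a dictionary word found anywhere inside the password as a violation is an assumption about how to apply the third rule.

```python
import re

MIN_LENGTH = 12

# Constructed sample word list; a real deployment would load a full dictionary.
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "sunshine", "letmein"}

# Obvious character-for-letter swaps (constructed table, e.g. '3' for 'E').
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# One regex per required character class.
REQUIRED_CLASSES = {
    "no_digit": r"[0-9]",
    "no_symbol": r"[^A-Za-z0-9]",
    "no_upper": r"[A-Z]",
    "no_lower": r"[a-z]",
}


def contains_word(text, words):
    """True if any word appears anywhere inside text (assumed reading of the rule)."""
    return any(word in text for word in words)


def check_password(password, words=SAMPLE_WORDS):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    for name, pattern in REQUIRED_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(name)
    lowered = password.lower()
    if contains_word(lowered, words):
        problems.append("dictionary_word")
    elif contains_word(lowered.translate(LEET), words):
        # A word shows up only after undoing the swaps: the substitution hid nothing.
        problems.append("leet_substitution")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ["Sunshine2024", "P@ssw0rd2024!!", "qT7#vLx2!mRz9&"]:
        print(candidate, check_password(candidate) or "ok")
```

The second sample meets the length and character-class rules and still fails, which is the case the last rule in the list is about.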
5. Use SSL/TLS
SSL/TLS (Secure Sockets Layer/Transport Layer Security) is most commonly used on eCommerce websites, where you are sending sensitive data (your credit card information) across the interwebs. You can see this in the URL bar at the top of the webpage – marked by https:// (as opposed to http://) and sometimes a little security lock. But what most people miss is the other sensitive information we are sending online – admin login information. As an extra step in security for your website, it may be wise to enable https:// for all login pages and wp-admin. This is the most sensitive area of your site and the extra lockdown could save your passwords from creeping out into the wrong hands. To use SSL/TLS, the first step is to purchase an SSL certificate. This is usually done through your web hosting provider. We recommend consulting your web developer to assist, as the next step requires some updates to the code to enable the page to run off of https:// rather than http://.
So, are the security risks sinking in?
Now that you have a few tips, it’s a good idea to make a plan to put these into action. There will be a little time and money involved, but to mitigate some of the risk in a hacked site, it’s a relatively low investment.
But this isn’t a big deal for me, right?
Simply put? Wrong. I’m focusing specifically on website owners today, but anyone who uses the internet should join in the conversation. We’re not talking about security as much as we should be and currently, it’s sitting in a mostly reactive space: “Oh man, our website got hacked — please fix it ASAP!!” rather than a proactive one: “Hey, looks like our website needs an update, can you please help us?”
As a digital company and people in the digital space, I think we can shift some responsibility on ourselves to be the advocates — to introduce website security into our process, not only on a technical level, but an educational one. As a digital producer, I’m taking this on board and adding it to my conversations with clients. If I don’t share this knowledge with them, who else will?
So, are you ready to have the talk?
Seemingly, we’ve all just been doing this internet thing for a while now, acting like we’re safe from behind a computer or a screen. But how much longer can you ignore online security before you or your website fall victim? I’m calling for a shift in the way we think about sharing information online. Recent television shows like CSI: Cyber are helping open the conversation — bringing terms like black hat hacker, spoofing and backdoor into our homes and sparking new conversation. Could you afford to have a hacker spoof you?
I believe we are sitting on the brink of moving from denial and ignorance to realizing that this is a big deal. But how many more hacks and vulnerabilities will it take? Will it take your website crashing or leaking sensitive data to make the investment?
Let’s get a few steps ahead, by growing the conversation and talking about online security so we can start doing something about it.
I’d love to hear your security tips or your take on the future of online security in 2018.