In the wake of the WannaCry attack and two hacking attempts on our own website in the past three weeks, security is at the top of our mind. It should be at the top of yours, as well.
Here are the things that you or your web management team should be doing to ensure that your website remains a productive marketing tool and is not conscripted to slave duty in some hacker’s evil plans.
Stay Up to Date
Whether you’re running WordPress, Joomla, or any other commercial CMS (content management system), you decrease your odds of being compromised if you keep the “core” coding updated as new versions are released.
It’s not critical to stay right on top of the latest small releases, but you shouldn’t be waiting too long before installing them. A monthly review is our recommendation, though you can reduce that to quarterly if your site isn’t mission critical.
As I mentioned, there’s no need to jump on most releases immediately. In fact, we often wait at least a few days to install new releases for our clients since those releases sometimes have problems of their own. They’re typically addressed in a subsequent update.
Back Up Regularly
Even the best laid security plans can go awry, so you’ll want to be sure that you are backing up your site regularly. How often you need to back up will depend on how frequently you update the site’s content. Most of our clients are on a weekly backup schedule, with the backup archive holding on to the most recent 4 weekly backups. (Meaning, we can dig back as far as a month if we need to restore an older version of the site.)
You can do this daily if you are very active in updating content, or monthly if you rarely change content.
How you back up is another question – many hosting providers offer backups, but aren’t always eager to help you restore. You may want to consider an off-server backup solution so that you can get back up and running quickly if your provider has a major failure of the server on which your site is hosted. These are easy enough to set up in just about any CMS.
Undo Defaults
Most systems come with default settings for everything from the main administrator account to the name and location of the main site database. Change these. (Right now!) Keeping the default “admin” user for your WordPress site, for example, means hackers only have to guess your password. Why make the job that much easier for them?
Keep it Human
Many of the attacks on your site will be brute force attacks that make use of bots of one kind or another. These bots don’t typically fare well with tools designed to establish there’s an actual human person at the keyboard. So things like ReCaptcha can be effective in limiting your exposure.
Understand That We’re All Human
This won’t stop a disgruntled ex-employee, of course, so you should have policies in place for frequently changing passwords and controlling who has those passwords. Separate accounts should be established for each person who needs access to your admin dashboard, hosting account, and other sensitive accounts. This allows you to shut down access as needed without causing disruption for other staff members. It also allows you to track activity at the account level – in most CMSs, you can see who has logged in and what changes they’ve made.
The Geeky Side
There are a number of more technical steps that can be taken. Since these will depend on the kind of CMS your site is running, we won’t go into details, but you should be asking your web maintenance team whether they are taking steps to secure your site’s underpinnings.
Solid website maintenance isn’t glamorous – not even a little – but the minimal amount of effort it takes to do well is inexpensive insurance against failures that can knock you offline for days – or longer – if you’re not prepared.
