How Can I Be Sure My Website Is Secure?

Questions to ask yourself or your web designer to ensure your website is as secure as possible.

I have to be honest: there is no 100% foolproof way to secure even a simple website. It’s said that website security is only as strong as its weakest link, and there are many links in the chain along the way: hosting, code quality, developers, you and anyone else involved all play a key role in your website’s security.

This guide is written for the do-it-yourself business website owner, but it can also be used as a list of points that your website developer should be able to discuss with you regarding their processes for developing and maintaining your website.

If you are just starting out with a new website and a new domain, there are three critical things that you, as a business owner, need to know to ensure that you are always in control of your website, its name and the hosting account where the files are stored:

Who owns the domain name?

Make sure you sign up directly at a reputable registrar’s website and not through your web host, web designer or anyone else. Making sure you own your domain name is the first step to making sure you are always in control of your domain.

Who owns the hosting account where the files are hosted?

Did you sign up directly at the host or through your web designer? Signing up directly at the host with your information and credit card is really the only way to ensure that you own the hosting account. This is important should something ever happen between you and your web design team. You should never be trapped or forced to use one person or company.

Whose name is the domain registered to?

Be sure that the domain is not registered to an employee or anyone else who does not hold a stake in the company. Employees leave, relationships can sour, and whoever owns the domain has the right to do with it as they please. Don’t hand this task to anyone else, including your web designer, unless you are extremely sure that they will register the domain name to you or to the correct entity within the organization.

Now that you have established ownership, it’s time to move on to the website development process.

The following are some ways to reduce the chance of being hacked. They are questions to ask yourself if you are planning a DIY website; if you are hiring a web designer/developer, you should be aware of these things so that you feel prepared to ask them about their security processes:

Where is the website hosted?

Choosing a good web host is a huge step in the right direction when it comes to keeping your site secure. The overloaded servers on cheap shared hosting packages are often poorly maintained. All sorts of nasty things can happen when a host doesn’t keep a close eye on its servers, who is on them and what kind of things they are hosting.

Does your host keep the server software updated?

Apache, PHP, ASP, MySQL (just to name a few) are all programs that should be kept up to date (at least as much as possible) on the web server. They don’t need to be the absolute latest versions, but they should be recent releases. If you are using an open source solution, make sure that your host at least keeps up with the project’s minimum version requirements as the project progresses.

How secure are the passwords used to access my site (and its database, if applicable)?

Don’t use your easy-to-remember, one-size-fits-all password for hosting, databases or website logins. Use a different, secure password for each. Secure passwords should not include personal information such as a pet’s name, should be over 8 characters, should contain numbers and letters (lower case and capital), and possibly even symbols (such as !@#$%^).

Are my website’s passwords stored in a secure way?

A notebook in your desk is not a very secure place for passwords. Make sure to keep passwords behind lock and key; if the notebook is in a locked, fire-proof safe, you are better off. Storing passwords digitally is fine as well, as long as they are stored in a password-protected, encrypted file. If you store them online, make sure that you connect to the location only through a secure connection (you should be using an https:// address, and you will likely see a lock in your browser).

Who will be connecting to your host?

Do you have employees who will access the site? What level of access will they have? Will they be able to access all the files, or will they only be able to edit certain things? The fewer people involved in the process, the better, especially people who access the host or are given administrator rights to the files.

Are the machines that will connect to the host using updated anti-virus software?

Keep your anti-virus software updated at all times on the computer you use to access your host and/or website logins. Malware such as keyloggers can capture your username and password with ease, and this is the easiest way for a hacker to gain access to your site and have their way with it.

How are you connecting to the web host?

Always use SFTP/SSH to connect to the host. Standard FTP and HTTP send your data unencrypted, so they are susceptible to packet sniffing, where an attacker captures the data as it crosses the internet. Using SFTP to connect to your host means that the data sent between you and the server is encrypted (and, for the same reason, any web-based login should be on an https:// address).

What is your backup procedure?

Back up your site, and back it up often. Store backups in more than one location, preferably off the server you are hosting on. If your site uses a database, make sure that the database is also backed up daily.
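A backup routine that follows the steps above, added here as an example and not code from the original article: it archives the site files, dumps the database, checksums both so a restore can be trusted, and copies the result to another machine. It assumes a Linux host with GNU tar and coreutils, mysqldump reading its credentials from ~/.my.cnf, and rsync over SSH; WEBROOT, BACKUP_DIR, DB_NAME and OFFSITE_DEST are placeholder names chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the original article. Archives the site files,
# dumps the database, checksums both, and copies everything off the server.
# WEBROOT, BACKUP_DIR, DB_NAME and OFFSITE_DEST are placeholder names chosen here.
set -eu
# backup_site WEBROOT BACKUP_DIR: writes BACKUP_DIR/site-<stamp>.tar.gz plus a
# .sha256 file next to it and prints the archive path.
backup_site() {
    webroot=$1; backup_dir=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$backup_dir"
    archive="$backup_dir/site-$stamp.tar.gz"
    # -C keeps paths relative, so the archive restores anywhere, not only at the old path
    tar -czf "$archive" -C "$(dirname "$webroot")" "$(basename "$webroot")"
    (cd "$backup_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    echo "$archive"
}
# backup_db DB_NAME BACKUP_DIR: dumps a MySQL database with mysqldump. Credentials
# come from ~/.my.cnf so the password is not on the command line or in history.
backup_db() {
    db=$1; backup_dir=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dump="$backup_dir/db-$db-$stamp.sql"
    mkdir -p "$backup_dir"
    mysqldump --single-transaction "$db" > "$dump"   # no pipe, so a failed dump stops the script
    gzip -f "$dump"
    (cd "$backup_dir" && sha256sum "$(basename "$dump").gz" > "$(basename "$dump").gz.sha256")
    echo "$dump.gz"
}
# verify_backup ARCHIVE: succeeds only if the checksum matches and tar can read the
# archive. A backup that has never been verified is not one you can count on restoring.
verify_backup() {
    f=$1
    (cd "$(dirname "$f")" && sha256sum -c --status "$(basename "$f").sha256") \
        && tar -tzf "$f" > /dev/null
}
# copy_offsite BACKUP_DIR OFFSITE_DEST: rsync over SSH to another machine, so a
# compromised or failed server does not take its own backups with it.
copy_offsite() {
    rsync -az -e ssh "$1/" "$2/"
}
# Example run (only when BACKUP_RUN=1 is set in the environment):
if [ "${BACKUP_RUN:-0}" = "1" ]; then
    bdir=${BACKUP_DIR:-/var/backups/site}
    verify_backup "$(backup_site "${WEBROOT:-/var/www/html}" "$bdir")"
    [ -z "${DB_NAME:-}" ] || verify_backup "$(backup_db "$DB_NAME" "$bdir")"
    [ -z "${OFFSITE_DEST:-}" ] || copy_offsite "$bdir" "$OFFSITE_DEST"
fi
```

Run it from cron with BACKUP_RUN=1 and the placeholder variables set for your host; the checksum files travel with the archives, so the off-site copy can be verified with the same verify_backup function.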

If you are using any of the popular open source content management systems (CMS) or blog solutions, such as WordPress, Drupal or Joomla:

How do you know that the server and the CMS are working together securely?

Follow the developer’s security guide. Most open-source products have a well-defined set of standards for server setup that you will want to follow. These security guides are very important and go a long way towards protecting your site.

How do you choose which plugins / addons / extensions to use on the website?

If you are looking to add more functionality to your site with plugins (one of the key components of open source products), choose mature products where possible, and always check the plugin’s feedback. If the plugin is new, make sure the developer is reputable. The community at large regulates plugin developers through feedback: a poorly coded plugin will usually have a poor rating and/or bad feedback.

How often do you patch (or upgrade) the CMS and its plugins?

Do you patch as soon as the update is released, or do you give it some time? Leaving an installation of a popular open source product and/or its plugins unpatched for a lengthy period of time is a bad idea. Patches usually contain fixes for security issues, among other things. It’s a lot of work to keep systems updated and in working order, but it is of the utmost importance to do so. Hackers know about security holes and use tools that scan the web 24/7 to find sites they can exploit. Once a patch is released, it effectively tells the general public about the security risk the development team found, and once that is general knowledge, the hole is very easy to exploit.

This might seem like a whole lot of work; however, it’s a lot more work (not to mention money) to safely restore or rebuild an entire website from scratch. If you reinforce all of the links in the security chain as much as possible, you will greatly reduce the ability of hackers to manipulate your website files.