Keeping Your Website Secure
Web & Cyber Security have continued to become more critical in recent years. Not only the nature of threats and attacks have advanced, but the number of users and businesses depending on online services has exponentially increased as well. Cyber Security was identified as a Tier 1 threat in the 2010 National Security Strategy, alongside Terrorism, War, and Natural Disasters.
In this hands-on approach blog, we will look at tips and best practices to immediately implement and improve your website security.
Regularly Update Your Website Technology
Perhaps the most common reason for a website to be compromised is an outdated, vulnerable software providing cyber attackers with a simple way to compromise the site.
If you run a CMS based website such as WordPress, then this means keeping the WordPress up to date and all the third-party plugins installed to be updated regularly.
You also need to ensure that underlying platforms and technologies, including the operating system and web server such as LAMP (Linux Apache MySQL PHP), are regularly updated as per vendors' guidelines.
Some of the above measures could be implemented by your website hosting provider.
Web Access Firewall
A Web Access Firewall (WAF) is different from a firewall installed on the hosting server. Think of this a bit like a security guard standing between your users and your website.
Any web request directed to your website will go through the WAF first. WAF will verify that the request is not malicious, and that the source of the request has not been recorded as 'blacklisted' in other security providers' databases.
Once these checks are completed, the request is forwarded to your website. Quite a few WAF providers also hide your server IP address from the web traffic. A WAF will also protect your site from DoS ( Denial of Service) and DDOS ( Distributed Denial of Service). A good example of a free WAF provider is Cloudflare.
Idle User Accounts
Over time, people change their roles within the business. Some of your users leave and no longer work for you. Every system, over time, builds up a collection of users that no longer use the system. This happens to websites too.
Whether it's a CMS-based or a bespoke website, you will end up with users who no longer need access to your website over the years. These unused active accounts can result in a security compromise. If you are using a CMS based platform, then look for a reputable plugin that can automatically deactivate idle user accounts.
If you are developing a bespoke website, ask your developers to implement security policies so that unused accounts are automatically deactivated after a certain period.
We all know no matter how many memos and emails you send out to remind your users to change their passwords regularly, some users still tend to use simple and easy to guess passwords.
A simple solution is to have a password policy in place that expires the passwords after a certain number of days and forces the users to change their password regularly and choose a strong password.
If you are using a CMS like WordPress or similar, you should find a plugin or extension that can achieve this for you.
For bespoke web development, your web developers should be able to implement this for you.
This one has become easier to implement in recent years. An SSL certificate allows encrypting the web traffic between a user browser and the website (or the web server).
This results in all traffic between the web user and the website to be fully encrypted, hence keeping it secure from 'wiretapping'.
These days most web hosting providers offer free SSL as part of their offering.
To check if a website is fully SSL compliant, open the website in the browser like chrome and you should see a padlock in the address bar confirming that SSL certificate is installed correctly.
Regular Secure & Off-site Backups
Regular site backups are no brainer, and you should not compromise on quality when it comes to having a secure backup solution in place.
If you can afford to, have off-site backups in addition to your regular backups. This could also mean keeping your backups outside your hosting provider echo system.
It's good to regularly verify the quality of your backups by performing a 'disaster recovery drill'. And do not forget to protect your backup files with strong encryption.
A vulnerability scan involves checking your website code through software and identifying security issues.
There are few options available to you when it comes to identifying and mitigating security vulnerabilities in your website. If you are running a CMS based site such as WordPress, you can go for a plugin like Wordfence that identifies and reports vulnerabilities found in the WordPress platform and third-party plugins.
You can also go for a website scanner that can scan your website regularly and report vulnerabilities.
Whichever provider you use, ensure that a vulnerability scan is not a one-off solution. You must regularly scan your website for vulnerabilities and then mitigate the identified risks by taking appropriate actions.
I hope that you find these measures useful and easy to implement.
Web security experts know that 'Security is a Journey'. As cyber threats will continue to evolve, your web security measures will be required to improve as well.
As a website owner, you know the significance of keeping your website secure. We have shared some crucial and simple measures to help you. However, if you do not have the right resources to look into these intricacies, hire the top web developers, they will do it for you!