Four Steps to a More Secure Website

Here’s a huge mistake that we continue to see all too often in our work: Organizations put 100% of their website budget into development, leaving nothing for ongoing maintenance and security.

The fact is that every website, no matter how small, requires ongoing attention—not only to keep the site performing at its best but also to help keep out hackers. We tell our clients to plan for website maintenance the way they do for car maintenance. When you buy a car, you budget for oil and tire changes, tuneups, and repairs. That’s the way you need to think about your website.

Don’t be fooled into thinking you won’t be a target

You may think your business or nonprofit website is safe from attack. After all, you’re no doubt small potatoes compared with eBay, Target, Anthem, Sony, AOL, the U.S. Post Office, and the numerous other organizations that have been in the news for getting hacked. So why should a hacker go after you?

The truth is that most hacks come from robots or “bots” trolling the web for vulnerable sites to infect, not from targeted attacks. Sites that are not regularly updated are the most vulnerable, since updates often patch weaknesses that hackers can exploit.

Malware can turn your site into a spam-producing, porn-infested, pharmaceutical-selling nightmare, or pull it offline altogether. The good news is that you can take some simple steps to minimize both the likelihood and the damage of an attack.

1. Start with a good host

A good website developer will likely steer you toward a host that builds security features into the hosting plan. These features may include firewalls, daily backups of your website, virus and malware scans, and more. (As a side benefit, security-minded hosts typically provide faster servers, which is important for user experience and search engine rankings.)

If you’re not sure what your current host offers in terms of protection, get on the phone and ask what measures they take to prevent attacks, as well as their protocol in the event of a hack. You should also know how much they charge to restore your site to an earlier, “clean” version if it does get hacked. Ideally they won’t charge for this service, since they should be backing up your site as a matter of routine.

[Image: Google blacklist warning] Google will display this page instead of yours if it sees that your site is infected with malware.

While we’re on the subject of site backups, many website owners only learn of a hack when a staff member (or, worse, a customer) sees the dreaded Google hack warning on the site (see example at right). Because days or even weeks may have passed since the site was infected, your backups may also be infected, unless your host keeps site backups for some time and provides daily scanning and removal of malware.

If your host doesn’t do this, we suggest that you either switch to a host with a more robust security protocol or hire a developer to put an additional backup system in place. As a reminder, it’s also important to check your site regularly to make sure everything looks OK.

2. Keep your website up to date

Updates are released regularly and are designed in part to fix any security loopholes that have been discovered and to put prophylactic measures in place to stay ahead of hackers. (They also fix newly discovered bugs and increase functionality.)

A hack can be crippling, even for sites with no sensitive data.

Unless you establish a plan and budget for periodic website maintenance, you are leaving your website vulnerable to attackers who are actively looking to exploit security loopholes. Regular maintenance should include updating your website’s platform (e.g., WordPress, Drupal, Joomla), its theme, and the plugins that govern specific functionality.

This doesn’t mean that you should start tinkering with updates yourself, unless you know exactly what you’re doing. WordPress and other content management systems do let you run some updates with the click of a button, but updates sometimes cause incompatibilities that can wreck site display or crash the site. For that reason, it’s best to have a web developer run updates, and always on a separate test site.

Check with your web developer to see if they offer this service (we do at Pen + Pixels). You can also hire a maintenance company such as WP Site Care.

3. Limit access to the back end of your site

Content management systems like WordPress allow you to assign varying levels of access to each staff member who will be updating the site, depending on their level of responsibility. This capability offers built-in protection for site owners. The problem is that new users are often added with a level of access that’s too high for what they need to do.

In the hands of the wrong person, high-level access can be disastrous. Ill intent isn’t usually the cause. We’ve seen sites overtaken by spam content, pulled offline, or even deleted completely when a well-meaning staff member mistakenly got into the wrong back-end files.

The solution is simple: Regularly review the user roles of everyone who has back-end access to your website. Remove access for former employees and others who no longer work on the site, and adjust the roles for those remaining to limit top-level access. In most cases the Editor role is sufficient, as it allows staff to update site content but not change core files. You can also assign roles that will let you approve changes before they appear on the site. With few exceptions, the only people who should have administrator-level access are the person at the top and your developer.

4. Take measures to reduce brute-force attacks

In this era of password admonishments, you might think we’d all be on board with those long, incomprehensible strings, yet a surprising number of organizations still use weak passwords to access their websites. This makes your site vulnerable to brute-force attacks, where automated systems try to guess the username and password to gain access and inject malware.

You can protect your site from staff who rely on simple passwords or who fail to change the preassigned username “admin” by having your developer install a plugin that ensures use of strong passwords and limits login attempts. Some hosts also provide these features as part of their hosting packages.
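As an added illustration (not code from the original post or from any particular plugin), here is a small Python sketch of the two controls just described: a password-policy check and a per-username, per-IP failed-login limiter with a lockout window. The thresholds, the common-password list, and the reserved-username list are assumed values chosen for the example.

```python
import re
import time
from collections import defaultdict

# Assumed policy values for this example, not from the original post.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
COMMON_PASSWORDS = {"password", "123456", "admin", "letmein", "qwerty"}
RESERVED_USERNAMES = {"admin", "administrator", "root"}

def username_is_reserved(name: str) -> bool:
    """Flag default account names such as 'admin' that should be renamed."""
    return name.strip().lower() in RESERVED_USERNAMES

def check_password_strength(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    return problems

class LoginLimiter:
    """Counts failed logins per (username, client IP) and locks out after too many."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so the lockout window can be tested
        self.failures = defaultdict(list)   # (username, ip) -> timestamps of recent failures

    def _recent(self, key, now):
        # Drop failures older than the lockout window, keep the rest.
        window_start = now - LOCKOUT_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > window_start]
        return self.failures[key]

    def is_locked(self, username: str, ip: str) -> bool:
        return len(self._recent((username, ip), self.clock())) >= MAX_FAILED_ATTEMPTS

    def attempt(self, username: str, ip: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'locked', 'denied' or 'allowed'."""
        now = self.clock()
        key = (username, ip)
        if self.is_locked(username, ip):
            return "locked"                 # refused even if the password is right
        if not password_ok:
            self._recent(key, now).append(now)
            return "denied"
        self.failures.pop(key, None)        # a successful login clears the counter
        return "allowed"
```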

Constant vigilance!

No organization leaders ever want to be greeted by a warning that their site has been blacklisted. All it takes to avoid this is putting in place a plan and a modest budget to support it.

With regular maintenance and a well-thought-out security plan, you will be able to stay ahead of hackers. Equally important, in the unlucky event that you do get hacked, you’ll be able to get your business back online fast and with minimal hassle.