By Jason Unger
If your company has a website, you have a security risk. Today's popular database-driven, open source-powered websites are big targets for hackers looking to disrupt your business, publish junk content, and generally just cause trouble.
My company is comprised of experts in designing, developing and managing sites powered by WordPress, the content management system that powers more than 28 percent of websites online today. As you can imagine, because there are so many sites using WordPress, and given the fact that it is open source software, there are plenty of troublemakers who try to hack insecure WordPress sites. When we help clients secure their websites or clean up their sites after an attack, we educate them that the hacks are likely not targeted at them. It's usually someone simply scanning for known vulnerabilities that they can exploit.
There are steps you can take to keep your website secure. Here's how.
Keep Your Software Up-to-Date
With software like WordPress, which regularly releases new versions to provide new features and patch security issues, updating is a must. Generally, if the update contains an immediate security patch, WordPress is able to update itself, but that's not always the case. Know what updates are available for your content management system and implement them.
If you use plugins or other add-ons to enhance your site's functionality, keep them updated as well. This is especially true if the plugins are built by third-party developers. If you have a plugin that has not been updated by its developer for some time, you should be aware that it may contain a security hole that was never patched.
Be judicious when deciding what third-party products to add to your site, and if you're not using a plugin or alternate theme on your site, remove it. Getting rid of the code from your server ensures that it can't be exploited.
Only Give Access to Those Who Need It
The more people who have access to your website or server, the greater the chance that someone's account will be used to hack your site. While everyone involved in your website certainly has the best of intentions, all it takes is one person's account to get hacked. Limit who has access to your website, and set up user levels for those who do have access. If your CEO wants to have an account on the site, that's great. But if he or she is not going to be changing site settings, don't set up an administrator account.
As people move on from your company, ensure that their accounts change as well; I've seen one too many sites with admin users who have long switched jobs.
Use Trusted Partners for Hosting and Website Management
Know what your web host and website manager do to keep your site secure, and understand it to the best of your ability. Get on the same page as far as who is responsible should a hack happen. Is it you? Is it your site manager? Is it your host? Whoever it is -- know beforehand. When you're picking out service partners, understand that price matters. Cheap web hosting is cheap for a reason. It's not good.
Ask for references or a list of your partners' other clients to make sure they're reputable. You have to be able to trust them to help you or to get the job done themselves should an issue arise.
Install an SSL Certificate
Your website should include an SSL certificate, which turns it from an "http" site to an "https" site. When your site is secure, you are ensuring to your customers that they are indeed on your site, and not being subjected to a man-in-the-middle attack. It's not a large investment in cost or time to switch to a secure site. At this point, it's really low-hanging fruit.
Google uses your site's security as a ranking factor in its search algorithms, so if you have an SSL certificate, you're getting an additional positive consideration.
Be Vigilant: You Can't Set It and Forget It
Security is not a one-time endeavor. It needs to constantly be a part of your digital strategy. You need to understand current threats to your website or have someone managing your site who does understand them. While there are plenty of security fundamentals you can implement, find out what more you can do. Push your service partners to better explain their security protocols and if there's more they can do.
If your company has a website, you have a security risk. If someone intentionally wants to hack your site (which is rarely the case for the majority of sites), they have plenty of ways to go about it. Don't make it easy for them. Be vigilant, and constantly work to make your site more secure.
--
Jason Unger is the founder of Digital Ink, the creative and digital team that provides custom website design and development, graphic design for print and digital, WordPress consulting and website management.