If you have a website, or even if you’re thinking about creating one, the question “how to secure my site” should be at the front of your mind at all times. Although the internet has opened up huge opportunities for legitimate businesses, it has also opened up huge opportunities for malicious actors, such as hackers. This means that all modern businesses need to take website security very seriously.
How to secure my site
When you’re thinking about how to secure your site, there are three key areas you need to address: laying the right foundations, managing your users (internal and external), and undertaking robust monitoring.
Lay the right foundations
This may be painful to hear, but if you have an established website, you may want to bring in a proper website-security expert and ask them for their thoughts on how to secure your site. You may find that it would be in your best interest to rebuild it from scratch, this time keeping security front and center throughout the process.
While this may not be great news, it’s better to address any security issues voluntarily than to wait until someone exploits them. It’s also worth remembering that you would be updating the actual framework of your website. You could reuse your content. In fact, a website revamp could give you a great opportunity to update it.
If you’re building a new website, then you want security to be baked into its core from the very start. This means thinking about how you purchase your domain (make sure you activate any privacy options), choosing the right hosting options (especially if you’re sharing a server) and content management system, and building functionality on the basis of security first and design second. To be clear: design is extremely important, but security is even more important.
Manage your users (internal and external)
Give as much thought to the structure of your team of internal users as you do to your website itself. On the one hand, you want to minimize the number of internal logins you create and, in particular, the number of administrator logins you create.
On the other hand, you will need to be realistic about the need to have cover for staff absences. Documenting instructions and processes is fine, and in fact highly recommended, but somebody following a step-by-step guide is unlikely to be as confident as someone who is in regular practice. Given that speed is often a concern for businesses, it can make sense to have more than the bare minimum number of accounts so that cover is available when it is needed.
Once you’ve established how many users you need, you designate specific people to fulfill the necessary roles and give each of them their own login. This is for their sole use and sharing credentials must be explicitly banned. To encourage people to adhere to the ban (without having to be forced) make sure you have a straightforward process by which people can get their own login credentials. Furthermore, make sure you have a straightforward process by which login credentials are promptly revoked when they cease to be needed, for example when staff move on.
In principle, you can enforce robust password policies on both internal and external users. In practice, there is really nothing you can do to stop either group from recycling the same passwords they use everywhere else, possibly with slight variations.
For internal users, however, you can usually enforce two-factor authentication. This adds an extra layer of security. Please note, however, that two-factor authentication itself can be compromised, especially if, as is often the case, you implement it through text messaging rather than through a token.
Both internal and external users can be blocked after a certain number of failed password attempts and logged out after a certain period of being idle.
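The three controls just described, a token-based second factor, a lockout after repeated failed attempts, and an idle logout, are shown below in one small login service. This is an added example written for this article, not code from the article's author or from any product it mentions. It assumes a Python web backend with an in-memory account store, implements the second factor as a standard TOTP token (RFC 6238, which is what authenticator apps and most hardware tokens generate), and the policy values at the top (five attempts, fifteen-minute lock, ten-minute idle timeout) are constructed placeholders rather than anything the article prescribes.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Policy values are constructed for this example; tune them to your own risk appetite.
MAX_FAILED_ATTEMPTS = 5         # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60       # how long a lock lasts
IDLE_TIMEOUT_SECONDS = 10 * 60  # a session unused for this long is discarded
TOTP_STEP = 30                  # RFC 6238 time step in seconds
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000         # raise this in production; kept modest so the demo runs quickly


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift."""
    counter = int(now // TOTP_STEP)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class AuthService:
    """In-memory login service: password + TOTP, failed-attempt lockout, idle timeout."""

    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so the behaviour can be tested without sleeping
        self.accounts = {}       # username -> account record
        self.sessions = {}       # session token -> {"username", "last_seen"}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = {"salt": salt, "pw_hash": self._hash(password, salt),
                                   "totp_secret": totp_secret, "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, code: str):
        """Return (session_token, status); the token is None unless status is 'ok'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            return None, "invalid credentials"   # same answer as a bad password: no user enumeration
        if now < acct["locked_until"]:
            return None, "account locked"
        pw_ok = hmac.compare_digest(self._hash(password, acct["salt"]), acct["pw_hash"])
        otp_ok = verify_totp(acct["totp_secret"], code, now)
        if not (pw_ok and otp_ok):               # both factors are always evaluated
            acct["failures"] += 1
            if acct["failures"] >= MAX_FAILED_ATTEMPTS:
                acct["failures"] = 0
                acct["locked_until"] = now + LOCKOUT_SECONDS
                return None, "account locked"
            return None, "invalid credentials"
        acct["failures"] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"username": username, "last_seen": now}
        return token, "ok"

    def touch(self, token: str):
        """Called on every request: returns the username, or None if the session is gone or idle."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]             # idle too long: force a fresh login
            return None
        sess["last_seen"] = now
        return sess["username"]


if __name__ == "__main__":
    secret = secrets.token_bytes(20)             # constructed demo secret
    svc = AuthService()
    svc.register("alice", "correct horse battery staple", secret)
    print(svc.login("alice", "correct horse battery staple", totp(secret, time.time())))
    print(svc.login("alice", "wrong password", "000000"))
```

Two design points are worth noticing. The lockout counter is incremented whether the password or the one-time code was wrong, and an unknown username gets the same reply as a wrong password, so the login form does not reveal which accounts exist. The idle check runs in `touch()` on every request rather than only at login, which is what actually ends a session that somebody walked away from.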
If you allow external users to enter any data into your website, even if it’s just a basic “contact us” form, then be sure to validate it thoroughly. If you’re allowing them to upload files, then it’s advisable to place restrictions on the size of those files so that the upload channel cannot be used as a vector for DDoS attacks.
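What "validate it thoroughly" and "restrict the size" look like in code is shown below for the contact-form case. This is an added example, not code from the article or from any product it mentions; it assumes a Python backend, the field names `name`, `email` and `message`, and limits (100-character name, 2000-character message, 2 MiB upload, three allowed file types) that are constructed for the example rather than taken from the article. The upload reader stops consuming bytes the moment the limit is passed instead of trusting the client's declared length, which is the part that actually bounds what a hostile uploader can make the server buffer.

```python
import io
import re

# Limits are constructed for this example; size them to what your form genuinely needs.
MAX_NAME_LEN = 100
MAX_MESSAGE_LEN = 2000
MAX_UPLOAD_BYTES = 2 * 1024 * 1024           # 2 MiB
ALLOWED_UPLOAD_TYPES = {"application/pdf", "image/png", "image/jpeg"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# A name often ends up in an outgoing mail header, so no control characters at all (CR/LF included).
NAME_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")
# A message body may contain tabs and line breaks, but nothing else from the control range.
MESSAGE_FORBIDDEN = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def validate_contact_form(fields: dict) -> dict:
    """Return {field: error}; an empty dict means the submission passed every check."""
    errors = {}
    name = (fields.get("name") or "").strip()
    email = (fields.get("email") or "").strip()
    message = (fields.get("message") or "").strip()

    if not name:
        errors["name"] = "required"
    elif len(name) > MAX_NAME_LEN:
        errors["name"] = f"longer than {MAX_NAME_LEN} characters"
    elif NAME_FORBIDDEN.search(name):
        errors["name"] = "contains control characters"

    if len(email) > 254 or not EMAIL_RE.match(email):
        errors["email"] = "not a valid address"

    if not message:
        errors["message"] = "required"
    elif len(message) > MAX_MESSAGE_LEN:
        errors["message"] = f"longer than {MAX_MESSAGE_LEN} characters"
    elif MESSAGE_FORBIDDEN.search(message):
        errors["message"] = "contains control characters"
    return errors


class UploadRejected(ValueError):
    """Raised as soon as an upload breaks a rule, before the whole body is buffered."""


def read_upload_bounded(stream, content_type: str, limit: int = MAX_UPLOAD_BYTES,
                        chunk: int = 64 * 1024) -> bytes:
    """Read an upload in chunks and stop the moment it passes `limit` bytes.

    The client's Content-Length header is not trusted (it can be absent or false); the only
    reliable bound is the number of bytes actually consumed from the connection."""
    if content_type not in ALLOWED_UPLOAD_TYPES:
        raise UploadRejected(f"type {content_type!r} not allowed")
    buf = bytearray()
    while True:
        # never ask for more than one byte past the limit, so memory use stays bounded
        piece = stream.read(min(chunk, limit + 1 - len(buf)))
        if not piece:
            break
        buf.extend(piece)
        if len(buf) > limit:
            raise UploadRejected(f"upload exceeds {limit} bytes")
    return bytes(buf)


def check_upload(data: bytes, content_type: str, limit: int = MAX_UPLOAD_BYTES) -> str:
    """Demo/test helper: returns 'accepted' or the reason the upload was rejected."""
    try:
        read_upload_bounded(io.BytesIO(data), content_type, limit)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed submissions: one clean, one that tries to smuggle a line break into the name.
    print(validate_contact_form({"name": "Ada", "email": "ada@example.com", "message": "Hello"}))
    print(validate_contact_form({"name": "Ada\r\nBcc: x@example.com", "email": "nope", "message": ""}))
    print(check_upload(b"\x89PNG" + b"\0" * 100, "image/png"))
    print(check_upload(b"\0" * 3_000_000, "image/png"))
```

The validator returns every error at once rather than stopping at the first, which is friendlier to legitimate users and costs nothing in security. Note that the declared content type is only a first filter; a server that goes on to process the file should also inspect its actual contents, which this example does not do.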
Undertake robust monitoring
Quite bluntly, in the digital world as in the real one, even the best defenses really only serve to delay attackers. If you want to defeat them, then you need humans to notice them, push back and send them on their way. This means that you need a website vulnerability scanner plus a robust anti-malware solution for any devices you use to connect to your website.
Please click here now to have your website scanned, for free, by cWatch from Comodo.