Let’s imagine you’re chatting to a friend. They’re interested in starting an online business and you’re giving them some advice. You start a sentence with “How I secure my website is…”. How do you go on? Here is what you need to know.
How I secure my website
If you ever have to start a sentence with “How I secure my website is…”, the rest of the sentence should cover three points: I built it from the ground up with security in mind; I manage my users, internal and external; and I undertake robust checks (automated and manual).
I built it from the ground up with security in mind
A website is essentially a framework into which you fit your content. The stronger you build that framework, the more secure it will be. When you buy your domain and hosting, look carefully at the security implications and see what you can do to maximize security. This can be something as simple as making sure that you select the “privacy” option when you buy your domain (even if it costs extra). Likewise, when you choose your content management system, make sure to inform yourself about what you need to do to keep it secure.
Once you’ve settled all of that, you can then proceed to build the website itself. Always start with function. In other words, decide what you need to do and work out the safest way to do it. Only then look at appearances. To be clear, appearance does matter. In fact, it matters a lot. Security, however, matters more.
I manage my users, internal and external
Any user account is a doorway into your website. You therefore not only need to filter people through the right doors, but also make sure you are comfortable with what they can do when they get through them.
Administrative accounts are the most powerful accounts and therefore do the most damage if compromised. You should have the lowest possible number of these. Furthermore, you need to be absolutely rigorous about making sure that every admin account is revoked as soon as it is no longer required (e.g. when a user moves on).
Non-admin internal accounts have less power but are still a point of vulnerability. You still want to keep them to a minimum, but make sure that anyone who genuinely needs access to your website has their own credentials. This allows you to keep tabs on who is doing what.
When dealing with internal users, you can exercise a degree of control over how credentials are used. For example, you can make it clear to users that their credentials are for their own use, i.e. not to be shared. You can also enforce password policies and implement two-factor authentication wherever possible.
You have less control over external users, but there’s a difference between less and none. For example, you can’t really force them to refrain from sharing credentials and you may not be in a position to insist on two-factor authentication. You can, however, certainly make it clear that users are responsible for what happens with their accounts. You can also block accounts after too many failed password entries and log out idle users.
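The account controls just described (a password policy, lock-out after repeated failed logins, and logging out idle sessions) can be implemented in a few dozen lines. The following is an added example, not code from the original page: the thresholds, the in-memory account store, the PBKDF2 parameters and the FakeClock used to drive the timers are all assumptions.

```python
"""Account controls: password policy, failed-login lock-out, idle logout.
Added example; not the page's own code.  Limits below are assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5          # assumption: lock after 5 wrong passwords
LOCKOUT_SECONDS = 15 * 60        # assumption: 15-minute lock-out
IDLE_TIMEOUT_SECONDS = 30 * 60   # assumption: log out after 30 idle minutes
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"password", "password1234", "letmein12345"}  # constructed denylist


def password_policy_errors(password: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() == password or password.upper() == password:
        errors.append("must mix upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        errors.append("must contain a digit")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("too common")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    username: str
    last_seen: float


class FakeClock:
    """Constructed clock so the lock-out and idle timers can be advanced on demand."""
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class AuthService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        errors = password_policy_errors(password)
        if errors:
            raise ValueError("weak password: " + "; ".join(errors))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def is_locked(self, username: str) -> bool:
        account = self.accounts.get(username)
        return account is not None and self.clock() < account.locked_until

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a session token on success; None on bad password or lock-out."""
        now = self.clock()
        account = self.accounts.get(username)
        if account is None or now < account.locked_until:
            return None
        _, candidate = hash_password(password, account.salt)
        if not hmac.compare_digest(candidate, account.digest):   # constant-time compare
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.locked_until = now + LOCKOUT_SECONDS
                account.failed_attempts = 0
            return None
        account.failed_attempts = 0
        token = os.urandom(16).hex()
        self.sessions[token] = Session(username, now)
        return token

    def current_user(self, token: str) -> Optional[str]:
        """Resolve a session token, logging the session out if it has been idle too long."""
        session = self.sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        session.last_seen = now
        return session.username
```

One caveat worth designing for: a lock-out keyed only on the username lets anyone lock a legitimate user out by deliberately failing logins against that name, so in production pair it with per-source rate limiting and alerting on lock-out events rather than relying on it alone.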
Just as importantly, you can definitely control what exactly external users can do on your website, before and after they log in. For example, you might be willing to let them use a contact-us form before they log in but insist that they log in if they want to upload files.
Anything any user is allowed to do on your website needs to be carefully controlled and monitored. For example, if you use a contact-us form, then you need to validate the submitted content to ensure that it is legitimate data rather than malicious input. If you allow file uploads, then you need to limit what can be uploaded and check it very thoroughly for malware.
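The following is an added example of the two checks described above, not code from the original page: a contact-form validator that anyone may call, and an upload check that is only available to logged-in users and limits size, extension and file content before handing the file to a scanner. The size limit, the allowed file types, the EICAR-based stand-in for a real anti-malware engine and the `logged_in` flag are all assumptions.

```python
"""Input checks for a contact form and for file uploads.
Added example; not the page's own code.  Limits below are assumptions."""
import html
import re
import secrets
from typing import Dict, List

MAX_UPLOAD_BYTES = 2 * 1024 * 1024      # assumption: 2 MiB ceiling
MAX_MESSAGE_CHARS = 2000                # assumption
ALLOWED_TYPES = {                       # extension -> leading bytes the file must start with
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
# Permissive sanity check only; it also excludes whitespace, which blocks header injection.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Industry-standard anti-virus test string, used here as a stand-in for a real scanner.
EICAR_TEST_STRING = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def validate_contact_form(fields: Dict[str, str]) -> List[str]:
    """Return the problems with a submission; an empty list means accept it."""
    problems = []
    name = fields.get("name", "").strip()
    email = fields.get("email", "").strip()
    message = fields.get("message", "")
    if not 1 <= len(name) <= 100:
        problems.append("name must be 1-100 characters")
    if len(email) > 254 or not EMAIL_RE.match(email):
        problems.append("email address is not well-formed")
    if not 1 <= len(message) <= MAX_MESSAGE_CHARS:
        problems.append(f"message must be 1-{MAX_MESSAGE_CHARS} characters")
    if any(ord(c) < 32 and c not in "\n\t" for c in message):
        problems.append("message contains control characters")
    return problems


def render_message_html(message: str) -> str:
    """Treat the message as plain text: escaping on output is what stops injected markup."""
    return html.escape(message, quote=True)


def scan_for_malware(data: bytes) -> bool:
    """Stand-in for handing the file to an anti-malware engine (assumption)."""
    return EICAR_TEST_STRING in data


def validate_upload(filename: str, data: bytes, logged_in: bool) -> List[str]:
    """Authorise, then limit size, extension and content, then scan."""
    if not logged_in:
        return ["uploads require a logged-in account"]
    problems = []
    if not 0 < len(data) <= MAX_UPLOAD_BYTES:
        problems.append("file is empty or exceeds the size limit")
    # Drop any directory part the client sent, then look only at the final extension.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
    if ext not in ALLOWED_TYPES:
        problems.append(f"extension {ext or '(none)'} is not permitted")
    elif not data.startswith(ALLOWED_TYPES[ext]):
        problems.append("file content does not match its extension")
    if scan_for_malware(data):
        problems.append("file flagged by malware scan")
    return problems


def safe_stored_name(filename: str) -> str:
    """Server-chosen name: random token plus the vetted extension, never the client's name."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
    return secrets.token_hex(8) + ext
```

Checking the leading bytes catches a renamed script such as `shell.php.png` whose content is not a PNG, and storing the file under a server-generated name removes path traversal and double-extension tricks from the filename entirely; a real deployment would also store uploads outside the web root and serve them with a fixed content type.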
I undertake robust checks (automated and manual)
Automated security tools are one of the best investments any business can make and, what’s more, they’re now available at prices even SMBs can afford. Any modern business website needs a website vulnerability scanner. These are offered by different vendors and each vendor’s product will differ. As a minimum, however, you can expect any decent website vulnerability scanner to include a firewall and an anti-malware solution.
Speaking of firewalls and anti-malware solutions, you will also need to protect any computers or mobile devices that you use to access the back-end of your website. This stops attackers from compromising those devices to steal your login details, which they could then use to attack your website.
Please click here now to have your website scanned, for free, by cWatch from Comodo.