Even the smallest of SMBs should be able to answer the question “what is basic website security?”. Here is what you need to know.
What is Website Security?
If you ask an expert “what is basic website security”, they will almost certainly list five key points: make sure your domain registrar keeps your details private; think carefully about your choice of host and content management system; implement two-factor authentication as much as possible; implement robust access controls; and invest in robust security tools.
Make sure your domain registrar keeps your details private
Some domain registrars will keep your details private by default. Some require you to tick a privacy option. Some even require you to pay a fee for privacy. Whatever it takes to keep your details private, do it.
For completeness, if you buy a domain with a hosting package, usually your host will be listed as the registered owner. Your contract with them will, however, state that the domain belongs to you and that you can take it with you if you move. This will give you privacy but could cause issues if your host goes out of business and could make it more complicated for you to move.
Think carefully about your choice of host and content management system
There are basically two ways you can go about building a website. One is to choose a host (or host it yourself) and add a stand-alone CMS. The other is to go for a combined hosting and CMS package. These are usually marketed as all-in-one web-building solutions for companies (and individuals) who want an easy route to an online presence.
If you go down the route of choosing a separate host (or self-hosting) and CMS, then you need to take a far higher level of responsibility for security (especially if you self-host) than you do if you go down the all-in-one route. You, therefore, need to think about whether the (far) higher level of flexibility offered by the stand-alone CMS options really adds value to your business or whether you could reasonably make do with what the all-in-one companies can offer.
Implement two-factor authentication as much as possible
If you conducted a survey on “what is basic website security”, then the number one response would probably be “passwords and access controls”. Ideally, you should implement two-factor authentication (TFA) on your hosting access, your CMS access, and your FTP/sFTP server. Remember, however, that TFA can be broken, especially if you implement it through mobile devices rather than tokens. That’s part of the reason why you genuinely do need to use a unique, strong password for anything connected with your website.
Speaking of unique passwords, never allow people to share login details, not even ones without administrator access and not even if you change them regularly. All it takes is one slip-up and you’ve opened a door to your website.
Be aware that some companies offering all-in-one website-building packages may limit the number of users allowed on each package. Respect these limits. If you need more users than are permitted on a certain package, then spend the money on an upgrade.
Implement robust access controls
The way to develop robust access controls is to analyze the tasks which need to be performed on your website. Use this analysis to develop a workflow that has the minimum number of people accessing your website and gives each of these people the minimum level of access to do whatever they need to do.
For example, instead of having your whole content team upload their work to your website, have them pass it to a named individual who then uploads it. Give that individual posting privileges but not administrative privileges (at least not unless they need them for something else).
Remember that the more people who have access to your website, the more scope there is for one of them to do damage through ignorance or malice. That’s exactly why the all-in-one companies generally limit the number of users allowed on each package. What’s more, if people are sharing user IDs it becomes harder (maybe impossible) to work out who actually did what. That’s why anyone who has access to a website needs their own login.
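The workflow above (contributors hand content to a named publisher who can post but not administer, everyone has their own login, and every action is attributable) can be expressed as a small role-based access-control model. This is an added example, not code from the original article; the role names, permission names and user logins are constructed for illustration.

```python
# Added example (not from the original article): a minimal role-based
# access-control model for the publishing workflow described above.
# Every person has their own login, each role carries only the
# permissions its task needs, and every attempt is logged against
# the individual so you can later work out who did what.
from dataclasses import dataclass, field

# Roles and the permissions each one needs for its job (constructed sample)
ROLES = {
    "contributor": {"submit_draft"},                 # writes content, cannot publish
    "publisher":   {"submit_draft", "publish"},      # uploads approved content, not an admin
    "admin":       {"submit_draft", "publish", "manage_users", "change_settings"},
}

@dataclass
class Site:
    users: dict = field(default_factory=dict)      # login -> role (one login per person)
    audit_log: list = field(default_factory=list)  # (login, action, outcome)

    def add_user(self, login, role):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        if login in self.users:
            raise ValueError(f"login {login!r} already exists; logins are never shared")
        self.users[login] = role

    def perform(self, login, action):
        """Return True if the action is allowed for this login's role.
        Allowed and denied attempts are both recorded for accountability."""
        role = self.users.get(login)
        allowed = role is not None and action in ROLES[role]
        self.audit_log.append((login, action, "allowed" if allowed else "denied"))
        return allowed

def demo():
    site = Site()
    site.add_user("alice", "contributor")
    site.add_user("bob", "publisher")
    site.add_user("carol", "admin")
    results = {
        "alice_submit": site.perform("alice", "submit_draft"),
        "alice_publish": site.perform("alice", "publish"),     # denied: least privilege
        "bob_publish": site.perform("bob", "publish"),
        "bob_manage": site.perform("bob", "manage_users"),     # denied: publisher is not an admin
        "carol_manage": site.perform("carol", "manage_users"),
    }
    return site, results

if __name__ == "__main__":
    site, results = demo()
    for entry in site.audit_log:
        print(*entry)
```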
Invest in robust security tools
First of all, you need a website vulnerability scanner. Different companies offer these, each with its own range of services and prices. You can, however, take it as given that any decent website scanner will include an anti-malware component and usually a web application firewall (WAF) as well. These are key to basic website security.
You also need an anti-malware tool to protect the devices you use to connect to your website (and host and FTP/sFTP server). Generally, the best option is a cloud-based all-in-one solution, which has at least an anti-malware scanner and a firewall. The best options will generally have a lot more functionality, but this is the minimum. Using a cloud-based all-in-one solution will give you all the protection you need out of the box and the vendor will take care of all updates.
Please click here now to have your website scanned, for free, by cWatch from Comodo.