This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.
Website administrators, especially those in smaller businesses or organizations without people dedicated to the job and large IT and web arms, often overlook quite a few basic tenets of website security. This can be quite dangerous in the modern era of not only directed hacking, but the mass scripting attacks carried out against a seemingly endless and random pool of targets. No matter how small and relatively unimportant your site is, it can be a target. And whether you’re the person who developed the site, or just the one managing it, you may not be familiar with a few of these basic tips for website security.
If you’re an employee who’s been asked to oversee a website and are reading this article, some security considerations might sound difficult, but remember that everything you need to know you can learn. There are plenty of resources out there (including our own SitePoint Premium) that can help you with website development and administration. The important takeaway from this article, I hope, is for you to spend a few moments and really think about your site’s security.
Password Security
Good password security is one of the most important considerations for your website’s security. As an administrator, you may be responsible for a variety of important passwords. The hosting account management, FTP access, SSH access, MySQL databases, your site’s control panel, WordPress admin panel, etc. All of these need to be different passwords (never re-use a password) and long. Pass phrases are better than passwords in that regard. Complexity helps too, but it should be something that you can remember, or you should use a password manager to assist you.
User Access Levels
Another thing to consider is the access of administrative users to your website. If your organization will require more than one or two users to be administering a site, you should have separate accounts for things like admin panels. Those users should also have different access levels. In terms of content management systems, the users should be limited from website administrative settings, altering other people’s content, or file management, unless they actually require those permissions.
Having user account levels and separated accounts will help to prevent accidental or malicious damage to your site, and using individual accounts will also help you track and log who makes particular changes, just in case any nefarious activity occurs (or a user is hacked). It will also help with removing users from the organization who leave your company – you can simply and easily deactivate their account without needing to reset shared passwords, if their account is their own.
Backups
The importance of a good backup process can’t be too overstated. A working (that means test it occasionally!) backup system will prevent data loss in the event of negligent actions, faulty coding, bad actors, cataclysmic hardware failure, or acts of nature. Even for small informational sites who aren’t altered often, the lack of a backup can cost a business thousands to have a website rebuilt.
Our hosting partner, SiteGround, solved this problem for all their clients by providing them with a free daily backup.
HTTPS
With the most recent Google requirements for SSL certificates, sites without HTTPS who accept sensitive user information will be labeled insecure by browsers, and perhaps soon all sites without HTTPS will be labelled as such. Because of this, practically every site needs HTTPS, especially those being freshly developed. You’ll be protecting your users’ information, and if your site doesn’t accept sensitive information, you’ll still be providing confidence and peace of mind to your viewers, and with candidates like Let’s Encrypt on the scene, you can do it for free. And if you’re using shared hosting, many hosts such as SiteGround offer Let’s Encrypt certificates for free right from your control panel, making it that much easier to secure your site.
Database Access
Databases are essential to many website platforms now, including most content management systems and sites with users and backends. However, databases also present security risks. If the data is being stored, it’s now vulnerable to access by malicious entities. You’ll want to consider the safety of your databases. Who has access to your site’s control panels, or SSH accounts to your server if you have them, and are their credentials secure? What about the actual databases? Do your database users have appropriate permissions for their own databases? Do they have global permissions that they shouldn’t have? Are their passwords secure?
Additionally, you may want to look at how databases are accessed. Ideally, you can lock down access to UIs like phpMyAdmin to only particular IP addresses, or disallow remote db access altogether, and instead use the command line via SSH, or tools like MySQL Workbench or Sequel Pro instead, limiting the number of vulnerabilities.
Monitoring
Another thing you may want to do is set up some sort of service for monitoring website alerts, to get near-instant notifications for downtime, or usage alerts (such as excessive RAM or CPU usage). If you’re using a CMS such as WordPress or Drupal, you can also use security plugins to get security related alerts, hacking attempts, etc. There are plenty of services out there (such as Uptime Robot or Pingdom) to provide you with these kind of alerts, ranging from free up-checks down to paid service packages to get detailed monitoring and reports.
Thinking About Website Security
These, of course, are just a few reminders and tips. The most important tip is to really change your mindset. Think about these things, and more. Consider vulnerabilities within your organization and without. Consider the level of access your users have. From a development perspective, consider how you’re filtering and validating information that comes directly from website users. How are you de-provisioning accounts for employees who leave your company? Are there any shared credentials that need checked or changed? What about SSH access that might need revoked, or version control systems?
The more you think about these things, the more successful you’ll be at keeping your assets safe. Hopefully this article has at least stirred your thoughts about website security, especially if it’s something you’ve never thought of before. Feel free to leave comments below, if you have more ideas for beginners to consider about security, or a story to tell!
Frequently Asked Questions (FAQs) about Website Security as an Admin
What are the key responsibilities of a website administrator in terms of security?
A website administrator plays a crucial role in maintaining the security of a website. They are responsible for setting up and managing user accounts, ensuring that the website’s software is up-to-date, and regularly backing up the site’s data. They also monitor the website for any suspicious activity, respond to security incidents, and implement security measures such as firewalls and encryption. Additionally, they may also be responsible for educating other users about safe online practices.
Why is website security important for an administrator?
Website security is crucial for an administrator because it protects the website from potential threats such as malware, hacking attempts, and data breaches. A secure website not only protects the sensitive data of the company and its users but also helps to maintain the reputation of the business. Furthermore, it ensures the smooth running of the website and prevents any disruptions to the service.
How can a website administrator improve the security of a website?
A website administrator can improve the security of a website by regularly updating the website’s software, using strong and unique passwords, and implementing security measures such as SSL encryption. They can also use security plugins, regularly backup the website’s data, and monitor the website for any suspicious activity. Additionally, they should educate other users about safe online practices.
What are some common security threats that a website administrator should be aware of?
Some common security threats that a website administrator should be aware of include malware, hacking attempts, phishing attacks, and data breaches. These threats can lead to the loss of sensitive data, disrupt the functioning of the website, and damage the reputation of the business.
What is the role of a website administrator in responding to a security incident?
In the event of a security incident, a website administrator is responsible for identifying the source of the problem, containing the incident, and repairing any damage caused. They may also need to notify users and other stakeholders about the incident and take steps to prevent similar incidents in the future.
How can a website administrator educate other users about safe online practices?
A website administrator can educate other users about safe online practices by providing them with information and resources on topics such as creating strong passwords, recognizing phishing attempts, and keeping their devices secure. They can also implement policies and procedures that promote security and regularly remind users to follow these practices.
What are some tools that a website administrator can use to improve website security?
There are many tools available that can help a website administrator improve website security. These include security plugins, SSL encryption, firewalls, and antivirus software. Additionally, tools for regular backups, user management, and website monitoring can also be beneficial.
What is the importance of regular backups in website security?
Regular backups are crucial in website security as they ensure that the website’s data can be restored in the event of a security incident or other disaster. This can help to minimize the impact of the incident and ensure the continuity of the website’s operations.
How can a website administrator ensure that the website’s software is up-to-date?
A website administrator can ensure that the website’s software is up-to-date by regularly checking for and installing updates. This is important as outdated software can have vulnerabilities that can be exploited by hackers.
What are some best practices for password management in website security?
Some best practices for password management in website security include using strong and unique passwords, regularly changing passwords, and using a password manager. Additionally, two-factor authentication can provide an extra layer of security.
Jeff works for a startup as a technical writer, does contract writing and web development, and loves tinkering with new projects and ideas. In addition to being glued to a computer for a good part of his day, Jeff is also a husband, father, tech nerd, book nerd, and gamer.