How to Think about Website Security as an Admin
This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.
Website administrators, especially those in smaller businesses or organizations without people dedicated to the job and large IT and web arms, often overlook quite a few basic tenets of website security. This can be quite dangerous in the modern era of not only directed hacking, but the mass scripting attacks carried out against a seemingly endless and random pool of targets. No matter how small and relatively unimportant your site is, it can be a target. And whether you’re the person who developed the site, or just the one managing it, you may not be familiar with a few of these basic tips for website security.
If you’re an employee who’s been asked to oversee a website and are reading this article, some security considerations might sound difficult, but remember that everything you need to know you can learn. There are plenty of resources out there (including our own SitePoint Premium) that can help you with website development and administration. The important takeaway from this article, I hope, is for you to spend a few moments and really think about your site’s security.
Good password security is one of the most important considerations for your website’s security. As an administrator, you may be responsible for a variety of important passwords. The hosting account management, FTP access, SSH access, MySQL databases, your site’s control panel, WordPress admin panel, etc. All of these need to be different passwords (never re-use a password) and long. Pass phrases are better than passwords in that regard. Complexity helps too, but it should be something that you can remember, or you should use a password manager to assist you.
User Access Levels
Another thing to consider is the access of administrative users to your website. If your organization will require more than one or two users to be administering a site, you should have separate accounts for things like admin panels. Those users should also have different access levels. In terms of content management systems, the users should be limited from website administrative settings, altering other people’s content, or file management, unless they actually require those permissions.
Having user account levels and separated accounts will help to prevent accidental or malicious damage to your site, and using individual accounts will also help you track and log who makes particular changes, just in case any nefarious activity occurs (or a user is hacked). It will also help with removing users from the organization who leave your company – you can simply and easily deactivate their account without needing to reset shared passwords, if their account is their own.
The importance of a good backup process can’t be too overstated. A working (that means test it occasionally!) backup system will prevent data loss in the event of negligent actions, faulty coding, bad actors, cataclysmic hardware failure, or acts of nature. Even for small informational sites who aren’t altered often, the lack of a backup can cost a business thousands to have a website rebuilt.
Our hosting partner, SiteGround, solved this problem for all their clients by providing them with a free daily backup.
With the most recent Google requirements for SSL certificates, sites without HTTPS who accept sensitive user information will be labeled insecure by browsers, and perhaps soon all sites without HTTPS will be labelled as such. Because of this, practically every site needs HTTPS, especially those being freshly developed. You’ll be protecting your users’ information, and if your site doesn’t accept sensitive information, you’ll still be providing confidence and peace of mind to your viewers, and with candidates like Let’s Encrypt on the scene, you can do it for free. And if you’re using shared hosting, many hosts such as SiteGround offer Let’s Encrypt certificates for free right from your control panel, making it that much easier to secure your site.
Databases are essential to many website platforms now, including most content management systems and sites with users and backends. However, databases also present security risks. If the data is being stored, it’s now vulnerable to access by malicious entities. You’ll want to consider the safety of your databases. Who has access to your site’s control panels, or SSH accounts to your server if you have them, and are their credentials secure? What about the actual databases? Do your database users have appropriate permissions for their own databases? Do they have global permissions that they shouldn’t have? Are their passwords secure?
Additionally, you may want to look at how databases are accessed. Ideally, you can lock down access to UIs like phpMyAdmin to only particular IP addresses, or disallow remote db access altogether, and instead use the command line via SSH, or tools like MySQL Workbench or Sequel Pro instead, limiting the number of vulnerabilities.
Another thing you may want to do is set up some sort of service for monitoring website alerts, to get near-instant notifications for downtime, or usage alerts (such as excessive RAM or CPU usage). If you’re using a CMS such as WordPress or Drupal, you can also use security plugins to get security related alerts, hacking attempts, etc. There are plenty of services out there (such as Uptime Robot or Pingdom) to provide you with these kind of alerts, ranging from free up-checks down to paid service packages to get detailed monitoring and reports.
Thinking About Website Security
These, of course, are just a few reminders and tips. The most important tip is to really change your mindset. Think about these things, and more. Consider vulnerabilities within your organization and without. Consider the level of access your users have. From a development perspective, consider how you’re filtering and validating information that comes directly from website users. How are you de-provisioning accounts for employees who leave your company? Are there any shared credentials that need checked or changed? What about SSH access that might need revoked, or version control systems?
The more you think about these things, the more successful you’ll be at keeping your assets safe. Hopefully this article has at least stirred your thoughts about website security, especially if it’s something you’ve never thought of before. Feel free to leave comments below, if you have more ideas for beginners to consider about security, or a story to tell!