How Secure is Your Company’s Website?

January 8, 2020 - By Jamie Trueblood

Most businesses don’t know the answer to that question. Let’s fix that.

Nobody needs to be convinced that web security matters. We all read the latest breach headlines. We all know a colleague whose company’s site was hacked. But what most businesses don’t know how to do is gauge the security of their own site. That’s usually a result of not knowing where to start.

So let’s start.

Here’s a quick checklist that can help a business establish a baseline for the security of their company site.

Who Has Access?

This is the crucial first question. We can’t tell you how many times we’ve gone under the hood of a company site and found a pile of admin accounts belonging to people who no longer work for the company. Every one of those is a standing way in. An equally big risk: a single admin account shared by several people, which means nobody can say who actually made a change and the password can never be rotated cleanly. Bottom line: get a count of who has access to your site and what permission level each account has, confirm each account maps to a named person who still needs it, and then decide what, if any, action to take.
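The access review above can be scripted rather than eyeballed. The following is an added example, not code from the original post: it feeds the JSON that WP-CLI’s real `wp user list --format=json` command prints into a pure function that flags privileged accounts not on a staff roster and generic logins that are probably shared. The staff roster is an input you are assumed to maintain; the sample rows and e-mail addresses below are constructed for illustration.

```python
"""Audit who holds privileged WordPress accounts (added example)."""
import json
import subprocess

PRIVILEGED_ROLES = {"administrator", "editor"}
# Logins that usually mean "one password, many people" rather than a named person.
GENERIC_LOGINS = {"admin", "administrator", "webmaster", "marketing", "agency"}


def _roles(user):
    """wp-cli emits roles as a comma-separated string; tolerate a list as well."""
    raw = user.get("roles", "")
    return set(raw) if isinstance(raw, list) else {r for r in raw.split(",") if r}


def audit_admins(users, staff_emails):
    """Return (login, issue) pairs for privileged accounts that need a decision."""
    staff = {e.strip().lower() for e in staff_emails}
    findings = []
    for u in users:
        if not _roles(u) & PRIVILEGED_ROLES:
            continue  # subscribers/authors can't change site config; out of scope here
        login, email = u["user_login"].lower(), u["user_email"].lower()
        if email not in staff:
            findings.append((login, "privileged, but not on the current staff roster"))
        if login in GENERIC_LOGINS:
            findings.append((login, "generic login, probably shared; replace with named accounts"))
    return findings


def users_from_wp_cli(path):
    """Live path: shell out to WP-CLI (assumed installed; `path` is the WordPress root)."""
    out = subprocess.run(
        ["wp", "user", "list", "--format=json", f"--path={path}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample in the shape `wp user list --format=json` returns.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "user_email": "it@example.com", "roles": "administrator"},
    {"ID": 7, "user_login": "jsmith", "user_email": "jsmith@example.com", "roles": "administrator"},
    {"ID": 12, "user_login": "oldagency", "user_email": "dev@agency.example", "roles": "administrator"},
    {"ID": 15, "user_login": "writer", "user_email": "writer@example.com", "roles": "author"},
]
# Constructed roster of people who currently work for the company.
STAFF_EMAILS = ["jsmith@example.com", "it@example.com", "writer@example.com"]

if __name__ == "__main__":
    # Swap SAMPLE_USERS for users_from_wp_cli("/var/www/html") to audit a live install.
    for login, issue in audit_admins(SAMPLE_USERS, STAFF_EMAILS):
        print(f"{login}: {issue}")
```

Run against a live install, the two findings this sample produces are the two the text warns about: a departed contractor’s administrator account and a generic `admin` login that several people share. The roster comparison is by e-mail on purpose, since logins are rarely tidy enough to match an HR list.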

Passwords, Passwords, Passwords

qwerty. password. drowssap. password1234. This is not a Michael Scott joke. These are some of the most common passwords in the world, and a large share of site compromises still begin with a password that is weak, reused on another site, or already sitting in a public breach dump.

Once you have a grasp on who has access to your site, institute a password policy. Require passwords to be long and unique to this site (length does more than forced symbol rules), turn on two-factor authentication for every admin account, and consider a corporate password manager like LastPass or 1Password so nobody has to memorize or share them. Many companies still pair this with a mandatory change schedule; be aware that current NIST guidance (SP 800-63B) advises against rotating on a calendar alone, because people respond with predictable variants. What must happen regardless of schedule is an immediate change whenever an account may have been exposed or someone with access leaves.

This all may feel like overkill, but we humans are, in fact, the weakest link. Strict password policies can help.

Backups?

Imagine this situation. Someone on your team is making changes to the company site. They break something and the entire site goes down. They’re not sure what they did. You could spend a lot of time and money figuring out and fixing what went wrong, or you could restore a backup taken before the breakage. The same backup is your way out if the site is ever compromised and you need a known-clean copy to rebuild from.

Most quality managed hosts, Flywheel and WPEngine among them, run automatic daily backups. Others leave backups to you. Either way, find out what your setup is, decide on a backup frequency, keep at least one copy somewhere other than the host itself, and actually test a restore once, because a backup nobody has ever restored from is a guess.

Plugins

Plugins are part of what makes WordPress great, but they are not immune to bugs or security holes, and a plugin runs with the same access to your database and files as WordPress itself. As a site admin, keeping every plugin up to date removes the easiest targets. Review your plugins monthly and update accordingly, but don’t let a plugin’s security release wait for the next monthly review. Delete plugins you no longer use rather than just deactivating them: an inactive plugin’s code is still on the server and can still be reached. Pro Tip: run a backup of your site before you update plugins, just in case there are incompatibility issues.

What Version of WordPress Are You On?

The answer needs to be “the latest.” Running the latest version of WordPress ensures you’re taking advantage of everything the CMS offers, including its latest security fixes. Since version 3.7, WordPress applies minor and security releases automatically by default, but major releases still need someone to click Update, and hosts or developers sometimes switch the automatic updates off. So check the actual version rather than assuming. A quick look at the release history and its security notes will re-emphasize why this matters.
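The plugin review and the core-version check above can be combined into one report. This is an added example, not code from the original post: it parses the JSON from WP-CLI’s real `wp plugin list --format=json` and `wp core check-update --format=json` commands and flags plugins with an update available, plugins sitting inactive on disk, and a core that is behind. The sample plugin rows and version numbers are constructed; the treatment of a non-JSON “already current” message from `check-update` is an assumption noted in the code.

```python
"""Report WordPress plugins and core that are behind or unused (added example)."""
import json
import subprocess


def audit_plugins(plugins):
    """One (name, issue) pair per problem; a plugin can appear twice."""
    findings = []
    for p in plugins:
        if p.get("update") == "available":
            findings.append((p["name"], f"update available ({p.get('version')} installed)"))
        if p.get("status") == "inactive":
            findings.append((p["name"], "inactive: code is still on disk, so delete it or activate it"))
    return findings


def audit_core(installed, updates):
    """`updates` is the list `wp core check-update` prints; empty means current."""
    return [
        ("wordpress", f"{installed} installed, {u['version']} available ({u.get('update_type', '?')} release)")
        for u in updates
    ]


def _wp(args, path):
    """Run WP-CLI (assumed installed; `path` is the WordPress root) and return stdout."""
    return subprocess.run(
        ["wp", *args, f"--path={path}"], check=True, capture_output=True, text=True
    ).stdout


def audit_site(path):
    """Live path: assemble the report from a real install."""
    plugins = json.loads(_wp(["plugin", "list", "--format=json"], path))
    installed = _wp(["core", "version"], path).strip()
    raw = _wp(["core", "check-update", "--format=json"], path)
    try:
        updates = json.loads(raw)
    except json.JSONDecodeError:
        updates = []  # assumption: check-update prints a success message, not JSON, when current
    return audit_plugins(plugins) + audit_core(installed, updates)


# Constructed sample in the shape `wp plugin list --format=json` returns.
SAMPLE_PLUGINS = [
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.3"},
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.1.4"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "old-slider", "status": "inactive", "update": "available", "version": "2.0.1"},
]
# Constructed sample of `wp core check-update --format=json` output for a 5.3.1 install.
SAMPLE_INSTALLED = "5.3.1"
SAMPLE_CORE_UPDATES = [{"version": "5.3.2", "update_type": "minor"}]

if __name__ == "__main__":
    # Replace with audit_site("/var/www/html") to report on a live install.
    report = audit_plugins(SAMPLE_PLUGINS) + audit_core(SAMPLE_INSTALLED, SAMPLE_CORE_UPDATES)
    for name, issue in report:
        print(f"{name}: {issue}")
```

Two WP-CLI commands worth running alongside this report, since they catch modified rather than outdated code: `wp core verify-checksums` compares core files against the official release, and `wp plugin verify-checksums --all` does the same for plugins from the wordpress.org directory.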

See That Little Padlock in Your Browser’s Address Bar?

That padlock means the connection between your browser and the server is encrypted and that the server proved it owns the name in the address bar. It does not mean the site itself is free of vulnerabilities, but it is the baseline. thinkitfirst.com has a certificate that enables TLS (Transport Layer Security, the modern successor to the protocol most people still call SSL), which encrypts communication between your browser and the server where the site lives. Encryption is critical on sites that accept sensitive user information such as payments or logins, but it really is necessary on any website these days: it also stops anyone on the network path from tampering with the page on its way to the visitor. In fact, Google Chrome now labels every plain HTTP page “Not secure” in the address bar. Not a great look.

But pay heed: just because you have a certificate on your website doesn’t mean it is configured properly and fully secure. Old protocol versions (TLS 1.0 and 1.1) and weak cipher suites can still be enabled, plain HTTP may not redirect to HTTPS, and pages can still load scripts or images over HTTP (“mixed content”). Certificates expire, too, so find out how renewal is set up: if it is automated through your host or Let’s Encrypt, confirm the automation is actually running, and if it is manual, put the expiry date on a calendar with a couple of weeks of warning.
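The two failure modes just described, an expiring certificate and an outdated protocol version, can be checked from a scheduled job. The following is an added example, not code from the original post: check_host() opens a real TLS connection with Python’s default verifying context, and evaluate() is the pure part, so it can also run on a saved certificate dict. The hostname argument, the 14-day warning threshold and the sample certificate dict are assumptions constructed for illustration.

```python
"""Check a site's certificate expiry and negotiated TLS version (added example)."""
import datetime as dt
import socket
import ssl

MIN_DAYS_LEFT = 14  # assumed alerting threshold; match it to your renewal cadence
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


def days_until_expiry(cert, now):
    """`cert` is the dict SSLSocket.getpeercert() returns; notAfter looks like
    'Jan 20 00:00:00 2020 GMT'. A negative result means already expired."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = dt.datetime.fromtimestamp(seconds, dt.timezone.utc)
    return (expires - now).days


def evaluate(cert, protocol, now, min_days=MIN_DAYS_LEFT):
    """Return human-readable findings; an empty list means nothing to do."""
    findings = []
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(f"certificate expired {-days} days ago")
    elif days < min_days:
        findings.append(f"certificate expires in {days} days; confirm auto-renewal is working")
    if protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"server negotiated {protocol}; only TLS 1.2 and 1.3 should be enabled")
    return findings


def check_host(hostname, port=443, timeout=5):
    """Live check. The default context verifies the chain and the hostname, so an
    already-expired certificate or a name mismatch fails the handshake; that failure
    is reported as a finding rather than scored by evaluate()."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                now = dt.datetime.now(dt.timezone.utc)
                return evaluate(tls.getpeercert(), tls.version(), now)
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate failed verification: {exc.verify_message}"]


# Constructed sample: a certificate with 12 days left, seen over TLS 1.0, on this post's date.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notAfter": "Jan 20 00:00:00 2020 GMT",
}
SAMPLE_NOW = dt.datetime(2020, 1, 8, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = check_host(sys.argv[1])  # e.g. python tlscheck.py www.example.com
    else:
        findings = evaluate(SAMPLE_CERT, "TLSv1.0", SAMPLE_NOW)
    print("\n".join(findings) or "no findings")
```

The live path deliberately uses `ssl.create_default_context()` rather than a permissive context: a check that silently accepts a bad chain would miss exactly the misconfiguration the section warns about. Note that one connection only tells you which protocol this client negotiated; a server that still offers TLS 1.0 to older clients will look fine here, so pair this with a full scan such as SSL Labs or testssl.sh.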

Where is your Site Hosted?

Basic hosting plans can seem like a great solution, because you get what you need for less. But often, critical features (like backups) are add-ons that drive up the cost. Managed WordPress hosting plans from providers like Flywheel, WPEngine, and Pantheon include these because they, like us, understand how important they are. They also handle updates to the WordPress core codebase, keep the server software (PHP, web server, database) patched, and add protections such as a web application firewall, which can end up saving you a lot of money over the long term.

At the end of the day, web security is a never ending fight. But by following even a few basic strategies, you’ll be doing more than most.

Now go change your passwords.