Website Security and Administration: Essentials and Top 7 Tips
What is website security and administration?
Websites and their underlying software and hardware need to be managed to ensure they are safe and running smoothly.
All websites need to be managed on some level. As a rule of thumb, the more important your website is to your business or the larger your business, the more time should be spent looking after the website asset.
The tasks of general website administration and security administration are usually carried out at the same time by the same person – the appointed website administrator.
Website administration may be carried out by any technically-minded person although the tasks, mindset and technical skills are different to that of a web developer.
Website security
Keeping a website safe and secure is the most important part of website administration.
It is insurance against the different types of attacks and failures that can happen to any business with an online presence.
The importance of website security is easy to underestimate because the only breaches and hacks that make the news are those at large companies.
The truth is that all websites, even small ones, run into issues caused by disregarding website security concerns.
Taking basic administrative steps can help.
What is website administration?
Website administration is the regular upkeep of a website so that it’s running efficiently and securely.
Website administration can be carried out by IT personnel or a web developer.
It involves such things as:
Hosting administration
Starfish offers hosting administration as part of its managed hosting service.
Hosting administration involves getting to grips with the hosting control panel that allows administration of:
Email administration
Adding and deleting email accounts, setting disk space limits and resolving email issues.
Logs administration
Websites generate logs, which may be needed by a web developer.
Files administration
Over time a website accumulates old logs, email records (often including spam), old backups and old file uploads that need clearing out.
FTP accounts
FTP accounts are used to transfer content to and from a server. Every time a developer joins or leaves the team, FTP accounts have to be created or deleted.
Databases
The database system needs to be kept neat and tidy. Old databases need to be deleted. Naming conventions need to be put in place.
Security Certificate Administration
Security certificates (SSL/TLS), which let browsers verify your website’s identity and encrypt the connection, need to be bought and installed every 1 to 2 years. Renewal should happen before the current certificate expires, because once it has expired users are shown a warning message when they visit your website.
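As an added example (not code from the page or from Starfish), a Python check for the renewal point above: it can pull the certificate’s notAfter date from a live site, or take one you already have, and reports whether renewal is due. The 30-day warning window and the host name are assumptions.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumed renewal policy: warn this many days before expiry


def fetch_not_after(host, port=443, timeout=5):
    """Connect to a live site and return its certificate's notAfter string,
    e.g. 'Jan  5 09:34:43 2018 GMT' (needs network; not used by the tests)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def renewal_status(not_after, now=None, warn_days=WARN_DAYS):
    """Return (days_left, status): 'ok', 'renew' (inside the warning window)
    or 'expired' (visitors already see the browser warning)."""
    expiry = ssl.cert_time_to_seconds(not_after)  # parses the GMT timestamp
    now = time.time() if now is None else now
    days_left = int((expiry - now) // 86400)
    if days_left < 0:
        return days_left, "expired"
    if days_left <= warn_days:
        return days_left, "renew"
    return days_left, "ok"


if __name__ == "__main__":
    # Constructed sample date, not a real certificate: long expired by now.
    print(renewal_status("Jan 5 09:34:43 2018 GMT"))
    # Live check against an assumed host:
    # print(renewal_status(fetch_not_after("example.com")))
```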
Updating Software
Software and programming languages used to run your website need to be updated to the latest version.
This should be done on a regular basis (every one to two months) so that the website remains secure and every piece of software and every language installed stays compatible with the others.
For major software updates, or for websites that mustn’t go down under any circumstances, take a backup and test the changes on a development site before transferring them to the live server.
Managing user accounts
A business may have many digital accounts, such as hosting, a content management system, third-party integrations, online payment gateways and social media accounts.
Making sure the right people have access to the right accounts and that account details are regularly updated is the job of the administrator.
Managing and tightening website security
Digital security within a small business falls under the IT administrator’s role, and that person will have plenty of other software and IT security concerns too.
There are plenty of ways that security can be threatened and plenty of ways to improve website security.
Different types of threats
Inside attacks
Once in a while, someone working for the business may wish to do something malicious or illegal.
They may do damage whilst they are in the job, just before leaving and long after they have left.
On the company servers they may be tempted to copy corporate files, alter company software for their own benefit, view confidential records, insert trap-door code or gain access to files and data that don’t belong to them.
On a website, they could choose to surreptitiously alter text, copy files stored on the web server, or withhold software until a demand has been met.
The motive may be a sense of grievance, mischief, boredom or revenge; whatever the reason, temptation should not be put in their way.
Spamming
Spam is unsolicited email. It can be sent to your website or from your website. There is also comment spam, which is advertising placed on your website through comment or feedback forms.
Hacking
Hackers have dozens of tricks and methods to gain access to a website or web server. They will try to find any weakness in your website and use it.
The purpose may not be to attack your website or business directly but to use your website or webserver for ulterior motives such as distributing spam, illegal content, using your bandwidth, gaining access to other websites.
Backdoor Code
Backdoor code is placed in your website through third-party software that is innocently installed. This threat is particularly relevant to WordPress, but also to other platforms that use a plugin architecture to extend a website’s functionality with ease.
Backdoor code may be used to carry out further attacks on other websites and may bring down your own website.
Website Viruses
Website viruses are pieces of code put inside your website through hacking or backdoor code. The code might redirect users from your website to another website, place an ad on your website, help attack other websites or steal information.
Consequences of a website security attack
The consequences can range from annoying to costly. The point being that it’s worth spending some time and effort mitigating the risks.
Website downtime
A hacked website needs to be taken offline until the website code has been made secure again. Websites need to be brought down to stop the infected website carrying out attacks on other websites and spreading. Your hosting company will do this automatically as soon as they detect any attack.
Loss of SEO, loss of traffic
Exploited websites are marked down or blacklisted by search engines to protect their users. It can take some effort to restore your listing, traffic and reputation.
Loss of work
A website may be beyond repair – i.e. the cost of repair and fixing the code is not worth the effort. If you don’t have a recent copy of your website, then potential data and website improvements will be lost.
Cost of repair to an infected website
It is possible to repair a website that has been infected by spam or malware. The time needed depends on how many files have been infected and whether the software used to remove the code is effective or whether it has to be done by hand.
Loss of sales
This may only apply if your website is an e-commerce website and a real driver of income. It’s worth mentioning but it’s not the biggest concern for most business websites.
Ways to protect your website and data
1. Install a Security Certificate
Websites don’t automatically come with a security certificate, but all websites should have one bought and installed.
2. Make regular backups
Backups can be made on the web server or off-site. Making regular off-site backups means that should anything go wrong with your website, you have an up-to-date copy to use in its place.
3. Tighten database security
Database hardening is the process of making it harder to hack a database. The following tips relate to MySQL, which is the most common database used by websites:
- Change the port mapping from the default (3306) to something else.
- Don’t run live sites with root privileges.
- Change the root account name.
- Ensure passwords are stored hashed rather than in plain text, and that strong passwords are used.
- Grant each account only the privileges it needs.
- Drop any old or test databases.
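An added example, not from the page or from Starfish: a Python audit that checks a my.cnf fragment and a snapshot of mysql.user rows against the tips above (it also flags a server listening on all interfaces, which goes slightly beyond the list). The sample config, the user rows and the mysql service-account name are constructed assumptions; password strength cannot be judged from a stored hash, so it is not covered.

```python
import configparser

# Constructed sample my.cnf showing the weak defaults the tips warn about.
SAMPLE_MY_CNF = """
[mysqld]
port = 3306
user = root
bind-address = 0.0.0.0
"""

# Constructed snapshot of: SELECT User, Host, authentication_string FROM mysql.user
SAMPLE_USERS = [
    ("root", "localhost", "*HASH"),
    ("root", "%", "*HASH"),
    ("", "localhost", ""),
    ("shop_app", "localhost", "*HASH"),
    ("legacy", "%", ""),
]

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def audit_my_cnf(text):
    """Check the [mysqld] section for the default port, a root service user and wide binding."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section found"]
    s = cp["mysqld"]
    findings = []
    if s.get("port", "3306").strip() == "3306":
        findings.append("port: still the default 3306")
    if s.get("user", "").strip() == "root":
        findings.append("user: mysqld runs as root (assumed fix: user = mysql)")
    if s.get("bind-address", "0.0.0.0").strip() not in LOCAL_HOSTS:  # MySQL binds to all interfaces if unset
        findings.append("bind-address: listening on all interfaces, not just localhost")
    return findings


def audit_users(rows):
    """Flag anonymous accounts, the default root name, remotely reachable root and empty passwords."""
    findings = []
    for user, host, auth in rows:
        if user == "":
            findings.append(f"anonymous account ''@'{host}': drop it")
            continue
        if user == "root":
            findings.append(f"'root'@'{host}': rename the root account")
            if host not in LOCAL_HOSTS:
                findings.append(f"'root'@'{host}': root reachable remotely")
        if auth == "":
            findings.append(f"'{user}'@'{host}': empty password")
    return findings
```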
4. Secure the hosting environment through cPanel
cPanel is the software used to manage a hosting environment. Here are some tips to get you started and help you keep your hosting environment secure:
- Use strong passwords for cPanel access.
- Don’t give web developers access to the host unless absolutely necessary.
- Enable firewalls.
- Use the latest version of cPanel.
5. Password administration
Some control over and management of passwords is needed in companies beyond a few employees. Particularly nowadays, when companies use outsourced staff who work remotely, having password policies and procedures in place can save a company from unscrupulous behaviour.
Changing passwords
When staff come and go, there is a need to add and remove passwords: not just their own passwords, but any passwords they may have been given access to.
Strong passwords
To increase website security, encourage or enforce the use of strong passwords – passwords that cannot be guessed.
Use two factor authentication
Two-factor authentication (2FA) means having a second form of authentication after the correct password has been typed in.
This is useful for website security because passwords for online accounts are sometimes shared to give people access to the resources they need to do their job. The second step confirms that the person logging in was indeed granted access.
6. Scan your website regularly
Use software that scans the files of your website to check for vulnerabilities and exploits. There are many to choose from.
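An added example, not the page’s own code, covering both the website viruses described earlier and the scanning tip above: a Python scanner that walks a site directory for PHP files carrying common injection indicators, PHP dropped into the WordPress uploads directory, and recent modifications. The indicator patterns, the 7-day window and the miniature site it builds are constructed assumptions.

```python
import os
import re
import tempfile
import time

# Assumed indicator patterns for injected PHP; tune them to your own site.
SUSPICIOUS = {
    "eval_of_decoded_data": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "shell_execution": re.compile(r"\b(shell_exec|passthru|proc_open|popen)\s*\(", re.I),
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "hidden_iframe": re.compile(r"<iframe[^>]*display\s*:\s*none", re.I),
}
PHP_EXT = (".php", ".phtml", ".php5")


def scan_file(path, recent_days=7, now=None):
    """Return (indicator, path) findings for one PHP file."""
    with open(path, encoding="utf-8", errors="ignore") as f:
        text = f.read()
    found = [(name, path) for name, rx in SUSPICIOUS.items() if rx.search(text)]
    if "uploads" in path.split(os.sep):  # WordPress uploads should never hold PHP
        found.append(("php_in_uploads", path))
    now = time.time() if now is None else now
    if now - os.path.getmtime(path) < recent_days * 86400:
        found.append(("recently_modified", path))
    return found


def scan_site(root, recent_days=7, now=None):
    """Walk a site tree and collect findings for every PHP file."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(PHP_EXT):
                found.extend(scan_file(os.path.join(dirpath, fn), recent_days, now))
    return found


def build_sample_site():
    """Constructed miniature WordPress tree: a month-old clean theme file and a fresh injected upload."""
    root = tempfile.mkdtemp(prefix="site_")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    uploads = os.path.join(root, "wp-content", "uploads")
    for d in (theme, uploads):
        os.makedirs(d)
    clean = os.path.join(theme, "functions.php")
    with open(clean, "w") as f:
        f.write("<?php\nadd_action('wp_head', 'demo_meta');\nfunction demo_meta() { echo ''; }\n")
    month_ago = time.time() - 30 * 86400
    os.utime(clean, (month_ago, month_ago))
    with open(os.path.join(uploads, "cache.php"), "w") as f:  # payload only decodes to phpinfo();
        f.write("<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>\n")
    return root
```

Run it against a backup copy first if the live tree is large, and treat every hit as a prompt to inspect the file, not as proof of infection.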
7. Use reCAPTCHA on forms
reCAPTCHA is a technology developed by Google. It removes the need for users to fill out extra fields as the CAPTCHAs of the past did. The latest version is v3, but some sites work better with v2.
WordPress specific security and administration issues
WordPress is safe
WordPress had a reputation for being insecure. This was a long time ago, when WordPress’ popularity was rising faster than the platform could keep up.
WordPress is now a mature and stable platform and is easier to keep up to date than other systems such as Magento, Joomla and Drupal. Website security is not much of a problem anymore.
What’s more, WordPress has a large team of security experts looking after its platform and releasing updates as soon as any vulnerabilities are discovered.
Most website security risks are caused by out-of-date software and plugins.
WordPress Website Security Measures
Keep WordPress up to date
WordPress consists of the core software, any plugins you’ve added and any themes, and all three need to be kept up to date.
Use premium plugins
As much as possible, use premium and popular plugins and keep the number of plugins to a minimum – this is important for speed optimization reasons too.
Use website security plugins
There’s a big range of free and premium (paid for) website security plugins.
Here’s a few to get your research started:
- Sucuri Security
- MalCare
- WordFence
- Jetpack
If you’re planning on buying one, you’ll need to research the differences between them in depth, because they all have their pros and cons and the one you choose will depend on your setup, your needs and your budget.
Use backup plugins or service
There are several manual backup plugins and automatic off-site backup plugins that can help with website security.
Here are some to get your research started: