8 Tips to Keep Your Business's Website Content Secure
At the moment, there are more than 1.2 billion websites on the internet, according to Internet Live Stats. As anyone with a startup or long-standing business can tell you, websites require content, and often content management systems.
WordPress, Joomla, Drupal, Magento and Blogger are the market leaders for CMSs, providing both website and blog resources for about 36 percent of all sites, according to W3Techs, which provides information about the usage of various types of technologies on the web. That’s a lot of websites, and a large target for hackers and other malicious online actors.
CMS solutions are typically open source and free to the public, an attractive combination for small businesses. Vibrant communities for developing plug-in applications have grown up around these CMS platforms. These plug-ins, which offer features and tools that can help a business customize its online presence, are built by individuals and small teams of developers. For example, WordPress has more than 50,000 plug-ins currently available. They are critical to a positive, user-friendly website experience, but plug-ins are also a common security risk.
This was evident in early February 2017 when cybercriminals used the REST-API exploit to attack and deface more than 1.5 million WordPress-based websites.
This exploit became popular when WordPress issued a disclosure following the WordPress 4.7.2 platform update, which stressed the importance of patching the REST-API vulnerability. Cybercriminals jumped quickly, competing to see who could deface the most websites. This is not the kind of attention that your small business needs.
Back to Security Basics for Your Business Website
Businesses that rely on CMSs for their websites need to be aware of the threats that using open platforms with third-party apps present.
Your website is your public face, so it behooves you to secure it. Luckily, standard, no-frills security practices — when properly implemented — will address most of these threat vectors. With that in mind, here are eight security fixes that you can quickly apply to your website to help secure it.
Keep your platform updated: The latest security patches are rolled into each new platform version. By running the most updated version, you are running the most secure version.
Put limits on the login page: There are plug-ins available that allow you to limit administrator access in various ways. These include locking out and banning specific IP addresses, enforcing strong password policies and even hiding the login page from verified users.
Limit login attempts: Brute-force attacks, when an attacker guesses at the admin credentials until gaining access, are a common attack strategy. Using a plug-in that limits the number of login retries will go a long way toward deterring an attacker.
Change passwords regularly: Changing passwords often is a classic security procedure, and there’s even a plug-in available that does it for you. Whether you experienced a breach and need to reset passwords immediately, or you are simply following effective procedure, changing passwords on a regular basis is key.
Add two-factor authentication: Passwords are the weakest link to the security of any website. Using a plug-in that requires an additional identification factor (something you are, something you have, something you know) goes a long way toward securing user access.
Use SSL and HTTPS to encrypt data: Getting an SSL certificate will allow you to secure the traffic between your website and your visitors — and it will bump up your Google search rankings. HTTPS is a more secure technology, and it has become the standard way of sending web traffic. HTTPS increases users’ trust in a business. In a world where so much commerce is done online and users check companies’ websites to validate and compare them, HTTPS in a browser bar is a seal of approval.
Disable file editing: WordPress and other CMSs recommend making this change. This feature could allow unauthorized users to run scripts and upload files — a hacker’s dream.
Back up your site: If a cybercriminal does take down your website and it can’t be recovered, you can get your website up and running again quickly if you have all of your data backed up. You’ll thank yourself for your smart planning. There are many back-up options available.