Your developer is your closest ally in keeping your website secure.
When we talk about website security with our clients, we hear a range of responses. Some of our clients are knowledgeable and ask educated questions to understand the safeguards and precautions we take on their behalf. Others are asking as a point of due diligence, and are only interested in confirming that we have a set of security guidelines which we follow. And others don’t ask at all, because they’re convinced that their business is too small to be a target.
No matter who we’re explaining website security to, one thing is clear: as a web development company, our clients are more reliant on us than anyone else to keep their websites safe. Not only is it our responsibility to build a strong website, our clients also trust us with key decisions that directly affect their site security.
Security threats can come from a range of sources, and responding to them requires a proactive approach. To create the best response, it’s helpful to understand where threats come from, and how businesses can guard against them.
Infrastructure: Laying the groundwork for a secure website.
Perhaps the most important decisions a business can make for their website security have to do with their website infrastructure. While any hack is serious, the damage done through infrastructure breaches tends to be more widespread and harder to defend against. Fortunately, guarding against these security threats boils down to a few key decisions regarding your hosting environment, as well as following industry best practices.
- Many small businesses choose shared hosting options on their early sites because of the lower costs. However, shared hosting introduced vulnerabilities, because the security of your server environment is partially dependent on the practices of the other sites you’re sharing with. Because of this, we use Pantheon for all our hosting, because we trust the security and stability of their site architecture.
- DNS protection. DDoS attacks are a form of security threat that can overwhelm your site with a surge of traffic, consuming your bandwidth and taking your site offline. We use CloudFlare to protect our clients’ from these attacks.
- SSL certification. You can tell a website has SSL certification if its address begins with https:// rather than http://. SSL certification encrypts data as it passes between your web server and a visitor’s browser. Without it, a hacker could intercept user data (from a web form, for instance) en route from the user’s browser to your server. SSL certification is an industry standard, so if you see a developer without it on their site, do not work with them.
- In the event that anything does go wrong, your developer should be regularly backing up your site. This makes it easy to restore your site to a previous version in case of a successful hack.
WordPress: Choosing the right plugins and maintaining updates.
WordPress is an open-source content management system, which means that anyone has access to the source code. While this may sound like a threat to some, it’s actually a huge security asset: With hundreds of thousands of eyes on it, no hacking attempt gets very far or lasts very long, and any potential vulnerabilities are discovered and resolved quickly with each update.
However, to ensure your WordPress website stays secure requires some regular maintenance, as well as some care and consideration in selecting and managing plugins.
- WordPress security plugins. If you’re running a WordPress website, there are a few basic security plugins that can help you keep your site secure. We use iThemes Security Pro on our sites, which can prevent brute force attacks, change the default login URL, and detect suspicious activity.
- Plugin selection. While the plugin ecosystem on WordPress makes it easy to expand a site’s functionality, not all WordPress plugins are created equal. Our team can work with yours to review plugins and select those that don’t have known security vulnerabilities.
- Managed updates. Just like your computer, WordPress also has to be regularly updated to keep it secure and in working order. We can handle these updates for you so that you don’t have to worry about breaking your site with each update.
Developer: Finding a trustworthy web partner.
A good WordPress developer should be guiding you through all of the decisions we’ve already discussed regarding infrastructure and WordPress management. However, there are also best practices your developer should be following to keep your site safe.
- Developing a website can expose certain vulnerabilities, which is why we always use a staging site to prevent any of those vulnerabilities from ever being client-facing.
- Custom dev. Custom dev means our websites are less reliant on page builders and third-party plugins, which apart from slowing your site down, can also introduce additional vulnerabilities.
- You’ve probably struggled with many CAPTCHA form in the past, and aren’t excited about using it on your site. Fortunately, RECAPTCHA is here to the rescue. RECAPTCHA simplifies the process to just clicking a check box. It’s important to prevent bots from filling your inbox with spam.
End User: Following the best practices with your team.
Finally, some security measures fall upon the end user—meaning you. As the owner of your website, you will want to be sure you and your team are using it safely. This means educating your team about unsafe security practices, and setting up your passwords and access controls to limit security risks. Your developer should be following these same security measures with their own team.
- Strong, unique passwords. If you’re like most people, everything you ever learned about creating a password is wrong. Instead of taking words you know and replacing letters with numbers, just find a random password generator that will spit out a string of 16+ random characters, then save that password somewhere secure. Do not reuse passwords.
- Enable two-factor authentication (2FA). 2FA means that you have to provide two pieces of information when you sign into an account, each from a different source—something you are (a finger print), something you own (a PIN sent to your cell phone), or something you know (a password). Enabling 2FA on your website and related accounts can prevent someone hacking into your account, even if they crack your password.
- User access controls. Not everyone in your organization needs the same access to your data. WordPress lets you control what users can do on your website. An intern might be able to sign in and upload a post to the blog, but can’t publish without approval. You should also keep track of what employees have access to which passwords, and change those passwords any time an employee leaves your organization.
Be wary of over confidence and over promising.
Website security is an ever-evolving field, with new threats emerging every day. It’s also a field in which true security depends on a range of factors, not all of which can be controlled. Because of this, no good web developer will ever guarantee that a website is perfectly safe from attack. This would be a sign of dangerous over confidence. Anyone making such a claim is likely to be speaking in ignorance, and therefore a liability rather than a source of security.
However, a good developer should be able to clearly explain what the threats are to your business. They should have measures in place to guard against these threats, and they should have a backup in place in case a security breach does happen on your website.
At build/create, our approach to website security focuses on reducing vulnerabilities so that our clients aren’t easy targets for hackers to exploit. We want to reduce the likelihood that human error will lead to an inadvertent data leak, and make it harder for anyone to accidentally cause a security breach. We also pay attention to website security news, so that we can stay ahead of any emerging threats.
We can’t make any guarantees. But we can ensure that our own business practices and the infrastructure decisions we make on your behalf provide a secure foundation for your website.