Website administrators, especially those in smaller businesses or organizations that have no dedicated security staff and no large IT or web department, often overlook quite a few basic tenets of website security. This can be quite dangerous in the modern era of not only targeted hacking but also mass scripted attacks carried out against a seemingly endless and random pool of targets. No matter how small and relatively unimportant your site is, it can be a target. And whether you're the person who developed the site or just the one managing it, you may not be familiar with a few of these basic tips for website security.
If you're an employee who has been asked to oversee a website and are reading this article, some of these security considerations might sound difficult, but remember that everything you need to know can be learned. There are plenty of resources out there (including our own SitePoint Premium) that can help you with website development and administration. The important takeaway from this article, I hope, is for you to spend a few moments and really think about your site's security.
Good password security is one of the most important considerations for your website's security. As an administrator, you may be responsible for a variety of important passwords: the hosting account management login, FTP access, SSH access, MySQL databases, your site's control panel, the WordPress admin panel, and so on. All of these need to be different passwords (never re-use a password) and long. Pass phrases are better than passwords in that regard. Complexity helps too, but the result should be something you can remember, or you should use a password manager to assist you.
User Access Levels
Another thing to consider is the access that administrative users have to your website. If your organization requires more than one or two people to administer a site, you should have separate accounts for things like admin panels, and those users should have different access levels. In a content management system, users should be kept away from website administrative settings, altering other people's content, and file management unless they actually require those permissions.
Having user account levels and separate accounts helps prevent accidental or malicious damage to your site, and individual accounts also let you track and log who made a particular change, in case any nefarious activity occurs (or a user's account is compromised). It also simplifies removing users who leave your company: if each account belongs to one person, you can simply deactivate it without needing to reset shared passwords.
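The separation of duties and per-user audit trail described above, as an added example that is not part of the original article: a minimal role-based permission check for a CMS in which "edit own content", "edit anyone's content", "manage files" and "site settings" are distinct permissions, every decision is attributed to an individual account, and offboarding is a single deactivation. The role names, permission names and sample users are constructed for illustration.

```python
# Added example (not from the article): role-based permission checks for a CMS.
# Roles, permissions, users and posts below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional

# Permissions each role grants. "edit_own" only covers content the user created;
# "edit_any", "manage_files" and "site_settings" are reserved for roles that need them.
ROLE_PERMISSIONS = {
    "author": {"edit_own"},
    "editor": {"edit_own", "edit_any"},
    "admin": {"edit_own", "edit_any", "manage_files", "site_settings"},
}

@dataclass
class User:
    name: str
    role: str
    active: bool = True  # deactivated accounts keep no permissions

@dataclass
class Post:
    post_id: int
    owner: str  # username of the account that created the post

# Per-user audit trail: individual accounts make every entry attributable.
audit_log: List[str] = []

def is_allowed(user: User, action: str, post: Optional[Post] = None) -> bool:
    """Return True if the user may perform the action, and record the decision."""
    perms = ROLE_PERMISSIONS.get(user.role, set())
    if not user.active:
        decision = False
    elif action == "edit_post" and post is not None:
        # Editing is allowed for anyone's content with edit_any,
        # or for the user's own content with edit_own.
        decision = "edit_any" in perms or ("edit_own" in perms and post.owner == user.name)
    else:
        decision = action in perms
    target = f" post#{post.post_id}" if post is not None else ""
    audit_log.append(f"{user.name} {action}{target}: {'allowed' if decision else 'denied'}")
    return decision

def deactivate(user: User) -> None:
    """Offboard one account without touching anyone else's credentials."""
    user.active = False
    audit_log.append(f"{user.name} deactivated")
```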