Why would a web developer advise against a CMS? We say so because you might…
What can a business owner, marketing director, or novice do to protect their website?
If your website is dynamic (not static HTML), there are several simple but crucial steps you can take to protect your website:
We sometimes find companies don’t know who is in control of their domain. Other times they know but do not have direct access to administer it. If your web guy leaves, falls ill, expires, or forgets to renew, you could lose your domain. Nobody needs to hack you when the new buyer can just set up a convincing clone of your website and company email accounts to impersonate you.
These days we prefer to connect companies with the best hosting and only sell our hosting management services. This allows customers to get free and fast technical assistance for hosting directly if needed. Meanwhile, we assist with the website’s security, stability, and awesomeness.
If you use Cloudflare, you can reap the benefits of faster website delivery, the ability to block countries or harmful agents, a free SSL certificate for your site, and most importantly: portability. You can repoint your website or parts of it to another server in seconds should you need to move a website to a better host quickly.
Most hacked websites we inherit show extreme signs of neglect from months, even years back. Others are exploited as quickly as days after an exploit is discovered, which is bad luck. If you automate your updates with server settings or cloud services, you can have software updated within minutes to hours after new versions are released. Be sure backups are a part of that automation. With WordPress you can use Snapshot alongside Automate, or do this through cPanel via Softaculous or Installatron.
For WordPress, this would most likely be Wordfence or Defender. Be sure to get the Pro version if you can, but even the free versions make you 100 times better protected. The best WAFs can be configured to send you email alerts for suspicious activity, malware found, or other vulnerabilities such as outdated plugins.
Don’t let people subscribe as users unless you have an e-Commerce website and need customers to register. Subscription to any site adds risk for users and site owners. User-level elevation makes up a large percentage of exploits – fancy little tricks to turn a guest user into an administrator. If you are allowing people to register just so they can comment, and you are not using a high-end SaaS (Software as a Service) CMS/CRM, stop.
If your CMS does not come with regular plugin or software updates and Web Application Firewalls, migrate to a well-supported CMS or plain HTML
We get it. Your top engineer gets a lot of downtime because he is just that good. Not only can he perfectly program an induction heat treater down to the micron, but he also put together a great website in the hottest new thing for technical programmers – Webhook, CodeIgniter, Ruby, Drupal, PhpBB, Meteor, OpenCart, OSCommerce…
If it is not being regularly maintained and updated, this might be a good time to migrate to something new and hire someone specifically for web maintenance.
Is that web developer you had two years ago still an admin? What about that “SEO” company from last month? Do former employees still have access? What about Dave, who only needed to make a quick update, and uses the same password everywhere on the internet? Delete non-user users immediately.
A good security suite can be configured to force website users to change passwords if those passwords are published to the dark web. If you do not have a security suite, use the password checker at haveibeenpwned.com. Use their email checker as well to see which leaks your workers’ email addresses have been included in this year or this week. If you know, they can be prepared for that next phishing email that appears to come from HR.
It may come as a surprise that we’d recommend this, but some small, and even large, businesses can be better served with a website that has no forms or other vulnerabilities.