How Secure Is Your Website?

In 2017 a Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was passed. As a result of this order, all government websites are required to use HTTPS to provide better security for their website users. However, website security is more than just an HTTPS server.

A website can never be 100% secure, but by adding layers of security to your website, you can deter hackers. In a recent webinar with SiteGround, website security expert Cal Evans provided a range of security tips to help protect your website. These are especially useful for websites built using WordPress.

Security Tips: 

These tips range from things you can do yourself, or with a little help, to more advanced things that may require a programmer. Remember, the more measures you take to layer your website's security, the more secure your website will be.

Lower Level Security: 

These layers of security are fairly straightforward. You may even be able to implement a few of them yourself. 

  1. Use strong passwords. Anyone who has access to your site should have a strong password, especially site administrators. The strongest passwords are usually those that are random, because they are hard to guess.
  2. Keep things up to date. Keep your plugins and WordPress core updated. A good hosting partner will allow you to automate updates, to simplify the process.  
  3. Only download plugins and themes from official sources. Files downloaded from unofficial sources usually include additional code that opens backdoors for attackers to access your website. 

Mid-Level Security: 

These levels of security are slightly more complex. If you have some technical knowledge you may be able to do a few yourself. However, you may want the help of a programmer.  

  1. Perform regular backups for your website. Some hosting partners provide an automatic backup service. Alternatively, you can install a plugin for this. It’s best to keep a minimum of 5 days of backups, but most experts recommend 30.
  2. Change your admin user. This helps keep people from hacking in by guessing who the main website admins are. This can be done in three different ways:
    1. Manually change your admin user. To do this, add a new admin user, then log out and log in with the new account. Once you’ve done this, delete the old account. This is one of the best methods for those without a lot of technical knowledge.
    2. Use a plugin. This is a one-off task, meaning that once you have used the plugin for this, you need to remove it in order to avoid other security risks.
    3. Manually edit the database. This may require help from a programmer, as you need to manually change the username in the database.
  3. Implement two-factor authentication (2FA). This means requiring two things before accessing the site: something you know and something you have. Usually this looks like a password and an authentication code. Text-based systems for receiving codes are not very secure. It is better to use something like the WP 2FA plugin.

High Level Security:  

These layers of security are more technical and may require the help of a programmer.  

  1. Enable a web application firewall. This blocks malicious traffic before it reaches your website. There are two levels of application firewalls.  
    1. A DNS level website firewall will route your site traffic through their cloud proxy servers, so that only genuine traffic can reach your site.  
    2. An application level firewall is a plugin that examines traffic after it reaches your site, but before loading everything. While not as secure as the DNS level firewall, the application firewall reduces the server load.
  2. Disable XML-RPC. This is an antiquated WordPress plugin that can be disabled with one line of code.
  3. Disable file editing. File editing is great for designing websites, but it is terrible for maintaining website security.  
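
To verify that the last two items are actually in place, the following added example (not from the webinar or the original article) audits a site's PHP source for them. It assumes the usual WordPress settings for these steps, which the article does not name: the `DISALLOW_FILE_EDIT` constant in `wp-config.php` and an `xmlrpc_enabled` filter returning false. The function names and sample files are constructed for illustration.

```python
import re

# Remove PHP comments so a commented-out setting is not counted as active.
# Heuristic: the (?<!:) guard keeps "http://" inside strings intact.
_COMMENTS = re.compile(r"/\*.*?\*/|(?<!:)//[^\n]*|#[^\n]*", re.S)
_FILE_EDIT = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(\w+)\s*\)", re.I)
_XMLRPC_OFF = re.compile(
    r"add_filter\s*\(\s*['\"]xmlrpc_enabled['\"]\s*,\s*['\"]__return_false['\"]")


def file_editing_disabled(wp_config: str) -> bool:
    """True if wp-config.php sets DISALLOW_FILE_EDIT to a truthy value."""
    match = _FILE_EDIT.search(_COMMENTS.sub("", wp_config))
    # PHP constants cannot be redefined, so only the first define() counts.
    return bool(match) and match.group(1).lower() in ("true", "1")


def xmlrpc_filter_files(php_files: dict) -> list:
    """Names of files that hook xmlrpc_enabled to __return_false."""
    return sorted(name for name, src in php_files.items()
                  if _XMLRPC_OFF.search(_COMMENTS.sub("", src)))


def audit(wp_config: str, php_files: dict) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not file_editing_disabled(wp_config):
        findings.append("file editing enabled: DISALLOW_FILE_EDIT not set to true")
    if not xmlrpc_filter_files(php_files):
        findings.append("XML-RPC enabled: no xmlrpc_enabled => __return_false filter")
    return findings


# Constructed sample inputs (not taken from any real site).
WEAK_CONFIG = """<?php
define('DB_NAME', 'wp');
// define('DISALLOW_FILE_EDIT', true);
define('WP_HOME', 'http://example.test');
"""
HARDENED_CONFIG = WEAK_CONFIG + "define( 'DISALLOW_FILE_EDIT', true );\n"
HARDENING_PLUGIN = {"mu-plugins/hardening.php":
                    "<?php\nadd_filter('xmlrpc_enabled', '__return_false');\n"}

if __name__ == "__main__":
    print(audit(WEAK_CONFIG, {}))
    print(audit(HARDENED_CONFIG, HARDENING_PLUGIN))
```

The weak sample fails both checks because its only `DISALLOW_FILE_EDIT` line is commented out and no file registers the filter.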

As more and more business takes place online, it is important to take as many measures as possible to make your website secure. Not only does website security serve to protect your organization, but it also protects your users. For help evaluating your website’s security, contact a GovUnity expert today.