As we come to the end of the year, everyone will be focusing on the holidays, but now is also a good time to review the security of your website. A good audit of your website only takes a few minutes and can save you a lot of headaches in the future. We will cover several aspects of your website and what you need to look for. I have covered a lot of this in past articles, but I figured it would be a good idea to bring them all together in one for a quick review.
Security audit checklist
- Is all the software on your website up to date?
- Do you have a backup solution?
- Who has admin level access?
- Are you using two factor authentication?
- Do you have any unused WordPress plugins or themes?
- Is your site HTTPS?
- Who has FTP access?
- Do you use a WordPress security plugin?
Is everything up to date?
This includes WordPress core files, themes and plugins. WordPress now has an update section in the dashboard where you can see what is and isn’t up to date. By going to this part of your admin dashboard, you can update everything that needs updating from one spot. You do want to make sure that you have a good backup process in place before updating everything at one time in case one of the updates breaks something.
Back up the truck
That brings us to the second thing: do you have a good backup process in place? A number of things could cause a website to break, from a failed update to malware. By having a backup in place, you can always restore the site in case something does break. You also want to make sure that you store backups in a separate location from the website.
Who has keys to the house?
Another thing to look at is who has administrator access to the site. Again, you can go to the admin dashboard, go to Users, and click the Administrator link at the top; it will list everyone who has admin access to the site. Anyone with admin access can make changes and even take down the site, so you need to make sure that only those who should have it are listed.
Lock the door and deadbolt
Another security feature is two-factor authentication. This requires users who log in to have not only a username and password but also some kind of second method of authentication. The most common is a random number that you enter after you log in. Google has an app that you can download to your phone for this.
You log in to the website and then it will prompt you for a number. You will then open the app on your phone and find the number and enter it. The app changes the number every minute or two so if someone sees the number, it will only be valid for a couple of minutes.
Do you really need that plugin?
When you look at the plugins on the site, are there any that are not active? Are there any that you no longer use? You should remove these, as they can add code to the site that slows it down. Also, if you are not paying attention to their updates, these plugins can cause issues with possible malware in the future. If you are not using them or if they are not active, you should look at deleting them.
Lock it up
Does your site have the green padlock on it? The green padlock indicates that you have an SSL certificate installed on your website. Basically, this means that visitors know they are on your site and that they have a secure connection to it. Most web hosts now give you an SSL certificate for free, but some still charge.
If you collect any information from your visitors, like email addresses or credit card numbers, you want to make sure that you have that security certificate so they know their information is secure. If you don’t have the green padlock and you think you should, you can go to the site Why No Padlock and it will review the site and let you know why you don’t.
One method of transferring files to and from your website is FTP, or File Transfer Protocol. You have to have a username and password for this access, and you create this access through your hosting company and not the website. You should log into your hosting account, look for FTP accounts, and see if there is anyone there that shouldn’t be.
If there is someone there that shouldn’t be, you should remove that account. Anyone with FTP access could have total access to all of the files on your site and could take it down by just modifying some of the files. They can also install malware that will infect the computers of the visitors of your site.
We have talked about the need for a security plugin before, but now is a good time to install one if you don’t have one. Some of the things a good security plugin will do for you are to watch for files being changed and to keep hackers from getting access to your site. The plugin will watch for people trying to force their way into your site, and if someone tries to log in unsuccessfully a couple of times, the plugin will block that person’s access for a while.
They can also watch for files being changed and compare the changes to what should be in the file and if it doesn’t look right, notify you of that change.
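The file-change check described above, as an added example that is not part of the original article or any particular plugin: record a SHA-256 digest for every file, then compare a later scan against that baseline. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed or modified since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed site tree, change it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/plugins/example").mkdir(parents=True)
        (root / "index.php").write_text("<?php // front controller\n")
        (root / "readme.html").write_text("<html></html>\n")
        (root / "wp-content/plugins/example/example.php").write_text("<?php // v1\n")
        # In practice the baseline is stored away from the web server, so
        # whoever alters the site files cannot also rewrite the baseline.
        baseline = snapshot(root)

        # Constructed changes: one edit, one new file, one deletion.
        (root / "index.php").write_text("<?php // front controller\n// extra line\n")
        (root / "wp-content/uploads").mkdir()
        (root / "wp-content/uploads/new.php").write_text("<?php // unexpected\n")
        (root / "readme.html").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```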
Keeping your website secure is important and reviewing these items will help you in maintaining the security of your website. If you have any questions on keeping your website secure or need help, feel free to book an appointment for a free consultation or sign up for a free website audit.