Quiz: Do You Know These 10 Website Security Steps?
Monday, December 11, 2017
Posted by: Alyce Ryan
Originally published on inc.com
Written by: Anita Campbell
Take the following quiz to see how much you know about website security and how your website stacks up.
Hardly a day goes by without some high-profile hacking or cyber attack in the news. To avoid becoming another statistic, it's important to know basic website security.
Even if you have an IT manager or outside website developer, knowing some basics of website security will help you ask the right questions. You will gain peace of mind knowing that your website is protected.
Take the quiz! Answer these 10 questions with a yes or no.
1) Is your CMS software up to date?
One of the most common security issues is outdated WordPress or other CMS software. Some CMS updates exist specifically to fix security issues. Luckily, these days you can set your WordPress installation to install updates automatically.
2) Are you using trusted third-party plugins and themes?
WordPress, the open-source content management system (CMS), is incredibly popular with small businesses. Thousands of plugins and themes are available, most of them for free. Here's the rub: that plugin or theme could contain a backdoor or an exploitable flaw that lets hackers in. Always get plugins and themes from trusted sources such as the official WordPress directory, and make sure they have plenty of good reviews and are kept up to date.
3) Have you changed default settings on your CMS?
Default settings in content management systems or other software can create vulnerabilities. For instance, some files may be writeable by any user by default (not a good thing), or the default login may use the username "admin." By changing to a different username, you make it harder to guess or crack login credentials.
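As an added example (not part of the original article), here is a small POSIX shell check for the world-writable-files problem described above. It assumes a standard find(1) and takes the web root directory as its argument; the paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example: audit a web root for files or directories that any local user
# can write to. A world-writable directory under the web root lets any account on
# the server drop files that the web server will happily serve or execute.

# Print every world-writable file or directory under $1, one path per line.
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
  find "$1" -perm -002 ! -type l -print 2>/dev/null | sort
}

# Return 0 if nothing under $1 is world-writable, 1 otherwise (listing offenders).
check_webroot() {
  hits=$(list_world_writable "$1")
  if [ -n "$hits" ]; then
    printf 'World-writable entries under %s:\n%s\n' "$1" "$hits" >&2
    return 1
  fi
  printf 'OK: nothing under %s is world-writable\n' "$1"
  return 0
}

# Usage when run directly (placeholder path): ./check_perms.sh /var/www/html
if [ "$#" -eq 1 ]; then
  check_webroot "$1"
fi
```

Typical remediation is `chmod o-w` on each reported path; upload directories should be writable only by the web server's own user, not by everyone.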
4) Do you promptly remove outdated access permissions?
Here's a common scenario: you hire a contractor to work on your website. He or she gets administrative access to your server or CMS. After the project is done, nobody changes the access level back. Once a project ends or an employee with access leaves the company, always remove their permissions. Review permissions periodically.
5) Does your website URL start with https?
The HTTPS protocol (HTTP secured with an SSL/TLS certificate, commonly called an "SSL certificate") is on its way to becoming the standard for all websites, not just e-commerce sites. HTTPS means that data moving between a visitor's browser and your Web server is encrypted. This protects login credentials sent from a person's browser to your server from being intercepted in "man in the middle" cyber attacks.
6) Are you using a WAF (Web application firewall)?
A Web application firewall sits between your website and malicious visitors to protect against cyber attacks such as intrusion attempts, SQL injection, and cross-site scripting. In some cases, it can mitigate DDoS attacks. WAF brands include Cloudflare, MaxCDN, and Incapsula, or your hosting or cloud services provider may have a WAF offering. Features vary, so check exactly what each provides.
7) Is your server monitored for malware?
You may only discover your website has malware on it when your best customer tells you he sees a big red warning in his browser that your site is unsafe. This is where a monitoring service such as Sucuri, SiteLock, McAfee Secure, or Acunetix adds value. Such services scan your server and detect malware. Some services even clean up hacked websites.
8) Do you use SFTP instead of FTP to upload files to your website?
FTP stands for "file transfer protocol" and is a common method of uploading files from a desktop computer to a Web server. Plain FTP sends your username and password unencrypted, so always use a secure variant such as SFTP, which encrypts and protects your login credentials during the upload.
9) Do you have daily backups of your website?
Don't assume your hosting company automatically backs up your website files daily. Some do, but with other hosting plans you must pay extra or arrange your own backups. And remember, backing up your website server is not the same as backup protection for employee desktop files. They are different things.
10) Are passwords difficult?
Make it hard for hackers! All passwords should combine numbers, letters, and symbols, and no password should be reused across different applications.
Give yourself one point for each "yes" answer. If you scored a perfect 10, congratulations! But if you answered "no" or aren't sure anywhere, you've got some work to do. Either start investigating solutions, or schedule a meeting with your IT consultant to assure yourself that your website is as secure as possible.