How secure is your (or your client’s) website?

May 9th 2022


Something that a lot of people take for granted is the security of their website.

You pay a web designer to build you a website, and get it online… do you even think about security? Does it cross your mind, at all?

The one thing you might think of is “does it have a padlock?” – that symbol that globally indicates whether a website is “secure”.

Obviously, it doesn’t indicate that the website is secure; it indicates that your connection to the website is secure (although it’s only as secure as the computer you’re using). The website itself could be hacked to shreds, and your connection to it could still be secure.

A worrying thought, no?

Over the years, I’ve seen hundreds of attacks/hacks on websites, and in the vast majority of cases, the client had literally no idea what could have happened, or why… but in the grand scheme of things, it was simple.

The software was out of date.

WordPress itself was outdated, plugins were outdated, or something else… but it largely comes down to: if you don’t keep your website up to date, you’re likely to sustain an attack at some point. It might be in days, weeks, months or years… but it’ll come. And when it does, fixing it is hard work.

You need to identify when the exploit first happened, and rewind the code back to that date. Or, you need to go through every single file on the website (and in the case of WordPress, that’s a lot of files) and look for suspicious code. It can truly be a nightmare.
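The second route above (going through the files looking for suspicious code) is easier to start when you first narrow it to what changed after the suspected date. The script below is an added example, not from the original post: it lists PHP files changed since a cut-off date and flags the ones containing obfuscation calls that commonly appear in injected code. The docroot, the cut-off date and the sample tree are constructed for the demo, and it needs GNU find/touch (Linux).

```shell
#!/bin/sh
# Added example (not from the original post): triage a WordPress
# docroot after a suspected compromise by listing PHP files changed
# since a cut-off date and flagging ones with constructs commonly used
# by injected code. Paths, the cut-off date and the sample tree are
# constructed for this demo. Needs GNU find/touch (Linux).
set -eu

# changed_since DOCROOT YYYY-MM-DD
# Prints PHP files modified after the cut-off, one per line.
changed_since() {
    find "$1" -type f -name '*.php' -newermt "$2" | sort
}

# flag_suspicious DOCROOT YYYY-MM-DD
# Of those files, prints the ones containing typical obfuscation calls.
# A hit is a lead for manual review, not proof of compromise.
flag_suspicious() {
    changed_since "$1" "$2" | while IFS= read -r f; do
        if grep -qE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# build_sample: constructed stand-in for a real docroot, with one
# untouched core file and one recently changed upload (uploads/ should
# never contain PHP at all, which is itself a red flag).
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
    printf '<?php echo "hello";\n' > "$root/wp-includes/clean.php"
    printf '<?php eval(base64_decode("placeholder"));\n' \
        > "$root/wp-content/uploads/x.php"
    touch -d '2022-03-01' "$root/wp-includes/clean.php"     # before cut-off
    touch -d '2022-05-01' "$root/wp-content/uploads/x.php"  # after cut-off
    printf '%s\n' "$root"
}

# Usage: DOCROOT=$(build_sample); flag_suspicious "$DOCROOT" 2022-04-01
```

On a real site, pair this with WP-CLI’s `wp core verify-checksums`, which compares the core files against the official checksums and so catches edits to files whose timestamps an attacker has reset.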

A client of mine, some years ago now, experienced this. We only had 30 days of backups at the time, and it looked like the original exploit happened before that (often exploiters will make small changes at first, to see if anyone notices, and can sit in the background for a while unnoticed!). So we had no choice but to try and fix it.

And try we did.

I (and one of my developers) went through the code dozens of times… but every time we thought we’d cracked it… 24 hours later, they were back in. The solution? We rebuilt their website.

I did that all at no charge, because… well, I felt partially responsible. It wasn’t our hosting per se, but it was me that was representing the hosting. And it was the hosting that ultimately let it down. How are YOU (end users) supposed to know what to keep up to date, and how? You’re not a web designer, after all…

So what can we do to keep your website as secure as possible?

Updates

It’s why automatic updates are one of the key features of our hosting. We monitor our client websites for updates, and where there are updates that can’t be automatically applied, we apply them ourselves and make sure the website is fully functioning before we leave it. That way, you can sleep easy, knowing that your website is as up to date as possible.

Code

How your website is written, the theme it uses, the plugins it uses… all of these things contribute to the overall security of your website. And if you handle sensitive data, you should segregate that from your main website into a secure location. We often run two separate servers for our clients, one of which is for their website, and one is to handle client data.

Passwords

If you can, password protect the overall system – even if it’s a really weak username and password (i.e. something all clients share to gain access to the website before they actually log in). This just acts as a shield, protecting you from the average bots and other ‘opportunist’ type hackers. It’s a bit like locking your car. It’s not going to stop someone getting in, but it makes it harder.

But on the note of passwords, when it comes to your actual logins, use a different username/password for your website than anything else – and make sure it’s secure! Dogs123 is NOT a good password! Complex passwords are a pain in the backside to remember, so if it’s easier, use something like LastPass or a similar password manager, which will store passwords securely for you… but if you use a simple password, expect to get hacked!
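The “shield” described above is, on an Apache host, an HTTP Basic Auth challenge in front of the real WordPress login. The script below is an added example, not from the original post: it generates the htpasswd entry with openssl and appends a gate for wp-login.php to the site’s .htaccess. The docroot, the credentials-file location and the user/password are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): an HTTP Basic Auth gate
# in front of the WordPress login page on an Apache host, with the
# htpasswd entry generated by openssl. DOCROOT, the credentials-file
# location and the user/password are assumptions for this demo.
set -eu

# write_htpasswd FILE USER PASSWORD
# Writes an apr1 (Apache MD5-crypt) entry that mod_auth_basic accepts.
# Keep FILE outside the web root so the server can never serve it.
write_htpasswd() {
    entry_hash=$(openssl passwd -apr1 "$3")
    printf '%s:%s\n' "$2" "$entry_hash" > "$1"
    chmod 640 "$1"
}

# write_gate DOCROOT HTPASSWD_FILE
# Appends to the existing .htaccess (WordPress keeps its rewrite rules
# there, so it must not be overwritten). Challenges on wp-login.php only,
# so public pages keep working; remove the <Files> wrapper to gate the
# whole site, as the post describes.
write_gate() {
    cat >> "$1/.htaccess" <<EOF
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile "$2"
    Require valid-user
</Files>
EOF
}

# verify_entry FILE USER PASSWORD
# Re-hashes PASSWORD with the stored salt and compares; exit 0 on match.
verify_entry() {
    stored=$(grep "^$2:" "$1" | cut -d: -f2-)
    [ -n "$stored" ] || return 1          # unknown user never verifies
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(openssl passwd -apr1 -salt "$salt" "$3")" = "$stored" ]
}

# Usage (paths are assumptions; DOCROOT must already exist):
#   write_htpasswd /etc/apache2/.htpasswd client 'demo-pass-phrase'
#   write_gate /var/www/html /etc/apache2/.htpasswd
```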

Hosting

Most hosting is secure, and most hosting is handled by responsible hosting companies. But I’ve seen too many incidents, where “cheap” web designers rent a single hosting account, and have all their clients in the same webspace area, using the ‘addon domains’ feature in the control panels in order to do it. It means that they can host dozens or even hundreds of accounts, for a hosting bill of about £50 a year.

The security of this is shocking… because they’re not the sort of people to keep your website up to date. So when one website gets hacked, they all get hacked.

At DataLords, I’ve always been obsessive about security and about keeping things as hardened as possible… so when we came up with the concept of “dedicated only” hosting, I loved it.

It means every single website we host is on its own dedicated server. (At the point of writing, we’re in a transition period following our datacentre move: we decided to rebuild our platform from the ground up, having treated the previous 12 months as a learning exercise, so everyone is currently on a shared (but a ‘proper’ and secure shared!) environment. We’re now just a day or so away from having the foundations of our new management system built, meaning we’ll be moving people back onto dedicated servers.) I’ll talk more about the management system next time – I wasn’t able to find what I wanted off the shelf (believe me, I’d have loved to), so we’ve been writing it ourselves for the last few months.

In Summary

So there you have it… a few things you can keep your eye out for when you’re checking out hosting. But if you’re not sure where your website is hosted, one thing that can set off alarm bells is simply this: ask for your hosting login details, for no reason other than that you want to look it over. If you’re in a proper, segregated shared hosting environment, your web designer/hosting company will just give you the login. If they’re doing things they shouldn’t, they’ll give you every excuse under the sun to avoid giving you the details (or will outright refuse, because “all our client data is on there”)… in which case, it’s time to move, fast. Get in touch with us, here.

If you’re an agency, we can do all the above at scale, so if you have hundreds of accounts and struggle to keep them all up to date, we’ll monitor and update your WordPress-based sites for you (and our chief techies all have at least 10 years’ experience in web development and server management, so you know the websites are safe). If you’d like to find out how to join our beta program (and get FREE hosting!), click here.