To maximise the security of your website during development you must remember that you are only as strong as your weakest link, and in the case of software that link is usually the users. As most security-conscious companies will be aware, the main threat to a website comes from accounts with administrator privileges whose login details have been compromised, either through weak passwords or through malware on the local machine. To protect our clients’ websites we normally suggest the following precautions:
- Set strong administrator passwords
- Ensure the security software on the PC used for access is correctly configured and its anti-virus definitions are kept up to date
- Ensure all browsers and plugins/add-ons are kept up to date with the latest patches
The website itself also needs to be protected from threats such as SQL injection, remote file inclusion and password attacks. To prevent these we normally suggest the following:
- Use a trusted content management system that issues regular security updates (e.g. WordPress)
- Set all file and folder permissions to read-only unless write access is specifically required
- Disable shell access (SSH) on the server by default
- Use a host that backs up the server data to offsite storage every day, with the data encrypted both in transit and at rest
- Enable login limits, so that an account is locked after a specified number of failed attempts, and login delays, so that even a single incorrect login locks the account for a short period
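The login limits and delays described in the last point, worked through as an added example that is not code from the original article or from any CMS it mentions. The attempt threshold, lock length and delay are assumptions chosen for illustration, and the user store and clock are constructed so the example runs offline:

```python
import hashlib
import hmac
import os
import time

# Policy values are constructed for this example; the text names no numbers.
MAX_ATTEMPTS = 5       # consecutive failures before the longer lock applies
LOCK_SECONDS = 900     # lock length once the limit is reached (15 minutes)
DELAY_SECONDS = 2      # short lock after any single incorrect login


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 hash; returns (salt, digest) as bytes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed user store: one administrator with a known password.
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {"admin": (_SALT, _DIGEST)}


def check_credentials(username, password):
    """Constant-time comparison; unknown users do the same hashing work as
    wrong passwords so timing does not reveal which usernames exist."""
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in USERS


class LoginThrottle:
    """Per-account failure tracking. The clock is injectable so the lockout
    can be exercised in tests without actually waiting."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> epoch seconds when lock expires

    def seconds_locked(self, username):
        """Seconds until the account may try again; 0 if it is not locked."""
        remaining = self._locked_until.get(username, 0.0) - self._clock()
        return max(0.0, remaining)

    def record_failure(self, username):
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_ATTEMPTS:
            # Counter is kept, so every further failure re-locks for the full period.
            self._locked_until[username] = self._clock() + LOCK_SECONDS
        else:
            self._locked_until[username] = self._clock() + DELAY_SECONDS

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle, username, password):
    """Returns 'locked', 'denied' or 'ok'. A locked account is refused before
    the password is checked, so guessing cannot continue during the lock."""
    if throttle.seconds_locked(username) > 0:
        return "locked"
    if check_credentials(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


if __name__ == "__main__":
    now = [1_000_000.0]                      # fake clock, advanced by hand
    throttle = LoginThrottle(clock=lambda: now[0])
    for _ in range(MAX_ATTEMPTS):
        print(attempt_login(throttle, "admin", "guess"))        # denied x5
        now[0] += DELAY_SECONDS + 1          # wait out the short delay each time
    print(attempt_login(throttle, "admin", "correct horse battery staple"))  # locked
    now[0] += LOCK_SECONDS
    print(attempt_login(throttle, "admin", "correct horse battery staple"))  # ok
```

In a real deployment the counters would live in a shared store (database or cache) rather than in process memory, so the limit holds across several web servers and survives restarts. Refusing a locked account before hashing the supplied password also means repeated requests against a locked account cost the server almost nothing. The trade-off of any account lock is that repeated failures against a known username lock out its legitimate owner too, which is one more reason to keep administrator usernames unguessable and the lock period short.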
To ensure we practise what we preach, we follow our own advice: we keep our PCs and software up to date and use a password manager (such as 1Password) to store and access passwords.