The Wordfence-WPScan whitepaper is out, shedding light on the state of WordPress security. But these threats aren’t limited to WordPress: virtually any website that uses a database, accepts user input (e.g. forms), or has a login page (for users or site administrators) is a target.
How do you as a small business owner with little or no technical expertise keep your website safe? Over the next few posts we’ll provide some tips and advice to ensure that your site’s security is a few rungs above average.
And as you can guess, security starts before you’ve even uploaded your site. It starts with your choice of host.
The more security a host provides, the less work you’ll have to put in yourself to keep your site and visitors safe. If you’re not technically minded, website security can be both confusing and time consuming, so it makes sense to invest in a host that does most of the legwork for you.
In an ideal world, hosting a website on the internet should really be a transparent exercise, where you focus on visitors and content, and your host takes care of everything else. But unless you’ve signed up for fully managed hosting, that’s seldom how things work out.
So let’s take a look at some of the key ingredients that a host should have that’ll keep you and your visitors protected without too much effort from your side.
Security certification is probably one of the lesser-known criteria when choosing a hosting provider, but it is a strong indicator of how much effort a host is willing to invest in protecting you. Certification requires a lot of legwork by the host; simply installing security software won’t cut it. Hosts typically have to meet an extensive list of criteria and adhere to protocols that can be both strict and wide-ranging. Storm’s certification page can be used as an example. Even if you don’t host with us, use it as a reference to compare other hosts.
There’s a lot of debate about whether it’s more secure to host on Linux or Windows. Everyone has their own preference, either personal or dictated by the programming framework of the website. In reality, both can be equally secure, as long as the server is managed correctly and kept up to date. Of course, that isn’t something you’ll be able to determine from the host’s website.
Information that should be easier to come by is which versions of the software you need are on offer. For example, which versions of PHP, MySQL, or ASP.NET does the host run? Hosts typically run several versions side by side to cater for sites whose code hasn’t been updated, but if the latest release is available, that suggests the host keeps everything current, including security patches. The flip side is worth checking too: a version that has reached end of life no longer receives security fixes at all, so a host that only offers old releases is leaving you exposed.
Secure Sockets Layer (SSL), or more accurately its successor TLS, which is what browsers and servers actually use today, refers to the encryption of information flowing between the visitor’s browser and the website. In common parlance, it’s the little padlock you see in the address bar next to the website address. The browser shows that padlock only after it has checked that the site’s certificate was issued by an authority it trusts, is within its validity period, and is valid for the domain being visited.
There are generally four types of SSL certificates available to website owners. These include:
Does the host offer the SSL certificate you need? Fair enough, certificates can also be obtained from third-party certificate authorities. But in an era where SSL certificates are a necessity, expect to get at least a domain-validated (DV) certificate from your host at no extra cost.
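To make the padlock check concrete, here is an added example (not code from the original post, and not Storm’s tooling) that evaluates a certificate the way a browser does for the two parts you can reason about offline: does it cover the domain being visited, and is it still within its validity period, with an early warning before expiry. The certificate dictionary, the fixed “current” times, and the hostnames are constructed for the example; `fetch_cert` uses Python’s standard `ssl` module to retrieve a live site’s certificate when you pass a hostname on the command line, and the default context it creates already verifies the chain of trust and the hostname for you.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

# A certificate in the dict layout that ssl.SSLSocket.getpeercert() returns.
# Constructed for this example; it belongs to no real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}
# Fixed "current" times so the demo is reproducible (assumed, not real clock reads).
SAMPLE_NOW = datetime(2024, 2, 15, tzinfo=timezone.utc)   # 15 days before expiry
LATER_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)     # after expiry


def _parse_time(text):
    """getpeercert() renders dates as e.g. 'Mar  1 00:00:00 2024 GMT'."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def _name_matches(pattern, host):
    """RFC 6125 style match: a leading '*.' covers exactly one DNS label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host


def cert_names(cert):
    """DNS names the certificate is valid for (SAN first, subject CN as legacy fallback)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return names


def cert_status(cert, hostname, now=None, warn_days=30):
    """Classify a certificate for hostname: ok / expiring / expired / not-yet-valid / mismatch."""
    now = now or datetime.now(timezone.utc)
    names = cert_names(cert)
    if not any(_name_matches(n, hostname) for n in names):
        return "mismatch", f"{hostname} is not covered by {names}"
    not_before, not_after = _parse_time(cert["notBefore"]), _parse_time(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid", f"valid from {not_before:%Y-%m-%d}"
    if now > not_after:
        return "expired", f"expired on {not_after:%Y-%m-%d}"
    left = not_after - now
    if left < timedelta(days=warn_days):
        return "expiring", f"{left.days} days left, renew now"
    return "ok", f"{left.days} days left"


def fetch_cert(hostname, port=443, timeout=5):
    """Fetch a live site's certificate. The default context already verifies the
    chain against the system trust store and checks the hostname; an untrusted
    or mismatched certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def demo():
    """Run the offline checks against the constructed certificate."""
    return {
        "www.example.com": cert_status(SAMPLE_CERT, "www.example.com", SAMPLE_NOW)[0],
        "example.com": cert_status(SAMPLE_CERT, "example.com", SAMPLE_NOW)[0],
        "a.b.example.com": cert_status(SAMPLE_CERT, "a.b.example.com", SAMPLE_NOW)[0],  # two labels: not covered
        "example.com (later)": cert_status(SAMPLE_CERT, "example.com", LATER_NOW)[0],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python cert_check.py yourdomain.example  (needs network)
        host = sys.argv[1]
        print(host, *cert_status(fetch_cert(host), host))
    else:
        for host, status in demo().items():
            print(f"{host}: {status}")
```

Run it without arguments to see the constructed cases, or with your own domain to check the certificate your host actually installed. The wildcard rule matters in practice: a `*.example.com` certificate covers `www.example.com` but not `example.com` itself (that needs its own name in the certificate, as in the sample) and not deeper names such as `a.b.example.com`.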
Given how long malware and computer viruses have been around, you’d think protection against malicious software would come as part and parcel of hosting. But some hosts don’t include it as a basic service.
One way to tell is to check whether your host offers a security scanning service. At the very least this should include antivirus and malware scanning of your site’s files. If it also scans for common and newly disclosed vulnerabilities in the software you run, even better.
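To show what a file-level malware scan actually looks for, here is an added example (not code from the original post and not the scanner any host uses) that walks a WordPress-style directory tree and flags files by two methods: a hash denylist of known-bad files, and patterns typical of injected PHP, such as `eval()` of a decoded payload, commands run straight from request parameters, PHP code hiding inside an image in the uploads folder, and very long base64 blobs. The rule set, the seed hash, the sample “infected” files and the directory layout are all constructed for the example; a real scanner ships a maintained rule set that is far larger.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Patterns typical of PHP web shells and injected code. Constructed for this
# example; a real scanner ships a maintained rule set that is far larger.
PATTERNS = {
    "eval-of-decoded-payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "command-exec-of-request-input": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{300,}={0,2}"),
}
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}

# A web shell used to seed the hash denylist below. Constructed, not a real sample.
SHELL_SOURCE = "<?php if (isset($_REQUEST['c'])) { echo shell_exec($_REQUEST['c']); } ?>"
KNOWN_BAD_SHA256 = {hashlib.sha256(SHELL_SOURCE.encode()).hexdigest()}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_file(path):
    """Return the list of rule names a single file triggers (empty if clean)."""
    findings = []
    if sha256_file(path) in KNOWN_BAD_SHA256:
        findings.append("known-bad-hash")
    text = path.read_text(encoding="utf-8", errors="replace")
    # PHP code inside an image or cache file is a classic upload-directory backdoor.
    if path.suffix.lower() not in PHP_EXTENSIONS and "<?php" in text:
        findings.append("php-code-in-non-php-file")
    findings.extend(name for name, rx in PATTERNS.items() if rx.search(text))
    return findings


def scan_tree(root):
    """Scan every file below root; returns {relative path: [findings]} for flagged files."""
    root = Path(root)
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings = scan_file(path)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


# A miniature WordPress tree: one clean plugin and three infected files. Constructed.
SAMPLES = {
    "wp-content/plugins/hello/hello.php":
        "<?php\nfunction hello_init() { add_action('init', 'hello_setup'); }\n",
    "wp-content/uploads/2024/cache.jpg":
        "GIF89a junk <?php eval(base64_decode($_POST['p'])); ?>",
    "wp-content/themes/site/functions.php":
        '<?php $p = "' + "A" * 320 + '"; eval(gzinflate(base64_decode($p)));',
    "wp-admin/css/shell.php": SHELL_SOURCE,
}


def demo():
    """Write the samples to a scratch directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, findings in demo().items():
        print(f"{rel}: {', '.join(findings)}")
```

Two things the example shows that the paragraph alone does not: the clean plugin produces no findings, so pattern rules need to be specific enough not to flag every legitimate `add_action` call, and the hash denylist catches a known shell even if it were renamed, while the pattern rules catch variants the denylist has never seen. Point `scan_tree` at a copy of your site to try it; a host’s scanner does the same thing on a schedule with a far larger rule set.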
With ransomware taking the spotlight, it might have been a while since you’ve heard anything about distributed denial of service (DDoS) attacks. But according to F5 Labs, they increased 55% between January 2020 and March 2021. And an attack can mean plenty of downtime even when it isn’t aimed at you: on shared hosting, an attack on another site on the same network or server can take yours down with it.
Hosts that take their security seriously will typically have more than one measure in place to help prevent a DDoS attack, or to mitigate its effects. For example (if we may be so bold), at Storm we rely on both hardware and software firewalls on the network, and hardcore DDoS protection at the datacentre level, to name a few.
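The firewall and datacentre measures above are the host’s job, but it helps to see what the simplest form of that detection looks like. Here is an added example (not code from the original post and not Storm’s or any vendor’s implementation) that reads web-server access log lines and flags any source address that sends more than a set number of requests inside a sliding ten-second window. The log lines are constructed, using RFC 5737 documentation addresses so nothing points at a real host, and the window and threshold are assumed values that a real deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined/common log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["req"], int(m["status"])


def find_floods(lines, window_seconds=10, max_requests=50):
    """Sliding-window rate check per source IP. Lines are assumed to be in time
    order, as they are in a log file. Returns {ip: peak requests seen inside one
    window} for every IP that exceeded max_requests."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def _log_line(ip, ts, path):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 512'


def sample_log():
    """Two minutes of constructed traffic: one ordinary visitor and one source
    hammering the login page at 30 requests/s for ten seconds. RFC 5737
    documentation addresses, so nothing here points at a real host."""
    start = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for second in range(120):
        ts = start + timedelta(seconds=second)
        if second % 20 == 0:
            lines.append(_log_line("203.0.113.7", ts, "/blog/"))
        if 30 <= second < 40:
            lines.extend(_log_line("198.51.100.9", ts, "/wp-login.php") for _ in range(30))
    return lines


if __name__ == "__main__":
    for ip, count in find_floods(sample_log()).items():
        print(f"{ip}: {count} requests inside a 10 s window, block or rate-limit")
```

Per-address counting like this is enough against a single noisy source or a brute-force run against `wp-login.php`, which is why it is the first layer in most firewalls. A distributed attack spreads the load over thousands of addresses that each stay under the threshold, which is exactly why the paragraph above says the real mitigation has to happen upstream, at the network and datacentre level, rather than on your own server.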
Backups are part of our everyday vocabulary, so you’d expect effective disaster recovery strategies to be commonplace. Not entirely. Although many businesses do have some kind of backup strategy, they often don’t back up regularly enough, or have backups that turn out not to work when they are needed.
The issue of backups becomes really important the day you lose data to a breach, a hardware failure, or some other unforeseen event. It’s therefore important to check not only whether a host backs up your data, but how often. Remember, anything added to your database since the last backup cannot be recovered from it.
As an aside, unless you have managed backups in place, where the host does this for you, you’ll also have to test your backups periodically, by actually restoring from them, to ensure that they are capable of getting you back on track.
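What “testing a backup” means in practice is restoring it somewhere harmless and checking that every file came back intact. Here is an added example (not code from the original post and not Storm’s backup tooling) that packs a directory into a `.tar.gz`, records a SHA-256 checksum for every file in a manifest, and then verifies the backup by doing a real restore into a scratch directory and comparing it against that manifest. The demo then cuts the archive short on disk, the way a full disk or an interrupted job would, and shows the verification failing. The sample site contents, file names and the `site` archive prefix are constructed for the example.

```python
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def make_backup(src_dir, archive):
    """Pack src_dir into a .tar.gz and return a {relative path: sha256} manifest,
    which is also written next to the archive."""
    src = Path(src_dir)
    manifest = {
        p.relative_to(src).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(src.rglob("*")) if p.is_file()
    }
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="site")
    Path(f"{archive}.manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(archive, manifest):
    """Do a real restore into a scratch directory and compare it with the manifest.
    Returns (ok, problems); a backup that cannot be restored and checked is not a backup."""
    problems = []
    try:
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
            # Python 3.12 (and patched 3.8+) can refuse absolute paths and '..' members
            # during extraction; pass the filter where it exists.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
            restored = Path(scratch, "site")
            for rel, expected in manifest.items():
                f = restored / rel
                if not f.is_file():
                    problems.append(f"missing: {rel}")
                elif hashlib.sha256(f.read_bytes()).hexdigest() != expected:
                    problems.append(f"hash mismatch: {rel}")
            for f in restored.rglob("*"):
                if f.is_file() and f.relative_to(restored).as_posix() not in manifest:
                    problems.append(f"unexpected: {f.relative_to(restored).as_posix()}")
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc!r}")
    return not problems, problems


# A tiny site to back up. Constructed content, no real credentials.
SAMPLE_FILES = {
    "wp-config.php": b"<?php define('DB_NAME', 'site'); define('DB_PASSWORD', 'placeholder');\n" * 50,
    "wp-content/uploads/logo.png": bytes(range(256)) * 40,
    "wp-content/themes/site/style.css": b"body { margin: 0; }\n" * 100,
}


def demo():
    """Back up the sample site, verify it, then cut the archive short on disk the
    way a full disk or interrupted job would, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "site")
        for rel, content in SAMPLE_FILES.items():
            target = site / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        archive = Path(tmp, "site-backup.tar.gz")
        manifest = make_backup(site, archive)
        ok_fresh, _ = verify_backup(archive, manifest)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        ok_truncated, problems = verify_backup(archive, manifest)
        return ok_fresh, ok_truncated, problems


if __name__ == "__main__":
    ok_fresh, ok_truncated, problems = demo()
    print("fresh backup restores cleanly:", ok_fresh)
    print("truncated backup restores cleanly:", ok_truncated, problems)
```

The point of the manifest is that “the backup file exists and has a plausible size” proves nothing; only a restore that reproduces every file byte for byte does. Keep the manifest and the archive in different places, so that a single failure cannot take out both, and run the verification on a schedule rather than the day you need the backup. The same idea applies to the database: a dump is only a backup once it has been loaded into a test database successfully.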
In our next post, we’ll briefly discuss themes and plugins, and how you can go about choosing with confidence to keep your site secure.