Is your website secure? Are you secure?
That’s a very relative question. The truthful answer is that there is no such thing as completely secure. Understanding that, we can establish some best practices both for your website and your online accounts.
Your website should be running under HTTPS. If it’s not, you either need to get your current provider to make it run that way or change hosting providers. An SSL security certificate can be had for the price of free. We can provide a free SSL certificate to anyone whose website we might host. In fact, not only do we offer it for free, but we absolutely require it. Unsecure HTTP is dead, or at least it should be. Google, Mozilla, etc. are updating their browsers to make sure that becomes a reality.
Why is HTTP unsecure, you might ask? Because anything that is transmitted by HTTP is in plain text and can be read by G-d and everyone from point A to point B and then some. If you log into a back end on your site, that should be encrypted. If not, you might as well just post your username and password on a billboard next to the busiest highway in your area. Also, a certificate helps identify that the owner of the website is really who they claim to be and that you’re not about to hand your credentials off to someone else. It’s just good practice.
Next, whatever software you use for your website CMS (Content Management System) should be kept up to date, either automatically or by you logging into it at least once per month and updating it yourself. Failure to do so will end up getting you hacked. I can post Google search results that will show you what happens when you don’t do this.
How many sites are on the same physical/virtual box as yours? This is definitely something to look into. If there are a hundred websites on the same virtual machine as your website, then yours is 100 times more likely to get hacked because one or more sites on the same system are not following best practices. It is best to segment a few sites between individual virtual machines. That would be best practice to reduce the likelihood of your own infrastructure turning against you due to circumstances outside of your control.
Is your website backed up regularly? Both the files AND the database? Most modern sites use MySQL or some other form of database. If you are still in the dark ages of static web pages, you need to talk to us. Especially if those static pages are not mobile friendly (i.e. are not responsively designed) and don’t pass the mobile compatibility tests.
Any account that you log in to should have either one or both of the following: 1) a lockout threshold after X number of failed login attempts and 2) two-factor authentication. If anything you log in to doesn’t have at least one of these two features, you need to have a talk with whoever set it up because it is going to get hacked. There are botnets on the internet that spend every second of every minute of every hour of every day finding and breaking into things that don’t implement these measures, and then notify their creators of their success. So sleep easier at night knowing your logins are protected with one or both of the above-mentioned security measures. This includes your social media accounts and your Amazon account. Yes, by Jesus, please enable two-factor authentication on your Amazon account if you have anything linked to it that has any kind of cash value. That’s true for most people who shop on Amazon. If you don’t, well don’t say we didn’t warn you.
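The first of those two measures, a lockout threshold after X failed login attempts, shown as an added example (not code from this post or from any particular CMS). The class and function names, the default of 5 failures within 300 seconds and the 900-second lock are assumptions chosen for illustration, and the login events are constructed.

```python
from collections import defaultdict, deque


class LoginLockout:
    """Lock an account after `threshold` failed logins within `window` seconds."""

    def __init__(self, threshold=5, window=300, lock_seconds=900):
        self.threshold = threshold
        self.window = window
        self.lock_seconds = lock_seconds
        self._failures = defaultdict(deque)  # account -> times of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'denied' for one login attempt at time `now`."""
        if now < self._locked_until.get(account, 0):
            # Refuse before looking at the password, so a correct guess made
            # during the lock is indistinguishable from a wrong one.
            return "locked"
        if password_ok:
            self._failures.pop(account, None)  # a success clears the counter
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        # Forget failures that have fallen outside the counting window.
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lock_seconds
            recent.clear()
        return "denied"


def replay(events, **policy):
    """Run (time, account, password_ok) events through one lockout policy."""
    guard = LoginLockout(**policy)
    return [guard.attempt(account, ok, t) for t, account, ok in events]


# Constructed sample: a bot guesses against 'admin' once a second and hits the
# right password on its 7th try; the owner logs in after the lock has expired.
SAMPLE_EVENTS = (
    [(t, "admin", False) for t in range(1, 6)]   # 5 wrong guesses -> lock until 905
    + [(6, "admin", False), (7, "admin", True)]  # both refused while locked
    + [(8, "editor", True)]                      # other accounts are unaffected
    + [(1000, "admin", True)]                    # lock has expired
)
```

Calling `replay(SAMPLE_EVENTS)` returns one result per event; the bot's correct guess at second 7 is refused because the account is already locked.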
Are your devices implementing the most effective security best practices? We can help in that department. Endpoint security is one of many attack vectors to take into consideration in securing your website and you.
If you haven’t considered it already, now would be a great time to look into getting some sort of self identity protection that proactively monitors your social, your credit cards and bank accounts and offers a large sum of cash to insure you and your identity should the worst case scenario happen to you. It’s an absolute necessity these days.