Website Security Checklist

(Classified under: Security)

Posted on 5 February 2018

We recently invited subscribers of our newsletter to take a simple four-step check on a couple of commonly ignored aspects of website security. You can view this article at https://cornerstoneweb.com/blogPost/16/Website-Security

This checklist is a little more extensive than the newsletter checklist but is not a complete list, by any means. Rather, we hope that it will help stimulate discussion between you and your web developer to have those really important conversations around your website security plan…


SSL Certificate Security:

  • Does our website load over HTTPS using a valid SSL/TLS certificate issued by a recognised certificate authority, and does every plain HTTP request get redirected to the HTTPS version?

Tip: Did you know that search engines treat HTTPS as a positive ranking signal, so a secured site has a ranking advantage as well as a security one?

Login Pages:

  • Does our website actively require a secure (HTTPS) connection for our Login page, so that usernames and passwords are never sent in the clear?
  • Are our Login pages protected against brute-force attacks, for example by limiting or locking out repeated failed attempts?
  • Do we have ways to defeat automated login attempts (rate limiting, CAPTCHAs, blocking of known bad addresses)?

Tip: Did you know that blocking malicious traffic also makes your website faster? The server stops spending CPU and database time answering bot requests and has more left for real visitors.
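As an added example of the "protected against brute-force attacks" point above (this is not code from the original post or from CWS), the following Python sketch shows a per-IP sliding-window lockout of the kind a login page should apply before it even checks the password. The thresholds (5 failures in 5 minutes, 15-minute lockout), the IP address and the credential check are all assumptions made up for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Policy values are illustrative assumptions, not figures from the checklist:
# at most MAX_FAILURES failed logins per client IP inside WINDOW_SECONDS, after
# which the IP is refused for LOCKOUT_SECONDS without even checking the password.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


@dataclass
class LoginThrottle:
    max_failures: int = MAX_FAILURES
    window: int = WINDOW_SECONDS
    lockout: int = LOCKOUT_SECONDS
    # per-IP timestamps of recent failures, oldest first
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    # per-IP time at which the current lockout ends
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]   # lockout has expired
            return False
        return True

    def record_failure(self, ip: str, now: float) -> None:
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)


def attempt_login(throttle, ip, username, password, now, check_credentials):
    """Return 'locked', 'ok' or 'bad'. The throttle is consulted *before* the
    credential check, so a locked-out client cannot keep testing passwords."""
    if throttle.is_locked(ip, now):
        return "locked"
    if check_credentials(username, password):
        throttle.record_success(ip)
        return "ok"
    throttle.record_failure(ip, now)
    return "bad"


def simulate_attack():
    """Constructed scenario: one IP tries seven passwords one second apart, then
    returns with the right password after the lockout has expired."""
    throttle = LoginThrottle()

    def valid(user, password):   # stand-in for the real credential store
        return (user, password) == ("editor", "correct horse battery staple")

    ip = "203.0.113.7"   # documentation address (RFC 5737), not a real client
    results = [attempt_login(throttle, ip, "editor", f"guess{i}", 1000 + i, valid) for i in range(7)]
    results.append(attempt_login(throttle, ip, "editor", "correct horse battery staple",
                                 1000 + 6 + LOCKOUT_SECONDS + 1, valid))
    return results
```

Keying the throttle on the client IP alone is the simplest form; a distributed attack that spreads guesses across many addresses needs an additional per-username counter, and the lockout state must live somewhere shared (database or cache) rather than in one process if the site runs on several PHP workers.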

Authentication:

  • Have we disabled the default system username(s)? For example, are we still using the “admin” user to log into WordPress?
  • Does our website require users to choose complex passwords (a sensible minimum length, and a check against lists of common or previously breached passwords)?
  • Does our website force users to change their password if it hasn’t been changed recently? (Note that current guidance in NIST SP 800-63B recommends against forced periodic changes unless there is evidence of compromise; screening new passwords against breached-password lists does more good.)
  • Does our website prevent users from reusing old passwords?

Tip: Read more about helpful ways to remember complex passwords.
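To make the three password questions above concrete, here is an added Python example (not from the original post or from any CMS) of a new-password check that enforces a minimum length, rejects entries from a common-password list, rejects passwords containing the username, and refuses reuse of the last five passwords. Previous passwords are kept only as salted PBKDF2 hashes, so the history itself does not leak anything if the database is stolen. The minimum length, the tiny common-password set, the history depth and the usernames are assumptions for the illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8                 # NIST SP 800-63B minimum for user-chosen passwords
HISTORY_DEPTH = 5              # how many previous passwords may not be reused (assumption)
PBKDF2_ITERATIONS = 600_000    # OWASP's current recommendation for PBKDF2-HMAC-SHA256

# A tiny constructed stand-in for a breached/common password list; a real site
# would check against a large list such as Have I Been Pwned's Pwned Passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123", "welcome1"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def matches(password, salt, key):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, key)


def check_new_password(password, username, history):
    """Return the list of policy violations; an empty list means the password is acceptable.
    `history` is a list of (salt, key) pairs, newest first, covering the user's
    current and previous passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    for salt, key in history[:HISTORY_DEPTH]:
        if matches(password, salt, key):
            problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def rotate_password(history, new_password):
    """Store the new password's hash at the front of the history and trim it."""
    return [hash_password(new_password)] + history[:HISTORY_DEPTH - 1]
```

Because every history entry has its own salt, checking reuse costs one PBKDF2 derivation per stored password; with a depth of five that is deliberate and acceptable on a password-change form, but it is one more reason not to keep a long history.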

Multi-Factor Authentication:

  • Does our website allow the use of an “additional factor” (such as an SMS code, or a time-based one-time PIN from an authenticator app like Google Authenticator) to verify our users’ identity? Authenticator apps are the better choice: SMS codes can be intercepted or redirected by SIM swapping, and NIST SP 800-63B classes SMS as a restricted authenticator.

Tip: MFA doesn’t necessarily reduce the risk that someone will try to hack your site, but it will greatly reduce the likelihood that they will succeed!

Access-Based Security:

  • Where can our login page be accessed from currently? (By default, from anywhere on the Internet.)
  • Have we restricted access to this area of our website, for example to our office network or a VPN?
  • Have we tested that requests from high-risk countries are refused before our Login page even loads? Geo-blocking is a coarse filter that a VPN gets around, so treat it as one layer rather than the only one.
  • Are there restrictions on what our users can access and change once they log into our website’s Administration Portal? Each user should hold the least privilege their job needs: an editor should not be able to install plugins or change site settings.

Tip: CWS blocks malicious traffic to our servers by examining the log files of each and every hosting account to see who’s been up to no good. However, it is better to incorporate such checks into your website so they are done at the time your login page is requested, not after the event.
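Both halves of the tip above, finding offenders in the access log and refusing them at the moment the login page is requested, are shown in the following added Python example (not code from the original post or from CWS). The log lines are constructed in the standard "combined" format and use RFC 5737 documentation addresses; the office network range, the threshold of three failures and the treatment of xmlrpc.php are assumptions for the illustration. It relies on one real WordPress behaviour: a failed POST to wp-login.php redraws the form with HTTP 200, whereas a successful login answers with a 302 redirect.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log (Apache/Nginx "combined" format); not real traffic.
SAMPLE_LOG = """\
198.51.100.23 - - [05/Feb/2018:09:12:01 +1100] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Feb/2018:09:12:02 +1100] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Feb/2018:09:12:02 +1100] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Feb/2018:09:12:03 +1100] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Feb/2018:09:12:03 +1100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2018:09:15:44 +1100] "GET /wp-login.php HTTP/1.1" 200 2760 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2018:09:15:52 +1100] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.99 - - [05/Feb/2018:09:16:10 +1100] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def failed_logins(log_text: str) -> Counter:
    """Count probable failed WordPress logins per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?")[0]
        # wp-login.php: HTTP 200 on a POST means the form came back with an error,
        # i.e. a wrong password; a successful login is a 302 redirect instead.
        # xmlrpc.php: counted as well, because its system.multicall method lets a
        # single request carry hundreds of password guesses.
        if (path.endswith("/wp-login.php") and m["status"] == "200") or path.endswith("/xmlrpc.php"):
            counts[m["ip"]] += 1
    return counts


def offenders(log_text: str, threshold: int = 3) -> list:
    """IPs that reached the failure threshold; this is the after-the-event check."""
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= threshold)


def login_request_allowed(client_ip: str, blocked, allowed_networks=None) -> bool:
    """Decision taken when /wp-login.php is requested, before any HTML is sent.
    If allowed_networks (a list of CIDR strings) is given, only clients inside one
    of them may load the page at all; otherwise everyone except known offenders may."""
    ip = ipaddress.ip_address(client_ip)
    if allowed_networks is not None:
        return any(ip in ipaddress.ip_network(net) for net in allowed_networks)
    return client_ip not in blocked
```

In practice the offender list would be refreshed from the logs on a schedule and the allow-list applied in the web server or firewall rather than in PHP, but the decision logic is the same: the allow-list answers "where can our login page be accessed from", and the block list answers "who has already shown they are up to no good".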

Outdated Code (including Themes and Plugins):

  • Is our website currently running outdated code, and how can we tell? (WordPress, for example, lists pending core, theme and plugin updates in its Dashboard.)
  • Who is responsible for updating our website’s code (including Themes and Plugins) to ensure that it is kept up-to-date with the latest security patches and releases?

Tip: It is said that the pain of regret is far worse than the pain of discipline. It’s easier to keep your website updated and secure than have to recover a hacked site and explain the situation to your customers…

Software-specific Code Considerations:

  • Are there any specific considerations we need to make for the particular software that runs our website?

Tip: A very good introduction to WordPress Security can be found at https://sucuri.net/guides/wordpress-security

Using a current version of PHP:

  • Are we using a currently supported version of PHP to run our website, one that still receives security fixes?

Tip: View the timeline for currently supported versions of PHP at https://www.php.net/supported-versions.php. If your website is running anything below PHP 5.6, you need to update it urgently! (Note that PHP 5.6 itself reached end of life on 31 December 2018, so the same urgency now applies to any branch that has dropped off that page.)


Website Monitoring:

  • How would we know if our website had been hacked? (Defaced pages, unexpected files, new administrator accounts and spam sent from our domain are the usual signs.)
  • Do we have monitoring in place for Internet blacklists, such as Google Safe Browsing and the email/IP blocklists that would stop our mail being delivered?

Tip: CWS monitors each of our servers on a minute-by-minute basis for availability and any other issues that might affect your hosting, CWS CMS or email services.
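Availability monitoring tells you the site is up, not that it is unchanged. One direct answer to "how would we know if our website has been hacked?" is file-integrity monitoring: record a hash of every file when the site is known to be clean and compare against it regularly. The Python example below is added here to show that technique and is not code from the original post or from CWS; the site layout and file contents in the demo are constructed in a temporary directory for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map every file under `root` (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline.
    A dropped web shell shows up under 'added'; a backdoored theme under 'modified'."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny clean site, then simulate a typical
    compromise (one theme file altered, one unexpected PHP file added)."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "wp-content/themes/demo").mkdir(parents=True)
        (site / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (site / "wp-content/themes/demo/functions.php").write_text("<?php // theme functions\n")
        baseline = build_manifest(root)   # taken while the site is known to be clean

        # ...time passes; an attacker changes a theme file and drops a new one.
        (site / "wp-content/themes/demo/functions.php").write_text("<?php // theme functions\n// unexpected extra code\n")
        (site / "wp-content/uploads").mkdir()
        (site / "wp-content/uploads/cache.php").write_text("<?php // stand-in for a dropped file\n")

        return compare_manifests(baseline, build_manifest(root))
```

Keep the baseline manifest somewhere the web server cannot write to (or off the server altogether), refresh it deliberately after each legitimate update, and exclude genuinely volatile paths such as caches and user uploads from the comparison. A PHP file appearing under wp-content/uploads, as in the demo, is exactly the kind of finding you want reported rather than filtered out.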

Backups:

  • Is there a regular plan in place to download backups of our website from cPanel, to keep them somewhere other than the server itself, and to test that they actually restore?

Tip: Please don't use CMS plugins for your website backups. They are grossly inefficient and potentially unsafe, given that they often require the process to be triggered from outside your website and then store the backup in potentially web-accessible directories on your site! Stick to the backups that you can download from cPanel.


NB: Information presented here is general in nature, does not take into account your particular situation and should not be used in place of professional IT consultation.