Website Security Checklist
(Classified under: Security)
Posted on 5 February 2018
We recently invited subscribers of our newsletter to take a simple four-step check on a couple of commonly ignored aspects of website security. You can view this article at https://cornerstoneweb.com/blogPost/16/Website-Security
This checklist is a little more extensive than the newsletter checklist but is not a complete list, by any means. Rather, we hope that it will help stimulate discussion between you and your web developer to have those really important conversations around your website security plan…
SSL Certificate Security:
- Does our website load securely using a valid and recognised SSL security certificate?
- Does our website actively require a secure connection for our Login page?
- Are our Login pages protected against Brute Force Attacks?
- Do we have ways to defeat automated login attempts?
- Have we inactivated the default system username(s)? Are we still using the “admin” user to log into WordPress, for example?
- Does our website require users to choose complex passwords?
- Does our website force users to change their password if it hasn’t been changed recently?
- Does our website prevent users from reusing old passwords?
- Does our website allow the use of an “additional factor” (such as SMS verification or using a time-based PIN generator like Google Authenticator) to verify our users’ identity?
- Where can our login page be accessed from currently?
- Have we restricted access to this area of our website?
- Have we tested that IT High-Risk Countries are prevented from even loading our Login page?
- Are there restrictions to what our users can access and change once they log into our website’s Administration Portal?
Outdated Code (including Themes and Plugins):
- Is our website currently running outdated code and how can we tell this?
- Who is responsible for updating our website’s code (including Themes and Plugins) to ensure that it is kept up-to-date with the latest security patches and releases?
Software-specific Code Considerations:
- Are there any specific considerations that you need to make for the particular software that runs your website?
Using a current version of PHP:
- Are we using a currently-supported version of PHP to run our website?
- How would we know if our website has been hacked?
- Do we have monitoring in place for Internet Blacklists?
- Is there a regular plan in place to download backups for our website from the cPanel?
NB: Information presented here is general in nature, does not take into account your particular situation and should not be used in place of professional IT consultation.