Since the outbreak of Covid-19 many companies have pushed to online solutions in order to keep trading. If you are considering this, or have already made the move, the following advice can assist in helping to keep your business trading safely and securely online;
Use trusted software from official sites
The big three Content Management Systems (CMS) are WordPress, Joomla and Drupal. They each have their own strengths and weaknesses. It is important to research and find which system best suits your situation and which developers can help you to create the functionality and design you require.
Where to buy templates
The big 3 CMS all have official templates that come with the websites, but they also have extension directories where you can see other people’s reviews, read the feedback and then get the template from the official source. Avoid getting your templates from aggregate sites that sometimes offer further reductions. Code added to such templates from unofficial sources could be malicious and compromise your site’s security.
Where to buy extensions
There are loads of great extensions that help to add functionality to your site. Some are paid extensions and it can be tempting to search the web for sites that offer free or cheaper versions of these official extensions. Don’t be tempted to buy from such sites. This is where malicious code is added and the extension repackaged. If added to your site, it compromises your security. It’s not worth the risk. Always purchase from the software owner’s site.
Read the reviews
Whether a template or an extension, always do the due diligence before you add it to your site. You may not have the understanding or knowledge to determine if the extension or template is well built but chances are others have already installed, tested and evaluated it. Check out the official template and extension directories to see what others say. They will often comment on the level of documentation, ease of extension and the support that is on offer.
Visit a user group
If you want to find good developers, administrators and designers then visit a user group. Many have an online presence during this lockdown so it is still possible to attend online. The three main CMS all have active user groups in the UK. There you will find enthusiastic users who have the knowledge you need to make your site secure. They will often offer review, suggest improvements and recommend contacts to assist with your site development.
If getting any extension or template ensure that it has been regularly updated and that the developer is still active. If the site has not been updated with information and releases in the last year the chances are it is a dead project and you will be installing an extension that will not get security patches. If in doubt just email the developer and ask if they are actively supporting the extension you want to use.
Passwords, dos and don’ts
Always use a strong password. Many websites have password policies that you can turn on. This will force you and your users to set strong passwords. In the better systems, you can also force a password reset for your users so that the next time they log in they will need to change their password. This is useful if you have not set a good policy from the start and now need to implement a change. If using a developer, always give them a separate login and never your own credentials. And never create generic group logins. These are not needed in the main CMS systems and should never be used.
Always keep your website up to date
You should always ensure that your website is kept up to date by installing the latest updates (patches), as by not doing so you are leaving your website open to attack.
Most websites have release cycles of a month to six weeks, so you either yourself or your developer should be installing the update patches about that often. However, before installing an update always back up your website in case the update causes a problem. Ideally, you should also test the update on a development copy of the website first, to ensure that third-party extensions are not affected by the update and still work. Once you are happy that everything still works correctly, install the update patch for your website.
Two-Factor Authentication (2FA)
All the major CMS websites offer 2FA. This is another layer of security and is something worth considering for your sites.
Often it can be done on a user group or user level so that you can secure the users with the most privileges.
Often the 2FA works by sending a text or code to your phone that you then need to add to the website alongside your password. These codes will be different every time and add a good extra layer of security.
Secure Sockets Layer (SSL) Certificates
SSL Certificates are small data files that digitally link a cryptographic key to an organisation’s details. When installed on a web server, it activates the padlock in the browser window. It is important to then make sure people only view your site via https and not HTTP. Many browsers have a security tab to help you make sure you have the certificate installed and it is working correctly. It has the added advantage of boosting you in some search engine ranks which should more than cover the cost of the installation. Typically they need renewing every year from a trusted source.
Backups and Archives
Always, always have a backup solution and consider an archive.
A backup is a snapshot of your site so that you can replace it if it’s damaged in any way. An archive can be thought of as a series of snapshots going back in time so you can go back to a backup before the damage happened. If you keep just the last few backups and they are overwritten, it may be awhile before you realise that something is not working and the backups you hold may not have a working copy of what you require. Ideally, if your data changes every few days you would have daily backups and then keep the first of every week going back over many months. That way you can go back in time should a problem be found.
Test your backups and archives and host them separate from your website
However, this can cause problems as if the hosting company has issues then so will your backups, so it makes sense to keep the backup separate. A way of doing this is to host with one company but store your backups in a storage service such as Google drive, amazon s3 or dropbox.
There are others but a lot of website software is designed to push to these services so that if you need the backup you can retrieve it securely from anywhere and restore your site with your hosting company or a new hosting company.
If in doubt there are support forums for all the main systems where you can research and ask questions. If you can give as much information when doing so and you have first searched to see that your question has not already been answered then you are sure to get an enthusiastic and helpful response.