Reliability is the primary purpose of website hosting. When a website is slow, unreliable or completely unavailable, marketing investment is wasted. Controlling the security of your website is the first step in ensuring reliability.
Security is particularly important when private information is submitted to and stored on a website (for example ecommerce or membership sites). A privacy breach can cost a business hundreds of thousands of dollars in fines, compensation and damages.
Usernames and passwords are your first line of defence. Attackers already know the default usernames for common website platforms (for example "admin" or "root"), and many platforms disclose valid usernames on their own. WordPress, for example, exposes author usernames through author archive URLs (requesting /?author=1 redirects to /author/<username>/) and through its REST API (/wp-json/wp/v2/users), and prints display names in post bylines; some themes and plugins go further and print the author's email address. Unless you take steps to remove these, it takes an attacker very little effort to assemble a list of active usernames for your website.
Around 75% of people reuse passwords, and attackers rely on exactly that. Over the last 15 years your team members have almost certainly had an account exposed in a breach (check your email address at https://haveibeenpwned.com/). Attackers buy lists of email addresses and passwords from those breaches, match the email addresses to active usernames on your website, and then try the leaked passwords against those accounts. This is known as credential stuffing, and it succeeds whenever a password has been reused.
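The reused-password testing described above is visible from the hosting side. As an added example (not code from the original page), the script below scans web server access-log lines in the common Apache/nginx "combined" format for a source address that fires many failed logins at wp-login.php inside a short window and then succeeds. It relies on the fact that WordPress answers a failed wp-login.php POST with a 200 (the form re-rendered with an error) and a successful one with a 302 redirect to wp-admin. The log lines, IP addresses, timestamps and the 10-failure threshold are all constructed for the example.

```python
"""Spot credential stuffing against wp-login.php in access-log lines.

Added example for this page, not code from the original page. The log lines,
addresses and timestamps are constructed; the format is the common
Apache/nginx "combined" log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/wp-login.php"
FAIL_STATUS = 200     # WordPress re-renders the login form with an error
SUCCESS_STATUS = 302  # a successful login redirects to wp-admin


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def flag_sources(lines: Iterable[str],
                 window: timedelta = timedelta(minutes=10),
                 max_failures: int = 10) -> List[dict]:
    """Group login POSTs by source IP and flag any IP with at least
    max_failures failed logins inside any span of length window. A success
    after such a burst usually means a reused password was found."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and event["method"] == "POST" and event["path"] == LOGIN_PATH:
            by_ip[event["ip"]].append(event)

    flagged = []
    for ip, events in by_ip.items():
        fails = sorted(e["ts"] for e in events if e["status"] == FAIL_STATUS)
        worst, start = 0, 0
        for end in range(len(fails)):          # sliding window over failures
            while fails[end] - fails[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= max_failures:
            flagged.append({
                "ip": ip,
                "failures_in_window": worst,
                "successes": sum(1 for e in events if e["status"] == SUCCESS_STATUS),
            })
    return flagged


def _line(ip: str, ts: datetime, status: int, method: str = "POST") -> str:
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] '
            f'"{method} {LOGIN_PATH} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')


# Constructed sample log: 203.0.113.7 fails 12 times in 90 seconds and then
# logs in; 198.51.100.20 is an ordinary user who mistypes once. The final GET
# is the login page being loaded, which is not a login attempt.
_T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("203.0.113.7", _T0 + timedelta(seconds=8 * i), FAIL_STATUS) for i in range(12)]
    + [_line("203.0.113.7", _T0 + timedelta(seconds=100), SUCCESS_STATUS)]
    + [_line("198.51.100.20", _T0 + timedelta(minutes=3), FAIL_STATUS),
       _line("198.51.100.20", _T0 + timedelta(minutes=3, seconds=20), SUCCESS_STATUS),
       _line("198.51.100.20", _T0 + timedelta(minutes=4), 200, method="GET")]
)

if __name__ == "__main__":
    for hit in flag_sources(SAMPLE_LOG):
        print(f"{hit['ip']}: {hit['failures_in_window']} failed logins in window, "
              f"{hit['successes']} success(es); block the source and reset the "
              f"passwords of any account that logged in from it")
```

A real credential-stuffing run is often spread over many addresses with only a few attempts each, so the per-IP threshold above catches the clumsy cases; a sudden rise in total wp-login.php failures across all sources is the signal to watch for the distributed ones.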
Our recommendations:
- Do not use generic usernames (for example “admin”).
- Do not use full names as usernames (for example Joan Smith).
- Use a unique password of at least 16 characters for every account, mixing letters, numbers and symbols.
- Ensure every user enrols in two-factor authentication (2FA/MFA) for the website login.
- Do not allow users to share usernames.
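As an added example (not the page's own code) of enforcing the password rules above together with the haveibeenpwned check, without ever sending a password to a third party: the Pwned Passwords range API (https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password's SHA-1) returns only hash suffixes for that prefix, so the comparison happens on your own machine. The sample range response and the "leaked" password CorrectHorseBatteryStaple1! below are constructed; the network fetch is included to show the real call but is not used in the offline run.

```python
"""Password policy check plus a Have I Been Pwned k-anonymity lookup.

Added example for this page, not the page's own code. SAMPLE_RANGE_RESPONSE
is constructed; fetch_range() shows the real API call but is not used offline.
"""
import hashlib
import string
from typing import List, Optional, Tuple
from urllib.request import urlopen

MIN_LENGTH = 16
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 of the password into the 5-char prefix that
    is sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def policy_violations(password: str) -> List[str]:
    """Return the rules from the page that the password breaks ([] means OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    return problems


def breach_count(password: str, range_response: str) -> int:
    """Count how often the password appears in breach data, given the API
    response for its own 5-char prefix (one "SUFFIX:COUNT" per line)."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Real network lookup: only the 5-char prefix leaves the machine."""
    with urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def evaluate(password: str, range_response: Optional[str] = None) -> List[str]:
    """Combine the policy rules with the breach check. Passing a response
    keeps the check offline; omitting it queries the live API."""
    problems = policy_violations(password)
    if range_response is None:
        range_response = fetch_range(sha1_prefix_suffix(password)[0])
    hits = breach_count(password, range_response)
    if hits:
        problems.append(f"found {hits} times in breach data")
    return problems


# Constructed sample: a long, mixed-character password that passes every
# policy rule but (in this made-up range response) appears 3731 times in
# breach data. Length and complexity rules alone would have accepted it.
LEAKED_SAMPLE = "CorrectHorseBatteryStaple1!"
_leaked_prefix, _leaked_suffix = sha1_prefix_suffix(LEAKED_SAMPLE)
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # filler suffix, made up
    f"{_leaked_suffix}:3731",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",   # filler suffix, made up
])

if __name__ == "__main__":
    for pw in ["password", LEAKED_SAMPLE, "x7#Qm2!pLw9@Zr4&Tk"]:
        print(f"{pw!r}: {evaluate(pw, SAMPLE_RANGE_RESPONSE) or 'OK'}")
```

Run the check when a user sets or changes a password and reject anything with a non-zero breach count; the length and character-class rules stop weak passwords, but only the breach lookup stops the reused ones that credential stuffing depends on.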
The next layer of security is having good policies and procedures in place. Limiting the permissions given to each website user is essential. We often find that website owners have granted far more access than their users need. This is particularly evident when marketing consultants get involved.
Marketing consultants are primarily sales copywriters, yet they regularly demand unlimited access, far more than they need, and website owners respond by granting them "super-administrator" access. Clients are not told that this lets a copywriter irrecoverably delete the entire site, create unlimited administrators and install or upgrade software. They wrongly assume that marketing experts have technical qualifications and security training. Marketing consultants are experts in their own field, and for that they only need access to pages, written content, page metadata and visual content. They do not generally need access to the software, themes, raw files, server or plugins, and they should never be allowed to add or edit users.
While we have strict policies and expected conduct for hosting clients, we do not police users. Clients are accountable for their users' actions and for preserving the security of the website. That said, we will enforce the policies once we detect misuse.
Only a few specific people should ever be given super-administrator access. This not only limits the possibility of mistakes; it ensures strong conventions are followed and helps pinpoint the source of a security breach.
Our recommendations:
- Install an advanced role manager to limit each user's access (for example, a role that can edit content but cannot manage plugins, themes or users).
- Clients store their super-administrator account securely and do not use it for day-to-day work.
- Clients use (and pay for) our support team to create new users for their websites, OR create a procedure in which only one person in your organisation creates user accounts.
- Each user has an individual account, and only one person is permitted to use each username. Do not allow users to share usernames.
- Apply a username convention that includes at least the user's level and an abbreviated name (for example writer_johnsmith).
- All users, no matter their degree of experience, are limited to the specific functions they need.
We have provided this information as general guidance. Your specific security protocols should be tailored to your business, environment and team. The main point is that you consider security, and create and enforce secure procedures. Your website is public and therefore exposed. One day you may be required to show that you did everything you could to prevent a breach.