How To Ensure Your Website Is Secure
We have been building and hosting websites since 1999. In that time we have seen our fair share of website attacks. We have also executed numerous security compliance audits and enacted their recommendations to ensure websites are running to the highest possible levels of security.
The steps below are a summary of possible measures you can take to safeguard your website. Often, not all these steps are warranted, but the list summaries all the processes we have carried out over the years either off our own bat or at the request of third party security auditors.
General
- Install SSL certificates so browser communication is secure.
- Get an SSL report on the website from SSL Labs to identify vulnerabilities in SSL. Enact all recommendations.
- Restrict database server access to IPs of web servers that need to access them.
- Make sure ftp access is only accessible from the IPs that need to use it.
- Once the above has been achieved, have your website scanned by an external compliance auditor. Enact recommendations.
WordPress/Linux Specific Recommendations
- Make sure SSH access is only accessible from the IPs that need to use it.
- Ensure you are using a version of PHP that uses the latest version of TLS.
- For WordPress, follow Linux security best practices when configuring your web server.
- Make sure WordPress is up to date and all plugins are up to date. Avoid free WordPress plugins.
Umbraco/Windows Specific Recommendations
- Make sure remote desktop access is only accessible from the IPs that need to use it.
- For Umbraco websites, follow IIS best practice when configuring your Windows server.
- Make sure remote desktop access is only accessible from the IPs that need to use it.
- Only expose database servers to the web servers that need to access them.
- Ensure Umbraco security patches are in place.