Website security Q&A: most common client questions

According to a study by WordFence, 17.4% of WordPress users self-identify as novice or less when it comes to website security expertise. Considering that WordPress powers 25% of all websites, that’s a lot of security risk; and nearly 40% of respondents to the same study said their website had been compromised in the last year.

Being a novice in website security when your website holds sensitive information isn’t really an option these days, and our savvy clients know how important their data is. So here are the questions clients most frequently ask Dusted about website security, and how you can make your website more secure.

How can we be positive that connections to the website are secure?

When a user accesses your site, they send lots of information to it and you send information back. If unprotected, this information can be intercepted by hackers, so it needs to be transferred securely. HTTPS (Secure HTTP) encrypts that information in transit so that it cannot be read or tampered with on the way. We encourage all the clients we work with to run their websites over HTTPS by installing an SSL certificate. For e-commerce websites, payment services (e.g. PayPal Pro) require you to have SSL before you can use them.

As a further incentive, since 2014 Google has offered a search ranking boost to websites served over HTTPS, so all the more reason!
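Installing the certificate is only half the job: the site also has to redirect plain-HTTP visitors, tell browsers to stick to HTTPS, and keep session cookies off the unencrypted channel. The script below is an added example (not Dusted’s code) that audits captured responses for those three points; the `Response` class and the `example.test` responses are constructed so the check runs offline.

```python
"""Offline audit of a site's HTTP/HTTPS responses.

Added illustration, not Dusted's code: it works on captured responses
rather than live requests, and the sample responses below are constructed.
"""
from dataclasses import dataclass, field

SIX_MONTHS = 180 * 24 * 3600   # minimum HSTS max-age we accept, in seconds


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)   # "Set-Cookie" holds a list


def hsts_max_age(header_value):
    """Extract max-age from a Strict-Transport-Security header (0 if absent)."""
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return 0


def https_findings(http_resp, https_resp):
    """Return a list of problems; an empty list means the site enforces HTTPS properly."""
    findings = []

    # 1. A plain-HTTP request must be redirected permanently to the HTTPS URL.
    location = http_resp.headers.get("Location", "")
    if http_resp.status not in (301, 308) or not location.startswith("https://"):
        findings.append("http: no permanent redirect to https")

    # 2. HSTS makes browsers refuse plain HTTP for the site on later visits.
    if hsts_max_age(https_resp.headers.get("Strict-Transport-Security", "")) < SIX_MONTHS:
        findings.append("https: Strict-Transport-Security missing or max-age too short")

    # 3. Session cookies need the Secure flag so they are never sent over HTTP.
    for cookie in https_resp.headers.get("Set-Cookie", []):
        attributes = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attributes:
            findings.append("https: cookie without Secure flag: " + cookie.split("=", 1)[0])

    return findings


# Constructed sample responses: one site done right, one not.
GOOD_HTTP = Response("http://example.test/", 301, {"Location": "https://example.test/"})
GOOD_HTTPS = Response("https://example.test/", 200, {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["SESSabc123=xyz; Path=/; Secure; HttpOnly"],
})
WEAK_HTTP = Response("http://example.test/", 200, {})
WEAK_HTTPS = Response("https://example.test/", 200, {
    "Set-Cookie": ["SESSabc123=xyz; Path=/; HttpOnly"],
})

if __name__ == "__main__":
    print("good site:", https_findings(GOOD_HTTP, GOOD_HTTPS))
    print("weak site:", https_findings(WEAK_HTTP, WEAK_HTTPS))
```

To use it against a real site, capture the response to `http://yoursite/` and to `https://yoursite/` (for instance from your browser’s network panel) and feed them in as `Response` objects; each finding is something the hosting or CMS configuration should fix.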

How can we control what users logging in can see?

Controlling who can get access to your CMS (Content Management System; see our essential list of terminology!) is one thing, but controlling who can see and do what once they are in is another. A CMS offers several types of user. For instance, we may bring in a guest blogger and give them access to write and edit their own articles but nobody else’s.

Users have defined roles and permissions to make sure they cannot affect other areas of the site. Drupal (our first choice of CMS) has a highly customisable permissions system. The preset roles of ‘anonymous user’ (i.e. visitors to your website), ‘authenticated user’ (i.e. someone given permission to edit only the areas specified by the administrator) and ‘administrator’ (i.e. boss-man) offer basic levels of permission, but you can also set specific permissions for specific users. That freedom over permissions opens up more development potential, such as allowing any user to create blog content but not to delete any, or setting up a secure area that clients can access to download private documents. At Dusted we help clients using a CMS to set up and manage their users, roles and permissions to ensure great security.
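The essential property of a role system like Drupal’s is that a user can do nothing that their roles were not explicitly granted. The following added example (not Drupal’s own code or API) models that deny-by-default rule with the three preset role names from the text, a constructed ‘client’ role for a private download area, and constructed permission strings; it shows the guest blogger editing their own post but not a colleague’s, and nobody but the administrator deleting anything.

```python
"""Deny-by-default roles and permissions, modelled on a CMS such as Drupal.

Added illustration, not Drupal's own code or API. The three preset role
names come from Drupal; the 'client' role and the permission strings are
constructed for this example.
"""
from dataclasses import dataclass

ANONYMOUS = "anonymous user"
AUTHENTICATED = "authenticated user"
ADMINISTRATOR = "administrator"
CLIENT = "client"   # constructed custom role for a private download area

# Explicit grants per role. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    ANONYMOUS: {"view published content"},
    AUTHENTICATED: {"view published content", "create blog content", "edit own blog content"},
    CLIENT: {"view published content", "access private documents"},
}


@dataclass(frozen=True)
class User:
    uid: int
    roles: frozenset


@dataclass(frozen=True)
class Node:
    nid: int
    author_uid: int


def has_permission(user, permission):
    """The administrator role holds every permission; other roles only what they were granted."""
    if ADMINISTRATOR in user.roles:
        return True
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def may_edit(user, node):
    """'edit any' beats ownership; 'edit own' requires the user to be the author."""
    if has_permission(user, "edit any blog content"):
        return True
    return has_permission(user, "edit own blog content") and node.author_uid == user.uid


def may_delete(user, node):
    """No preset role is granted deletion, so only administrators pass this check."""
    return has_permission(user, "delete any blog content")


# Constructed sample accounts and content.
VISITOR = User(uid=0, roles=frozenset({ANONYMOUS}))
GUEST_BLOGGER = User(uid=7, roles=frozenset({AUTHENTICATED}))
CLIENT_USER = User(uid=9, roles=frozenset({AUTHENTICATED, CLIENT}))
ADMIN = User(uid=1, roles=frozenset({AUTHENTICATED, ADMINISTRATOR}))
GUEST_POST = Node(nid=101, author_uid=7)
STAFF_POST = Node(nid=102, author_uid=1)

if __name__ == "__main__":
    for name, user in [("visitor", VISITOR), ("guest blogger", GUEST_BLOGGER),
                       ("client", CLIENT_USER), ("admin", ADMIN)]:
        print(f"{name:13} edit own post: {may_edit(user, GUEST_POST)!s:5} "
              f"edit staff post: {may_edit(user, STAFF_POST)!s:5} "
              f"delete: {may_delete(user, GUEST_POST)!s:5} "
              f"private docs: {has_permission(user, 'access private documents')}")
```

The point to carry over to a real CMS is the shape of `ROLE_PERMISSIONS`: every role lists only what it needs, and a permission that no role lists (deletion, here) is simply unavailable until an administrator decides otherwise.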

Where is our CMS content stored and is it secure?

Content entered into the CMS is stored in a database on the web server. This is secure up to a point, because access to the database is limited by server security. The content itself isn’t encrypted (i.e. what is displayed on the site is exactly what is saved in the database), which usually isn’t an issue because the content is on a public-facing website anyway. Some sensitive data, such as the passwords users log in to the CMS with, is stored in encrypted (hashed) form within the database, so even a malicious data pirate who gets at the database directly (e.g. through database hacking) cannot simply read the passwords back.
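What ‘stored in hashed form’ means in practice: the database holds a salted, slow-to-compute hash, the site checks a login by recomputing that hash, and a copy of the table gives an attacker nothing to read back. The example below is added here and is not Drupal’s own password code (Drupal’s hashing routine differs in detail); it uses PBKDF2 from the Python standard library, and the two accounts are constructed.

```python
"""How CMS passwords are stored: a salted, iterated hash rather than the password.

Added illustration, not Drupal's own password code; the users table below
is constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # slows down brute-force guessing of a leaked hash


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt$digest (hex fields)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def users_table(accounts):
    """What actually lands in the database: usernames and hashes, never passwords."""
    return [{"name": name, "pass": hash_password(password)} for name, password in accounts]


def plaintext_leaked(rows, accounts):
    """True if any stored row contains a password verbatim (it never should)."""
    return any(password in row["pass"] for row in rows for _, password in accounts)


# Constructed sample accounts; the passwords exist only in this demo.
ACCOUNTS = [("editor", "correct horse battery staple"), ("guest", "Spring2016!")]

if __name__ == "__main__":
    rows = users_table(ACCOUNTS)
    for row in rows:
        print(row["name"], "->", row["pass"][:40] + "...")
    print("plaintext in table:", plaintext_leaked(rows, ACCOUNTS))
    print("login ok:", verify_password("Spring2016!", rows[1]["pass"]))
    print("wrong password:", verify_password("spring2016!", rows[1]["pass"]))
```

The per-user random salt means two people with the same password get different hashes, and the iteration count makes every guess against a leaked table cost real CPU time; both are what a CMS relies on if its database is ever copied.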

How do you detect and protect from intrusions?

At Dusted we recommend a service called CloudFlare, in addition to our own hardware firewall. Essentially, all incoming traffic, whether from website users, hackers or bots, passes through CloudFlare first, which is able to tell (using various techniques, including checking the visitor’s IP address) whether the visitor is hostile or benign. Think of it like an incredibly savvy club bouncer, able to spot anyone who’s looking for trouble and refuse them entry (or anyone wearing a hoody because, c’mon, this is a swanky place).
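The same kind of judgement can be made, more crudely, from your own web server’s access log. The script below is an added example, not CloudFlare’s technology or Dusted’s code: it flags addresses that are already on a blocklist, that hammer the Drupal login form (`/user/login`), or that exceed a request rate within a sliding window. The log lines are constructed and use documentation-only addresses.

```python
"""Spotting hostile traffic in a web server access log.

Added illustration, not CloudFlare's technology nor Dusted's code: it
flags IPs that hammer the Drupal login form or exceed a request rate.
The log lines are constructed and use RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
BLOCKLIST = {"192.0.2.200"}   # constructed: addresses already known to be hostile


def parse_line(line):
    """Parse one combined-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "when": when, "method": m["method"], "path": m["path"]}


def find_suspicious(lines, login_path="/user/login", max_logins=5,
                    max_requests=30, window_seconds=60):
    """Return {ip: [reasons]} for every address worth blocking or rate-limiting."""
    logins = defaultdict(int)
    times = defaultdict(list)
    reasons = defaultdict(list)
    for entry in filter(None, map(parse_line, lines)):
        times[entry["ip"]].append(entry["when"])
        if entry["method"] == "POST" and entry["path"] == login_path:
            logins[entry["ip"]] += 1

    for ip in times:
        if ip in BLOCKLIST:
            reasons[ip].append("on blocklist")
        if logins[ip] > max_logins:
            reasons[ip].append(f"{logins[ip]} login attempts (max {max_logins})")
        # Sliding window: size of the busiest window_seconds span for this IP.
        stamps = sorted(times[ip])
        start, busiest = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest > max_requests:
            reasons[ip].append(f"{busiest} requests in {window_seconds}s (max {max_requests})")
    return dict(reasons)


def _line(ip, second, method, path, status, minute=0):
    """Build one constructed log line in combined format."""
    return (f'{ip} - - [10/Mar/2016:10:{minute:02d}:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("203.0.113.5", s, "GET", p, 200) for s, p in [(1, "/"), (3, "/blog"), (9, "/contact")]]
    + [_line("198.51.100.7", s, "POST", "/user/login", 200) for s in range(5, 11)]   # 6 attempts
    + [_line("192.0.2.44", s, "GET", f"/node/{s}", 404, minute=1) for s in range(35)]  # scanner
    + [_line("192.0.2.200", 20, "GET", "/", 200, minute=2)]                           # blocklisted
)

if __name__ == "__main__":
    for ip, why in find_suspicious(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Run against a real log, the output is a list of addresses to rate-limit or block at the firewall; a service like CloudFlare does this with far more signals and across many sites, which is why we recommend it on top of a local check like this.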

How do you know if a site has a virus?

There is software available to scan for viruses, and it’s recommended that all servers have it! We use stopthehacker.com because it can be installed on the server and automated, keeping a constant vigil over our data.

You can also use Google Search Console, which, among its other useful abilities, can monitor for and help you resolve malware on your site. Alternatively, just use virustotal.com, which can immediately report on any virus or malware.
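One thing every server-side scanner does, and that you can reproduce yourself, is file-integrity monitoring: hash every file in the web root once, then compare later and look hard at anything added or changed. The following is an added example (not stopthehacker.com’s product or Dusted’s code); it builds a small constructed web root in a temporary directory, takes a baseline, simulates tampering, and reports the differences along with any changed file containing a text pattern typical of injected PHP.

```python
"""File-integrity monitoring for a web root: baseline hashes, then diff.

Added illustration, not stopthehacker.com's product or Dusted's code.
It builds its own sample web root in a temporary directory so it runs
offline; the file contents are constructed.
"""
import hashlib
import os
import re
import tempfile

# Text patterns common in injected PHP; a hit is a reason to inspect, not proof.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*base64_decode\s*\(|gzinflate\s*\(\s*base64_decode")


def snapshot(root):
    """Map every file under root (relative path, '/' separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Split changes since the baseline into added, removed and modified files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def scan_markers(root, relpaths):
    """Return those of the given files whose contents match a suspicious pattern."""
    hits = []
    for rel in relpaths:
        with open(os.path.join(root, rel), "rb") as fh:
            if SUSPICIOUS.search(fh.read()):
                hits.append(rel)
    return hits


def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo(root):
    """Build a clean site, take a baseline, then simulate a compromise and report it."""
    write(root, "index.php", b"<?php require 'core/bootstrap.php';\n")
    write(root, "sites/default/settings.php", b"<?php $databases = [];\n")
    baseline = snapshot(root)

    # Simulated tampering (constructed, no real payload): one file altered, one dropped in.
    write(root, "index.php", b"<?php eval(base64_decode('...')); require 'core/bootstrap.php';\n")
    write(root, "sites/default/files/cache.php", b"<?php echo 'hello';\n")
    changes = diff_snapshots(baseline, snapshot(root))
    changes["markers"] = scan_markers(root, changes["added"] + changes["modified"])
    return changes


def run_demo():
    """Run demo() in a throwaway directory and return its report."""
    with tempfile.TemporaryDirectory() as root:
        return demo(root)


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind:9}", files)
```

On a real site you would store the baseline from `snapshot()` somewhere the web server cannot write to, refresh it only after a deployment or update, and run the comparison on a schedule; a PHP file appearing under an uploads directory such as `sites/default/files` is exactly the kind of change that should page somebody.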

How do you keep your server software secure?

There is a lot to consider here, but one of the most essential parts of keeping your software secure is to install updates as soon as they are available. We make sure we set time aside specifically for this purpose.

It might seem like a pain or nuisance to have to keep updating your software: after all, you get little messages at inconvenient times and stuff. What a hassle! But those little update reminders are often fixes to potentially dangerous security risks. Security holes can very quickly be taken advantage of by hackers and it’s best you beat them to the punch by keeping everything up to date.

If you are using a managed hosting solution then you have less to worry about, since your provider should take care of it.

Those are the most common questions we’re asked regarding website security, but we’re looking forward to receiving more. When a client is interested in and aware of the importance of security for their data it’s an encouraging sign for us. We take your data very seriously because we know how important it is to you.