A Tip for Avoiding Security Disasters
No amount of planning can prepare you for the first time your site goes down. Whether it gets hacked, or a server crashes, or you just get a blank white screen and have no idea why – your first website disaster will send you into panic mode. Guaranteed. This is when you appreciate having a disaster protocol in place, or a web company that’ll help you get back up and running.
There are a million ways a site can break, but there are solutions to all of them. (Or most of them.) Salty Key uses rigorous security measures and real-time backups to counter any disasters that may happen. While we can’t defend against everything, we have a fallback plan in case everything else fails.
We’re also very strict about who gets login access to our site, which leads us to our security tip of the day: limiting access to your site can make the difference in avoiding disaster. It sounds obvious, but consider this finding from PricewaterhouseCoopers (now PwC):
A 2014 PwC survey on the state of U.S. cybercrime found that nearly 30 percent of all security incidents were triggered by insiders, which include employees, trusted contractors and partners.
Source: PwC, “U.S. Cybercrime: Rising Risks, Reduced Readiness,” June 2014
That was in 2014. A 2016 report from SailPoint found that 20% of employees would sell their company passwords to hackers. (Some were willing to sell company credentials for less than $100!)
It’s important to note that not all insider threats are intentional. If an employee mistakenly downloads malware on their computer and any passwords on said computer are compromised, it’s accidental. But this scenario can be avoided.
How many people have access to your site? And what level of access? Are there standard procedures in place for when someone with login access leaves or gets fired? Webmasters need to know who can access their site, and how to restrict access. If all of your logins and passwords are in a Word doc, where any employee can find it, you’re putting yourself at risk. Would you want a disgruntled (former) employee having full access to your site?
Controlling Access Points
It’s always best to start with a plan of who will be editing your site and what level of access they need. You don’t need FTP or shell (SSH) access to make simple changes to a WordPress site, so there’s no purpose in providing it to everyone.
I recommend creating separate users for everyone who will access the dashboard (wp-admin) area of the site for two reasons. First, you can track which users made what changes to the site. Second, if someone on your team gets fired, it’s much easier to delete a user from WordPress than to change all of the passwords and redistribute them to everyone.
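As an added example (not code from the original post or from Salty Key), here is how the two pieces of advice above look in practice against the real WordPress API: an audit of who holds privileged roles, a per-person account created with the least role that does the job, and an offboarding step that removes the account while keeping its content. It assumes a standard WordPress install with `wp-load.php` in the current directory; the file name `audit-access.php`, the function names and the sample logins are hypothetical.

```php
<?php
// Hypothetical maintenance script: run from the WordPress root as `php audit-access.php`.
// Assumes WordPress core lives in the current directory (wp-load.php bootstraps it).
require_once __DIR__ . '/wp-load.php';
require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

// 1. Answer "who can change this site?" by listing every account with an elevated role.
//    Review this list when someone joins or leaves; it should stay short.
function list_privileged_users(): array {
    $rows = [];
    foreach (get_users(['role__in' => ['administrator', 'editor']]) as $u) {
        $rows[] = sprintf('%-20s %-30s %s', $u->user_login, $u->user_email, implode(',', $u->roles));
    }
    return $rows;
}

// 2. Give each person their own dashboard login with the smallest role that covers their work.
//    Separate accounts mean the activity log and post authorship point at a real person.
function onboard_author(string $login, string $email): int {
    $user_id = wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        // Random initial password; the person sets their own through the reset e-mail.
        'user_pass'  => wp_generate_password(24, true, true),
        'role'       => 'author', // not 'administrator' by default; raise it only if needed
    ]);
    if (is_wp_error($user_id)) {
        throw new RuntimeException('Could not create user: ' . $user_id->get_error_message());
    }
    return $user_id;
}

// 3. Offboard: delete the departing account and reassign its posts to someone who stays,
//    so content is kept but the old login no longer works. No shared password to rotate.
function offboard_user(string $login, string $reassign_to_login): bool {
    $leaving = get_user_by('login', $login);
    $keeper  = get_user_by('login', $reassign_to_login);
    if (!$leaving || !$keeper) {
        return false; // unknown login; nothing deleted
    }
    return wp_delete_user($leaving->ID, $keeper->ID);
}

// Example run (constructed logins; adjust for your site):
foreach (list_privileged_users() as $row) {
    echo $row, PHP_EOL;
}
// onboard_author('jane.writer', 'jane@example.com');
// offboard_user('former.employee', 'site.editor');
```

The point of the reassignment argument to `wp_delete_user()` is that offboarding should never be blocked by "but their posts would disappear": hand the content to a remaining editor and remove the login the same day the person leaves.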
Prepare for All Possible Scenarios
As mentioned, there are numerous ways your site can break. Your team needs to be prepared to deal with each one.
Suppose you get a 500-level server error or a DNS error. You’ll probably need to contact your web/domain host to resolve the problem. Or maybe you see a bunch of spammy links at the bottom of the page? Your site has been hacked; you need to talk to a developer who can clean up your site. Or you made a change you can’t undo? Or updated a plugin that broke your site? You’ll need to know who can restore a backup.
Sometimes Limiting Access Isn’t Enough
Disasters happen. All of the preparation and security precautions on Earth can’t help you sometimes, and it’s important to know who you can contact whenever plans A through Z don’t work.
Consider how you would act if your website went offline tomorrow. What would you do? Who would you call? If you think you’re unprepared for the worst possible scenario, we’re always here to help and get you on the right track.