info@qualityplusconsulting.com l 262.425.0026

Special note for Ubuntu users

Breakfast Bytes podcasts are streaming MP3. In order for Firefox on Ubuntu to play the streaming MP3, install the GStreamer extra plugins that list MP3 as one of the supported formats. GStreamer can be obtained through the Ubuntu Software Center.

Breakfast Bytes - Website Security

8/18/2016

Website Security, Strategy, and Developer Selection

All about how to secure a website, having a good website security strategy, and how to select developers

MP3 - Website Security, Strategy, and Developer Selection

Actually own your infrastructure

  • Domain/DNS hosting
  • Website hosting
    • You are the website master account holder
    • The website developer is a technical contact on the website hosting account. They can log in and contact tech support.
    • Do not use a website hosting account owned by your web developer. You still need full, uninterrupted access to your website and its infrastructure when you decide to change developers.
  • Owning the website content by contract
  • Email hosting should be completely separate from website hosting

Strategy

  • Select the correct CMS
  • Select the correct website hosting account
  • Own your infrastructure
  • Only use plugins, extensions, tools, and modules from developers that are maintaining them. Paid versions of tools are always better and have support. Outdated code is a breach vector.
  • Maintain documentation on the website, hosting, tools, plugins, modules, configuration, how-to procedures, troubleshooting steps, and problem resolution, and require your developer to keep that documentation updated whenever they do work on the website.
  • Use GeoIP blocking
  • Use autoblocking for too many unauthorized attempts on the admin page
  • Use a custom admin page
  • Whitelist the IP addresses of website administrators and allow the admin page to ONLY be accessible from those admin IP addresses
  • Use a web application firewall
  • Learn how to use a PHP file scanner
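The admin-page items in the list above (whitelisting administrator IP addresses and autoblocking after too many unauthorized attempts) can be expressed as a small access policy. The following is an added example written for this page; it is not code from the podcast, from Joomla, or from any plugin named here. It replays constructed Apache-style access log lines for a Joomla-style `/administrator` path and decides, per request, whether the source IP is allowed, denied because it is outside the admin allowlist, or denied because it exceeded a failed-login threshold within a time window. The allowlist networks, the `/administrator` path, the threshold of 5 failures per 10 minutes, and the assumption that a `POST` to the admin path answered with 401 or 403 is a failed login are all assumptions made for the example.

```python
"""Admin-page access policy: IP allowlist plus autoblock on repeated failures.

Added example (not from the podcast page or any CMS/plugin it names). Replays
constructed Apache-style access log lines for a /administrator path and
returns a decision for each request.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (hypothetical; tune to your site). Addresses are
# RFC 5737 documentation ranges, constructed for this example.
ADMIN_PATH = "/administrator"
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),   # office network (constructed)
    ipaddress.ip_network("198.51.100.7/32"),  # administrator's home IP (constructed)
]
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)

# Minimal Apache "combined" format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def in_allowlist(ip):
    """True if the client address falls inside one of the admin networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


class AdminGuard:
    """Tracks failed admin logins per IP over a sliding window; blocks repeat offenders."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> time the block was applied

    @staticmethod
    def is_failed_login(rec):
        # Assumption for this example: a POST to the admin path answered with
        # 401 or 403 is a failed login attempt.
        return (rec["method"] == "POST"
                and rec["path"].startswith(ADMIN_PATH)
                and rec["status"] in (401, 403))

    def decide(self, rec):
        """Return 'allow', 'deny-not-allowlisted' or 'deny-autoblocked' for one request."""
        if not rec["path"].startswith(ADMIN_PATH):
            return "allow"  # public pages are not subject to the admin policy
        ip = rec["ip"]
        if not in_allowlist(ip):
            return "deny-not-allowlisted"
        if ip in self.blocked:
            return "deny-autoblocked"
        if self.is_failed_login(rec):
            recent = self.failures[ip]
            recent.append(rec["ts"])
            while recent and rec["ts"] - recent[0] > self.window:
                recent.popleft()  # drop failures that aged out of the window
            if len(recent) >= self.max_failures:
                self.blocked[ip] = rec["ts"]
                return "deny-autoblocked"
        return "allow"


def evaluate(lines, guard=None):
    """Run every parseable log line through the guard; returns the list of decisions."""
    if guard is None:
        guard = AdminGuard()
    return [guard.decide(rec) for rec in map(parse_line, lines) if rec is not None]


# Constructed sample log: an allowlisted IP fails to log in five times and is
# then locked out; a non-allowlisted IP is denied the admin page but may browse
# the public site.
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Aug/2016:08:00:01 -0500] "GET /administrator/index.php HTTP/1.1" 200 5120',
] + [
    f'203.0.113.10 - - [18/Aug/2016:08:00:{5 + i:02d} -0500] "POST /administrator/index.php HTTP/1.1" 401 512'
    for i in range(5)
] + [
    '203.0.113.10 - - [18/Aug/2016:08:00:30 -0500] "GET /administrator/index.php HTTP/1.1" 200 5120',
    '192.0.2.55 - - [18/Aug/2016:08:01:00 -0500] "GET /administrator/ HTTP/1.1" 403 199',
    '192.0.2.55 - - [18/Aug/2016:08:01:02 -0500] "GET /index.php HTTP/1.1" 200 8731',
]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, evaluate(SAMPLE_LOG)):
        print(f"{decision:22} {line}")
```

In production this logic lives in the web server or the security extension rather than in a log replay, but the two rules are the same: reject admin-path requests from any address outside the allowlist before the login form is even served, and lock out an allowlisted address once its failures inside the window reach the threshold. Reviewing the `deny-*` decisions alongside the web server log is also a quick way to confirm that the hosting configuration is actually enforcing the policy.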

Websites hacked and hardening them

I learned the hard way how to harden websites and secure them from being hacked. It is something that the vast majority of web developers really do not understand. I know they don't understand it because they aren't using GeoIP blockers, they aren't requiring MFA for site admins, and they aren't using many other basic security features. Most web developers still use FTP, which sends credentials in clear text across the internet. As a result of my experience, I now do all the management for my website because I could not find a web developer that understood security as well as I did. And my website had previously been hacked because the person I hired to protect it lacked the knowledge of how to do so. I also hired another developer to un-hack the website. They were not able to actually fully un-hack the website.

Only months of my persistent work resolved the issue. The bad guys had intentionally hacked my website for the purpose of trying to use it to infect my internal systems. But I have so many layers of protection in place that the technique was not successful. So ask yourself, what do you have time for? Would you like to spend months and months, as well as thousands of dollars, getting un-hacked, or would you opt to have a slightly longer authentication process?

CMS - Content Management System selection

There really is not much contest here if you have a website budget of under $25,000 per year but still want it secured.

Read an extremely important article by an industry expert on the subject of securing websites - Nicholas K. Dionysopoulos

AdminTools available for Joomla but not WordPress - Why?

Joomla - the preferred content management system

Tools for Website Security

WinSCP

Admin Tools

We only recommend Admin Tools Pro. Admin Tools free version is nice to get your feet wet, but for access to the tools you really need, the pro version is required.

Akeeba Backup

It is crucial to have a solid backup and restore tool for your website that has support.

Guide on how to use WinSCP to transfer files securely (SFTP rather than plain FTP) to your website hosting account. Note that this only works with website hosting companies that are actually capable of proper levels of security. Be sure to vet the hosting company before buying.
