On January 25, the President of the United States will stand before Congress and deliver the annual State of the Union address. Politics aside, during his speech President Obama will review how the country is doing — work that has been done, how well we’ve done it, jobs still left to do, and how best to accomplish remaining tasks. National security and economic performance are likely to dominate his address. He will attempt to explain the problems our nation faces, put those problems into context and then provide his view of solutions to those problems.
In that vein, this might be a good time for us all to give thoughtful consideration to our own online “nations” — our websites, social media networks, and overall online presence — to evaluate how they’re doing. This message won’t be as long as the President’s address — we promise — and won’t feature a response from the “opposition”. We just want to give you a framework to start thinking about other issues that impact you. In this three-part series we’re going to focus on three key areas – security, performance, and social media. These aren’t your only considerations but we believe that these three are particularly important when it comes to your online success.
Online security is a vital issue that most people do not take seriously. Breaches in online security can lead to loss of revenue, decrease in customer trust, black-listing by search engines, and more trouble than most of us want.
There are many ways that a site can be compromised – but this isn’t a primer on online security. For good information on online security, see HostGator’s blog and the World Wide Web Consortium (W3C). What is important to know is that websites do get hacked, and even the smallest of sites can be the target of unauthorized tampering. Awareness of this threat is the first step in ensuring that you’re ready to deal with problems if they occur.
Your site is not too small or too obscure to attract a hacker.
In this post we will highlight two important aspects of enhancing online security: backup and recovery plans, and password security.
Backup and recovery plans address the “what if’s” of your online presence.
What would you do if your website crashed?
What if your website was hacked and/or vandalized?
Do you have backups of your site files and databases stored remotely and readily available?
Can you contact your hosting provider and ask them to restore your site from a back-up?
If your hosting provider is a pivotal part of your recovery plan, you may be out of luck if disaster strikes. As a rule, the major hosting companies do not provide backup and recovery services…but don’t take our word on that, read theirs (emphasis ours):
You agree to back-up all of your User Content so that you can access and use it when needed. Go Daddy does not warrant that it backs-up any Account or User Content, and you agree to accept as a risk the loss of any and all of your User Content.
1 & 1 Hosting – Terms and Conditions, section 3.1.8
You are responsible for backing up Your Data on your own computer. 1&1 does not warrant or otherwise guarantee that it will back up your data or that data which has been backed up can be retrieved, and will not be responsible for any archiving or backup of Your Data. If any of Your Data is damaged, deleted, lost or corrupted in any way, or becomes otherwise unavailable due to termination or suspension of your account pursuant to this Agreement, 1&1 will have no obligation or liability to you.
HostGator - Terms of Service, section 5
Your use of this service is at your sole risk. Our backup service is ran on Sunday of each week, overwrites any of our previous backups made, and only one week of backups are kept. This service is provided to you as a courtesy. HostGator is not responsible for files and/or data residing on your account. You agree to take full responsibility for files and data transferred and to maintain all appropriate backup of files and data stored on HostGator servers.
This is a small-but-representative sampling of the language most web hosting providers use in their terms of service. If your site files are lost or damaged, you’re on your own to replace and restore them.
The solution is to ensure that you have your own reliable and readily available backups of your sites’ files and databases. And to be truly effective, your backups need to be stored on a server different than the one where your website lives. The Impression Chefs currently offer clients whose sites are hosted with us complimentary basic remote backup services. We’ll soon be introducing new robust remote backup and recovery services for those clients who want more security. Whether your web host offers these services or not, they are VITAL.
Think of backup and recovery services as health insurance for your website.
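One way to keep your own verified backups in several generations, rather than a single weekly copy that gets overwritten (an added example, not code from the original post or from any hosting provider). It assumes the database has already been exported to a file inside the site directory and that `backup_dir` sits on, or is synced to, a different server; the function names are made up for this illustration.

```python
import hashlib
import tarfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_dir: Path, backup_dir: Path, stamp: str) -> Path:
    """Write site-<stamp>.tar.gz plus a .sha256 sidecar into backup_dir.

    Assumption: backup_dir is on (or synced to) a different server than the
    site, and stamp is a sortable label such as 20110125T0300Z.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    Path(str(archive) + ".sha256").write_text(sha256_of(archive))
    return archive


def verify_backup(archive: Path) -> list[str]:
    """Return the file names in the archive, or raise if it is damaged."""
    expected = Path(str(archive) + ".sha256").read_text().strip()
    if sha256_of(archive) != expected:
        raise ValueError(f"checksum mismatch: {archive.name}")
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def prune(backup_dir: Path, keep: int) -> list[str]:
    """Delete all but the newest `keep` generations; return removed names."""
    archives = sorted(backup_dir.glob("site-*.tar.gz"))
    stale = archives[:-keep] if keep > 0 else archives
    for old in stale:
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
    return [old.name for old in stale]
```

Run `verify_backup` on the copy at the remote location, not the local one, so a failed or truncated transfer is noticed before the backup is needed.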
Most of us log in to a variety of sites throughout the course of a normal day. In terms of security, important questions to ask are:
- “How secure are your passwords?”
- “Do you use the same password for every site you log into?”
- “Are your passwords easy to guess?”
If the answers to those questions are “Not very,” “Yes,” and “Pretty easy,” you’re asking for trouble. Having insecure passwords is like leaving your house key under the doormat – if there’s easy access it’s not secure. Four words to remember for password security: strict, original, individual, and restricted.
- Strict — You should have a strict password policy for yourself and members of your organization. Password requirements should be consistently enforced.
- Original — Do not reuse passwords across multiple sites.
- Individual — Every authorized user should have their own username and password.
- Restricted — Only give access to users who need it. If the access can be restricted, make sure that someone has only the privileges they need to get their job done.
Delete user accounts when people leave your organization, when you change developers, or when the account is no longer needed.
Here are some guidelines for creating passwords (I did not create this list – it’s excerpted from the HostGator peer support forum: thanks Stef! – but it’s pretty good):
- Use a combination of letters, numbers, special characters, upper and lower case (use at least one uppercase letter, one lowercase letter, one number, one special character)
- Don’t use a password that can be linked to you in any way – no birthdays, kids’ or pets’ names, home towns…
- Don’t use anything that can be found in the dictionary – words or acronyms
- You can use the first (one, two or three) characters of every word in a sentence
- You can concatenate two words together (like j0ke=l0l)
- You can use words without the vowels (like CntGt1n! (can’t get in!))
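The checkable parts of the guidelines above (the four character classes, no personal details, no dictionary words) can be enforced in code. This is an added example, not part of the original post or the forum list; the tiny word list, the personal details and the function name are constructed for illustration.

```python
import re

# Constructed sample data: a real deployment would load a full word list and
# the user's own profile fields (names, birthdays, home town).
DICTIONARY = {"joke", "password", "welcome", "dragon", "monkey"}


def check_password(password: str, personal: list[str], words=DICTIONARY) -> list[str]:
    """Return the guideline violations for a candidate password (empty = OK)."""
    problems = []
    classes = {
        "an uppercase letter": r"[A-Z]",
        "a lowercase letter": r"[a-z]",
        "a number": r"[0-9]",
        "a special character": r"[^A-Za-z0-9]",
    }
    for label, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {label}")

    lowered = password.lower()
    # Personal details: compare case-insensitively, ignoring very short tokens.
    for item in personal:
        token = item.lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains personal detail '{item}'")

    # Dictionary words: test every run of letters, so 'Joke2011!' is caught
    # even though the whole string is not a word.
    for run in re.findall(r"[a-z]+", lowered):
        if run in words:
            problems.append(f"contains dictionary word '{run}'")
    return problems
```

Run against the two sample passwords in the list, `CntGt1n!` passes every check, while `j0ke=l0l` is reported as missing an uppercase letter.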
On a related note: you’ve also got to be careful with those password recovery/identity confirmation questions. In the days of social networking, finding out someone’s place of birth, high school mascot or graduation year is relatively simple. Revealing information in a consolidated area or manner makes the job even easier.
If your email address is viewable via Facebook, be careful that the answers to gain access to that account don’t appear there as well.
There are many tools available to help you keep track of all your passwords and keep them safe. For Windows users, KeePass is a good choice. It works well, is secure and is free. For Mac users, Keychain is included in the operating system. There are many other options out there. Do a search for “password manager software.” Once you find one you think you like, search the title of that software with the word “reviews” to check it out.
Software updates and security enhancements
Is your website running on software that is more than a year behind the update curve? If so, you’re asking for trouble.
Whenever software is released, hackers immediately start looking for vulnerabilities in that software. Software publishers work to provide patches for those holes as quickly as they’re discovered. It’s your responsibility to make sure that you’re applying those patches by updating your software. And I say “responsibility” because keeping your site updated reduces your chances of being hacked – consequently reducing the chances of your site becoming a distribution point for malware, a source of spam, or a tool used in other nefarious Internet activities. Plugins and other software used in conjunction with your site need to be kept up-to-date as well.
Upgrading should not be taken lightly.
These days it may be relatively simple to click a button and activate an upgrade script — but you want to make sure that everything will go smoothly. You don’t want to break your site in the process of securing it. There are a lot of dependencies in a website — the server software, the site template or theme, and plugins to name a few — and you want to make sure that everything that works before an upgrade will still work after (or that you have a viable substitute for the things that won’t work). This shouldn’t scare you away from updating, however…a hacked site is worse than one that is having a minor compatibility problem.
So, take a look at your site’s source code. If your site’s software is woefully out of date, take care of it! If you can’t do it yourself, hire someone who can. The Impression Chefs will be happy to help you update your site. Contact us. We offer as-needed support as well as on-going service plans that will help keep your site operating in top form.
Next Post…Performance and Economy
Any questions or comments?