A Practical Guide to Secure and Maintain Your Website
Website Maintenance and stability are two of very important aspects of websites that are not often talked about until there is a problem. They are two concepts that are often brushed aside especially by regular website owners whose websites had been designed by a third party, a freelancer or by someone who was contracted to do so. But addressing the issue of website security and been assured that your website is secure can be exciting and comforting.
Of course, it’s thrilling to experience huge traffic spikes when your latest blog post goes viral. It’s also thrilling—and not in a good way—when your site crashes because you ignored some base-level maintenance tasks.
It’s often during those thrilling-in-a-bad-way times that we look at maintenance and stability with fresh eyes. Suddenly, these concepts look a lot more attractive.
Today’s article is all about encouraging you to give website maintenance and stability the attention it deserves—by regularly following the best practices that create a stable, secure website. When things are stable, you can enjoy the thrill of a traffic spike—without the nagging worry that your site can’t quite support it.
Over nearly a decade working with Todhost customers, we have seen firsthand what works, what doesn’t, and what really doesn’t when it comes to maintaining and supporting a stable, stress-free website. Today, we'll be sharing those experiences with you. If you want to enjoy peace of mind as a website owner, consider these best practices as your guide.
Best Practices to Follow for a Stable and Secure Website
Note: The best way to enjoy a stable and secure website is to start with the most secure, stable environment you’ve got.
So, if you’re reading this while brainstorming your site, getting ready to register your domain name and select your hosting package, go ahead and give yourself a congratulatory pat on the back. You’re reading this at the perfect time. Implement these best practices now, and you’ll officially start with the most secure, stable environment possible.
Having said that, it’s never too late, and the best time is always now! There are always actions you take to make your website more stable and secure, whether your site is a year old or more.
That’s the great news. You can get pretty secure with fairly low effort on your part. You don’t have to be a tech genius to enjoy a secure website.
Follow a few simple best practices, like the ones outlined below, and you make it a whole lot harder for the bad guys. That’s what counts.
1. Stay up to date on updates.
Once you’ve launched your site, you want to keep things updated as frequently as possible. That includes your server, your CMS or builder software, and any plugins you may be using.
Also read: Best Practices for Magento Website Security
Keeping up with updates is the best way to keep your website secure. Many people get afraid of updating their website because they don’t want it to break—but that’s why you have backups (more on this in a second)! If something seems off after an update, you can quickly restore and it’s no big deal. Then, you simply wait for the developer to release a fix, and you try the update again.
Also read: Best Practices for OpenCart Website Security
The real risk with updates is delaying them. The more time you let pass between updates, the higher your risk. It’s easier (and less risky) to update from 1.1 to 1.2, and 1.2 to 1.3, and so on, then it is to update from 1.1 to 2.0 when there’s been 10 versions in between.
With each subsequent update you ignore, your website becomes incrementally less secure. But keep up with regular updates, and you have nothing to be afraid of. That’s why at Todhost, we keep servers updated for you. You’ll still need to update your website plugins and themes, but we’ll handle the core hosting updates for you!
Updates are so effective. Embrace them! A regularly updated website is a well-defended website.
2. Use secure,passwords
Passwords are still critically important. When it comes to creating a secure password, make sure you do these three things:
Make them hard. Create a unique combination that’s not a word from the dictionary or a phrase clearly identifiable to you. Include at least 12 characters of numbers, symbols, and upper and lower case letters.
Don’t reuse them. Every account you create should have its own unique password. Every single one.
Change them often. Set up a calendar reminder to go through and update your passwords every few months. A password manager like LastPass, KeePassX, iCloud Keychain, or Google Password Manager can be a good tool for this.
This password guidance applies to your hosting account, your cPanel, and your CMS logins. It also applies to every user to whom you grant access to your site (speaking of which, you should keep a detailed list of these folks so you can revoke their access when needed).
3. Make your user names just as secure
Password security is still important, but in 2019, a secure password isn’t enough. Your user names need to be just as secure.
If possible, follow the same three tips I outlined above when creating your usernames. Your usernames should be just as tough to guess, and just as unique, as your passwords—and you should update them just as frequently, too.
Those same brute force attacks that go after passwords are equally effective at cracking usernames.
Don’t let the “name” in username confuse you. It’s better to have a username that anonymizes you, versus one that makes it clear you’re the person behind the account. Just as you wouldn’t use your social security number as your email address, you shouldn’t use your name as your user id.
4. Back up your website often, and in more than one place
Here’s something scary to think about. In the modern internet age, it’s safe to assume that every website will become compromised at some point, just like everyone’s home or car will inevitably be broken into.
Here’s something even scarier: It takes 197 days on average before you find out you’ve been compromised and someone’s accessed your website data.
Your website getting hacked is bad luck. Not being prepared to boot it back up is bad business, when you consider the number of easy, automatic, and low-cost website backup services you have out there.
Regardless of which website backup service you use, I strongly recommend the following:
Schedule your backups to run often (at least daily).
Create a new backup with each change you make on your website. This allows you to instantly restore your site to a specific moment in time.
Keep your old backups for at least a year. Even if your website is acting fine, it doesn’t mean it can necessarily be trusted. Like said above, it could take half a year before you find out you’ve been hacked.
Make a backup of your backups, and store it in another secure place, like on a different server or on a separate hard drive at your house.
Backup your database, too. People often don’t realize they need to backup more than their files, but those are only part of your website. For a successful restore, you need to backup your files and your database at the same time, and save them together.
5. Choose a well-known, reliable website building option
It seems like a new web builder gets released every day. Okay, that’s a bit of a stretch, but my point is: there are a ton of options for building a website today.
There are the big names we’re familiar with. These are the established Content Management Systems (CMS), like WordPress, Magento, Drupal, and Joomla. Many web hosts also offer drag-and-drop web builders. Then there are dozens (hundreds?) of newer options.
Whatever you choose to build your website, make sure you pick something that you’re comfortable with, and that is established. By established, we mean something that you can Google and find no shortage of videos, blog articles, support documentation. There should be forums, social media, and a community.
For example, if you search for “set up wordpress with Todhost,” you’ll find our own branded help articles, along with blogs and YouTube tutorials by other users and IT pros.
Your website is not the place to be experimenting; it’s your business. If you run into an issue with your website, you want to be able to find knowledgeable experts easily. Your website building software should be established enough for you to be able to hire the kid down the street to help you out if you run into aproblems.
6. Follow a simple approach to web design
Along the same lines, you don’t need to be bleeding-edge with your website design. Sure, it should feel unique, and it should represent you or your brand, but you want to keep things simple and recognizable for your users.
Don’t get creative with standards. If there’s a common mechanism for menus and navigation, stick with that. You want the design of your website to be familiar enough that people instantly understand how to use it.
Use the same approach with your site functionality, too. Don’t go add a hundred plugins to your site in an attempt to piecemeal together some functionality. Instead, seek out plugins that offer a more comprehensive feature set so you can minimize the total number of plugins you use.
Everything you add to your website makes it less secure. For instance, the WordPress platform itself is super secure and rigorously tested. The same can’t necessarily be said for their plugin library. If you’re on WordPress, always vet your plugins to confirm that they’re compatible with your version of WordPress, that they’re regularly updated, and that the reviews are positive.
7. Use SSLs
An SSL certificate is that handy little green lock you see when you visit a secure website.
SSL stands for Secure Sockets Layer, a technology which protects and encrypts any data transferred between a visitor’s browser and your web server. In simpler terms, it shields your customer’s data (like their name, credit cards, account info) form getting hacked. Even if your site is hacked, and this data gets stolen, the hacker won’t be able to decode it.
SSLs have become quite popular in recent years, as privacy becomes a growing concern. It’s also been a Google ranking factor since 2014, so you’ll enjoy a nice (albeit little) SEO boost from adding SSL to your site.
As they increasingly become a web standard, SSL certificates are more affordable than ever. At Todhost, we include them for free with all of our hosting plans. Activating your free SSL with Todhost just takes a few steps.
Be creative with your content and your services, not with your website. It’s not the 1990s anymore. Crazy mouseover effects and Comic Sans are no longer the “it” thing.
If you want a secure website that works well, avoid beta technologies and flashy new software. Stick with reliable providers that have been around for years, with a large user base and a wealth of online resources for you to lean on.
For even more protection, check out SiteLock. This website security checker scans your site for malware, removing it automatically and protecting your site from attack.