Website security: Key points that administrators must know
Website administrators of small businesses or organizations, especially those without full-time staff and large IT and network teams, often overlook many basic website security principles. In today's era, not only targeted hacking attacks exist, but also large-scale scripting attacks targeting seemingly endless random targets, which is very dangerous. No matter how small or low your website is, it can be a target. Whether you are a website developer or an administrator, you may not be familiar with some basic website security tips.
If you are an employee in charge of website management and are reading this article, some security precautions may sound difficult, but remember that you can learn everything you need to know. There are a lot of resources (including our own SitePoint Premium) to help you develop and manage your website. I hope the most important gain of this article is to let you spend a few minutes thinking about the security of your website.
Good password security is one of the most important considerations for website security. As an administrator, you may be responsible for a variety of important passwords: managed account management, FTP access, SSH access, MySQL database, website control panel, WordPress management panel, and more. All of this requires a different password (don't reuse it) and the password length should be long enough. In this regard, password phrases are better than passwords. Complexity helps, too, but it should be something you can remember, or you can use a password manager to help you.
Another thing to consider is to manage user access to your website. If your organization needs more than one or two users to manage the website, you should set up a separate account for admin panels, etc. These users should also have different access levels. In terms of content management systems, unless users actually require these permissions, they should be restricted from accessing website management settings, changing other people's content, or file management.
Having a user account level and a separate account will help prevent accidental or malicious damage to your website, and using a personal account will also help track and record who made specific changes in case any malicious activity (or the user is being Hackers). If the user's account is their own, it also helps to delete the organizational users leaving your company - you can simply and easily deactivate their account without resetting your shared password.
The importance of a good backup process cannot be overstated. Effective (this means occasional testing!) backup systems will prevent data loss in the event of negligent behavior, code errors, malicious actors, catastrophic hardware failures, or natural disasters. Even for small information sites that don’t change frequently, the lack of backups can cost businesses thousands of dollars to rebuild their websites.
Our hosting partner SiteGround solves this problem for all customers, providing them with free daily backups.
With Google's latest requirements for SSL certificates, websites that do not use HTTPS and accept sensitive user information will be marked as unsafe by the browser, and perhaps soon all websites that do not use HTTPS will be tagged in this way. Therefore, almost every website needs HTTPS, especially newly developed websites. You will protect users’ information, and if your website does not accept sensitive information, you will still provide confidence and peace of mind for your viewers, and with candidates like Let’s Encrypt coming up, you can do it for free. If you are using shared hosting, many hosting providers (such as SiteGround) offer free Let’s Encrypt certificates directly from your control panel, which makes protecting your website much easier.
Databases are now critical to many website platforms, including most content management systems and websites with users and backends. However, the database also has security risks. If the data is being stored, it is now vulnerable to access by malicious entities. You need to consider the security of your database. Who can access the control panel of your website, or if you have them, you can access your server's SSH account, and are their credentials safe? What about the actual database? Do your database users have the appropriate permissions to their own database? Do they have global permissions that they shouldn't have? Is their password secure?
In addition, you may need to view how the database is accessed. Ideally, you can lock access to UIs like phpMyAdmin to a specific IP address, or ban remote database access altogether, but use command lines via SSH, or use tools like MySQL Workbench or Sequel Pro to reduce the number of vulnerabilities.
One of the things you might also want to do is set up some kind of website alert monitoring service to get near-instant notifications when downtime or when using alerts such as excessive RAM or CPU usage. If you are using CMS like WordPress or Drupal, you can also use security plugins to get security-related alerts, hacking attempts, and more. There are a number of services (such as Uptime Robot or Pingdom) that can provide you with these types of alerts, from free health checks to paid service packs for detailed monitoring and reporting.
Of course, this is just some reminders and tips. The most important trick is to really change the way you think. Think about these things, and more. Consider vulnerabilities both within and outside your organization. Consider the level of access your users have. From a development perspective, consider how you filter and validate information directly from the website users. How did you cancel your account for employees leaving your company? Are there any shared credentials that need to be checked or changed? Does SSH access need to be revoked? What about the version control system?
The more you think about these things, the more successful you will be in protecting your assets. Hopefully this article at least inspired your thinking about website security, especially if you have never thought about this before. If you have more security issues that beginners recommend to consider, or have a story to tell, feel free to comment below!
Website administrators play a vital role in maintaining website security. They are responsible for setting up and managing user accounts, ensuring that the website software is up to date, and regularly backing up website data. They will also monitor the website for any suspicious activity, respond to security incidents, and implement security measures such as firewalls and encryption. In addition, they may be responsible for educating other users about online practices of security.
Website security is crucial to administrators because it protects the website from potential threats such as malware, hackers and data breaches. A secure website not only protects sensitive data from companies and their users, but also helps maintain the reputation of a business. In addition, it ensures the website runs smoothly and prevents service disruptions.
Website administrators can improve website security by regularly updating website software, using powerful and unique passwords, and implementing SSL encryption security. They can also use security plugins, regularly back up website data and monitor the website for any suspicious activity. In addition, they should educate other users about safe online practices.
Some common security threats that webmasters should be aware of include malware, hacking, phishing attacks, and data breaches. These threats can lead to loss of sensitive data, disruption of website functionality, and damage to the reputation of the business.
In the event of a security incident, it is the responsibility of the website administrator to identify the source of the problem, control the incident and repair any damage caused. They may also need to inform users and other stakeholders about the incident and take steps to prevent similar incidents in the future.
Webmasters can educate other users about online practices of security by providing users with information and resources on topics such as creating strong passwords, identifying phishing attempts, and keeping devices safe. They can also implement policies and procedures that promote security and regularly remind users to adhere to these practices.
There are many tools that can help website administrators improve website security. These tools include security plug-ins, SSL encryption, firewalls, and antivirus software. In addition, tools for regular backups, user management, and website monitoring may also be beneficial.
Regular backups are essential for website security because it ensures that website data can be restored in the event of a security incident or other disaster. This helps minimize the impact of events and ensures continuity of website operations.
Website administrators can ensure that the website software is up to date by regularly checking and installing updates. This is important because outdated software can have vulnerabilities that can be exploited by hackers.
Some best practices for password management in website security include using a powerful and unique password, changing your password regularly, and using a password manager. In addition, two-factor authentication can provide an additional layer of security.
The above is the detailed content of How to Think about Website Security as an Admin. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
