Is Your Website Secure?

In an earlier post, I extolled the virtues of using a content management system (CMS) to build a powerful, yet low-cost web presence. These days, most organizations opt for this technology when building their sites.

But now a word of caution…

A colleague shared a recent experience with a security breach on his group’s website. A hacker gained access to the administrative password and deposited code into the CMS database that had the potential for causing trouble for unsuspecting site visitors. Google detected the problem, placed the site in its “penalty box,” and displayed a conspicuous warning message when visitors stopped by. Needless to say, it caused major alarm bells to sound all over the organization. It will take a chunk of time and money to clean things up and get back into Google’s good graces.

How could this nightmare scenario be avoided?

FIRST: Make sure that you have strong passwords for user access and encourage users to change their passwords periodically. This rule is CRITICAL for site administrators. Strong passwords have the following characteristics:

  • They do not contain all or part of user account names, department or program names, or the Company’s name. They should not be a dictionary word, proper name, place, etc.
  • They are at least seven characters long.
  • They contain characters from three of the following four categories:
    • Uppercase characters (A-Z)
    • Lowercase characters (a-z)
    • Base 10 digits (0-9)
    • Non-alphanumeric characters (e.g., !, $, #, %, etc.)
  • Users refrain from using the same passwords for website access that they use on other accounts.
  • Passwords are not shared, printed, or stored online. They are not displayed or concealed (e.g., taped to the bottom of a keyboard) in the user’s work area.
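The criteria above are easy to state and easy to forget, so the most reliable way to apply them is to enforce them in code wherever a password is set or changed. The checker below is an added example written for this post, not code from the original article or from any particular CMS. The account name, department, company name and the small dictionary are constructed placeholders; the 7-character minimum and the "three of four categories" rule come straight from the list above. Two details go beyond the post's wording and are assumptions of mine: "part of" a name is treated as any fragment of four or more characters, and common digit-for-letter substitutions (0 for o, 3 for e, and so on) are undone before the dictionary check so that a disguised dictionary word is still caught.

```python
import re

# Constructed sample context (not real names): the account, department and
# company terms that a password must not contain in whole or in part.
USER_ACCOUNT = "jsmith"
CONTEXT_TERMS = [USER_ACCOUNT, "marketing", "ExampleCorp"]

# Constructed mini dictionary; a real deployment would load a word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "london", "secret", "letmein"}

# Thresholds from the post: at least seven characters, three of four categories.
MIN_LENGTH = 7
MIN_CATEGORIES = 3

CATEGORY_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Assumption (not from the post): undo common look-alike substitutions so that
# "Passw0rd" is still recognised as the dictionary word "password".
LEET_TABLE = str.maketrans("0134@$5", "oleaass")


def normalize(password):
    """Lower-case, undo look-alike substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_TABLE))


def count_categories(password):
    """Number of the four character categories present in the password."""
    return sum(1 for pat in CATEGORY_PATTERNS.values() if pat.search(password))


def contains_context_term(password, terms, min_fragment=4):
    """True if all or part (>= min_fragment chars) of any term appears."""
    candidates = {password.lower(), normalize(password)}
    for term in terms:
        t = term.lower()
        size = min(min_fragment, len(t))
        if size == 0:
            continue
        for i in range(len(t) - size + 1):
            fragment = t[i:i + size]
            if any(fragment in c for c in candidates):
                return True
    return False


def contains_dictionary_word(password, dictionary, min_len=4):
    """True if a dictionary word of min_len+ letters is embedded in the password."""
    norm = normalize(password)
    return any(word in norm for word in dictionary if len(word) >= min_len)


def check_password(password, terms=CONTEXT_TERMS, dictionary=DICTIONARY_WORDS):
    """Return the list of rules the password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if count_categories(password) < MIN_CATEGORIES:
        problems.append("too_few_categories")
    if contains_context_term(password, terms):
        problems.append("contains_context_term")
    if contains_dictionary_word(password, dictionary):
        problems.append("dictionary_word")
    return problems


def is_strong(password):
    return check_password(password) == []


if __name__ == "__main__":
    # Constructed sample candidates, one per rule plus one that passes.
    for candidate in ["Tr0ub4dor&3", "jsmith1!", "Summer2024", "Passw0rd!", "abc"]:
        verdict = check_password(candidate)
        print(f"{candidate!r:16} -> {'OK' if not verdict else ', '.join(verdict)}")
```

Wire `check_password` into the CMS's password-change path (server side, where the user cannot bypass it) so the rule is enforced rather than merely encouraged, and treat administrator accounts as mandatory rather than advisory. The thresholds and the word list are plain constants, so tightening them later is a one-line change.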

SECOND: Make sure your core software stays up to date. While the development community works very hard to plug security holes, they’re battling thousands of miscreants worldwide who are intent upon finding cracks in their fortresses. When new methods of intrusion rear their ugly heads, the developers knock them down in the next release of software. [Think Whack-A-Mole.]

As the old saying goes: An ounce of prevention is worth a pound of cure.