Naughty or Nice Websites

Santa Claus is coming! Was your website naughty or nice this year?

Here is a quick checklist of the top 10 bad things that can harm your website security and the top 10 good things that can improve your website security.

If your website falls into any of these categories, this is the perfect time of year to start thinking about improving your security posture.

1 – My website has outdated software.

I do not check if there are any plugins that need to be updated. I don’t know the latest version of my content management system (CMS), and I cannot remember the last time I updated everything.

2 – My website uses the same password everywhere.

I have a weak memory and prefer to use the same password everywhere so I don’t get locked out of my accounts.

3 – My website has an unrestricted login page.

I have never created an IP whitelist for my website login page. It is freely accessible to all IPs.

4 – My website has an open-registration form without CAPTCHA.

I don’t really like CAPTCHAs and am not concerned with brute force attacks, so I don’t add them to my website.

5 – My website doesn’t have 2FA.

I believe my website password is so strong that nobody could sneak into my website.

6 – My website is sharing hosting space with all of my other websites.

I don’t believe a compromised website can be as contagious as the flu virus, so I don’t see why I should have one server per site if I can just stack them all on the same server.

7 – I grant everybody admin access.

No matter what any of my website contributors do, I like to give them admin access. I don’t want to waste time thinking about the roles they actually need to perform.

8 – My website uses default CMS settings.

If my WordPress website uses the default settings it is secure, isn’t it?

9 – My website has as many plugins as possible, especially free ones.

The plugin is free and I need it, why not install it right away?

10 – My website doesn’t have automated backups.

I don’t need to back up my website all the time. I don’t even update it that much.

If your website fits into most of these checklist items, congratulations! Your website has been a good boy (or girl) and should get its security badge from Santa.

1 – My website is 100% updated.

I always update my website’s plugins, extensions, and CMS. I don’t like to leave any security holes open.

2 – I use unique and complex passwords.

My memory is not as great as a computer’s. I use a password manager that creates and stores long, unique, and complex passwords for me.

3 – I am the only admin on my website.

I carefully define the role each of my contributors has. If anybody from my team needs admin permission to do something, I grant it only for the time they need to perform a specific task.

4 – All my plugins are handpicked.

I keep as few plugins as possible and I always check when they were last updated.

5 – My website is constantly monitored.

I use an automated remote and server-side scanner. I want to know what is going on.

6 – My website has backups of backups.

My website is so important to me that I don’t want to run the risk of losing anything. Not only do I have automated backups, but I also use redundancy.

7 – My website uses HTTPS.

Data encryption is vital and I don’t want my website to be seen as insecure for not having a green padlock on it.

8 – My website has 2FA.

I like to make sure if a hacker ever finds out my website password, there is still a way to block them with my 2FA code.

9 – My website is not available to the whole world.

I use geoblocking to reduce potential malicious traffic to my website.

10 – My website is protected by a WAF.

I know that a good web application firewall will virtually patch and harden my website. I can go to bed knowing that the risk of my website being hacked is small.

Here are some website security tips for you:

You can read our post on 10 Tips to Improve your Website Security to know more about how to have a good website security posture.


*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Juliana Lewis. Read the original post at: https://blog.sucuri.net/2018/12/naughty-or-nice-websites.html