Website security – our top tips to action right now

Breaches in website security are unfortunately becoming more common. With our reliance on the digital world, the impact of these breaches become more significant.  

We’re Olamalu, technical experts in Drupal, Sharepoint and web apps, and we build and manage websites and intranets – including all things security, for a wide range of different organisations. Security is obviously an important focus for our business and we’re proud to have recently been awarded the world's best-known standard for information security management systems, the ISO/IEC 27001.

However, we know that for those outside of the tech industry, website security can often feel confusing and overwhelming, but we want to reassure you that it doesn’t need to be. With the right focus and some robust processes, you can feel more in control and be as prepared as possible if things do go wrong. The important thing to do is to get things started as soon as possible. To help you, we’ve used our wealth of experience and knowledge to share our top tips for website security that can be actioned right now.

Keep on top of your user management, and do not allow sharing of accounts. Every user should have their own account and if you're not using a secure single sign-on system, make sure that users set a strong password that is unique to your website and not used for other systems.

If a user leaves the organisation, disable their access with immediate effect.

Clearly define your user accesses. Each and every user should have a defined role that consists of a set of permissions which will determine what they can view, create, edit and delete.

Users should be given the minimal access that they need to do their job, this is the information security principle of least privilege and keeps your security tight. 

Your CMS should allow for multiple roles that can be tailored to your needs. You should avoid giving admin access to any user unless it is strictly necessary

Is your website regularly backed up? Is there a defined timetable for undertaking a backup? This is a crucial process, if something goes wrong and you need to restore your website you will need quick access to a recent backup and a tech partner who can help you to quickly spin up a new site.

Security updates are launched more frequently than ever before. Make sure that they are applied promptly. The bigger the time gap between the security update being released and you applying it, the more at risk your website.

At Olamalu, we have a website update procedure to ensure that security updates are tracked and that all the websites that we look after are updated within an appropriate timeframe - for highly critical security update we are able to respond rapidly.

Using outdated software is a security risk, so it’s vital that you know what technology is used on your website and that you have a plan for updating it. Accessories such as plugins and contrib modules are often a forgotten piece of the website portfolio but also need to be updated regularly and checked for security. We always run security reviews when we are asked to maintain a website that another agency has built. We often find plugins or contributed modules that are seriously out of date, particularly on WordPress websites. If you're not sure how to check for and run updates on all the technology on your site, look for a tech partner who can undertake an audit and then take over the site and maintain it properly for you.

Websites will change over their lifetime to continue to meet the needs of the organisation, but it’s important that requests for fixes or enhancements are managed through a properly planned and controlled process which includes risk assessment and testing to minimise the possibility of something going wrong.

Do you know who has access to your server, or when and how it is being updated? Only those with server admin responsibility should be able to log in and you should have an expert assigned to make sure that it is being kept up to date. Your website should never write executable files to the server (which is why allowing Wordpress to update code via the user interface can be risky).  All the code should be stored securely elsewhere and copied robustly to the server. These are part of our standard processes when managing sites and servers.

Are you aware of what personal data is being collected, processed and stored on your website? Pay particular attention to web forms as these can be easy to miss. You must have a valid and transparent reason for collecting and storing personal data, have the correct permissions, ensure that it is secure and that you are exercising the appropriate data protection processes as required and set out by GDPR. Click here for more details https://www.gov.uk/data-protection

Are you running cookies and data tracking on your site? You may not be managing these yourselves, but using a 3rd party service instead. Either way, do you know what is being collected, what data is being transferred, how and why? Don't get caught out.

Do you have a clear understanding of what content is on your site? Even if the content doesn’t appear in the menu of your website, if it's published, then it is publicly accessible. Do you have a process for reviewing and updating content and for clearing out old unwanted content?

We hope that our top tips were useful and something that you can put into action right away.

We are passionate about security and regularly produce content and advice around security, so check out our security hub here.

We are Olamalu, Drupal experts, experienced web developers and ISO/IEC 27001 certified. We’re a friendly and down to earth team based in West Oxfordshire, who work together to achieve brilliant outcomes. We’ve been developing websites and designing tailormade tech solutions for a huge range of different challenges for over 10 years. 

We work with many of our clients as an ongoing technical partner, but we also offer a consultancy service to solve a specific strategic challenge.