What: The Website Management Policy helps you set up good security practices when using a website. It establishes a checklist and provides information so that you understand the risks and issues better.
Who: This policy mainly concerns the management and the people responsible for the website.
Approx. time: Plan a one-hour meeting to decide which practices to implement and a thirty-minute meeting with the rest of the team to go over the key points.
A website management policy has three main objectives:
- Protect the website’s availability: Your website is your online showcase. Good security practices will help keep it online in case of a server crash or attack.
- Ensure the integrity of the information on it: Bugs, configuration errors, or human error can easily happen. Good practices will help you minimize their impact and keep the site looking exactly the way you intend.
- Protect the confidentiality of the people who visit it: To maintain a good reputation and ensure the security of the people visiting your site, you can set up a few tools so that their browsing data stays confidential.
Verify the content of your website regularly
The first step to securing your website is to check it for vulnerabilities and verify its content. You can do this by browsing all its pages and running security scans that check for known vulnerabilities.
- By reviewing your site regularly, you can ensure the integrity of its content.
- In particular, check the layout of the images, text, and media, and make sure the hyperlinks work.
- An unwanted change can indicate a bug, a configuration error, or a cyberattack.
- For checking vulnerabilities, here are some tools that might help you. If you find this too obscure, see if the person responsible for your website can handle it for you, or do more research on the Internet.
Back up the content regularly
The second step is very simple: you must reduce the impact of human error as much as possible. To do this, you need to back up your website and its databases regularly.
When establishing this policy, it’s important to determine:
- Who is responsible for doing the backups?
- How often should the backups be done?
This is an important step towards minimizing the impact of an error or cyberattack.
Do your security updates rigorously
Just as with operating systems and software, security updates are key to ensuring the security of your website. We strongly encourage you to automatically update the different components (themes, extensions, programs, subscriptions, parameters).
At best, not doing the updates causes technical errors and bugs. At worst, it significantly increases the risk of a cyberattack for you and the people visiting your website.
Clean up the extensions
Similarly, if you have an extension (or plug-in) or a component of your website that is no longer being used, make sure to delete it so as to avoid having an unnecessary potential breach.
You could even consider not using a CMS—such as WordPress or Joomla—if you don’t need to. A simplified CMS reduces the vulnerability risk. In short, it’s important to make these decisions during your meeting, always based on the computer needs and skills of the members of your organization.
Activate the HTTPS protocol on all your pages
Some sites still use HTTP (without the S for security). This is an outdated protocol that neither encrypts the data being transmitted nor authenticates your site to the user. For more information on HTTPS, see this section.
Periodically check—you can do this by visiting the pages as a user would—that the HTTPS protocol has been activated on all your pages, even those that remain “hidden.” If you see a small green or locked padlock to the left of your URL, everything is under control!
If you are not sure whether you’ve activated the HTTPS function, verify with the company that created your website or with your web host (such as GoDaddy), if you designed the website yourself. Don’t worry, they’ll understand even if you find all these protocols a mysterious language.
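The regular content review and the HTTPS check described above can be partly automated. The following script is an added example and not part of the original policy: it takes pages you have already fetched (here a constructed sample site), compares each page against a stored baseline hash to spot unwanted changes, flags any reference still using plain http://, and reports internal links that point to pages that no longer exist.

```python
# Added example (not part of the original policy): offline integrity and HTTPS/link
# audit over already-fetched pages. Assumes you fetch each page with your own
# tooling and pass {url: html}; the sample site below is constructed.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _RefCollector(HTMLParser):
    """Collect every href/src reference found in a page."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.refs.append(value)


def page_digest(html):
    """SHA-256 of a page; record these as the baseline right after a reviewed release."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def audit_site(pages, baseline):
    """pages: {url: html}, baseline: {url: sha256 hex}. Flags pages that drifted from
    the baseline, references still using plain http://, and broken internal links."""
    findings = {"changed": [], "http_refs": [], "broken_links": []}
    for url, html in pages.items():
        if baseline.get(url) != page_digest(html):
            findings["changed"].append(url)
        collector = _RefCollector()
        collector.feed(html)
        for ref in collector.refs:
            target = urljoin(url, ref)
            parsed = urlparse(target)
            if parsed.scheme == "http":  # mixed content or an unencrypted page
                findings["http_refs"].append((url, target))
            internal = parsed.netloc == urlparse(url).netloc
            if internal and target.split("#")[0] not in pages:
                findings["broken_links"].append((url, target))
    return findings


SAMPLE_PAGES = {  # constructed sample site, not real content
    "https://example.org/": '<a href="/about">About</a><img src="http://cdn.example.org/logo.png">',
    "https://example.org/about": '<a href="/contact">Contact</a><script src="/app.js"></script>',
    "https://example.org/app.js": "console.log('ok');",
}
BASELINE = {url: page_digest(html) for url, html in SAMPLE_PAGES.items()}
BASELINE["https://example.org/about"] = "0" * 64  # simulate a page edited after the baseline was taken
```

Run `audit_site(SAMPLE_PAGES, BASELINE)` after each review; any entry in `changed` deserves a look, and `http_refs` must be empty once HTTPS is active on every page.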
Develop a recovery plan
You should have expected this point: in order to avoid the worst, you need to be prepared! This means developing a recovery plan. Come up with a checklist or a course of action to take in case of a problem or service outage. Here are some questions to guide you:
- Who will you contact in case of a problem?
  - Your IT person? The web host? The company in charge of managing your website?
  - Make sure you have their contact information on hand.
- Where are the backups stored? How can you restore the content quickly?
- What will you do if the website is down for a few days?
- What will you do if the website content has been altered? Who needs to be notified?
- Will there be consequences (in terms of reputation, money, etc.) for certain clients, partners, or others?
Review your website regularly to ensure the integrity and availability of the content.
- Check for security vulnerabilities regularly.
- Make software updates and domain renewal automatic.
- Delete unused extensions.
- Activate the HTTPS protocol on all the pages of your website.
- Back up the content regularly.
- Develop a recovery plan in case of a problem (who to contact, what backups to use, who to notify, etc.) in order to minimize the impact and help you get back on your feet more quickly.