7 THINGS WEB DESIGN CLIENTS SHOULD KNOW ABOUT WEBSITE SECURITY
1. Understand the Responsibilities of Your Hosting Company
Client’s Concern: “Shouldn’t the hosting company or web development agency be held liable if something happens to my website?”
Priority Web Services Advice: The hosting company is akin to a landlord who leases you a property where you can stay. In this case, the property is the server on which your website is hosted. If something happens to your home, such as your valuables being stolen, your landlord won’t be held responsible for the loss. Similarly, hosting companies or web development agencies aren’t legally obliged to provide support if your website has been hacked or infected with malware.
While competent web hosting companies implement a certain degree of protection on their servers, they still can’t guarantee full protection or recovery. As such, we strongly advise business owners to learn how to regularly back up their website to allow for a full recovery should anything go wrong.
2. Conduct a Regular Backup of the Website
Client’s Concern: “If full protection isn’t guaranteed in the first place, then the web development agency must constantly back up my website in case anything goes wrong.”
Priority Web Services Advice: Web agencies may or may not constantly back up your website, depending on their process or service standards. Since websites nowadays are dynamic, business owners personally update and manage their content via the Content Management System (CMS). When this happens, the web development agency will be unaware of the changes made to the website, which is why it’s impossible for it to know when a backup is necessary.
With this in mind, we advise you to engage reliable web agencies like PWS Design that can provide you with hosting services which come with automatic weekly backups. However, we still recommend that you regularly back up your website yourself, especially if you frequently update your website’s content. This protects you from losing important and sensitive data: your own backup serves as a safety net for recovering your website, especially in the unlikely event that your web hosting company’s backup fails or gets corrupted.
3. Change Your Default Password Immediately
Client’s Concern: “My website went live and my web development agency provided me with a complex cPanel and CMS password. I’m thinking of not changing the password because they may need to access it in the future. If I do change the password, I may just reset it to something that’s easy to remember.”
Priority Web Services Advice: We don’t need to know your password after project handover unless you need our backend support. It’s just like lending your key to your house decorator. Once their work is done, they won’t need your key anymore. Instead, you ask for your key back to ensure the security of your place.
As for your cPanel and CMS passwords, it’s important to change them as soon as your website goes live. Never use a simple or easy-to-remember password; otherwise, you’ll be putting your website or business at risk. As a rule of thumb, it must consist of letters, numbers, and even special characters. Since you won’t usually access cPanel and the CMS on a daily basis, you can keep such complex passwords in a Word or Notepad document, and put it in a safe folder on your computer.
In addition, avoid sharing your cPanel password with everyone in your team. If a member of your staff needs to update or manage content, you can just give them your CMS password to do so.
4. Safeguard Your Visitors’ Personal Data
Client’s Concern: “How do I ensure that my website complies with the Personal Data Protection Act and that I won’t be penalised by the Personal Data Protection Commission?”
Priority Web Services Advice: Your website is required to have an SSL Certificate, particularly if it has a feature which asks for a user’s personal details such as their name, contact number, and email, among others. If you still don’t have an SSL Certificate or are unsure about having one, please consult with us.
You must also ensure that you’re fully compliant with the Personal Data Protection Act because, once your website gets hacked and a breach in privacy occurs, the PDPC will check the following items:
- Do you have an SSL Certificate on your website?
- Do you use a Web Application Firewall for your site?
- Do you keep your password complex and secure?
- Who can access the information you collect from the website?
- Are site administrators the only people allowed to access data collected from the website?
- Who is your web hosting company and/or web development agency?
These things will allow them to know if you are using the best practices for your website, or if you’re just saving costs for the sake of putting your business online. Bear in mind that engaging a competent web development agency and a reliable hosting provider is more cost-effective in the long run, with the chances of a breach or attack being reduced drastically.
5. Be Familiar with Malware
Client’s Concern: “I’ve been informed that my website has malware. Can you explain what malware is and what will happen if I do not remove it? Is there any web hosting provider that can guarantee a malware-free website?”
Priority Web Services Advice: Malware on a website or server is akin to a virus in the human body. There are different types of malware and they have varying effects on your website. While some malware redirects your visitors to a potentially harmful website, other malware steals credit card information.
With this in mind, not removing your site’s malware will have varying consequences depending on its severity. In extreme instances, your website can be defaced and will no longer load. The malware may also be suspected of phishing for credit card details. When this happens to your website, you will be contacted and investigated by the Singapore Police Force.
Minor malware-related incidents may cause the web hosting company to suspend the website or limit its admin features, which can include blocking edits in the CMS and disabling all enquiries and orders.
When malware appears on your website, we strongly recommend that you immediately work with a reliable web agency that can remove the malware and, at the same time, find ways to prevent another infection from surfacing.
Unfortunately, no web hosting company can guarantee that your website won’t suffer from any malware, just like no doctor can provide you with an all-in-one vaccine that can protect you from all known illnesses. However, most web agencies or hosting companies offer website packages that include support to remove malware.
6. Be Careful About Some Bad Computer & Internet Habits
Client’s Concern: “Apart from learning to regularly back up our website and to keep our password complex, is there anything else we need to know?”
Priority Web Services Advice: We recommend that you only access the cPanel and Content Management System on computers you trust. Otherwise, your site’s login credentials may be exposed to malicious entities, especially if the computer doesn’t have any anti-virus or anti-malware software installed. Other safety measures include:
- Not ticking the “remember password” checkbox when logging in
- Avoiding cPanel and CMS access at cyber cafes, on free computers at airports, on public networks, and more
- Equipping your computer with reliable anti-virus and anti-malware software
7. Know That Anyone is Prone to Attacks
Client’s Concern: “I am only a small business owner, and only a few people visit my website. I am sure my website won’t be prone to hackers or malware. I don’t even see any news about small websites being attacked by hackers or malware.”
Priority Web Services Advice: Malware harms websites, computers and even servers of any kind, regardless of size and popularity. It is intentionally designed to attack digital entities with weak security protocols, so unless you observe proper security and maintenance on your website, know that you are very vulnerable to threats from cyberspace.
Even if you haven’t read or heard any news about small websites being attacked, it’s unwise to assume that there are few to no such cases. In fact, there are hundreds or thousands of cases of SME websites being affected by malware. In this day and age, it’s always better to be safe than sorry.