Who hosts your website? (Where does it live?)
Bluehost, HostGator, GoDaddy – you may be familiar with these companies, but not every hosting provider is the same. Before choosing one, do enough research to be sure your website will be in good hands: how often backups are taken and how far back they go, whether a web application firewall is included, and how quickly the provider responds when a site is compromised. A general-purpose host such as GoDaddy does not bundle the same WordPress-specific protections that a managed provider like WP Engine does.
At Integris, we chose our provider carefully based on our security posture. WP Engine covers the controls we require: daily backups, managed firewall rules and patching, and a response time that ensures that if something does happen, they can have your site up and running again. Caveat: WP Engine only hosts WordPress websites. WordPress is a sound choice for small- to medium-sized businesses in terms of customization and, provided the core, themes and plugins are kept updated, security; the large majority of disclosed WordPress vulnerabilities are in plugins and themes rather than in the platform itself, so plugin hygiene is where most of the risk sits.
You need to make sure that your hosting provider has enough security measures in place, and a tested restore procedure, so that if something happens to your website they can be a resource to assist you in recovering it. Ask how long a restore takes and whether they have actually performed one; a backup that has never been restored is an untested assumption.
Who has access to your website? (Who can get in?)
Internally, an employee who thinks they know what they can and cannot touch can easily make a change to the domain registration or to DNS (the Domain Name System, the records that map your domain name to your web and mail servers). In doing so they can completely take down your company email and website, so that nobody can reach either. DNS changes also take time to propagate: resolvers across the internet cache each record for as long as its TTL (time to live) allows, so a mistake in a record with a long TTL can mean 24 to 48 hours of downtime even after it has been corrected. Before any planned DNS change, lower the TTL on the affected records well in advance, so that a mistake can be reversed in minutes rather than days.
Externally, on the marketing side, we see many more people with access: an SEO provider, a developer, a designer, all with accounts on your site. You don't always know how their employees feel about your company, and you have no visibility into what is going on on their side. If they have access and one of their employees becomes disgruntled, you can be affected by it, even though it has nothing to do with your own employees. Give each outside party its own named account with the lowest role that does the job (an SEO firm rarely needs Administrator), review the account list periodically, and remove accounts the moment an engagement ends.
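As an added example (not code from the article or from any provider), a small Python audit that reads a BIND-style zone file and reports which records would be slow to undo after a mistaken change, and how long the worst case is. The zone text, the example.com names, the addresses and the TTLs are constructed for illustration.

```python
"""Zone-file TTL audit.  Added example, not from the article; the zone text,
example.com and the addresses below are constructed for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed BIND-style zone.  Note the 172800 s (48 h) TTL on the web
# address record: a typo there would keep being served for up to two days.
SAMPLE_ZONE = """\
$TTL 86400
@        IN SOA   ns1.example.com. hostmaster.example.com. (2024010101 7200 900 1209600 3600)
@        IN NS    ns1.example.com.
@        IN NS    ns2.example.com.
@ 172800 IN A     203.0.113.10      ; web server
www      IN CNAME @
@    300 IN MX 10 mail.example.com.
mail 3600 IN A    203.0.113.20
"""

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)


@dataclass
class Record:
    name: str
    ttl: int      # seconds
    rtype: str
    rdata: str


def parse_ttl(text: str) -> int:
    """'300', '2h', '1d' -> seconds, as BIND reads them."""
    m = _TTL_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not a TTL: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def parse_zone(zone: str) -> list[Record]:
    """Minimal parser: $TTL, optional per-record TTL, optional 'IN' class,
    single-line records.  No $ORIGIN, no records continued across lines."""
    default_ttl = None
    records: list[Record] = []
    for raw in zone.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.upper().startswith("$TTL"):
            default_ttl = parse_ttl(line.split()[1])
            continue
        if line.startswith("$"):
            continue                           # other directives not needed here
        fields = line.split()
        name = fields.pop(0)
        ttl = default_ttl
        if _TTL_RE.fullmatch(fields[0]):
            ttl = parse_ttl(fields.pop(0))
        if fields[0].upper() == "IN":
            fields.pop(0)
        if ttl is None:
            raise ValueError(f"no TTL for record {name!r} and no $TTL set")
        rtype = fields.pop(0).upper()
        records.append(Record(name, ttl, rtype, " ".join(fields)))
    return records


# Record types you would actually edit when moving a website or mail server.
EDITABLE = ("A", "AAAA", "CNAME", "MX")


def slow_to_undo(records: list[Record], max_ttl: int = 300) -> list[Record]:
    """Records to lower ahead of a planned change: anything you might edit
    whose TTL exceeds max_ttl seconds."""
    return [r for r in records if r.rtype in EDITABLE and r.ttl > max_ttl]


def worst_case_propagation_hours(records: list[Record]) -> float:
    """How long a resolver may keep serving the old answer after you change
    (or break) a record: the largest TTL among the editable records."""
    return max((r.ttl for r in records if r.rtype in EDITABLE), default=0) / 3600


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for r in slow_to_undo(recs):
        print(f"lower TTL before change: {r.name:<5} {r.rtype:<5} ttl={r.ttl}s ({r.rdata})")
    print(f"worst case before a fix is seen everywhere: "
          f"{worst_case_propagation_hours(recs):.0f} h")
```

Run it against a zone export from your DNS provider a day or two before a planned change, lower the flagged TTLs to 300 s, wait out the old TTL, then make the change; after it has settled, the TTLs can go back up.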
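One way to do the periodic review, as an added example that is not Integris's tooling or WordPress's own code: a Python pass over the JSON that WP-CLI's `wp user list --format=json` produces, flagging privileged accounts at outside domains and generic login names, and printing the WP-CLI command that applies the least-privilege fix. The company domain, the users and the agency domains in the sample export are constructed.

```python
"""Access review for a WordPress site.  Added example, not Integris's tooling.
The input is the JSON that WP-CLI's `wp user list --format=json` produces for
the fields below; the users, logins and domains here are constructed."""
import json

COMPANY_DOMAINS = {"example.com"}                    # assumption: the business's own mail domain
PRIVILEGED = {"administrator", "editor"}             # roles that can change pages or the site
GENERIC_LOGINS = {"admin", "administrator", "root", "test"}

# Constructed export, shaped like:
#   wp user list --fields=ID,user_login,user_email,roles --format=json
SAMPLE_EXPORT = json.dumps([
    {"ID": 1,  "user_login": "owner",      "user_email": "owner@example.com",         "roles": "administrator"},
    {"ID": 7,  "user_login": "seo-agency", "user_email": "team@seo-vendor.example",   "roles": "administrator"},
    {"ID": 9,  "user_login": "designer",   "user_email": "pat@design-studio.example", "roles": "editor"},
    {"ID": 12, "user_login": "jsmith",     "user_email": "jsmith@example.com",        "roles": "author"},
    {"ID": 15, "user_login": "admin",      "user_email": "admin@example.com",         "roles": "administrator"},
])


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _roles(value) -> set:
    # WP-CLI emits roles as a comma-separated string; accept a list as well.
    return set(value) if isinstance(value, list) else set(value.split(","))


def audit_users(export_json: str, company_domains=COMPANY_DOMAINS) -> list:
    """One finding per account that deserves a look, with the WP-CLI command
    that applies the least-privilege fix (run it only after confirming the
    engagement really is over or the role really is excessive)."""
    findings = []
    for u in json.loads(export_json):
        roles = _roles(u["roles"])
        login = u["user_login"]
        reasons, fix = [], None
        if _domain(u["user_email"]) not in company_domains and roles & PRIVILEGED:
            reasons.append("third-party account with a privileged role")
            fix = (f"wp user update {login} --role=contributor   # or, if the engagement has ended:\n"
                   f"  wp user delete {login} --reassign=1")
        if login in GENERIC_LOGINS:
            reasons.append("generic login name, the first guess in a password-spraying attack")
            fix = fix or (f"wp user create <new-login> <email> --role=administrator "
                          f"&& wp user delete {login} --reassign=<new-id>")
        if reasons:
            findings.append({"login": login, "roles": sorted(roles), "reasons": reasons, "fix": fix})
    return findings


def administrators(export_json: str) -> list:
    """Logins holding the administrator role; a long list is itself a finding."""
    return [u["user_login"] for u in json.loads(export_json)
            if "administrator" in _roles(u["roles"])]


if __name__ == "__main__":
    print("administrators:", ", ".join(administrators(SAMPLE_EXPORT)))
    for f in audit_users(SAMPLE_EXPORT):
        print(f"\n{f['login']} ({', '.join(f['roles'])}): {'; '.join(f['reasons'])}\n  {f['fix']}")
```

WordPress core does not record last-login time, so "stale" cannot be read from this export; pair the review with your MFA provider's or host's login logs to find accounts nobody has used.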
What layers of security are in place? (Is it protected from hackers?)
The first thing you should have in place on your website is a TLS certificate (still commonly called an SSL certificate). It is what puts the padlock in the browser's address bar next to the site name. The certificate proves to the browser that it is talking to the genuine server for your domain, and that lets the browser set up an encrypted HTTPS connection, so anything submitted through the site (contact details, payment information, private data of clients or prospects) cannot be read or altered in transit. If you collect any of that, you need one.
This is another example of where they are not all the same, but not in the way people often assume. A certificate does not come with a "level of encryption": the strength of the encryption is set by the server's TLS configuration (which protocol versions and cipher suites it accepts), and a free domain-validated certificate from Let's Encrypt protects traffic exactly as well as an expensive one. What differs between certificate types is validation: a domain-validated (DV) certificate only proves control of the domain name, while organization-validated (OV) and extended-validation (EV) certificates also tie the certificate to a verified legal entity, which some businesses want for assurance even though browsers no longer display them differently. Google favors HTTPS sites, and people have found the easy route of a basic DV certificate, which is fine for a site that collects nothing. If you collect payment information or private data, what you should be thinking about is the configuration behind the certificate: TLS 1.2 or later only, modern cipher suites, automatic renewal before expiry, and, for card payments, taking card data through a PCI DSS compliant payment processor rather than handling it on your own site.
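To make the point concrete, an added example (not from the article or any hosting provider) using Python's standard `ssl` module, which wraps the same OpenSSL settings a web server exposes in its configuration file: a permissive server context beside a hardened one, and an audit function that flags what a reviewer would reject regardless of which certificate is installed.

```python
"""Audit a TLS server configuration.  Added example, not from the article or
any hosting provider: it uses Python's standard ssl module, which wraps the
same OpenSSL settings a web server exposes in its config file."""
import re
import ssl
import warnings

_KX = re.compile(r"Kx=(\S+)")
_AU = re.compile(r"Au=(\S+)")


def weak_context() -> ssl.SSLContext:
    """The 'any certificate, any cipher' setup: everything OpenSSL knows,
    including RSA key exchange (no forward secrecy), CBC-mode ciphers and
    anonymous suites, with TLS 1.0 allowed where the build permits it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:                  # builds without security levels
        ctx.set_ciphers("ALL")
    try:
        with warnings.catch_warnings():   # Python warns that TLSv1 is deprecated
            warnings.simplefilter("ignore")
            ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ssl.SSLError, ValueError):    # builds that refuse old protocols: keep the default
        pass
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a certificate's 'level' cannot give you: TLS 1.2 or later, only
    ephemeral-ECDH AEAD suites (forward secrecy, no padding oracles),
    server-chosen order, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK")
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise; an empty list means the configuration passes.
    Cipher properties are read from OpenSSL's `ciphers -v` style description."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; require TLSv1_2 or later")
    for c in ctx.get_ciphers():
        kx = _KX.search(c["description"]).group(1)
        au = _AU.search(c["description"]).group(1)
        if au == "None":
            findings.append(f"{c['name']}: anonymous suite, no server authentication at all")
        elif not (kx.startswith(("ECDH", "DH")) or kx == "any"):   # 'any' = TLS 1.3, always ephemeral
            findings.append(f"{c['name']}: {kx} key exchange has no forward secrecy")
        elif not c["aead"]:
            findings.append(f"{c['name']}: not an AEAD suite (CBC/HMAC constructions invite padding-oracle bugs)")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        found = audit_context(ctx)
        print(f"{label}: {len(found)} finding(s)")
        for line in found[:5]:
            print("  -", line)
```

The hardened context would be loaded with the same certificate and key as the weak one; nothing about the certificate changes, only what the server is willing to negotiate. The same two knobs (minimum protocol and cipher list) are what `ssl_protocols` and `ssl_ciphers` set in nginx, or `SSLProtocol` and `SSLCipherSuite` in Apache.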
Besides a certificate, setting up 2FA (two-factor authentication) on the login is an important control. Everybody knows that the WordPress login page is www.yourwebsite.com/wp-admin (and /wp-login.php). You can change that, but it makes things more difficult for users, and an attacker can still find the new location, so moving the login page is obscurity rather than protection. The easier and more secure thing to do is to require 2FA. There are different forms of it, but the best one is a token on your phone; we use a service called Duo.
Duo is a managed service with a central admin console. Say you have an employee or a third party, like an SEO firm, who needs access to your website. They log in to the wp-admin page, the Duo token set up on their phone sends them a push notification, and they approve it. When you no longer want them to have access, you remove their device or user in the Duo console and the push simply stops coming. With Google Authenticator and the other free authenticator apps, the shared secret lives on their phone and you cannot reach it; you can still revoke access, but only on the WordPress side, by disabling or deleting the user or resetting that user's 2FA secret, which makes the codes on their phone useless. The practical difference is that a managed service gives you one console to see and revoke every enrolled device, with an audit trail, instead of hunting through individual site accounts when you fire that SEO firm or they have a disgruntled employee.
Authenticator apps and push approvals are more secure than 2FA codes sent by text message. We have seen cases where people's text messages were intercepted (for example through SIM swapping, where the attacker talks the carrier into moving the victim's number to a phone they control) and the attacker bypassed 2FA by reading the code there.
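The revocation point above is easiest to see in code. As an added example (not Duo's, WordPress's or Integris's code), here is a standard-library implementation of the TOTP scheme (RFC 6238) that Google Authenticator and similar apps use, with the site's side of it: enrol a user, verify a code with a replay guard, then revoke the user and show that the phone's still-valid secret no longer gets anyone in. The user name is made up and the enrolment secret is generated at random; the only fixed value is the RFC 6238 test vector used to check the implementation.

```python
"""RFC 6238 TOTP from the standard library, used to show why 2FA revocation
happens on the server, not on the user's phone.  Added example; not code from
Integris, Duo or WordPress.  The user name is made up."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30          # seconds per code, as authenticator apps default to
DIGITS = 6


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """The code an authenticator app shows at Unix time `at` (HMAC-SHA1 per RFC 6238)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def rfc6238_vector_ok() -> bool:
    """Sanity check against the SHA-1 test vector in RFC 6238 appendix B
    (secret '12345678901234567890', T=59 -> 94287082, last six digits 287082)."""
    secret = base64.b32encode(b"12345678901234567890").decode()
    return totp(secret, 59) == "287082"


class SiteMfa:
    """The website's side: one stored secret per user plus a replay guard.
    The phone holds a copy of the secret; the site holds the only copy it
    can control."""

    def __init__(self) -> None:
        self._secrets: dict = {}     # user -> base32 secret
        self._last_step: dict = {}   # user -> last accepted time step

    def enroll(self, user: str) -> str:
        """Generate the secret; this is what the QR code hands to the phone."""
        secret = base64.b32encode(secrets.token_bytes(20)).decode()
        self._secrets[user] = secret
        self._last_step.pop(user, None)
        return secret

    def revoke(self, user: str) -> None:
        """Offboarding.  The phone still has the secret and still shows codes,
        but the site no longer has anything to check them against."""
        self._secrets.pop(user, None)
        self._last_step.pop(user, None)

    def verify(self, user: str, code: str, now: int, window: int = 1) -> bool:
        """Accept the code for the current step or `window` steps either side,
        never accepting a step at or before the last one already used."""
        secret = self._secrets.get(user)
        if secret is None:
            return False
        step_now = now // STEP
        for delta in range(-window, window + 1):
            step = step_now + delta
            if step <= self._last_step.get(user, -1):
                continue
            if hmac.compare_digest(totp(secret, step * STEP), code):
                self._last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    site, phone_clock = SiteMfa(), 1_700_000_000
    phone_secret = site.enroll("seo-agency")          # what the QR code delivered
    print("login  :", site.verify("seo-agency", totp(phone_secret, phone_clock), phone_clock))
    site.revoke("seo-agency")                          # the agency is let go
    later = phone_clock + 3600
    print("phone still shows a code:", totp(phone_secret, later))
    print("login after revoke:", site.verify("seo-agency", totp(phone_secret, later), later))
```

With a managed service such as Duo, `enroll` and `revoke` happen in the provider's console and the site only asks "did this user approve?"; with a self-hosted TOTP plugin they are the plugin's per-user settings in WordPress. Either way the control point is the server's copy of the enrolment, which is why offboarding never depends on getting hold of the phone.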