
Website Security

Best Practices

Website security is a set of measures that are taken to protect a website from cyberattacks and exploitation, as well as ensuring that website data remains private and is not exposed to cybercriminals. Successful attacks can cause costly clean-up, damage the reputation of the University, and discourage visitors from coming back.

For more information on safely collecting data with online forms and data privacy, please refer to our Forms & Data Collection best practices page.

Why?

On average 30,000 new websites are hacked every day [1]. Specifically, cybercriminals are looking to:

  1. Steal, change or destroy information, particularly your website visitors' personal information and data.
  2. Install malware that will spread and wreak havoc on your website visitors' devices.
  3. Serve up or direct your website visitors to questionable or embarrassing content.

In a nutshell, hackers are out to embarrass and degrade the reputation of respected businesses and institutions, as well as make people's lives hard and steal their money.

How?

1. Use SSL certificates and HTTPS

  • Encryption is the process of making data unreadable to anyone other than the intended recipient. You can make this happen by using a security certificate (also known as an SSL certificate, a TLS certificate, or an HTTPS certificate), and serving your web pages via the HTTPS protocol rather than the HTTP protocol.
  • Your users will be able to detect this happening by looking at the web location bar in their browser and seeing "https://" in the URL, as well as a padlock next to the URL.
    [Image: encrypted connection location bar]
  • While this is one of the most basic website security measures, it’s so important that popular browsers and search engines are now labeling sites that don't use SSL as “insecure,” which could make visitors suspicious.
  • Please note if your website is hosted with any of the 3 central web teams (UIT, UMC or UHealth) or with UIT's Software Platform Services team, this will be taken care of automatically.

2. Keep all software up to date

  • Make sure you keep current on updates for your entire stack of technology (OS, web server, database server, CMS, third-party plugins), particularly security patches.
  • Use auto-update features, or check for updates at least once a week. 
  • If you are running your own instance of an open source content management system (CMS) such as Drupal, WordPress or Joomla, be extra vigilant as hackers tend to target these well known systems.

3. Manage CMS third-party plugins responsibly

If you are running your own instance of an open source content management system (CMS) such as Drupal, WordPress or Joomla, vulnerable third-party plugins are your biggest risk [2]. There are a number of things you can do to minimize this risk:

  • Use as few plugins as possible.
  • Make sure you are using reputable plugins from reputable sites. Do your research!
    • Make sure the site is professionally designed and uses clear language.
    • Look for a valid company name and a physical address in the footer.
    • Do some Google searches with the domain name in quotes (e.g., “example.com”), along with keywords like "exploit", "vulnerability" and "security".
    • Do the same kinds of searches as above, but with the plugin name.
    • Check when the last update to the plugin was made. Avoid plugins that haven't been updated in over 6 months.
    • Check the number of active installs of the plugin. Anything below around 1,000 may not be actively maintained.
  • Periodically review your plugins to make sure they are still in good standing.
  • Keep plugins up to date. Use auto-update features if possible.
  • Clean up and delete plugins that you are no longer using.
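The plugin checklist above can be turned into a periodic audit. The script below is an added example, not part of this page or of any CMS; it assumes you have exported each installed plugin's directory metadata (latest version, last update date, active install count) alongside its local state, and it flags plugins that are unused, outdated, stale (no release in over six months) or have fewer than 1,000 active installs. The sample inventory is constructed.

```python
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 183      # "not updated in over 6 months"
MIN_ACTIVE_INSTALLS = 1000  # "anything below around 1,000"

@dataclass
class Plugin:
    """Directory metadata for one plugin plus its local state on our site."""
    slug: str
    installed_version: str
    latest_version: str   # newest release in the plugin directory
    last_updated: date    # release date of that newest version
    active_installs: int  # directory-wide install count
    enabled: bool         # activated in our CMS, or just left installed

def parse_version(v: str) -> tuple:
    """Dotted versions compare numerically ("1.10" > "1.9"); non-numeric parts sort last."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def audit_plugin(p: Plugin, today: date) -> list:
    """Return the checklist items this plugin fails; an empty list means good standing."""
    findings = []
    if not p.enabled:
        findings.append("unused: deactivated plugin is still installed, delete it")
    if parse_version(p.installed_version) < parse_version(p.latest_version):
        findings.append(f"outdated: {p.installed_version} installed, {p.latest_version} available")
    if (today - p.last_updated).days > STALE_AFTER_DAYS:
        findings.append("stale: no upstream release in over six months")
    if p.active_installs < MIN_ACTIVE_INSTALLS:
        findings.append("low adoption: under 1,000 active installs, may be unmaintained")
    return findings

def audit_plugins(plugins, today: date) -> dict:
    """Map each plugin slug to its findings, omitting plugins that pass every check."""
    return {p.slug: f for p in plugins if (f := audit_plugin(p, today))}

# Constructed sample inventory; slugs, versions and counts are invented for illustration.
TODAY = date(2021, 3, 19)
SAMPLE_PLUGINS = [
    Plugin("contact-form", "5.3.2", "5.4.0", date(2021, 2, 28), 5_000_000, True),
    Plugin("fancy-slider", "1.0.1", "1.0.1", date(2019, 6, 1), 420, True),
    Plugin("old-gallery", "2.2", "2.2", date(2021, 1, 10), 80_000, False),
    Plugin("seo-helper", "3.1.0", "3.1.0", date(2021, 3, 1), 250_000, True),
]

if __name__ == "__main__":
    for slug, findings in audit_plugins(SAMPLE_PLUGINS, TODAY).items():
        print(slug, *("\n  - " + f for f in findings))
```

Run it from a weekly job against your real inventory and treat any non-empty result as a ticket to update, replace or remove the plugin.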

4. Use University authentication/single sign-on (SSO) 

5. Limit access

  • Use the principle of least privilege to ensure that users can access only the systems and functions they need to do their jobs, and only for as long as they need it. 

6. Use a website monitoring tool

  • Time is of the essence when a website is under attack. A website scanner or monitoring tool will look for threats on a daily basis and will let you know right away so that you can minimize damage to your site. Some scanners will even automatically remove known malware.

Resources

Last Updated: 3/19/21