Website Security – Who’s Responsible?

You hear stories daily about online security breaches and website security issues. We at Focus 4 often live it. It’s a big part of any web-focused business, and we know what to do about it.

In answer to the question above, we ALL share responsibility for website security, but the website host is primarily responsible for it. If this language isn’t in your hosting agreement or contract, it should be. If your website is breached, in most cases your host should be responsible for repairing it. (Note that this does NOT mean they should be required to repair it at no additional cost.) A breach of security on your website sometimes means that there’s a potential breach of the security of the entire server. The hosting service should be ready and willing to take prompt action, because a breach could potentially affect all of their clients.

The Importance of Secure Passwords

Websites built on popular open-source platforms such as WordPress, Drupal and DNN should be updated as program (version) updates become available. Security is the purpose of many of these updates, and if you don’t install them, your website is at greater risk of a breach. Keep in mind, though, that a little less than half of breaches are carried out by hacking into the website programming itself. About 50-60 percent are made possible because someone figured out the administrative user’s password. It’s of paramount importance not only that you have a strong password that combines numbers, letters and symbols, but also that you change it frequently. Hackers use software to guess passwords, and can also use spyware on your own computer without your knowledge. If your website is breached, your host should immediately require you to change your admin password for the website back end. Smart website owners do this even before being asked.

Some precautionary steps you can take to discourage a website security breach:

  • Review your password strength for the admin login to your website. It should be very difficult to predict. It should not include the names of your children, spouse, pets, or grandchildren, your favorite color, etc. The days of easy-to-remember passwords are gone. For companies, never use your company’s name or address or main product (or any form of these) as your password.
  • Never send (or have anyone else send you) a password via standard email in the same message that contains your username or the login web address. Better yet, don’t send passwords via email at all.
  • Check your computer for viruses and spyware/malware at least once a month.
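
The password review in the first step can be automated. The sketch below is an added example, not code from the original article: it checks for the letter, number and symbol mix described above and flags passwords that contain "any form of" a personal or company word, including common character swaps. The function names, the 12-character minimum and the sample words are assumptions made for illustration.

```python
import re

# Common character swaps undone before comparing against context words,
# so "B3ll@" is still recognised as a form of "Bella".
SWAPS = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case, undo common swaps, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(SWAPS))


def review_admin_password(password, context_words, min_length=12):
    """Return a list of problems; an empty list means no problem was found.

    min_length=12 is an assumed policy value, not a figure from the article.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "letter": any(c.isalpha() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")
    flat = normalize(password)
    for word in context_words:
        key = normalize(word)
        # Skip very short words so coincidental matches are not flagged.
        if len(key) >= 3 and key in flat:
            problems.append(f"contains a form of '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a pet name and a company name.
    context = ["Bella", "Acme Widgets"]
    for candidate in ["B3ll@2019!", "@cm3-W!dgets-2024", "qT7#vReK2!mZpW"]:
        print(candidate, "->", review_admin_password(candidate, context) or "ok")
```

An empty result only means none of these specific checks failed; it does not prove the password is hard to guess.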
