editione1.0.0
Updated October 9, 2023The next step of protecting your website is to turn on automatic operating system and software updates that will both prevent attacks and also help you recover in case something goes wrong. While there is the risk of an update causing a bug or issue, it is one less thing you have to think about or make time to do. For most websites that lack technical complexity, automatic updates are pretty low risk—unlike an unpatched website software that is relatively high risk.
Your website and its content is simply made up of many lines of code. More often than not, that code is not perfect. Think about it like building a fence. Anyone can go down to the hardware store and get wooden planks and make a fence. You don’t have to be a builder to do it, you just need some tools and have an idea of what you are trying to make. After making a fence, you need to maintain it. Maybe you built it to a certain height, but now there is a new neighborhood dog (or threat) that can jump it (or bypass the security of the fence). Or maybe the weather has taken its toll and over time the fence has fallen apart and caused gaps to show up.
The software you use to build your website is the same as the fence. You have to keep the software up to date to manage any new security holes that are found and also to maintain the code base it is built on. Updates for you are less about the flash new features, and more about maintaining security.
important If you are using a website builder service, you might not have to worry about underlying website software because this is taken care of by the vendor. If you are running your own website, or pay someone to run the software for you, you’ll need to make sure you or the software manager keep it up to date. Websites also have the concept of “plugins,” or additional apps or software that provides a specific feature. Common plugins include shopping cart features, customizable forms, or features to help you with SEO. Keep website software and plugins in mind when you are toggling on updates to happen automatically.
confusion If you don’t have the option for automatic updates, then you need to set a reminder to go into your accounts regularly to hit the update button. Updates can be released at any time, and a good frequency to check would be once a month. So set a time in your diary where you are often doing most of your month-end processes, and add in some time to log into your website hosting provider and CMS to run updates.
In addition to automatic updates, you need to have automatic backups. This will be a more common feature you can turn on, and will be important to have when something does go wrong. Maybe you miss updates for a few months, or someone gets access to your hosting provider or CMS account and wreaks havoc. Backups are like hitting a reset button to restore back to a period in time before the attack happened.
The problem is you often don’t know exactly when an attack happened. While you can always get help to find and restore the right backup, what you can’t do is to hire someone to fix the problem if there are no backups available. Think of it like having a spare tire in the trunk of your car. It is easier to flag someone down to help you replace your flat tire, but they can’t help you if you don’t have any tire to swap to.
important Configuring automatic backups is probably one of the single greatest actions you can take now that future you will greatly appreciate. You can most likely configure this with a button toggle in your hosting provider or CMS.
If not, chances are there is a well-reviewed and often-updated plugin you can download to handle this for you. When turning it on, there are two other things you’ll want to think about and configure:
How far back do my backups go? By default, most hosting providers create and save the past 30 days. This is better than nothing. If you have the space and you can, save up to six months worth. Most incidents are not noticed right away, and you might only notice after 30 days have already passed. A common approach is to save daily backups for 30 days, and then store one backup from each of the previous months.
Where are my backups stored? This comes down to who manages your hosting for you. A website builder will take care of storing these backups in most cases. For everything else, configure a backup solution that stores backups in a cloud account, like OneDrive, Google Drive, or Dropbox.
Cloud backups are essential because if an attacker gains access to your website, the first thing they will do is delete any logs and local backups, so you won’t detect their activity right away and won’t be able to reset everything when you do. They surely don’t want you to undo all their hard work. Storing your backups in a cloud account protects them separately from your website so an attacker can’t destroy or mess with them.
We spoke about how your website is just made up of lines of code. The more lines of code you have, the more problems you could have. If the fence you are making is miles long, it carries more risk than the one that just goes around a small house. If you don’t have to have all that software installed and running on your website, then now is the time to do spring cleaning. This is similar to the advice we gave on removing old apps from your phone that you no longer use.
When you initially set up your website, turn off any features or default software that you don’t need. Your website builder might by default come with different features like mail or file transfer features. These are commonly misused features that can be turned off right from the word go. If you have outsourced setting up your website, contractors might have remote access services enabled so they can get things set up for you. When they are finished, have a close-out chat where you go over how to maintain the new website, while also closing up any access that they might have left behind.
During your monthly check for updates, if you notice that some plugins, apps, or software have not had an update available in a long time, it could be that they are no longer supported. This isn’t an emergency now, but with time that feature can fall apart and become unsafe, so you will need to set aside time to replace it with something that is supported.