Online Security for the Small Business Owner

As a small business website owner, you may be wondering what you can do to improve your online security — within the context of your current setup. Here are ways to keep people out of your accounts in the first place and limit the damage they can do if they gain access.

Limit Access

Your first goal is to keep unwanted people out of your accounts in the first place.

Be difficult. Strong passwords are the key element of limiting access! Lifehacker has a great article on passwords that are strong but still memorable if you need some assistance. A password manager can be a big help here as well, remembering all your strong passwords for you (except for the one you use to get into the password manager itself). You can compare various password managers at PC Mag and Lifehacker, or search for “password manager reviews.”

Be different. Never use default usernames: they give someone trying to break into your account one sublimely easy guess. In particular, on WordPress your administrator account username should not be “admin.” If it is, though, you can fix it. Usernames on WordPress accounts cannot be changed, but attribution of blog posts and pages can be transferred. So, if your username is admin, you’ll change it like this: create a new account with administrator privileges (and a stronger name), log out of your “admin” account and into the new one, and then delete the “admin” account. As part of the deletion process, you will be able to assign authorship of admin’s blog posts and so forth to your new account. For screenshots and more details, check out BobWP’s post How to Delete Your Default Admin Username Safely.

Be current. Keep your software up to date. Even the most well-tested software can contain security holes (vulnerabilities) that hackers can exploit to damage or access your site. When those are discovered, fixes are implemented and updates released, but those releases also amount to public announcements that the older versions are vulnerable, so a site that lags behind on updates becomes an easy target.

Be cryptic. Another sort of access you can limit is access to the communication between your website and its visitors (including you): SSL, or, in its current form, TLS. SSL secures your website by encrypting all information that passes between the site and the user, such as your password when you log in, so that anyone watching the connection cannot read or alter it. Your site will become HTTPS instead of HTTP, and most browsers will show a closed lock image in the address bar to indicate to visitors that the connection is secure. Note that going “HTTPS everywhere” can require some changes behind the scenes to maintain full functionality, but the benefit is security, increased visitor trust, and a boost to your Google rankings (see HTTPS as a ranking signal on Google’s Webmaster Central Blog). The easiest way to go HTTPS is to buy an SSL certificate through your web host, but you can also get free certificates through Let’s Encrypt.

Side note: Never enter credit card information or social security numbers on non-HTTPS sites.

Limit Impact

The second goal of online security is to limit the damage a hacker can do if one gains access to one of your accounts. There’s only one rule here: least privilege. Everyone and everything should have only as much access as needed to do the required work. This is a process of restriction and separation.

Least-Privilege Passwords: Use different passwords for different sites. If you have the same password for your blog, social media, and email accounts, then obtaining the password to one means gaining access to all. Imagine if losing your car keys meant your house and office were at risk as well! Again, a password manager can be very helpful for this.

Least-Privilege Hosting Accounts: If someone got access to your web hosting account, how many sites could they harm? Having distinct accounts is another separation you can make. There is a convenience cost to having to log into different accounts for different sites, and possibly a monetary cost for not “buying in bulk,” but if you have particularly sensitive websites, consider giving them their own hosting account. Your web hosting company should be willing and able to move the site files for you.

Least-Privilege Site Accounts: WordPress allows user accounts with varying permission levels. The endgame here is to have two accounts on your site, one with full permissions (Administrator) and one with only enough to let you write and edit posts and pages, add media, and manage comments (Editor). Log into the Editor account most of the time, and the Administrator account just at regular intervals – and on trusted internet connections – to apply software updates or edit widgets. Fewer logins means fewer opportunities for someone to grab the account’s credentials, so this way the account from which someone could do more damage is also less at risk. Enacting this change is very similar to changing your admin username: create a new Administrator account and log into it, but instead of deleting your previous account, change its role (permission level) to Editor. You can read more about WordPress user roles and permissions at The Theme Foundry.
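Both of the account changes described in this post (replacing the default “admin” account while keeping its posts, and demoting your everyday account to Editor) can also be done from the command line with WP-CLI, which many hosts provide. The script below is an added example, not part of the original post or of WordPress itself; it assumes WP-CLI (`wp`) is installed and is run from the site’s WordPress root, and the user names and e-mail address in it are placeholders. With `DRY_RUN=1` it prints the commands instead of running them, so you can review the steps before touching a live site.

```shell
#!/bin/sh
# Added example (not from the original post): the two WordPress account changes
# described above, done with WP-CLI instead of the dashboard.
# Assumptions: WP-CLI ("wp") is installed and the script runs from the site's
# WordPress root; user names and e-mail addresses below are placeholders.
# With DRY_RUN=1 the wp commands are printed instead of executed.
set -eu

# Run a wp command, or print it when DRY_RUN=1 so the steps can be reviewed first.
wp_run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'wp %s\n' "$*"
    else
        wp "$@"
    fi
}

# Replace the default "admin" account: create a new Administrator with a
# non-default login, then delete "admin" and reassign its posts and pages.
# No --user_pass is given, so WP-CLI generates a random password and prints it;
# store that in your password manager rather than choosing a weaker one.
replace_default_admin() {
    new_user=$1
    new_email=$2
    wp_run user create "$new_user" "$new_email" --role=administrator
    if [ "${DRY_RUN:-0}" = "1" ]; then
        new_id='<NEW_ID>'   # placeholder; the real ID comes from "wp user get"
    else
        new_id=$(wp user get "$new_user" --field=ID)
    fi
    # --reassign hands admin's content to the new account instead of deleting it.
    wp_run user delete admin --reassign="$new_id" --yes
}

# Least-privilege site account: the account you log into daily becomes Editor.
demote_to_editor() {
    wp_run user update "$1" --role=editor
}

# Check before demoting: list who still holds the Administrator role, so the
# site is never left without any administrator at all.
list_admins() {
    wp_run user list --role=administrator --field=user_login
}

# Usage (run once with DRY_RUN=1 to review, then without it), placeholder values:
#   replace_default_admin site_owner owner@example.com
#   list_admins
#   demote_to_editor site_owner
```

After `replace_default_admin`, log in as the new account and confirm the old posts now show it as author; only then run `demote_to_editor` on the account you use day to day, keeping a separate Administrator login for updates and widgets as the post recommends.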

Bonus Tip: Restore

You will never achieve 100% security, and damage can occur, so here’s your bonus tip: Make regular backups! An exploration of all the options would be a post in itself, but your web host likely offers backup service – in fact, some degree of backups may be included for no extra fee – and there are many WordPress plugins to assist you as well.
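If your host gives you shell access, a small script can produce the same kind of backup a plugin would, and, just as importantly, check that the backup can be read back. The script below is an added example, not code from the original post or from WordPress; it assumes `tar` and `gzip` are available, treats WP-CLI (`wp`) as optional for the database export, and the paths it is called with are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal backup of a WordPress
# site's files, with a database export when WP-CLI is available, plus a check
# that the archive can actually be read back. Assumptions: tar and gzip exist;
# paths passed in are placeholders; WP-CLI ("wp") is optional.
set -eu

# Archive the parts of a WordPress install that cannot simply be re-downloaded:
# wp-content (themes, plugins, uploads) and wp-config.php (settings, DB access).
# Prints the path of the archive it created.
backup_site() {
    wp_root=$1
    dest_dir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest_dir"
    archive="$dest_dir/site-$stamp.tar.gz"
    tar -czf "$archive" -C "$wp_root" wp-content wp-config.php
    # Posts, pages, users and settings live in the database, not in files,
    # so export it too when WP-CLI is present and the site is installed.
    if command -v wp >/dev/null 2>&1 && wp --path="$wp_root" core is-installed >/dev/null 2>&1; then
        wp --path="$wp_root" db export "$dest_dir/db-$stamp.sql"
    fi
    printf '%s\n' "$archive"
}

# A backup you have never tried to read is not a backup: list the archive and
# confirm the configuration file is inside. Returns 0 on success, 1 otherwise.
verify_backup() {
    tar -tzf "$1" 2>/dev/null | grep -qx 'wp-config.php'
}

# Keep the backup folder from growing forever: remove archives and database
# dumps older than the given number of days.
prune_backups() {
    dest_dir=$1
    keep_days=$2
    find "$dest_dir" \( -name 'site-*.tar.gz' -o -name 'db-*.sql' \) \
        -mtime +"$keep_days" -exec rm -f {} +
}

# Usage with placeholder paths:
#   archive=$(backup_site /var/www/example-site /var/backups/example-site)
#   verify_backup "$archive" && echo "backup OK: $archive"
#   prune_backups /var/backups/example-site 30
```

Copy the resulting archive and database dump somewhere other than the web server itself (a backup that sits next to the site is lost along with it), and run `verify_backup` after every backup rather than only when you need to restore.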

Keep it secret. Keep it safe.

Exploring Website Components: Domain

Your domain is the main address of your website, the part that ends in .com, .org or similar. Domains are registered with a central agency so that everyone across the world reaches the same website if they enter the same domain name in their browser.

The domain came late in There’s No Page Like Home, but can be very early in your actual process: in fact, you can register domain names well in advance of securing a hosting account, much less building a website. This allows you to reserve domain names for business ideas even if their timeline is years long. Domain names typically go for about ten dollars per year, so it’s an inexpensive investment to make sure you can get the name you want.

How do you go about securing a domain name?

  1. Start with your business name plus .com – that is what your customers will expect your web address to be. If your business’s name is more than three words long you may want to abbreviate or truncate it to avoid a superlong web address, but make sure people will recognize it as the same business.
    For example, if your business were Sue Ann Joseph’s Deep-Dish Pizzeria, SueAnnsPizzeria.com would be a recognizable shortening; JosephsDeepDish.com would likely be confusing.
  2. Check that domain’s availability. Your hosting provider should be able to do this, or you can visit a site like Whois.com and type the domain into the search bar.
  3. If the domain is available, register it! WhoIs does those transactions, and every web hosting company I’ve encountered does as well. You are free to have your domain registered through a different company from your web host; having them together simply gives some additional convenience, such as having a unified bill.

Sidetracks: When it’s not as easy as 1-2-3

There are three cases where you’ll have to consider alternate or additional domains:

  1. Your business name is unavailable.
    Smucker Companies, an insurance, rental, and construction business in Ohio, is at smuckercompanies.com. Whether they tried for smucker.com is unknown, but that domain belongs to the J.M. Smucker Company, of Smucker’s preserves.
  2. There are multiple versions of your business name people are likely to type in to a browser.
    The aforementioned Smucker’s owns both smucker.com and smuckers.com.
  3. Your business name leaves something to be desired as a domain.
    Essentially every non-Spanish-speaker needs Aquilino spelled for them.

If your business name is available as a domain, we recommend registering it, even if you also want another domain. You can have multiple domains pointing at the same website, an idea we’ll revisit later in this series.

In brainstorming additional domains, consider alternate shortenings of your company name, your products, location, tagline, and other terms and phrases used in your marketing materials. For example, compare apple.com and applerecords.com, or sunrisefarm.com and sunrisefarmvt.com. When we looked for a domain that was easier to communicate orally, we turned to our tagline and registered OneSizeFitsOneDesign.com as an alternate route to our website. It’s long, but shorter than spelling out Aquilino.

Just keep in mind that your site is for your clients or customers. As long as it’s easy for them to remember and to associate with the correct business, it’s a great domain.