Back in 2007, I saw a rather shocking product video for a bullet-proof baby stroller, designed for safety-conscious urban parents. The site was slashgear.com, whose tag line is “Feeding Your Gadget and Tech Obsessions.” I thought it was silly and, with a price tag of $600, seriously overpriced. Still, when I started planning this article on website security, that was the first image that popped into my mind.
As with most owners of small businesses and professional practices, my reputation is my carefully nurtured baby. As someone who designs, writes copy for, and maintains websites and blogs for other business owners, the security of my own website is a major concern. I’ve recently completed a major site redesign and—as part of that effort—am reconsidering what precautions are necessary and reasonable to maintain site security without wasting time and money on a panic-driven lockdown that might render the site intimidating or completely unusable for my clients.
So far, each security option I’ve installed has been reactive. When the server where my static HTML site was hosted got hacked in 2003, I changed hosting companies and switched to the new host’s content management system. When that site fell victim to a database injection attack in 2008, after the hosting service refused to allow me to run more recent/more secure versions of PHP and MySQL, I switched hosting companies again and followed their recommendation to use WordPress as my CMS. Since then, although I haven’t noticed any problems, I’ve snapped up every security-related plugin I stumbled over. Inevitably, that practice led to frequent plugin conflicts and incredibly long load times for every page.
Finally, I’m taking a more rational approach, and planning it out ahead of time before I install anything beyond the latest WordPress basics. And I’m going to take you with me, one step at a time.