Security concerns don’t have an off-season. Now is always the right time to perform an audit of the way you approach security on your clients’ websites.
It’s worth noting that this is a battle you’ll often have to fight on two fronts. On one side, you’ll need to contend directly against those who wish harm to your clients’ sites. However, you may also experience some roadblocks put in place by the clients themselves. The good news is that the requirements for a safe and secure site are both minimal and achievable.
In this post, we’ll look at how to determine what your clients may need to ensure their websites’ security, and how to discuss this topic with them. Let’s talk!
What Do Your Clients Actually Need for Their Sites to Be Secure?
Most developers are on the same page when it comes to security. However, just to be crystal clear, here’s what we believe are the bare minimum requirements for a secure site:
- Protection against brute force attacks
- One or more methods for eradicating spam (or even better, stopping it at the source)
- Server protection against malicious attacks (and not just at the application level)
- A secure HTTPS connection for all visitors
Some of these elements (especially an SSL certificate) could be considered optional. However, these days Google insists that an HTTPS connection is important for all sites, and effectively penalizes those that don’t comply. Therefore, we’d argue that it has become a necessary component of site security.
Of course, some of your clients may feel that this list doesn’t go far enough. The business needs of each client will naturally play a role in how much you do for their site – which means you need to have a conversation with them.
How Should You Discuss Website Security with Your Clients?
The easy answer to this question is: The same way you’d discuss any other business-critical subject with your clients. However, we appreciate that in many cases, there’s an unspoken assumption that you will judge what security provision is needed on your own. This isn’t necessarily the wrong approach, but involving the client is usually a better choice.
Having the client on board will not only get your security plan approved faster, but will also help the client self-manage their site in the future. In other words, you’re asking them to take some ownership in keeping their site safe. This is key when implementing a security-first approach, as it gives your client the autonomy needed to play an active role.
What Tools Will a Secure Website Normally Require?
Ideally, the tools you’ll use will be the very best options available. Of course, this assumes that the client’s budget is up to the task. If money isn’t a serious barrier, you’ll likely want to include:
- A Web Application Firewall (WAF) from the likes of Sucuri or Cloudflare, which sits in front of the server and blocks malicious traffic.
- One or more premium WordPress plugins to help protect the site at an application level. Solutions such as Wordfence and Jetpack are excellent picks.
- A Content Security Policy (CSP). This is a fairly new option, but it offers a valuable layer of protection from Cross-Site Scripting (XSS) attacks: the policy is an HTTP response header that tells the browser which sources of scripts and other content the site is allowed to load, so injected scripts from elsewhere are refused.
- A premium Secure Sockets Layer (SSL) certificate.
- High-quality, enterprise-grade hosting. You’ll want to look for an expert in WordPress hosting that knows how to protect its users.
Of course, you can scale down from this list as needed, depending on your client’s specific requirements and budgetary restrictions. The majority of micro and small businesses, for example, can get by with the following:
- An application-level WordPress security plugin – either free or premium.
- A free SSL certificate, which can easily be obtained from Let’s Encrypt. This is a leading and fully-featured solution that’s supported by a majority of hosts.
- Potentially a WAF for added protection. However, lots of smaller blogs will forgo this element and instead rely on their hosts to deal with attacks at the server level (which is why the host should still be of the very best quality).
What about clients who are simply small-time bloggers without design experience, who have employed you to carry out the grunt design work (and ad hoc consulting)? In these situations, you may be able to suggest using plugins such as Jetpack and Akismet, and leave it at that.
Ultimately, the tools you use to make a site secure will be dictated by each client’s budget, willingness to implement multiple techniques, potential risks, and legal obligations. You’ll want to consider all of these factors before moving forward with a security plan.
Can Your Clients Work Towards a Secure Site Without Your Input?
Finally, you may wonder if your clients can (and should) take steps to improve site security on their own. The simple answer is: Of course! In fact, there’s plenty a client can do to complement a robust and well-implemented security plan.
None of these techniques are enough to halt hacking attempts or malicious attacks on a site completely. Even so, they can go some way towards helping your clients develop a security-first approach when managing their websites:
- As always, it’s important to use strong and secure passwords.
- Usernames should not be easy to guess, and user roles should be restricted to the minimum each person needs.
- Spam management is vital since clicking on unwanted links in comment and contact form submissions can bring a site to its knees.
- For more ambitious clients, there are plenty of code snippets available that slot into the .htaccess file and help protect a site under the hood.
Of course, you may want to work closely with your client on these tasks at first, especially the last one. These may even be steps you’re tasked to take care of on your own, and that’s fine. After all, what matters most is that the client’s site is as secure as possible, and taking control of the situation can still be the best way to do that.
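The kind of .htaccess snippet referred to above, written here as an added example rather than code from the original post: it forces the HTTPS connection discussed earlier and sets a Content Security Policy, first in report-only mode so it can be checked against a live WordPress site before it blocks anything. It assumes an Apache host with mod_rewrite and mod_headers enabled; the report endpoint path is a placeholder.

```apache
# Added example (not from the original post): .htaccess snippet for an Apache host.
# Assumes mod_rewrite and mod_headers are enabled; /csp-report-endpoint is a placeholder.

# 1. Send every visitor to HTTPS with a permanent redirect.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

<IfModule mod_headers.c>
    # 2. Tell browsers to keep using HTTPS for the next six months.
    #    Only sent on HTTPS responses (the HTTPS variable is set by mod_ssl).
    Header always set Strict-Transport-Security "max-age=15768000" env=HTTPS

    # 3. Content Security Policy in report-only mode: violations are reported to the
    #    placeholder endpoint, nothing is blocked yet. WordPress themes and plugins
    #    rely on inline scripts and styles, hence 'unsafe-inline' (which weakens the
    #    XSS protection). Review the reports, tighten the policy, then rename the
    #    header to Content-Security-Policy to start enforcing it.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; report-uri /csp-report-endpoint"
</IfModule>
```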
The security of your clients’ websites is one of your most vital responsibilities. Fortunately, many clients already have some idea about what’s required to run a secure website. Even so, it’s still smart to have a discussion about this topic, so you can direct them towards a safe setup that you know how to maintain.
When it comes to discussing site security with your clients, we recommend that you approach this task the same way you handle other business-critical decisions. Ultimately, each client should have a way to protect their server, site, and content from malicious intent. Stellar hosting is also a key component, as are the plethora of WordPress security plugins that are available.
How do you discuss site security with your clients? Let us know in the comments section below!
Featured image: Pixabay.