
Written by Oscar

From hosting to user access: a team approach to website security

Keeping a website secure is a team effort.

It involves us, as the agency that built the site, the host provider, the IT team in your business, and, of course, your colleagues editing content in Craft CMS.

I like to imagine each part as a protective layer of defense against attacks, with the aim of stopping any perpetrators from reaching the center.

In this article, I cover some of the top-level aspects of security that you should consider as part of your setup: the website build, hosting environment, and user management.

At this point, my aim is not to delve into the details of specific types of attacks but to provide some practical steps you can take and questions you can start to ask teams.

Why is security so important?

One way to address this is to examine the risks. Let’s make it real! What is the reputational or financial cost to the business if:

  • Content is maliciously deleted, edited, or added.
  • Sensitive data is downloaded.
  • The website goes offline for a period of time.
  • The site drops off search due to an SEO poisoning hack and goes unnoticed for weeks.
  • Your site is inaccessible due to an army of bots.
  • Visitors to your site are inadvertently redirected away.
  • You lose all the content published on your site.
  • … insert your worst nightmare here!


In our experience, the risk of any of these events occurring is relatively low if you follow good practice; however, it only needs to happen once for stakeholders to panic and for the consequences to be costly to the business.

Given this context, you might think that security best practices are an easy sell; unfortunately, that’s not the case. It takes time (and therefore budgets are involved), and an ongoing coordination between teams is required.

And perhaps most crucially of all, you need buy-in and support from within your organisation.

Mapping your layers of defence

The robustness of your setup relies on teamwork. People from across organisations need to collaborate on an ongoing basis.

A good place to start is to sketch out your website setup and identify who is best placed to advise and maintain each part.

Each layer is there to make it harder for someone/something to achieve their goal, whether that be stealing information or disrupting access to your site.

Here are some of the things that should be considered:

CMS User management

Managing people’s access to the website is a vital and simple part of your security strategy.

I would break it down as follows:

Managing who has access

How do you determine who requires access, and what’s your process for removing access if they leave the business or their role changes? I suggest speaking to your HR team, if you have one, to discuss how website access can be included in any offboarding process. We have often found users with active accounts long after they have moved on to new pastures.

How users are given access

Ensure you use the activation links rather than sharing a password via email. I recommend including training and a guide on how to use the site, including instructions on how to keep access details confidential. If you’re a larger organisation, you may need to take advantage of Craft CMS's native single sign-on through the enterprise offering, for example, by controlling access via an Azure group.

What they can do once they have access

Discuss and agree on predefined user groups to manage the permissions assigned to each user. This would be determined by your particular website content setup and team. Craft CMS offers granular permission options that are additive, allowing you to assign multiple groups to a user.

Ensuring your users maintain their details properly

This one is important, so I’ll go into a little more detail…

  • Ensure that two-factor authentication (2FA) or passkeys are activated for all users.
  • When a user sets a password, check its strength. Is there a mix of uppercase, lowercase, numbers, and symbols? There is a handy plugin for Craft that does this for you.
  • Require users to reset their passwords every 90 days.
  • Passwords should be stored in a company-approved password manager. If you don’t have one, we can recommend one (Bitwarden, 1Password, etc.).
  • If you want to take it one step further, you can run the Craft CMS control panel on a separate subdomain and restrict access with something like Cloudflare One Time Pin. Users can then only reach the control panel after verifying that they control an email address on the approved list.
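The access questions above (who has an account, whether leavers have been removed, whether 2FA is on, whether passwords have aged past 90 days, and what a user in several additive groups can actually do) are the kind of thing a recurring review should check mechanically rather than by eye. The script below is an added example written for this article, not the agency's tooling and not a Craft CMS feature or export format: the CSV columns, the group names, the permission names and the HR staff list are all constructed stand-ins for whatever your own control-panel export and offboarding process provide.

```python
"""Audit a CMS user export against the access rules in the article.

Added example. USER_EXPORT, CURRENT_STAFF and GROUP_PERMISSIONS are
constructed sample data; a real review would feed in the CMS user export
and the HR list of current staff.
"""
import csv
import io
from datetime import date

# Constructed export of control-panel users (hypothetical columns, not Craft's schema).
USER_EXPORT = """email,groups,status,last_login,password_changed,two_factor
alice@example.com,editors;publishers,active,2024-05-28,2024-04-01,yes
bob@example.com,editors,active,2023-11-02,2023-10-15,no
carol@example.com,admins,active,2024-06-01,2024-04-20,yes
dave@example.com,editors,active,2024-05-30,2024-01-10,yes
"""

# Constructed HR list: the people who should still have access.
CURRENT_STAFF = {"alice@example.com", "carol@example.com", "dave@example.com"}

# Constructed group -> permission map; permission names are hypothetical.
GROUP_PERMISSIONS = {
    "editors": {"editEntries", "saveDrafts"},
    "publishers": {"editEntries", "publishEntries"},
    "admins": {"editEntries", "publishEntries", "manageUsers"},
}

STALE_LOGIN_DAYS = 90        # no login for this long: confirm the account is still needed
PASSWORD_MAX_AGE_DAYS = 90   # the 90-day reset rule from the article


def parse_export(text):
    """Turn the CSV export into a list of user dicts with typed fields."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "email": row["email"].strip(),
            "groups": [g for g in row["groups"].split(";") if g],
            "status": row["status"].strip(),
            "last_login": date.fromisoformat(row["last_login"]),
            "password_changed": date.fromisoformat(row["password_changed"]),
            "two_factor": row["two_factor"].strip().lower() == "yes",
        })
    return users


def audit_users(users, current_staff, today):
    """Return {email: [finding, ...]} for every user with at least one finding."""
    findings = {}
    for u in users:
        issues = []
        if u["status"] == "active" and u["email"] not in current_staff:
            issues.append("leaver-still-active")        # missed by offboarding
        if (today - u["last_login"]).days > STALE_LOGIN_DAYS:
            issues.append("stale-login")
        if (today - u["password_changed"]).days > PASSWORD_MAX_AGE_DAYS:
            issues.append("password-expired")
        if not u["two_factor"]:
            issues.append("no-2fa")
        if issues:
            findings[u["email"]] = issues
    return findings


def effective_permissions(groups, group_permissions=GROUP_PERMISSIONS):
    """Group permissions are additive, so a user in several groups gets the union."""
    perms = set()
    for g in groups:
        perms |= group_permissions.get(g, set())
    return perms


def run_audit(today_iso="2024-06-03"):
    """Run the audit over the constructed export as of a fixed review date."""
    return audit_users(parse_export(USER_EXPORT), CURRENT_STAFF, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for email, issues in sorted(run_audit().items()):
        print(f"{email}: {', '.join(issues)}")
```

Run as-is, the audit flags the leaver who still has an active account (and, being a leaver, also has no recent login, an expired password and no 2FA) and one current user whose password is older than 90 days. The point of the union in `effective_permissions` is that adding someone to a second group never removes a right, so a review has to look at the combined set, not at each group in isolation.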

Hosting Craft CMS securely

One of the great things about Craft is that you can host it anywhere you want (as long as you can meet the minimum requirements). But not all host providers are built equal! For many sites, Craft Cloud or Servd are great Craft-dedicated providers: sites sit behind their enterprise Cloudflare firewalls, and they offer decent backup options and supporting services (image resizing, content delivery networks, etc.). We have also successfully hosted on a wide range of other providers.

But there is always more you can do, and it’s worth checking for weak points. For this, I would simply ask your web agency or host provider lots of questions:

  • How is access to the hosting platform managed? Who are the people outside your organisation who will have access? Is two-factor authentication (2FA) available and activated for your account? Is the per-user access role-based? Who decides who gets access?
  • Is a software firewall sufficient, or do you need a dedicated firewall? Is it locked down by default?
  • Are your website's DNS records proxied? This means that the real address of your server is hidden from the outside world. One reason this is important is that it helps protect against Denial-of-Service (DoS) attacks.
  • Do you have a DoS defensive layer in place? Cloudflare is one of the most well-known players in this space.
  • What kind of backups are available? And does your business require offline backups from time to time? If you need to restore from a backup, what is the process?
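The "are the DNS records proxied?" question can be answered with a concrete check: every A/AAAA answer a public resolver returns for your hostnames should fall inside the address ranges your proxy/DoS provider publishes, and any that does not is handing out the origin's real address. The script below is an added example for this article, not a provider's tool: the proxy ranges and the resolver answers are constructed placeholders (documentation address space), and in practice the ranges come from your provider's published list and the answers from a public resolver or your zone export.

```python
"""Flag DNS answers that expose the origin server instead of the proxy edge.

Added example. PROXY_RANGES and PUBLIC_DNS_ANSWERS are constructed; replace
them with your provider's published ranges and real resolver answers.
"""
import ipaddress

# Constructed: ranges the proxy provider announces as its edge network.
PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Constructed: what a public resolver returned for each hostname (name, type, value).
PUBLIC_DNS_ANSWERS = [
    ("www.example.com", "A", "198.51.100.10"),
    ("www.example.com", "AAAA", "2001:db8:100::10"),
    ("example.com", "A", "198.51.100.10"),
    ("staging.example.com", "A", "203.0.113.25"),   # forgotten host, points straight at the origin
    ("example.com", "MX", "10 mail.example.com"),   # not an address record, ignored
]


def is_proxy_address(ip_text):
    """True if the address sits inside one of the provider's edge ranges."""
    addr = ipaddress.ip_address(ip_text)
    # ipaddress returns False for a v4 address tested against a v6 network, so mixing is safe.
    return any(addr in net for net in PROXY_RANGES)


def exposed_records(answers=PUBLIC_DNS_ANSWERS):
    """Return the A/AAAA answers that resolve outside the proxy ranges."""
    exposed = []
    for name, rtype, value in answers:
        if rtype not in ("A", "AAAA"):
            continue
        if not is_proxy_address(value):
            exposed.append((name, rtype, value))
    return exposed


if __name__ == "__main__":
    for name, rtype, value in exposed_records():
        print(f"{name} {rtype} {value} is not behind the proxy")
```

The constructed data reproduces a common finding: the main hostnames are proxied but a staging or secondary hostname still resolves directly to the origin, which defeats the purpose of hiding it. The fix is the one the article implies: proxy every record that points at the origin, and have the host's firewall accept web traffic only from the provider's ranges so the address is useless even if it leaks.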

How the website is built and maintained

We have secured user access and verified that the host provider meets our standards, but we also need to consider how the website is built and maintained.

Underpinning it all is the need for the development team to follow good coding practices, for example giving particular attention to any point where a visitor submits data to the site.

A strict Content Security Policy (CSP) is a key consideration that impacts many aspects of the website's frontend. This will rule out certain popular JavaScript libraries (to the frustration of some developers) and require that any external scripts added to the site be vetted and approved.

This often involves tracking scripts or tools, such as live chat or embedded functionality, like a form. To manage this complexity, we recommend documenting which scripts have been added, who approved them, their use, and that they have been whitelisted to run in the browser on your website.
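The two points above go together: a strict CSP only stays strict if the list of approved external scripts is written down, and a header that drifts away from that list is what an audit or penetration test will flag. The script below is an added example written for this article, not the agency's code and not a Craft CMS feature. It generates a nonce-based policy from a documented script registry and lints a policy for the weak settings an audit commonly reports; the registry entries, vendor origins and approver names are constructed, and it assumes the template layer places the same per-request nonce on every inline script tag.

```python
"""Build a strict Content Security Policy from a documented script registry,
and lint a policy header for the settings an audit would flag.

Added example. APPROVED_SCRIPTS and the origins in it are constructed; the
nonce must be regenerated per request and echoed into <script nonce="..."> tags
by the template layer (assumed here, not shown).
"""
import secrets

# Constructed registry: the "which script, who approved it, and why" record.
APPROVED_SCRIPTS = [
    {"origin": "https://analytics.example-vendor.com", "purpose": "page analytics",
     "approved_by": "marketing lead", "approved_on": "2024-02-12"},
    {"origin": "https://chat.example-vendor.com", "purpose": "live chat widget",
     "approved_by": "support manager", "approved_on": "2024-03-03"},
]

# Source expressions that make script-src or default-src effectively open.
WEAK_TOKENS = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

# Constructed example of a policy that would not pass an audit.
WEAK_EXAMPLE = ("default-src 'self'; script-src 'self' 'unsafe-inline' "
                "https://cdn.example-unknown.com; object-src 'none'; base-uri 'self'")


def new_nonce():
    """Fresh random nonce; generate one per response, never reuse it."""
    return secrets.token_urlsafe(16)


def build_csp(nonce, approved=APPROVED_SCRIPTS):
    """Strict policy: own origin, a nonce for inline scripts, and only registered hosts."""
    script_src = ["'self'", f"'nonce-{nonce}'"] + [e["origin"] for e in approved]
    directives = {
        "default-src": ["'self'"],
        "script-src": script_src,
        "object-src": ["'none'"],      # no plugins
        "base-uri": ["'self'"],        # stops <base> tag injection redirecting relative URLs
        "frame-ancestors": ["'none'"], # clickjacking protection
        "form-action": ["'self'"],     # forms can only post back to the site
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(header):
    """Split a policy header into {directive: [source, ...]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def lint_csp(header):
    """Return human-readable findings for common weaknesses; empty list means clean."""
    d = parse_csp(header)
    findings = []
    for name in ("default-src", "script-src"):
        for tok in d.get(name, []):
            if tok in WEAK_TOKENS:
                findings.append(f"{name} allows {tok}")
    if "script-src" not in d and "default-src" not in d:
        findings.append("no script-src or default-src: scripts are unrestricted")
    if d.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    if "base-uri" not in d:
        findings.append("base-uri missing")
    if not any(t.startswith("'nonce-") for t in d.get("script-src", [])):
        findings.append("script-src has no nonce, so inline scripts need 'unsafe-inline' to run")
    return findings


def unapproved_origins(header, approved=APPROVED_SCRIPTS):
    """Hosts allowed in script-src that nobody has documented and approved."""
    allowed = {e["origin"] for e in approved}
    return [t for t in parse_csp(header).get("script-src", [])
            if t.startswith("http") and t not in allowed]


if __name__ == "__main__":
    policy = build_csp(new_nonce())
    print("Content-Security-Policy:", policy)
    print("lint:", lint_csp(policy) or "clean")
    print("weak example lint:", lint_csp(WEAK_EXAMPLE))
    print("undocumented hosts in weak example:", unapproved_origins(WEAK_EXAMPLE))
```

Running the lint against the generated policy returns nothing, while the constructed weak policy is reported for `'unsafe-inline'`, for having no nonce, and for allowing a host that is not in the registry. That last check is the practical link to the documentation the article recommends: if an origin is in the header but not in the approved list, either the list is out of date or a script was added without review, and both deserve a conversation.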

Many of the larger corporations we work with now require a CSP to pass a security audit and/or a penetration test. And we can confirm from experience that retrofitting a policy is far more painful than considering it at the start - as with many things!

Lastly, CMS updates! We typically agree on a reasonable cadence for testing and applying updates released for Craft CMS, as well as any installed plugins. Critical bugs require attention outside of routine updates, and an SLA must be established for the speed at which they are tested and deployed.

Some general considerations

While I’ve just touched the surface in this piece, complexity can quickly compound. One of the risks associated with this is that no single person has a comprehensive understanding of the reasons behind past decisions. To counter this, I recommend summarising your setup and sharing manageable actions with clear roles and responsibilities.

However, I still suggest that one person be appointed in an organisation who maintains the checklist and audit process, and checks in with everyone involved to ensure that everything agreed upon has been implemented. This person should also set up recurring reviews, e.g., to verify whether the list of CMS users is up to date.

Ultimately, it comes down to fostering a culture where good security practices are embedded. One key factor to consider when evaluating any agency or company you work with is its accreditation, which demonstrates its commitment to good processes. This could include things like Cyber Essentials in the UK or an accreditation specific to your industry and the type of data being handled.