[et_pb_section fb_built="1" fullwidth="on" _builder_version="3.18.9"][et_pb_fullwidth_post_title categories="off" featured_placement="background" text_color="light" _builder_version="3.18.9" title_font="||||||||" title_font_size="40px" meta_font="||on||||||" meta_font_size="18px" text_orientation="center" custom_padding="250px||250px||true"][/et_pb_fullwidth_post_title][/et_pb_section][et_pb_section fb_built="1" specialty="on" _builder_version="3.18.9" custom_padding="0|0px|0|0px|false|false"][et_pb_column type="2_3" specialty_columns="2" _builder_version="3.0.47" parallax__hover="off" parallax_method__hover="on" parallax="off" parallax_method="on"][et_pb_row_inner _builder_version="3.18.9"][et_pb_column_inner type="4_4" saved_specialty_column_type="2_3" _builder_version="3.0.47" parallax__hover="off" parallax_method__hover="on" parallax="off" parallax_method="on"][et_pb_text admin_label="REPLACE" _builder_version="3.0.87" background_size="initial" background_position="top_left" background_repeat="repeat" use_border_color="off" border_color="#ffffff" border_style="solid"]

Website security is sometimes neglected, or treated as an afterthought. Focusing on securing only one layer of your website leaves you vulnerable. Let's prevent that, shall we? Websites are static vectors for targeted and blanket attacks. To put it bluntly, if you have a website, you need to keep security first and foremost in mind. When it comes to website security there are many layers that need to be taken into account.

Before sharing key things to keep in mind when addressing security issues for your website, I am going to continue my theme of sharing my experiences so you can learn from my mistakes. I have had websites hacked before. If you have not experienced that stomach-dropping moment, let me tell you, it’s enough to turn your blood into ice, and cause your hands to start shaking. But it is not the end of the world.

It won’t happen to me

See no vulnerabilities, speak no vulnerabilities, hear no vulnerabilities
If you take nothing else from this post, take the knowledge that it is not a matter of if, but when your website will be compromised. We live in a world where the “bad peeps” are ahead of us technologically and the “good peeps” are playing catch-up. There is no such thing as 100% safe. Simply being online is a risk. Having that domain URL makes your target static and increases your risk of compromise.

Back before I really understood all the different layers of security that needed to be implemented, I thought I was safe. I was one blog in a world of millions of other blogs. I didn’t write about anything political. There was nothing being posted that could be considered controversial. Still, I woke up one day to an email from a university's admin informing me that my website was attempting to attack one of their systems. Cue the cold sweat.

I was using WordPress, and my first thought was that the vulnerability was my site. I sat down with my host, and through a sleepless and stressful 26 hours we discovered the issue was not my site at all. It was previously unreleased vulnerability that targeted the hosting server. We were able to patch it and put rules in place to prevent it from happening again. In a way, I thank the bot that attacked the server, because it inspired me to focus on internet security for my Masters degree and really dig into what is really going on behind the scenes in all the click-bait news.

Website security is cake

Discovering that website security cake
You didn’t read that header wrong. Your website does not exist in a vacuum. The website is a collection of code which produces content for people to see. To serve that content a service such as Internet Information Services or Apache is running. Depending on your site, a database is used to store content. To run these applications, they need an environment.  This is usually a hosted server (physical or virtual).

These operating systems, along with all those other collections of code, are all individual attack vectors. These different systems are just for your website to exist. For a visitor to reach your site, they use a domain. That domain tells the computer to go out onto the internet and find the IP address associated with that unique name and direct all traffic that way. This adds yet another attack vector.

One thing I rarely see mentioned when it comes to website security is the users. Who has access to your site? Who can login to your site? Are they using a secure password? Are they using 2-factor authentication? When they login are they treated as an admin? Can they see and update everything? Does the person who is responsible for creating new job listings need to have access to editing the blog post that was written by someone in a different department? Now imagine if that user account was given carte blanche and its password was compromised.

As you can see, your website is actually a layered cake. Each layer works together to create that sugary goodness that presents your brand, content, and marketing to visitors. With all these layers to watch, it can seem daunting and instil a sense of impending doom. Do not fret though fellow website owner. Every single layer can be protected.

Protection as Prevention

Put all your pieces on the board to start, not after
Every day new vulnerabilities are being discovered which threaten to poison your brand or service. New attacks are created to exploit these vulnerabilities. In most cases, the attacks are not targeting your company directly. Instead, they become part of blanket attacks--testing every single domain, and IP, to find an attack vector. True website security requires each layer to be addressed. There are four key steps you should keep in mind:

Update - When the platform you’re using for your site, plugin, component, extensions, database, operating system, etc has an update, and it’s security related, then you must update. If your site is mission critical to your brand, you need to decide if you push that new update out without testing, but you need to keep it updated. The amount of websites still being defaced because they did not update the core code is staggering. Don’t become a victim to a situation you could have prevented.

Backup - Don’t just backup your website. Back up that database too. Hosting providers should be doing the same thing to their servers. And test the backups! I cannot tell you how many times I, and many other security professionals, have been called in to help fix a compromised site only to discover that the last working backup was from six months ago--or in one extreme case the backups never worked in the first place.

Protect - There are so many security tools out there for websites. Use them. Many offer anti-rootkits, firewalls, and antivirus. Those tools should also be used for your database and your hosting operating system.

Access Lists - Be aware of what each user can do, has access to, and the login process. Add 2-step verification to the login process. It is important to know who can do what. If Jim is no longer responsible for creating new blog posts for you, change their access level. Keep it updated.
As I said before, there is no such thing as 100% safe. Instead, what you can do is work to ensure each layer of your website is protected. This is one of the biggest reasons I advocate having someone whose sole job is to protect your website. This allows you to stay focused on making your company and brand shine.

[/et_pb_text][/et_pb_column_inner][/et_pb_row_inner][/et_pb_column][et_pb_column type="1_3" _builder_version="3.0.47" parallax__hover="off" parallax_method__hover="on" parallax="off" parallax_method="on"][et_pb_sidebar orientation="right" _builder_version="3.18.9"][/et_pb_sidebar][/et_pb_column][/et_pb_section]

No one likes rejection. Whether it's a romantic relationship or a business transaction, it's a similar sting to the heart. As a business, there are right ways and wrong ways to handle how you react when a client either rejects you or replaces you altogether. I can't help you on the romantic issue, sorry.

Keep Calm

If you discover a project you were slated to work on was passed off to someone else, don't get upset. Well, don't call your client screaming and yelling about it. They won't respond to that very well and it might kill your professional relationship with them. Feeling bad from the discovery is perfectly normal, but don't be controlled by your emotions. Instead, walk away from your computer/phone, take a deep breath, have some coffee, grab a snack, do literarily anything other than press SEND on that email you drafted. Take as long as you need to come down from your rage. It could take hours or days, but give yourself a chance to soothe your emotions to a calm state. Once you've calmed down enough to be rational, move on to the next step.

Ask What Happened

If you emailed or called your client about that project but heard nothing back, contact them again. Clients get busy, just like the rest of us, and maybe they lost your email in an inbox that is swimming with notices and meeting requests. They could have forgotten to get back to you about an update on the project. The date moved, or the money fell through, or something outside of their power occurred and they simply forgot to inform you of it. The likelihood it was something personal is very low, as long as you have been professional with them. Never take rejection personally.

Be Upfront

If you want to know more about what happened, be honest that you'd like to know if it was something you did. Was the project not going in the direction they wanted? Was it over budget? Were you not emailing them often enough? Were you emailing too often? Open the lines of communication and inform your client that you'd like them to be honest about what happened. Let them know that you'd like to avoid similar situations in the future, either with them or with other clients. This will make your client feel more in control and assure them that the truth won't hurt your feelings. It's a big reason why clients don't confront their designers. Rejection isn't easy for either party. Imagine how they might feel having to inform you that you've been replaced.

Always Be Professional

Throughout the entire process of discovery and inquiries, always be professional. If you see the end result of the project that was taken away, don't bad mouth it. Even if the quality is below what you would have produced, say nothing to your client about it. Again, the reasons for switching to another freelancer could have been outside of their control. They might not like the end results either but needed it done for one reason or another. Even if you never find out the real reasons why things fell through, don't forget to be professional.

Rejection Will Happen Again

The first few times you get rejected or replaced will hurt, but you'll get through it. It will happen again too, even with all the safety nets in place, it will happen again. The best practice is to learn how to deal with it like a pro and move on. Unless your client shuts the door of future opportunities, never shut one on them. They might come back later when the budget is bigger or someone else is in charge. Keeping an open door policy with past clients is better than shutting them out because your feelings got hurt. Don't take rejection personally.