This was originally written as a bit of a guide for my clients and collaborators, an aggregation of similar tips I have given to many of them individually in the past in so many shorter emails and conversations. Since it is relevant to most website owners though regardless of their relationship with me, I decided to share it more broadly here.
Websites require maintenance, even those with the smallest of footprints.
If you do fall behind on maintenance (it happens to the best of us!) and something goes wrong, at the very bottom you’ll find some tips on what to do if your site goes down suddenly.
The vast majority of these tasks do not require a web developer or IT person, almost anyone can perform this maintenance so long as you have access to necessary logins, can follow instructions, and are willing to set aside the time.
I say “almost anyone” because some people are understandably uncomfortable with wading in to this stuff, they may get confused or a bit daunted by the user interfaces they have to use. In that case, just be sure that you are working with someone that can hold your hand through it or can simply do it for you. Also, not everyone has access to all of their service providers. If you’re in a different situation, for example if you retain a web developer, design studio, or IT person to continuously maintain your website, then these are worthy topics to discuss with them but ultimately they will probably need to complete these tasks for you.
But that’s all just the cherry on top. If you complete the tasks below I’d say you’re pretty golden, probably a step ahead of 80% of the site owners I’ve come across.
1. Check your payment methods and contact details
I would estimate that 75% or more of the “drop everything, there’s an emergency!” emails or calls that I get from clients are related to a billing lapse that they weren’t aware of. Usually the client finds out suddenly that their website is down, with seemingly no warning of any sort. And of course this often happens at the worst possible time by coincidence: on a weekend, during a client’s much-needed vacation, or before a major event where more people than normal might be checking the site.
This is why it is important to keep your payment method up-to-date with all of your website-related service providers. Of course, it’s hard to be sure to update everything when a payment card has expired, there are so many subscriptions to keep track of nowadays. I’ve certainly had failed transactions for my own domain renewals in the past for example!
Because of this, it is essential that your service providers are able reach you. Any service provider worth their salt will warn you via email and give you a few days to get the transaction sorted. If you don’t resolve things in time though, they will rescind their service. This can be catastrophic: someone else snaps up your domain registration, or your site and all of the associated data and backups are deleted from your hosting provider’s servers.
Your main contact email address with each of your website-related service providers should be a valid email address that you or someone on your team uses regularly. You should check these contact details at least once a year. This will help you avoid a situation where, for example, a “failed transaction” email goes to a former employee or an email address you no longer use.
The service providers you need to consider will almost always include your domain registrar, your website host, and your email host. Many platforms bundle these three services together, so you may have one or more of these services with the same company. Besides these, you may also need to consider more specific functionality providers such as Google Maps or Adobe Fonts.
Besides checking the main contact email address, you should check that the rest of your contact details are correct as well. Domains in particular often have many different contact details associated with them, so be sure to dig through and correct all of the relevant areas.
And besides checking your email address with your service providers, you should also be sure that their email can actually reach your inbox. If you have spam filtering, check that their important emails aren’t caught in the spam filter and sent straight to your junk folder.
2. Review your login hygiene and security practices
Another emergency call that no one likes to make or receive: “My website has been hacked!” By “hacked”, I mainly mean it has either been defaced (for the lolz 😕), it has been harnessed as part of a botnet, it’s spreading malware, or it has been filled with spammy links for dirty search engine optimization.
Website hacks are thankfully very rare in my experience—I can count the number of times I’ve had to deal with a compromised site on one hand—but it is a huge headache when it happens. It can have a negative impact on every aspect of your web presence, including your email trustworthiness or search engine ranking, and it can be very difficult to clean up since it often takes time before the malicious intrusion is detected.
Besides the headache involved in the cleanup, there are regulatory considerations to take in to account as well. If you are subject to GDPR for example, as all of my clients are, then website security likely forms part of your compliance since most websites hold some amount of personal data.
So it is critical to put yourself in a good position by maintaining good security practices.
There are a lot of ways that a hacker can gain access to a website. Sometimes it is through poor programming, for example not sanitizing data that a visitor submits via a form. Sometimes it is through poor security practices on the part of the hosting provider, for example shared hosting services that haven’t sufficiently isolated accounts from one another. Sometimes it is due to out-of-date software with security vulnerabilities (see heading #3, Perform updates and take backups regularly!).
But in my experience, by far the most common cause of a breach is lax login details. This is frustrating because it is a so much easier and less expensive (!) to preemptively enforce strong logins than it is to clean up a compromised website. A little bit of maintenance in this regard can go a long way.
Top tip: Get a password manager
My very top recommendation: get a password manager. I quite literally cannot imagine working without it, and I’m not sure how any organization could manage data compliance successfully without a password manager.
Password managers all broadly offer the same thing, a way to keep on top of the hundreds of username+password combinations you’ve created over the years. But they do vary in terms of the features they offer and their cost.
When deciding on a password manager, you want to look for one that is compatible with your computer and smartphone and syncs smoothly between those devices, allows you to share login details securely with coworkers or other important people, gives warnings for duplicate or weak passwords, warns of accounts that have been compromised due to a hack of the service provider, suggests secure passwords for new accounts, and allows you to keep sensitive documents or card details safe. Personally, I can’t say enough good things about 1Password.
Login and password best practices for all
Besides this, these are a few basic login best practices everyone should follow.
- Never reuse passwords across multiple accounts; this includes minor variations in passwords such as
- Never reuse old passwords; see above regarding minor variations on old passwords
- Do not use common passwords;
test, curses, etc.
- The longer the better; unless there are restrictions enforced by the platform, your password should be at least 10 characters, ideally 14 or more
- Avoid using real words in your passwords where possible, instead opting for a random string with letters, numbers, and symbols
- If you must use real words for memorability, do not use words that are tied to your or your organization’s identity, and include numbers and symbols as well
- Don’t share login details in plain text
Points 1 and 2 are important because at this point, it is very likely that past login details associated with your email address have been part of a past hack. These data dumps are then used for future hacks. If you’re curious about whether or not your own email address has been associated with a compromised login in the past, try entering it on haveibeenpwned.com to see which hacks you’ve been a part of. Fun! 🙃
Points 3–6 are relevant because of brute force attacks, where a bot basically spams your login area with passwords in an attempt to get in. The more common passwords are usually tried first, and then more random combinations. The longer and more inexplicable the password, the longer (if ever) it will take to get in.
Point 7 basically means that you shouldn’t store or share passwords in spreadsheets, notes, or other text files, and especially not in the plain text of an email. If you have to share a password with someone, use an encrypted method such as Signal or iMessage. WhatsApp and Slack are encrypted as well, but since it is a little easier to gain access to a WhatsApp or Slack account, they’re probably best avoided for password sharing. I’ll say it again: get a password manager!
Additional security-related steps that should be taken wherever feasible
Beyond these basic password best practice suggestions which everyone should follow, there are a few other security-related steps that are worth taking where possible or if relevant.
- Don’t share login details with others
- Turn on multi-factor authentication wherever you can, particularly for your most important accounts
- Remove or demote a user account if it is no longer in use
- Turn on security notifications where you can
- Turn on domain privacy protection
Point 1 ensures that each person maintains responsibility over their individual account, makes it easier to isolate when or how a breach may have happened in relation to a particular account, and makes it less likely that you’ll slip up and share a password in plain text (why would you, when everyone has their own account?). It’s also critical for point 2, you can’t generally have multi-factor authentication if people are sharing accounts.
Point 2 is an absolutely surefire way of increasing the security of your accounts. Multi-factor authentication usually means logging in and then entering a code which you are sent. Where possible, it’s worth using an app like Authy for multi-factor authentication. Relying on multi-factor authentication via email or text can be less secure since phone SIM cards can be compromised, and of course email accounts can be compromised. If you set up multi-factor authentication, be sure to follow the instructions carefully including saving any login tokens they give you so that you can regain access to your account in the event that your multi-factor authentication fails (you lose your phone, you lose access to your email, etc.).
Point 3 ensures that old accounts won’t come back to haunt you. In some cases you might be able to delete old user accounts. In other cases, for example in the event that a content management system user has authored some blog posts and you don’t want to erase that authorship or their blog posts, it might be best to just demote the user to the lowest-possible access.
Point 4 is dependent on your service provider. Some service providers will give you notifications in the event that an administrator has logged in or a user has been locked out for too many password attempts. Have a dig around for these settings or ask your service provider for more information if you’re unsure whether or not this applies to you.
Point 5 is to avoid unnecessarily broadcasting the contact details associated with a domain registration. This can help avoid slightly more sophisticated attacks where someone uses these contact details for phishing or taking over your domain registration.
Where to start cleaning up your passwords?
Password cleanup is Sisyphean. It never, ever ends. So then the question is, where do you even start?
Again: a password manager really helps with this eternal climb up password mountain. Once you’ve installed a password manager on your devices, you can gradually begin collecting your username+password combinations via the software’s automatic prompts as you use logins in apps and online. You can begin tidying things up as more are collected, particularly if your password manager supports warnings for insecure or duplicate passwords.
But if you can’t get or use a password manager for some reason and just want to start somewhere, start with your own email address logins, as in the login details you use to access your emails on the web or in an email client like Mac Mail.
So much information can be gleaned from an email inbox. Password reset links, old login details (if you’ve ever slipped up and sent them via email in the past), information that can be used for social engineering hacks, it’s all in broad daylight. If you do nothing else, at least secure your inbox!
3. Perform updates and take backups regularly
This is somewhat related to the point above regarding security. The top reason to perform updates is to patch security vulnerabilities.
Besides this though, updates are worthwhile to extend the longevity of your website. It is a lot more straightforward to perform updates gradually over time than it is to make a major update from a very old version to a brand-spanking-new version of some software. By making updates periodically as opposed to waiting years, your website is more likely to grow with you as opposed to becoming a thorn in your side, and you can spread the cost (either financial or time-based) of maintenance as opposed to paying for it all in one go.
Unfortunately in many cases, you will not be able to complete website-related updates yourself. For example updating the PHP version used by a server is risky unless you can be sure that absolutely all of the software you are running on that server is compatible. Another example is updating a content management system. Although I would love to, usually I can’t give clients the ability to update a content management system themselves because there is too great a risk that some future update would break an aspect of their website due to a deprecation or another incompatibility. The exception is perhaps WordPress sites. Usually it is safe for a client to perform a WordPress update themselves so long as it isn’t a major version change (for example from v4 to v5), and to perform plugin updates themselves so long as the plugin is declared compliant with their current version of WordPress. Usually, but not always!
So with websites, it’s worth checking in at least once a year with your web developer to see if anything should be updated. If you have a WordPress site that you can’t or don’t want to update yourself, you should check in much, much more often. WordPress sites are unfortunately very heavily targeted by bots, making the updates that much more important.
What you absolutely can do, however, is keep your own computer, devices, and installed apps up-to-date. Vulnerabilities in these places can lead to email being compromised, which can open a whole can of worms with your website and beyond.
It is a similar situation with backups. In some cases you may be able to take backups of your website yourself, or your hosting provider may make regular backups for you.
If you don’t feel comfortable taking a backup yourself or your hosting provider doesn’t provide backups, then you should hire someone to do this for you at least once a year. You should do this much more often if you edit or add new content frequently. Or better yet, get your site moved on to a better hosting provider that includes backups as part of their service!
People and organizations have very different opinions on privacy policies. This is partly because the regulations vary so much throughout the world, and they continue to shift.
Finally, tips if your site suddenly goes down
If you’re ever in the situation where your site has gone down suddenly and you don’t know why, the first thing to do is check what’s going on with your hosting provider. You know how earlier I said that 75% of emergency emails I get from clients relates to billing? I’d say almost all of the remaining 25% is due to hiccups with hosting, servers going down temporarily and that sort of thing.
First, search online for any status pages or social media accounts maintained by your hosting provider. This will often tell you if it is an uptime issue on their end and how long a particular problem is likely to last. If they don’t publicly provide this information, reach out to your hosting provider’s support team. You can do this by phone, but I’d recommend email or a support ticket instead since a paper trail will be useful if you need to share it with your web developer or IT person later. Be prepared to let them know the last time you recall the site working normally, when you noticed that it was down, and any further details such as if it affects just one page or the whole site. The hosting provider should be able to shed some light on the situation whether it is a server problem, a billing issue, a fatal error, malicious behavior, or something else. If your hosting provider can’t provide an explanation, check in with your domain registrar’s support team in the same fashion.
The vast majority of the time, your hosting provider or domain registrar will be able to sort you out. If they can’t get to the bottom of the issue or can’t help though, it’s time to get in touch with your web developer!