James Guest

Digital consultant & project manager

Ten steps to protect against vulnerability

When looking to start a new business or create an online brand, it’s important to choose the right digital service providers. It can be very easy to end up locked-in to inflexible vendors and in a mess that’s difficult to unpick. Follow these steps to help protect yourself against vulnerability or lock-in to any single provider.

1. Keep domain names separate from hosting, and in your own account.

If domains are kept separate from your website hosting, it is much easier to move hosting in the future should this be necessary. They should also be kept in your own account, not in your website developer’s account. 123-reg.co.uk is an excellent provider. Never register with very cheap providers, “domains for 1p” types – this can tie your domain to them forever and put their advertising on your site!

2. Keep email accounts separate from your hosting.

Don’t ask your web developer to manage email for you, as it’s not cost effective for them or you. Domain name providers usually provide free email forwarding, or inexpensive POP3 mail boxes. This is sufficient for most needs. For more comprehensive IMAP email I currently recommend Google Apps email. Make sure you have at least one active, full email account (POP3 or IMAP). Ensure you have at least have an info@ address for every other domain you own, forwarded to your primary email account.

3. Host websites on your own server.

This can either be your own account on a shared hosting provider such as Webfaction, or for complex or multiple sites, your own server(s) or a virtual server(s) from someone like Bytemark. Ensure hosting is registered to your company credit card. While you should get your web developer to configure and support your hosting, you should not host on their own server or have them pay and charge on to you. While it may initially be easier for them and cheaper for you it means that your business is in their hands and vulnerable.

4. Ensure all third party services are registered in your name.

This can include things like Campaign Monitor (email marketing), Twitter, Facebook, Google Analytics, Google Adwords, Google Webmaster and so on. Register these to either your primary email address, or if one service per site is necessary, register to the info@ address for each site’s domain (ensuring it’s forwarding to an active email account as detailed above). You will need to supply log-in details to your developers, but again all accounts should be in your name, registered to your credit card.

5. Never get any email, domain, hosting or other services from your internet service provider (ISP).

Your ISP is the company that provides your connection to the internet. They often offer packages including email, web hosting etc, but these are usually severely limited and difficult to move away from. It’s always best to keep each service separate so you can swap out individual providers if necessary.

6. Keep everything separate for each organisation.

If you have several limited companies, separate organisations or web projects, it is also worth considering having separate accounts / servers for each of them. While this may be more to manage and set-up (and probably more expensive), it does mean you are totally encapsulated and portable. If there is a problem with one company the others are not effected. If you want to sell a company all digital assets are ready to go.

7. Hold the keys.

Always make sure you have a full and up-to-date record of all technology used, server addresses and log-in details. This should include system requirements, software and database version numbers, server IP address, SSH and/or FTP log-in details, superuser admin and control panel log-ins, database servername/name/username/password, and log-in details for all domain, email and other third party service providers. If you have registered these yourself as detailed above, then you many already have some of these. Your web developer or support provider will be able to supply the rest.

8. Don’t change anything yourself.

While you should hold a copy of all log-in details, you should not log-in or make changes to any server or service yourself without first consulting your developer or support provider. It is very easy to irrevocably damage things once logged-in, or at the very least bring sites down, or cause problems that will take several chargeable hours to resolve. Indeed, for this reason, many developers may refuse to provide you with the log-in access details described above unless they are also handing over full responsibility and support to you. In this case, it may be sensible (but costly) to have details held in Escrow by a third party. Usually it’s best if you agree to hold details on trust on the understanding that you (or any other developer you hire) will never access anything unless first discussing your plans with the existing developer or support provider. Any access will be logged by the server, so don’t break this trust.

9. Keep things simple and supported.

Websites can be developed in a multitude of ways using a number of different technologies. The choices will depend on your requirements and the preferences and skills of your developers. Due to the nature of digital any developments will need continual support and maintenance to ensure they keep working as intended. This may include installation of server security patches, recovery from malicious hacker attack, and website updates to fix issues caused by new web browsers or plug-in versions. All can be complex, take time and will need to be charged by your developer. For custom build projects the only people who can usually support the site cost effectively are those that originally built it. Others may be capable but they will be hard to find and will need to spend considerable time investigating the build. If they are not highly skilled and diligent they may even break as much as they fix. Mitigate this risk and the ongoing support burden by using third party ‘cloud’ services where possible. Google Analytics is a good example of this. If you need to build functionality aim to keep this simple and use suitable, mature, open source frameworks or systems like Drupal (PHP) or Django (Python). If you really must build complex custom developments ensure everything is documented and you maintain a good relationship with your developers.

10. Keep back-ups of everything.

For the purpose of disaster recovery (and to protect from supplier vulnerability) ensure you have a copy of all the latest, unencrypted, documented source code for your projects. This should also include design artwork files (as PSD’s or AI files), Flash and Flex source files (FLA, AS and MXML files) and uncompressed media assets. If you pay for a few extra hours work your developer should be able to gather and supply this at the completion of each round of development, perhaps as a download link. For complex developments you should consider hosting your own code repository or using an online service like Beanstalk or Github. Your developer should be able to set this up for you then keep all source code there as they develop. Dropbox is a good place for you and your developer to store and share the media assets and artwork. For data driven websites, also ensure you hold a ‘dump’ of the database along with the source code and also take regular database back-ups on-going. Hosting providers like Bytemark offer a back-up hosting for a monthly fee. Your developer should be able to create an automation script to interface with this. You should also aim to download the database back-ups yourself every once in a while.

Follow the advice above, and you’ll be protected from weak links in the provider chain. No one problematic service or supplier can totally bring your business down and can be swapped out with minimal disruption if necessary.

2 Responses to Ten steps to protect against vulnerability

  1. July 12, 2011 at 1:47 pm

    Thanks for a great article James, you make a lot of valid points. Although I do understand why you advise to keep hosting in the client’s own name, there are situations in which this is not practical. For instance, when a client requires the power of a dedicated server but cannot afford the outlay of renting an entire dedicated server themselves, espcailly with when very specific hosting environments are needed – this can be very expensive when you take into account set-up, maintenance and ongoing rental costs, often reaching hundreds of pounds or more per month. However, if backups are taken regularly and the domains decoupled from the hosting, if the worse came to the worse the client could recover by ‘swapping out’ the hosting service, setting up their site elsewhere and repointing the domain.

  2. James Guest says:
    July 12, 2011 at 3:20 pm

    Thanks Jamie. I totally understand and agree that specific hosting requirements can sometimes be necessary and costly for complex or custom builds. However, this in itself is a potential risk. I would normally factor in the hosting requirements when selecting a technology to use. Expensive, non-standard requirements may be a good reason to opt for an alternative technology. I also agree that set-up, maintenance and ongoing support costs are a factor. These should always be considered at that outset of a project, as they should be in addition to the hosting costs regardless of who owns the server.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>