All UCSB websites must meet minimum security standards, as outlined by UCSB IT and the University of California Electronic Information Security Policy.

All websites are under constant automated attack. Poor security practices lead to compromised sites that leak private information or spread malware to infect other systems and end users.

Good planning is crucial to ensure that you have a solid strategy for website security as an integral part of a wider cybersecurity stance. This includes documenting formal security procedures, fostering a security-first culture throughout the organization, and keeping an inventory of your web assets so you know what you are working with.

Best Practices

  • Keep software up to date and watch for security bulletins and critical vulnerabilities. The Cybersecurity & Infrastructure Security Agency publishes comprehensive alerts and bulletins.
  • Be careful what you put on your site. All HTML comments and JavaScript code can be read by site visitors.
  • Review the user accounts for your site on a regular basis. Remove accounts that are no longer performing admin tasks or creating and editing content.
  • Be cautious about letting non-authenticated guests submit data through forms, and do not allow them to upload files via web forms.
  • Do not share credentials with anyone administering your website, web app, etc.
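The file-upload point above is the one most often handled badly. As an added example (not code from the UCSB page or the Web Theme project), here is a server-side validator for a form that accepts files: it enforces a size cap, drops any directory part of the client-supplied name, allow-lists extensions, checks that the file content actually starts with the magic bytes of the claimed format, and stores the file under a random name so the visitor's filename never reaches the filesystem. The allow-list, the 5 MiB cap and the sample submissions are constructed for this example.

```python
import os
import secrets

# Allow-list of file types this form accepts, mapped to the magic bytes each
# format starts with. Constructed for this example; a real site would list
# only the formats it genuinely needs.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # hypothetical 5 MiB cap for form submissions


def validate_upload(filename, data, max_bytes=MAX_UPLOAD_BYTES):
    """Validate one uploaded file and return (accepted, reason, stored_name).

    stored_name is a random name carrying only the validated extension, so the
    client-chosen filename never reaches the filesystem.
    """
    if not data:
        return False, "empty file", None
    if len(data) > max_bytes:
        return False, "file too large", None
    if "\x00" in filename:
        return False, "invalid filename", None

    # Keep only the last path component so directory parts and ../ are dropped.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "missing extension", None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension ." + ext + " not allowed", None

    # The extension alone proves nothing: the bytes must match the claimed format.
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match extension", None

    stored_name = secrets.token_hex(16) + "." + ext
    return True, "ok", stored_name


# Constructed sample submissions: a real PNG header, a real PDF header behind a
# traversal-style name, a script with a disallowed extension, and HTML
# mislabelled as an image.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "../../report.pdf": b"%PDF-1.7\n%constructed sample\n",
    "avatar.php": b"not an image",
    "avatar.png": b"<html><body>not a png</body></html>",
}


def review_samples():
    """Run every constructed sample through the validator; returns {name: (accepted, reason)}."""
    return {name: validate_upload(name, data)[:2] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in review_samples().items():
        print(("ACCEPT " if accepted else "REJECT ") + name + ": " + reason)
```

The random stored name matters as much as the checks: even if a double extension such as `x.php.png` slips through with valid PNG bytes, the file is written as `<random>.png` in a directory the web server should never execute from.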

Hosting

  • Always use HTTPS (SSL/TLS certificates) on your sites. This prevents "not secure" browser warnings, helps guarantee information integrity, and protects passwords and submitted data.
  • Use automatically renewing certificates, or set up calendar reminders to renew certificates manually.
  • Do not share credentials with anyone administering your website, web app, hosting provider, etc.
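Calendar reminders only work if someone keeps them current, so a small expiry check is a useful backstop. As an added example (not from the UCSB page), this Python script takes the `notAfter` string that `ssl.SSLSocket.getpeercert()` returns, computes the days remaining, and classifies each site as ok, renew soon, or expired. The host inventory, the fixed "today" and the 30-day warning window are constructed for the example; `fetch_not_after` shows how to pull the real value from a live host.

```python
import datetime as dt
import socket
import ssl
from typing import Dict, Optional

WARN_DAYS = 30  # hypothetical lead time; set it to how long your renewal process takes


def days_until_expiry(not_after: str, now: Optional[dt.datetime] = None) -> float:
    """Days left on a certificate given its 'notAfter' string as returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)  # stdlib parser for that format
    current = (now or dt.datetime.now(dt.timezone.utc)).timestamp()
    return (expiry - current) / 86400.0


def renewal_status(days: float, warn_days: int = WARN_DAYS) -> str:
    """Classify remaining lifetime into the three states an owner acts on."""
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "renew soon"
    return "ok"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to a live host and return the leaf certificate's notAfter string.
    The default context validates the chain and hostname, so a bad cert raises."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def report(inventory: Dict[str, str], now: Optional[dt.datetime] = None,
           warn_days: int = WARN_DAYS) -> Dict[str, str]:
    """Map each host in a {host: notAfter} inventory to its renewal status."""
    return {host: renewal_status(days_until_expiry(na, now), warn_days)
            for host, na in inventory.items()}


# Constructed inventory (hypothetical hostnames) with notAfter values in
# getpeercert() format, plus a fixed "today" so the demo is reproducible offline.
SAMPLE_INVENTORY = {
    "dept-a.example.edu": "Jun  1 12:00:00 2025 GMT",
    "dept-b.example.edu": "Sep 15 00:00:00 2025 GMT",
    "dept-c.example.edu": "Apr 30 23:59:59 2025 GMT",
}
SAMPLE_NOW = dt.datetime(2025, 5, 2, 12, 0, 0, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(host + ": " + status)
```

For live use, replace the sample inventory with `{host: fetch_not_after(host) for host in your_hosts}` and run the script from cron or a CI job; a "renew soon" or "expired" result is what should page someone, not a browser warning reported by a visitor.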

Passwords

  • Always use an encrypted channel (HTTPS, SFTP, SSH, etc.) to log into a system; never send passwords in the clear.
  • Use long, complex passwords. The best passwords are generated by, and stored in, a password manager.
  • Create unique logins and passwords for each person that works on your site.
  • Use multi-factor authentication whenever possible, such as one-time codes delivered by email, SMS or an authenticator app, or push notifications.

UCSB Web Theme Sites

If you are using the UCSB Web Theme, almost all web security needs are met for you. The Office of Public Affairs team applies the Drupal security patches weekly so you don't have to. Automatic updates are pushed to all Web Theme sites, and the site owner is notified of new updates to audit.