Maintaining a secure website is essential to protecting University of Washington data, users, and digital infrastructure. Whether you’re managing a WordPress site, a Drupal installation, or a custom HTML/CSS/JS project, following these best practices will help reduce risk and ensure compliance with UW IT security standards.
Keep software updated
Regularly update your content management system (CMS), plugins, themes, and server software. Updates often include critical security patches that protect against known vulnerabilities.
Use strong passwords
Require strong, unique passwords for all user accounts. Avoid reusing passwords across services. Where possible, enable two-factor authentication (2FA) to add an extra layer of protection.
Limit user access
Grant users the minimum level of access necessary to perform their roles. Review permissions regularly and promptly remove access for users who no longer need it.
Use HTTPS
Ensure your website uses HTTPS to encrypt data in transit. Most UW-hosted services support HTTPS by default. If you’re managing your own hosting, obtain and install an SSL certificate.
Back up regularly
Maintain regular backups of your website and database. Store backups securely and test them periodically to ensure they can be restored in the event of data loss or compromise.
Avoid unvetted plugins or themes
Only install plugins and themes from trusted, actively maintained sources. Avoid using outdated or unsupported software, as these are common vectors for security breaches.
Monitor for suspicious activity
Use logging and monitoring tools to detect unauthorized access, unexpected changes, or other suspicious behavior. Review logs regularly and investigate anomalies promptly.
Follow UW IT security guidelines
Refer to the official UW IT security resources for policies, tools, and additional guidance.