Skip to content

Website security

Maintaining a secure website is essential to protecting University of Washington data, users, and digital infrastructure. Whether you’re managing a WordPress site, a Drupal installation, or a custom HTML/CSS/JS project, following these best practices will help reduce risk and ensure compliance with UW IT security standards.

Keep software updated

Regularly update your content management system (CMS), plugins, themes, and server software. Updates often include critical security patches that protect against known vulnerabilities.

Use strong passwords

Require strong, unique passwords for all user accounts. Avoid reusing passwords across services. Where possible, enable two-factor authentication (2FA) to add an extra layer of protection.

Limit user access

Grant users the minimum level of access necessary to perform their roles. Review permissions regularly and promptly remove access for users who no longer need it.

Use HTTPS

Ensure your website uses HTTPS to encrypt data in transit. Most UW-hosted services support HTTPS by default. If you’re managing your own hosting, obtain and install an SSL certificate.

Back up regularly

Maintain regular backups of your website and database. Store backups securely and test them periodically to ensure they can be restored in the event of data loss or compromise.

Avoid unvetted plugins or themes

Only install plugins and themes from trusted, actively maintained sources. Avoid using outdated or unsupported software, as these are common vectors for security breaches.

Monitor for suspicious activity

Use logging and monitoring tools to detect unauthorized access, unexpected changes, or other suspicious behavior. Review logs regularly and investigate anomalies promptly.

Follow UW IT security guidelines

Refer to the official UW IT security resources for policies, tools, and additional guidance.