The University of Michigan is committed to making certain that all of the institution’s websites are safe, secure, and protected. To help achieve this goal, the ITS AFS Website Upgrade Project team has been partnering with ITS Customer Relations and Unit IT teams over the last several months to encourage website owners to upgrade their websites hosted on the ITS Web Hosting Virtual Host Service.
HTTPS (not HTTP)
The most basic step in securing your website is to ensure you use HTTPS instead of HTTP. HTTPS makes a site more secure by encrypting data in transit and protecting its integrity. (It will also eliminate that pesky security warning pop-up that web browsers like Google Chrome display when accessing an HTTP website.)
Update your software regularly
You should use the most recent software version, particularly the most recent version with a security patch, whenever possible! Website owners should regularly check their websites and keep them on the latest stable/official version of the software they install. Over time, updates for Drupal and WordPress are released, some with security patches and some without. As these updates are released, a website that did not previously need a WordPress or Drupal upgrade may now need one. Staying on the most recent software version also helps with compatibility in other areas of website security. For example, if you want to use Drupal for your website, you must be on a compatible version of PHP.
ITS Web Hosting is in the process of moving customers from ancient versions of PHP that stopped being supported long ago to newer, still-supported versions. The ITS Web Hosting team currently provides support for PHP 8.1 and PHP 7.3. The PHP 8.1 upgrade is now available and is recommended sooner rather than later.
Discontinue using Cosign by June 30, 2023
Originally designed at U-M, Cosign is open-source software that was once widely used across higher education. Now only a handful of universities still use Cosign, and the open-source community that once maintained and developed it has dwindled. The ITS Web Hosting team recommends using U-M Weblogin with OIDC to replace Cosign for website authentication, and starting this effort ASAP.
The team also recommends that website authentication be done at the web application (or website) level and not at the web server level. Performing authentication in the web application rather than the web server gives the web app more control over the authentication process.
We all know technology, both hardware and software, evolves fast. We have to evolve with it in order to keep our sites 1) up and running, and 2) safe and secure.
Visit the project website for information on the AFS Website Upgrade Project, including step-by-step instructions on how to upgrade your website(s).