Making security considerations a key part of your community setup and maintenance can save you from many future headaches.
You've worked hard to get your community moving. Don't make yourself an easy target and undo that work.
Here’s our current advice to our customers.
1. Enable HTTPS
HTTPS is fast becoming the standard way to serve websites. In 2016, more than 50% of web requests were served under HTTPS for the first time. Chrome and Firefox now explicitly warn users on login forms that aren’t sending data over HTTPS, and it’s not hard to imagine that in the near future all insecure pages will receive the warning.
HTTPS simply means that website data is served over a secure connection and can’t be read or tampered with by a ‘middle man’ hacker. You can identify a site using HTTPS because the address in your browser will show ‘https://’ (instead of http://), and normally a lock icon or the word ‘secure’.
Invision Community supports HTTPS by default simply by changing your base URL configuration to include HTTPS. Of course your web host will need to support it as well and our Invision Community Cloud services support it by default. Contact support if you have any questions.
Recommendation: Set up HTTPS for your entire community to prevent ‘man in the middle’ attacks.
2. Set up Two Factor Authentication
Invision Community supports Two Factor Authentication (2FA for short), and we highly recommend making use of this feature for your users, but especially for your administrator staff.
2FA is a system that requires both a user’s password and a special code (displayed by a phone app) that changes every few seconds. The idea is simple: if a user’s password is somehow compromised, a hacker still wouldn’t be able to log in to the account because they would not have the current code number.
You may already be familiar with 2FA from other services you use. Apple’s iCloud, Facebook and Google all offer it, as do thousands of banks and other security-conscious businesses.
Invision Community supports 2FA via the Google Authenticator app (available for iOS and Android) or the Authy service, which is able to send codes to users via text message or phone call. You can also fall back to security questions instead of codes.
You can configure which members groups can use 2FA, as well as requiring certain groups to use it.
Recommendation: Require any staff with access to the Admin Control Panel or moderation functions to use 2FA, to ensure that no damage can be done should their account passwords be discovered. Allow members to use 2FA at their discretion.
3. Configure password requirements
The password strength feature displays a strength meter to users as they type a new password, showing them approximately how secure it is, as well as some tips for choosing a good password.
While you can leave this feature as a simple recommendation for users, it’s also possible to require them to choose a password that reaches to a certain strength on the meter.
Recommendation: Require users to choose at least a ‘Strong’ password.
4. Use Admin restrictions
It’s very common that many different staff members need access to the Admin Control Panel depending on the role. You may have design staff, billing staff, community managers, and so on, all with particular tasks they would like to achieve.
Invision Community can help improve the security of your Admin Control Panel by allowing you to restrict the functions available to each administrator, granting them access to only the tools needed to do their job.
Recommendation: Audit your community’s administrator accounts and applying restrictions where it makes sense to do so.
5. Stay up to date
It’s important to ensure you’re always running the latest release of Invision Community. With each release, we add new security features, audit code and fix any issues reported through responsible disclosure. Falling behind can therefore make your community a tempting target for potential hackers.
Your Invision Community Admin Control Panel will let you know when a new release is available, and you can also check out our Release page to track releases.
For our Enterprise customers, we’ll automatically apply updates for you shortly after release as part of your plan. For our self-hosted and Cloud customers, you can easily apply new updates via the Admin Control Panel with a couple of clicks.
Our Invision Community Cloud contains all best practices for security. However, if you are self-hosted, be sure to work with your web host to ensure your server is setup properly. Ensuring that server software, firewalls, and access controls are in place is very important as an insecure server can be your worst enemy.
Recommendation: Aim to install latest updates as soon as feasible.
6. IP address restrictions
For organizations where staff are centrally-based in one location, or are required to use a VPN, you can improve your community security by restricting access to the Admin Control Panel to the IP addresses your staff will be using. This is a server-level feature, so contact your IT team to have this facility set up your installation. Enterprise customers who wish to utilize IP restrictions should contact our Managed Support team, while Cloud customers can submit a support ticket to have this set up.
Recommendation: Where staff all access the community from a small number of IP addresses, restrict Admin Control Panel access to those IPs.
Don’t leave security as an afterthought. Invision Community includes a range of tools to help you ensure your data and members protected, as well as industry-standard protections ‘under the hood’. Make use of these features, and they’ll help ensure the wellbeing of your site.
As always, if you have any questions or need advice, our support team are on hand to assist you.