Security Tips for OA Websites

Last revised:

While it is relatively easy to create a website, security and maintenance can push the limits of a service body’s capability. First, using a reputable website builder can help because the builder will release regular security updates. Second, it is critical that everyone with access to your website use a complex (strong) password and two-factor or multi-factor authentication to log in.

User accounts

  • Change all passwords to complex (strong) passwords.
  • Delete accounts for all past users.
  • Require two-factor or multi-factor authentication for all users.

WordPress (tips may apply to other website builders)

  • Change and hide the login URL (Uniform Resource Locator) from the default /wp-login.php or /wp-admin/ to a custom, hidden URL. Example: Use the “WPS Hide Login” plugin.
  • At your discretion, disable editing of the website theme and plugins through the theme editor and plugin editor.

Web applications

  • Implement a secure password feature in the web application.
  • Users must use complex (strong) passwords.
  • Make sure appropriate file permissions are set up in the web application installation process.

MySQL

  • User accounts used to access the database via the web application should have limited privileges to execute SQL (Structured Query Language) commands and should not be a root-level user.
  • Only allow trusted administrators access to a MySQL root user account.

Web server

  • Revisit all users and passwords for the web server account.
  • Only give web server (e.g. Apache) users on the server “write access” (e.g. file uploads) to any public directory.
  • Limit administrative server access, which gives direct access to the server. This generally takes one of two forms: a user account on the server accessed either over SSH (Secure Shell) or via SFTP (Secure File Transfer Protocol). SSH access is strongly preferred, where only users with valid SSH keys can access the server and password access is disabled. SFTP is vulnerable and can be gained with access to the host account.

Repository (e.g., Github)

  • Use a private repository to limit access to the codebase.

OA Responsibility Pledge
Always to extend the hand and heart of OA
to all who share my compulsion;
for this I am responsible.

OA Board-approved.
© 2023 Overeaters Anonymous, Inc. All rights reserved.

Overeaters Anonymous, Inc. World Service Office
Location: 6075 Zenith Court NE, Rio Rancho, NM 87144, USA
Mailing address: PO Box 44727, Rio Rancho, NM 87174-4727, USA
Telephone: +1 505-891-2664

Literature Titles
Automatically translated literature titles appearing on this page are for reference only and may not exactly match the official titles approved by OA, Inc. and A.A. World Services, Inc.

Translation Permission
All registered OA groups and service bodies have permission to translate and reprint any OA document or text currently on the OA website. Permission includes the right to distribute automatically translated material and the right to correct errors in automatic translations. Translation corrections should be as close as possible to the meaning of the original English text, with nothing added or omitted. Translated materials must include this statement in the language of the translation: This is a translation of OA-approved literature. © Overeaters Anonymous, Inc. All rights reserved.

To translate OA documents with significant graphic design, see Free Licensed Images, Translation, and Graphic Design Platform for Intergroups and Service Boards Registered as Nonprofits/Charities.

To obtain OA-approved literature in your language, contact your service body or see the Digital Files in Translation list and Guidelines for Translation of OA literature.

Volunteer to improve translations on staging-frontendrebuild.oa.org. Apply here!