If you keep your eyes and ears open, you should know that security breaches resulting in leaks of private information of thousands and sometimes millions of people happen all the time. It’s inescapable, even if you limit your scope to just huge scandals like a recent Facebook debacle. But smaller leaks and hacks happen just as often — we just don’t hear about them that much. That is why website security should be one of your primary concerns no matter what kind of website you run, even if you don’t believe your site has anything worth being hacked for. The truth is, most websites get hacked not because hackers want to steal someone’s data but to, for example, set up a temporary web server to serve illegal files or use it as a relay for spam. Or to use it as a part of a botnet for DDoS attacks. Or to mine bitcoins. Possibilities are endless, and none of them are particularly pleasant for the site owner — and the stakes get much higher if you actually handle sensitive information about your clients.
What is most important, having airtight security and being known for it means that your customers won’t hesitate to buy from you, provide their personal information, subscribe to your newsletters, and so on. The slightest suspicion that your website security has been compromised can lead to mass exodus of clients, and it will be extremely difficult to lure them back.
Here are some website security tips and solutions that can help both you and your customers sleep soundly.
1. Keep all your software up to date
It may sound obvious, but you will be amazed how many websites, even those run by giant companies, use obsolete software that makes them highly vulnerable to potential attacks. If you don’t turn updating your software and replacing old versions into a habit, you may put it off indefinitely and eventually get a wake-up call already in the form of compromised security.
It concerns both the operating system used by your server and all the software used on your website (for example, SMS or forum). The majority of software providers use mailing lists to report any security issues with their products and will notify you about updates when they roll them out. Make sure to check them often and apply without delays.
2. Use a reliable website builder
Using a well-reputed and flexible website builder both removes many potential problems with your website’s design and sends your customers a signal that their data is completely secure with you. The more prominent among them are perceived as a standard of quality in respects of security, and being associated with them will already greatly alleviate a potential customer’s misgivings.
3. Minimize your error messages
Even something as simple as an error message can easily be used for hacking purposes if the website owner is careless enough. Make sure you keep them to a minimum and don’t let them leak confidential information (for example, passwords or API keys). Don’t give full exception details because they provide information about the structure of your code and make other, more complex attacks much easier and more likely to succeed. Show your users the bare minimum of information they have to know and keep the details safely in your logs.
4. Enforce strict password policies
It is dumbfounding how many people in 2018 are still using passwords in the vein of “12345” or “password,” despite hearing time and again how easy it is to break it. Firstly, make sure that you use strong passwords for your server and website admin area; the Internet is rife with recommendations on how to generate strong but easy-to-remember passwords, so use them.
Second, you should motivate (and, if necessary, strong-arm) your users to do the same. At the very least, you should enforce passwords that are at least eight symbols long, contain both uppercase and lowercase letters, figures, and special symbols. It may seem like a hassle for them at first, but they will thank you the next time they hear about yet another security breach.
Third, passwords should be stored in encrypted form, preferably with the use of a hashing algorithm. Even if somebody manages to steal hashed passwords, it can limit the damage as it is impossible to decrypt them.
5. Use HTTPS
HTTPS protocol guarantees to your users that they deal exactly with the website they expect and that nothing they send to it can be intercepted by third parties. If your website presupposes handling private data of your customers, you should strongly consider only using HTTPS for these purposes; otherwise, both your website security will be compromised, and your more tech-savvy customers may decide to avoid you because you don’t seem too eager to protect their data.
6. Test your website security often
You can find many security tools to help you test your website for penetration, both free and commercial ones. The way they work is mostly similar to the approaches commonly used by hackers — they test all known exploits and imitate attacks that can actually be used to compromise your website. As a result, you will be able to see not just if your website can be successfully attacked, but the exact method of attack you have to protect against.
7. Be wary of file uploads
Giving users an opportunity to upload files to your server is a big security risk because they may contain scripts that can be executed to cause immeasurable harm to your website. Checking file extensions won’t help — they can easily be faked. Even image files uploaded to a comment section can contain a malicious code that harbors a harmful script. Ideally, you shouldn’t allow uploading altogether. Or at least prevent direct access to uploaded files by keeping them outside of webroot.
These tips aren’t comprehensive nor will they guarantee 100 percent security of your website — but if you follow them, you will already do much more to ensure the safety of your site and your clients than many other businesses.