Website Security
Security is a very serious issue in relation to any aspect of your business. It should be one of the things at the forefront of your mind. For this reason, your website’s security should be of at least as high a standard as your own premises’ security.
What can someone steal from your website?
- Your email subscribers' information.
- The look of your website, by placing spam ads on it or redirects to other websites.
- Its integrity. Your website could be used as a jumping-off point for attacks on other websites.
- Your sales. What if your customers are redirected to someone else's website when they try to purchase from or contact you?
- Your customers' money, when buyers are sent through fake PayPal or bank payment pages.
- Malware can be placed on your website so that Google eventually flags it as dangerous and removes it from its results.
- Your rankings. Imagine what Google will do to your rankings if even some of the above is happening on your website.
- If you are an online business, then possibly your business itself, along with your reputation.
The above list is pretty scary, but it is exactly what can happen! No matter how good your security is, someone can find a way around it. It is up to you to make that job so difficult that they will try somewhere else.
So What Do You Do?
Here are 12 of the main things you should be doing to keep your website safe.
- Have a proper password. Pick a password that will be difficult for a hacker to guess. Don't use birthdays, your children's, spouse's or pets' names, or the word 'password', which is still the most common password! Pick a word that is in no way related to you, throw in a few capital letters in various places, add a few numbers, and finish with a few punctuation marks. Change it regularly, and by that I don't mean every couple of years!
- There is also multi-factor authentication. This is where the website sends a code to your phone that must be entered before you can gain access.
- Your username should not be 'admin', 'administrator', your own name or your business name. Again, pick something not related to you or your business.
- Avoid file uploads. Did you know that allowing people to upload an avatar image actually gives some people the opportunity to place dangerous code on your website? If you feel you need to allow something like this, automatically rewriting the file extension of every upload, so that the file cannot be run on the server, can save you a lot of grief.
- Ensure you are using HTTPS. HTTPS protects data travelling over the internet and, through the site's certificate, assures visitors that they are actually on the website they think they are on.
- Error messages can cause you trouble as well. Never give away too much information when reporting a login error.
- Beware of XSS attacks in your comments section. If a hacker can get an XSS attack to run in your comments, he could take control of the account of every user who views the comment. Content Security Policy (CSP) is your friend here. A Content Security Policy is a header your server returns that tells the visitor's browser to limit what JavaScript is executed in the page and how. An example would be to disallow running any scripts not hosted on your domain, or to disallow inline JavaScript.
- Set up your website so that SQL injection attacks are blocked.
- Keep your software up to date. If you have plugins on your website, you will commonly see that they need updating. Sometimes this is because the developers are improving things, but sometimes it is because a vulnerability has been discovered.
- Sensible user permissions. When giving access to employees, only give them what they need to do their job. If they only need user or editor access, why would you give them administrator access?
- If you are using shared hosting, as many businesses do, then you need to set up DDoS mitigation. When someone else's website on the same shared host is under attack, you can get a taste of it too if you don't have this set up.
- Penetration testing. There are free tools you can use that operate similarly to a hacker, using many of the same techniques and attack processes. Some available free tools are Netsparker (which tests for SQL injection and XSS) and the Xenotix XSS Exploit Framework, which works cross-browser.
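As an added illustration of the CSP point above (not code from the original article): a small Python model of the header described, a policy that allows scripts only from your own origin and refuses inline JavaScript, plus a check of what a browser enforcing it would run. The site origin and script URLs are constructed placeholders.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed site origin for this example; substitute your own domain.
SITE_ORIGIN = "https://www.example.com"


def build_csp(allow_inline: bool = False) -> str:
    """Header value that allows scripts only from our own origin and, unless
    asked otherwise, refuses inline <script> blocks."""
    script_src = ["'self'"]
    if allow_inline:
        script_src.append("'unsafe-inline'")  # re-opens the door to injected <script>
    return ("default-src 'self'; script-src " + " ".join(script_src)
            + "; object-src 'none'")


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def same_origin(url_a: str, url_b: str) -> bool:
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def script_allowed(header_value: str, site_origin: str, script_url: Optional[str]) -> bool:
    """Would a browser enforcing this policy run the script? script_url=None
    stands for an inline <script> block, the usual shape of a stored-XSS
    payload in a comment. Simplified: exact-origin matching only, no
    wildcard hosts, nonces or hashes."""
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src", []))  # CSP fallback rule
    if script_url is None:
        return "'unsafe-inline'" in sources
    for src in sources:
        if src == "'self'" and same_origin(script_url, site_origin):
            return True
        if src.startswith("https://") and same_origin(script_url, src):
            return True
    return False
```

Sending the value of `build_csp()` as the `Content-Security-Policy` response header is what makes the browser enforce it; `script_allowed` only predicts the outcome for a given script.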
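As an added example for the SQL injection item (not code from the original article, which names no specific method): the same user lookup written two ways in Python with sqlite3, the vulnerable string-built query beside a parameterised one, run against a constructed in-memory table. Parameterised queries are one common way to block injection.

```python
import sqlite3
from typing import Dict, List, Optional


def make_db() -> sqlite3.Connection:
    """In-memory users table holding three constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b"), ("o'brien", "hash-c")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Vulnerable form: the input is pasted into the SQL text, so a quote in
    it closes the string literal and changes what the query means."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened form: a parameterised query. The driver sends the value apart
    from the SQL text, so it is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> Dict[str, Optional[List[str]]]:
    """Run both forms against the same two inputs and collect the outcomes."""
    conn = make_db()
    injected = "x' OR '1'='1"   # constructed input that subverts the unsafe query
    legit = "o'brien"           # an ordinary username that happens to contain a quote
    try:
        unsafe_legit: Optional[List[str]] = find_user_unsafe(conn, legit)
    except sqlite3.OperationalError:
        unsafe_legit = None     # the concatenated text is not even valid SQL
    return {
        "unsafe_injected": find_user_unsafe(conn, injected),  # every account leaks
        "safe_injected": find_user_safe(conn, injected),      # nothing matches
        "unsafe_legit": unsafe_legit,                         # real user locked out
        "safe_legit": find_user_safe(conn, legit),            # found as expected
    }


if __name__ == "__main__":
    print(demo())
```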
Once You Have Completed the Above
The 12 things above are only a good taste. They will help keep your website secure, but there is more you could be doing. Once you have done the above, make sure you finish with the penetration testing and see how you are doing. Hackers are always trying new ways to take over your website. It is up to you to do as much as possible to block them.
One final thing that everybody should do – keep an up-to-date backup! Preferably not on the server! In fact, keep 3 saved a month apart so that if you are hacked you should have at least one clean backup.
At No1 SEO Ireland all our website builds come with 2 security plugins, and your website is backed up on a memory stick in case you do get hacked. We also remind you that website maintenance is very important in keeping your website secure, and we offer monthly packages to clients.
If you would like to hear more call us at 089 479 9227 or use our contact form.