Website Security

April 17, 2018 by Tim Lewis

Having an online presence opens up your site to the possibility of attack, possibly making you or your customers vulnerable. Consider these possible situations:

  1. Your customer fills out information on your site and sends it to you and it’s intercepted by a 3rd party
  2. Your customer database is stolen from your webserver or website
  3. Your customer receives malware on their computer by visiting your site
  4. Information on your website is changed by an authorized 3rd party

It’s important to defend against each of these possible scenarios, which you can be vulnerable to even having the simplest of websites.

HTTPS

It’s extremely important in this day and age to have an SSL certificate protecting your site, so that any information sent to or from your website is encrypted along the way, preventing the “sniffing” of that information as it gets to it’s final destination. Also any site that is not HTTPS can also affect your Google ranking; it has been a ranking signal for some time now. Visitors also like seeing the padlock next to your web address; it shows you’ve gone the extra mile to protect their information and that your website is run by someone who is technically astute. Finally, if you use a CMS system like WordPress, you certainly don’t want to type in your admin password on a website that is not HTTPS enabled, as there is the possibility of it being intercepted.

Usernames and Passwords

Ok so you’re online with the rest of the world, so if you’re using a Content Management System (CMS) like WordPress, people know where your admin page is, and hackers can try various methods like brute force attacks to try to guess your password. If you kept your username to something default like “admin”, you’ve already given them half the information. Change your username to something else. Passwords should also be strong, and if you need help creating and remembering a strong password, we highly recommend using 1Password or some other password keeping tool.

User Security

If you are having other people help administer your website, like writing blogs, processing orders etc., consider giving them a lower level of access. This is possible with WordPress and most other CMS systems. This has a couple of advantages – if a hacker gets into their account, they don’t have the keys to the kingdom; and if you decide to part ways from them, you only need to remove their account from your system.

Security Tools

There are a number of 3rd party plugins available if you’re running WordPress, like Sucuri, which alert you to attacks and defends against certain types of attacks on your website, and scans for malware. The first line of defense however is keeping your site’s components up to date. Have the latest version of WordPress and any plugins you use kept up to date. Generally the reason there are revisions to those items is due to security updates.

What’s your Web Developer Doing?

If your web developer is only accessing your files through an insecure FTP, this may open up your site to vulnerabilities. Make sure he is at least using an encrypted FTP connection (SFTP) or an encrypted SSH encryption to make changes for you. Otherwise the other precautions you have taken above could be circumvented.

In Conclusion

Following the steps above will definitely keep you safer. Most hackers are opportunists and looking for an easy mark. If your website has these ideas in place, they’re likely to move on. Always make sure to turn on backups at your web host as well. In the event something does happen, you’ll have a way to recover easily.