Website hacking is on the rise and it seems no one is safe! Luckily, there are lots of steps you can take to protect yourself and your visitors. Some of them are so simple they are easily neglected.
- Use a trusted host
Maintaining security can be extremely challenging. Unless you have a compelling reason to run your own server, why not make use of industry professionals? In addition to providing preconfigured content management systems and storage, you'll also get the benefit of enterprise-level security.
- Keep software up-to-date
One of the most common attack vectors is to exploit known vulnerabilities in unpatched software. Check for updates daily. Consider using Linux for servers; it's built around security and vulnerabilities are patched within hours of discovery.
- keep your operating system up-to-date;
- keep the software installed on it up-to-date;
- keep plugins for content management systems up-to-date.
- Use security software
These days all systems need security software – both a firewall and a virus/malware suite. Choose reputable brands and pay for commercial licences to get full protection.
- enforce mandatory virus scanning of all storage devices connected to your system, especially USB flash drives;
- consider a hardware firewall for even stronger security.
- Limit technologies
The greater the number of applications and plugins you have installed on your system, the greater the risk of compromise. Keep your systems clean by removing unnecessary software. We also recommend using alternatives for commonly attacked software:
- use HTML5 technologies instead of Adobe Flash, Microsoft Silverlight, or Oracle Java.
- Limit Visitor File Uploads
Don't allow file uploads to forums unless it's absolutely necessary. Don't allow uploads of executables. Even better, have your operating system automatically mark all uploaded files as non-executable! It's common for malicious executables to be disguised as seemingly harmless files, such as JPEGs!
Many websites now use an SSL certificate to encrypt traffic between visitors and the server. Implementing the technology shows visitors that you take security seriously. There are several certificate authorities to choose from but there’s a new initiative worth checking out and it’s sponsored by many of the well-known names like Cisco, Mozilla, and Facebook:
In addition to encrypting the traffic to your site you should encrypt all user data that you are storing. Never store confidential data like passwords and credit card details in plain text.
Webforms are a powerful tool for interacting with your visitors and thanks to the power of HTML5 they are very easy to build. Unfortunately, they can also introduce additional security issues, especially when they interact with server databases.
- learn more about common attack methods, such as cross-site scripting;
- don’t allow autofill on webforms;
- validate user-submitted data both client-side (in-browser) and server-side. Strip all code (including HTML) from form data;
- use generic error messages, e.g. report that the username-password combination is wrong rather than that the password alone is wrong.
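The upload and webform advice above (server-side validation that strips HTML, generic login errors, rejecting executables disguised as images, and storing uploads without execute permission) as one added Python example; this is illustrative code written for this article, not a library or the author's own, and the allow-list of image signatures and the hypothetical helper names are assumptions:

```python
import html
import os
import re
import stat
import tempfile

# Constructed allow-list: file extension -> leading bytes ("magic") a real file of that type starts with.
ALLOWED_SIGNATURES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

_TAG_RE = re.compile(r"<[^>]*>")


def sanitize_field(value: str, max_len: int = 200) -> str:
    """Server-side cleaning of one form field: drop HTML tags, escape what is left, cap the length."""
    stripped = _TAG_RE.sub("", value)
    return html.escape(stripped, quote=True)[:max_len]


def login_message(user_exists: bool, password_ok: bool) -> str:
    """Generic error text: the same message whether the username or the password was wrong."""
    if user_exists and password_ok:
        return "ok"
    return "Invalid username or password."


def check_upload(filename: str, data: bytes) -> bool:
    """Accept only allow-listed image extensions whose content actually starts with that type's magic bytes."""
    ext = os.path.splitext(filename)[1].lower()
    sig = ALLOWED_SIGNATURES.get(ext)
    return sig is not None and data.startswith(sig)


def store_upload(directory: str, filename: str, data: bytes) -> str:
    """Write an accepted upload under a server-chosen name with no execute bits set."""
    if not check_upload(filename, data):
        raise ValueError("rejected upload")
    ext = os.path.splitext(filename)[1].lower()
    fd, path = tempfile.mkstemp(suffix=ext, dir=directory)  # server picks the name, not the visitor
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # rw------- : never executable
    return path
```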
- Daily Monitoring
The more popular your website is the more vigilant you will need to be. If you get traffic on a daily basis then you’ll need to monitor your site daily too! There are always good tools for scanning your site:
- Make Regular Back-Ups
Finally, make regular backups. Configure your system to make backups automatically. To ensure data security, don't keep all of your archives on the same system. Consider keeping at least one of your backups in a different physical location.
It takes a little effort to ensure you have good security but the effort is well worth it. If your visitors see that you take security seriously they’ll be more likely to trust you. If you have any doubts about security consult a security expert.