Your company’s website is one of the most important aspects of your business. In many ways, your website forms your company’s public presence and is your “face” to the world. Whether you are selling products online or simply providing information about your business, your company website is your public storefront, your billboard and your business card, all in one. And if your website gets hacked or replaced by malicious actors, this will be costly and embarrassing to say the least. And in the case of compromised e-commerce or personal visitor data, a website breach might even open you up to liability.
So having a secure website is more important than ever. How can you mitigate the risks of hacking and harden your website (and your company’s online presence) against attackers? Here are five tips to get you started the next time you hire a web developer.
1) Check your security certificate
A security certificate is part of the system that makes sure all the traffic between your website and your customers’ computers remains private and encrypted. If the traffic between your website and your customers is not encrypted, then anyone can view the data that is being sent, including financial info, credit card numbers and personal details. A security certificate contains mathematical keys that allow data to be encrypted for transit on the internet and is an absolute necessity for your business.
Unfortunately, a security certificate may only be issued for a fixed period of time (the certificate’s “life”). The maximum period of time allowed for certificate life used to be five years, but is now reduced to two years. The industry follows this standard because security and encryption technology is evolving constantly, and a two year certificate life ensures that no one will be too far behind the curve.
If your certificate expires and is not replaced, this could cause a variety of problems on your website. Your company website could become inaccessible (downtime!) or be vulnerable to “man in the middle” attacks where a hacker steals your customer data while in transit. So make sure your certificate is renewed periodically, and make sure you use a reliable certificate authority.
2) Remove mixed content
A web page that hosts secure (encrypted) content along with some insecure (unencrypted) content is said to be “mixed”. This is bad news because attackers can inject malicious code along with the unencrypted content and use this to steal data, inject viruses or install malware onto your customers’ computers. More so, some web browsers will block mixed content web pages, thereby breaking your website!
So make sure all content for your site is hosted on secure pages. You and your web developer can check this by making sure that all resources, scripts, links and images are referenced with an “https” prefix.
3) Sanitize user input
You never know who will be using your website or where the data is coming from. And whenever your website accepts data from another device or computer, via a form or cookie, you are opening up the possibility that someone might send data with malicious commands. Specially-crafted, malicious commands could crash your site, open up backdoors in your system and steal user data.
In the case of the internet, trust no one! All data you receive via your forms and cookies (and anywhere else) must be “sanitized”. Sanitizing user input means verifying the type of data received, the length of data, and also removing any malicious scripts or commands.
When you hire a web developer, ask him or her about securing forms and sanitizing user input… If they have a blank expression on their faces, then it’s time to get a different developer.
4) Prevent cross-site scripting
Cross-site scripting (XSS) has been one of the most persistent and widespread vulnerabilities since the beginning of the internet. Cross-site scripting will usually occur when data is passed from one website to another. Say you receive data from another website, and you display that data on your own page. If you fail to properly sanitize the data from the other website, then whatever data comes in could include code from attackers to steal credentials, financial data and really do anything, unbeknownst to you and your customers.
Cross-site scripting goes hand in hand with mixed content and sanitizing inputs, and is a specialty for a qualified web developer.
5) Use strong passwords and custom usernames
Hackers use sophisticated programs for cracking passwords, and these programs will create “brute force” attacks, where the cracking program will attempt to logon with thousands of passwords at a time. So one of the most common ways that websites get attacked and hacked is because the website owner used a weak, easily-guessable password. Like “password” or “123456”.
So if you are using a content management system for your website (i.e. WordPress, Umbraco, Drupal, etc) use a strong, long and secure password, preferably with no dictionary words or common phrases, with a combination of numbers, letters and symbols. Use a password generator like GRC’s Perfect Passwords and a password manager like LastPass or Keypass.
You can also further secure your login details by using a non-default username. Logon credentials are a combination of username and password. So if you use a username like “admin” or “administrator”, then you already did half the work for the attackers!
Also ask your web developer or designer about a plugin or code for your website to prevent these brute force attacks. And with these five tips you are already on your way to knowing how to make a more secure website!