Every day, when your customers and clients visit your website, they’re putting trust in your website security. Whether that means keeping an email private when they sign up for a mailing list, holding credit card or banking information secure for large transactions, or just loading correctly and without third-party information showing up on the screen, a secure website gives your customers confidence. An unsecured website can make you look unprofessional, or worse – out of business!
Website security isn’t a matter of installing the right software once and then forgetting about it. Every day, hackers get smarter, and the tools they use get more sophisticated. You have to keep on top of your website security if you want to stay in the game. Here are 10 tips on keeping your site up and running:
Keep your code up to date!
If you run a site on a service like WordPress or Drupal, that’s great – it means you can draw on a ton of community work to improve your site and add features. But the big community has a dark side: since so many people use these services, hackers know that if they can crack the code for one site, they might crack it for a whole bunch of them. Developers are coming out with new security patches all the time, in response to these threats. But no patch in the world can keep you safe if you don’t take responsibility for applying it.
Don’t just pay attention to core files
Your site probably isn’t running core, unadorned Drupal or WP or anything else. You probably have modules added on to add value, whether that’s an online point of sale system or a 24-hour online chat box or something more specific to your business. Those may have their own update processes and considerations. And if their development teams stop development on the modules, you’d better be aware of that.
If you’re doing development in-house, get a review process in place
Sure, custom code may be less attractive in and of itself for hacking. Companies can, however, attract hackers in a variety of ways: just being successful might put your site at risk. Run stress tests, seek out security audits, and make sure your development environment is safe. And make sure your developers are trained in secure dev practices.
Keep staff up to date
Hacking and developing don’t happen in vacuums. There are forums, newsletters, and official blogs that all have to do with website security. If that’s not up your alley, make sure you know who on your team does love that stuff – and make them keep you informed. In either case, keep an eye on the latest news, so you can spot problems before they happen to you.
Keep roles on a “need-to-use” basis
Would you ever give everyone in your company access to your banking details? You probably reserve that information for the people whose roles directly require that access. Your website is no different. Not everyone needs to be able to change the code, or access the database, or upload files, or get into certain parts of the site, or update the mailing list… give each kind of access only to the people who need it, and to no one else.
Change accesses when employees change roles
Has your star developer just retired? It’s time for new login information, new passwords, and if that developer had a VPN or remote desktop client, you should probably make sure that no longer works. Did a marketer just move roles to become a graphic designer? They don’t need the password to the mailing list any more. Roles should only belong to the people who are actually using them, now, at this time.
Never trust the user
Okay, that might be a bit harsh, but you should never take anything from your users at face value: if you ask for information that will go into a database, for example, you should check the information to make sure it makes sense. Is the phone number something like “555-1235”, or is it something like “drop table ‘customers’;”? Don’t put anything into your database, or try to run a transaction with any data, until you know it’s safe. And don’t let users upload files, even something as innocuous as a profile picture, until you know it is what it’s claiming to be.
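Here is what "check the information before it goes in" looks like in practice, as an added example (not code from the original post): a phone-number check, a parameterized insert so that "drop table" text is stored as data rather than executed, and a profile-picture check that reads the file's leading bytes instead of trusting its name. The phone format and the allowed image types are assumptions.

```python
import re
import sqlite3
from typing import Optional

# Added example (not from the original post): validate what the user sent
# before it reaches the database, bind values with placeholders so text like
# "drop table" is stored as data rather than run as SQL, and accept an
# "image" upload only when its first bytes really are an image's.

PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()-]{6,18}[0-9]$")   # assumed phone format

# Leading bytes of the image types we allow (assumed allow-list).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF89a": "gif",
}

def valid_phone(value: str) -> bool:
    """True only if the text looks like a phone number."""
    return PHONE_RE.match(value.strip()) is not None

def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    return conn

def add_customer(conn: sqlite3.Connection, name: str, phone: str) -> int:
    """Insert a customer row; reject bad input, never build SQL by concatenation."""
    name, phone = name.strip(), phone.strip()
    if not 1 <= len(name) <= 100:
        raise ValueError("name must be 1-100 characters")
    if not valid_phone(phone):
        raise ValueError("phone does not look like a phone number")
    cur = conn.execute("INSERT INTO customers (name, phone) VALUES (?, ?)", (name, phone))
    return cur.lastrowid

def detect_image_type(data: bytes) -> Optional[str]:
    """Image type implied by the content's leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def accept_profile_picture(filename: str, data: bytes) -> str:
    """Trust the bytes, not the filename or the declared content type."""
    kind = detect_image_type(data)
    if kind is None:
        raise ValueError(f"{filename!r} is not a recognised image")
    return kind
```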
Know your file permissions
Files can be readable, writable, and executable to different groups – and one of those groups is the public. The public should never be able to write to a file on your webserver. Just take a moment to imagine how that would go!
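To make the check concrete, here is an added example (not from the original post) that walks a web root, lists every file or directory that "other" can write to, and strips that bit; the throwaway tree it builds with a 777 uploads folder is constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example, not from the original post: audit a web root for anything the
# "other" class (the public, or any account on the box) may write to. The
# expected result on a healthy server is an empty list.

def world_writable(root: str) -> list:
    """Return paths under root whose mode grants write permission to 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode        # lstat: don't follow symlinks
            if stat.S_ISLNK(mode):
                continue                         # a link's own bits don't matter
            if mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def fix_world_writable(root: str) -> list:
    """Clear the 'other' write bit on every offending path; returns what was fixed."""
    fixed = []
    for rel in world_writable(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
        fixed.append(rel)
    return fixed

def demo_tree() -> str:
    """Build a throwaway 'web root' with one bad folder, one bad file, one good file (constructed)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    uploads = Path(root, "uploads")
    uploads.mkdir()
    os.chmod(uploads, 0o777)                     # the classic mistake
    (uploads / "avatar.png").write_bytes(b"\x89PNG")
    os.chmod(uploads / "avatar.png", 0o666)
    (Path(root) / "index.html").write_text("<h1>hi</h1>")
    os.chmod(Path(root) / "index.html", 0o644)
    return root
```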
Keep your errors vague
Error messages in coding languages and website platforms are designed to give you useful information. That’s great! But you want that information useful to you, not to your visitors – or to random hackers. If a visitor loads a page and an error pops up, it should log the actual error to a file your webmaster can look at (or email it to your dev team), and tell the visitor something like “Sorry, something broke! Our web team is on it.” If, for example, the error tells them the exact database query your site was running when it broke, at best it’s a bunch of ugly code your visitor doesn’t care about. At worst, you’ve just told a hacker all about your database architecture.
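The split described above, as an added example (not code from the original post): the full error, including the failing query and the stack trace, goes to the web team's log, while the visitor gets the generic message plus a reference id they can quote. The failing database call and the in-memory log handler are constructed stand-ins; a real site would log to a file.

```python
import logging
import traceback
import uuid

# Added example, not from the original post: detail to the log, a vague
# message to the visitor, and a reference id so the two can be matched up
# later without showing the visitor anything about the database.

class _Capture(logging.Handler):
    """Keeps formatted log lines in memory for inspection (a real site logs to a file)."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

log = logging.getLogger("webapp.errors")
captured = _Capture()
log.addHandler(captured)
log.setLevel(logging.ERROR)

class DatabaseError(Exception):
    """Stand-in for a driver error that embeds the failing SQL (constructed)."""
    def __init__(self, query: str):
        super().__init__(f"syntax error near 'custmers' in: {query}")
        self.query = query

def render_page(user_id: int) -> str:
    """A page handler that blows up with a detail-rich error (constructed)."""
    query = f"SELECT * FROM custmers WHERE id = {user_id}"
    raise DatabaseError(query)

def safe_response(handler, *args) -> tuple:
    """Run a handler; on failure log everything and return a vague 500 page."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = uuid.uuid4().hex[:8]
        # Query text and stack trace go to the log only, tagged with the ref.
        log.error("ref=%s unhandled error\n%s", ref, traceback.format_exc())
        return 500, f"Sorry, something broke! Our web team is on it. (ref {ref})"

def leaks_internals(body: str) -> bool:
    """Check a response body for the usual giveaways before it is sent."""
    return any(s in body for s in ("SELECT", "Traceback", "syntax error"))
```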
Monitor, monitor, monitor!
Did we mention MONITOR? Keep an eye on your analytics. Keep an eye on the back-end, keep an eye on anything suspicious. Note any bizarre patterns in your web traffic. Is your contact form getting hit 12,000 times a day by a bunch of IPs in Russia, where you’re not doing any business? Your site may have become a target for attack. In any case, keeping an eye on your analytics is going to help your business across a number of realms, not just website security, so if you don’t have analytics set up, talk to the web experts today.
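A small version of "note any bizarre patterns", as an added example (not from the original post): it reads web-server access-log lines and flags any form endpoint that many different addresses are hammering, the contact-form pattern described above. The log lines are constructed and the thresholds are assumptions to tune to your own traffic.

```python
import re
from collections import Counter, defaultdict

# Added example, not from the original post: a sweep over access-log lines
# that flags a form endpoint being hammered by many addresses (the "contact
# form hit 12,000 times a day" pattern). The log lines are constructed and
# the thresholds are assumptions; real traffic needs real baselines.

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /contact HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /contact HTTP/1.1" 200 512
203.0.113.8 - - [10/Oct/2023:13:55:37 +0000] "POST /contact HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "POST /contact HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "POST /contact HTTP/1.1" 200 512
"""

def parse_line(line: str):
    """Split one Common Log Format line into (ip, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)

def suspicious_endpoints(lines, min_hits: int = 5, min_ips: int = 3) -> dict:
    """Report POST targets with at least min_hits requests from at least min_ips sources."""
    hits, ips, per_ip = Counter(), defaultdict(set), defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "POST":   # forms are submitted with POST
            continue
        ip, _, path, _ = parsed
        hits[path] += 1
        ips[path].add(ip)
        per_ip[path][ip] += 1
    return {
        path: {"hits": n, "distinct_ips": len(ips[path]),
               "top_sources": per_ip[path].most_common(3)}
        for path, n in hits.items()
        if n >= min_hits and len(ips[path]) >= min_ips
    }
```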
If website security is all Greek to you, Webseology is here to help! Our job is to make your website awesome, and part of being awesome is being able to laugh off hackers and viruses that try to get through your iron-clad code.