On the Internet, the threat of your website coming under attack is a constant one. You never know when you might become the target of a competitor looking to use Black Hat techniques to take you down, a hacktivist group looking to prove a point or a foreign hacking cartel trying to create chaos. No system is perfect, of course, but you can take several steps to limit the possibility of a successful hack.
The number one vulnerability hackers use to access a website and gain control over it is out-of-date software. Companies push updates for two reasons: to add features and to patch holes. If you put off updating your site, you’ll find that you’re leaving security holes open. It’s like locking the deadbolt on your front door, but leaving the door open when you do. Hackers with the knowledge to exploit these security holes will find it an easy matter to do so. Apply all updates, regardless of their content; there may be hidden bug fixes that close security holes.
On that note, you should also avoid using old, unsupported software. Some companies fail and cease to support their old software. If a hacker discovers a vulnerability, the company no longer exists to create a patch. Even if the company still exists, unsupported software by definition no longer receives security updates.
All of this goes for the software on your workstation as well. It doesn’t matter how secure your website is if a hacker with a keylogger can steal your password when you log in. Maintain active virus scanners and firewalls, keep your operating system and software up to date and only sign in through a secure connection.
If security holes are like locking an open door, weak passwords are like using a deadbolt made of paper. Take a moment to read one of the annual published lists of most common passwords. Is yours on the list? If so, change it immediately. There are a number of rules to follow to create a strong password.
There are other password tips as well; it’s a subject on which much has been written. Review articles by top security experts for more information.
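The check against a common-password list described above can be automated. The following is an added example, not part of the original article; the sample list entries, the substitution table and the function names are assumptions made for illustration. It also catches simple variations of a listed password, such as swapped characters or a trailing year.

```python
import re

# Constructed sample entries; in practice, load one of the published lists.
SAMPLE_LIST = """
123456
password
qwerty
letmein
welcome
admin
"""

# Common character substitutions, undone before comparing (an assumption
# about which swaps to cover; extend as needed).
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def load_list(text):
    """Normalize a published list: one entry per line, lowercased."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def candidate_forms(password):
    """Return the normalized forms of a password to compare with the list."""
    lowered = password.lower()
    # Drop trailing digits and symbols, e.g. "welcome2024!" -> "welcome".
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return [lowered, stripped,
            lowered.translate(UNLEET), stripped.translate(UNLEET)]


def match_common(password, common):
    """Return the listed password this one reduces to, or None."""
    for form in candidate_forms(password):
        if form in common:
            return form
    return None


COMMON = load_list(SAMPLE_LIST)
```

A password that returns a match here is only a small variation on a listed one and should be changed just like an exact match.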
Some website software, particularly WordPress, allows additional plugins and add-ons to increase functionality. One plugin you should always get is an up-to-date security suite. Of course, make sure any add-on you use is up to date as well.
Always be wary about the third-party content you use on your site. Add-ons can be very helpful, but if they’re published by an untrusted source, or they’re several years out of date, they may be gaping security holes waiting to happen.
If you sell anything through your website, do not, under any circumstances, program your own commerce platform. There are several good commerce platforms to choose from online, all of which are designed with security in mind. Programming your own is both reinventing the wheel and opening yourself up to outside access. Use an online shopping cart suite from a trustworthy developer, process transactions in a secure manner and maximize security each step of the way.
Any data sent between the user and your website should be encrypted. This means using SSL and HTTPS for your data traffic. You want to do this for two reasons. First, if any device on your network or software on your server can monitor or access user data, the data it can access is unreadable. Second, your user’s own security may be compromised, and you cannot control how security-conscious and updated your users are. Rather than risk data leaks from an external virus, encrypt your traffic.
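A site served over HTTPS can still send or load data in the clear if a page submits a form to an `http://` address or pulls a script from one. The following is an added example, not part of the original article, that scans a page's HTML for such references; the sample page, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch from, or submit to, a URL.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "form": "action"}


class InsecureRefFinder(HTMLParser):
    """Collects references that would travel over unencrypted HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        values = dict(attrs)
        # Only stylesheet links are fetched as page content; skip canonical etc.
        if tag == "link" and "stylesheet" not in (values.get("rel") or "").lower():
            return
        url = (values.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            kind = "form-submits-in-cleartext" if tag == "form" else "mixed-content"
            self.findings.append((kind, tag, url))


def find_insecure_refs(html):
    """Return (kind, tag, url) for each cleartext reference in the page."""
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page for the example.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://shop.example/site.css">
<link rel="canonical" href="http://shop.example/">
<script src="http://cdn.example/cart.js"></script>
</head><body>
<img src="/logo.png" />
<a href="http://partner.example/">partner</a>
<form action="http://shop.example/login" method="post">
<input type="password" name="pw"></form>
</body></html>
"""
```

Ordinary links (`<a href>`) are not reported because following them does not send the current page's data.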
When you’re updating your website, use encrypted channels as well. Regular FTP is a plaintext protocol whose traffic is easily readable. You’ll want to use secure FTP to upload your data through an encrypted channel.
Take steps to keep your users informed about security. Let them know that there may be imitators looking to impersonate your site to steal their information, in a process called phishing. Let them know that to increase their own data security, they should maintain active virus scanners. One particularly good avenue for these basic security tips is through your e-mail newsletter. Don’t forget to add security descriptions, certificates and other information to your checkout process. The safer users feel when they use your platform, the more likely they are to return.
This goes hand in hand with using encryption to transmit data. No matter how secure your data is when you transmit it from one place to another, if it is stored as plain text at its destination, hackers can simply read it without issue. Store user data in encrypted databases.
If something happens and your site is compromised, what can you do? You need to keep regular backups of your website, user data and other important information. You can store these locally, on a remote server or in the cloud. Make sure they are stored encrypted, of course. Maintaining a backup is an important part of data security.
Occasionally, a site may be infected with malware without the owner realizing it. One way to find out is to search for your site on Google. Google is very good about flagging a site as untrusted or malicious when there is an infection present. Make sure your site looks as it should from a search engine perspective. If you use Google Webmaster Tools, you will also receive a notification if malware is detected on your site.
No matter how good your security is, how strongly encrypted your information or how secure your passwords, it’s always possible for your site to be hacked. Don’t fall prey to overconfidence; plan for disaster. A disaster recovery plan will help you recover from a potential hacking as quickly as possible, to reassure users and to maintain your own flow of commerce. Your business can’t afford the downtime associated with lacking a disaster recovery plan.
With these steps taken, your website will be as safe as it can be. Again, no system is perfect, and it’s always possible there’s a flaw yet to be found in some software you use. Do your best to protect yourself and chances are you’ll be safe.