An Easy Guide to Website Security
Posted February 7, 2019 by Lee
Website Security is not something to ignore. Keeping your website secure is very important; not only to protect your customer’s data but to ensure you can provide your service without unwanted intrusions.
In today’s online world there are a few security features that customers are expecting to see on your website more and more as they become aware. If you aren’t able to provide essential security features; then it could impact your business.
This list is by no means exhaustive; however, these are what we believe are six of the best website security tips; that you can apply to your website today.
Regular Software Updates (including WordPress!)
As a website owner, your utmost priority should always be to ensure that you are running the latest and greatest versions of all software your website relies on – for example; WordPress, all themes, plugins and any other scripts your site uses.
While we are mentioning updates for your website – it’s also advisable to update your devices themselves; applying any security/maintenance updates regularly to your devices and the software within, including your web browser.
Protect Your Website Code & Database
Hackers can use something as simple as a web form to find vulnerabilities in your code and then exploit these insecurities to make it act unusually. It will lead to many problems for you and your website (none of which you want).
An example of this is an insecure contact form script on your website. Most people with a web site have a “contact us” page, with a similar kind of form on it where visitors input their name, email address, telephone number, and a short message/enquiry – which is then emailed to you, or entered into a CRM system. If your contact form does not have CAPTCHA protection already, that’s an excellent place to start.
Your form inputs (the boxes where people can enter data); especially when results are submitted to a database; should be clean. Cleaning inputs (and we don’t mean with hot soapy water!) will help prevent SQL Injections in your database. If your contact form submits data directly into a database, it’s a good idea to clean the input before putting it into your query.
It’s good practice for the developer of the form to implement it from the start; however, if this is not the case for your contact forms – you should seek assistance from your website developer.
Monitoring Blog Comments
WordPress is excellent, we love it. However, straight out of the box, it’s not secure (and neither is most other open source blogging software). Further steps need to be taken to prevent bots from attacking the comments sections on your lovely new blog post!
In WordPress, there’s a couple of neat website security features under ‘Settings’ then ‘Discussion’ which let you apply to filter to comments automatically. You can filter out specific comments by name, email, domain name, IP address and even the content of the comment; or add the same phrases to the blacklist, and they will be sent straight to the trash. You can use these features to prevent spam submissions of web addresses, and inappropriate content by filtering out keywords and formations to should stop anyone from abusing your comment boxes.
Make Error Messages Simplistic
If you can modify the error messages on your website – try to keep them as simple as possible. You will want to avoid giving away the full error as this can be used by attackers to find vulnerabilities in your software or script. It’s best practice to keep the message short, sweet and user-friendly. “Something went wrong” along with some useful links to continue browsing your website should suffice.
User Validation & Two Factor Authentication (2FA)
When users are logging in – make sure you pass validation checks to verify their identity and lower the risk of attacks on compromised accounts. There are many ways to validate users, two of the most popular are CAPTCHA Protection and Two Factor Authentication (2FA for short).
Using Two Factor Authentication (2FA) is becoming more and more popular among the technology industry, social media and banking sites to confirm the users’ identity with a text message, email or time based token.
These methods are becoming increasingly popular and are pretty simple to add to your existing website. There are many free and paid modules and plugins available for a range of different software which bring this additional security to the table and offer reassurance to your users that you are protecting them, and their information as much as possible. It will go a long way to building trust in your business website.
HTTPS / SSL (and why you should be using it already!)
Since 2014 when Google declared that it was going to use SSL as a ranking factor in SERPS (Search Engine Results Pages) – there was widespread adoption of SSL Certificates with nearly every website you’re likely to visit daily (Facebook, Twitter, Unlimited Web Hosting…) using valid SSL Certificates. There are many different types of SSL Certificates; some are free and others (Premium SSL) that you have to pay an annual fee for to your web hosting company.
SSL Certificates encrypt the connection between the customers’ web browser and your web server for better security. If your website is not already using SSL and providing encrypted connections for your customers – you should make this your priority.
We include FREE SSL Certificates powered by Comodo (if you are using cPanel Hosting) or LetsEncrypt (if you are using Plesk Hosting) with our UK unlimited web hosting packages. We also offer a range of Premium SSL Certificates should you require a warranty on your certificate.