According to reports, a massive 30,000 websites are hacked each day. That’s pretty damn scary! And it’s a sobering thought for anyone who thought their website was safe online.
Like any good website developer, you know how important security is to your website, as well as your company’s website. Security issues can leave a website vulnerable to attack, and they can cause your customers to lose trust in you. This is bad for your brand and your sales. And if you developed the website, it will fall back on you, too.
Unfortunately, no one can create a website that is 100% bulletproof. That said, there are still website security best practices you can put in place today that will bolster your defenses and keep attackers at bay.
Wondering what the heck they are? Let’s take a look at the 6 website security best practices.
Use a Secure Host
Dedicated web hosts can help to protect you online
A secure host is the foundation of website security. If you get this bit right, you will minimize potential security risks straight away. Fab.
Naturally, the type of host you go with depends on the type of website you’ve got. For instance, if you run a personal blog with, say, 3,000 monthly visitors, you can get away with shared hosting. This is because it’s cost-effective and has the resources you need to handle your modest traffic.
But if you’ve got a high-traffic, high-volume site, it’s always a good idea to use dedicated web hosting. Dedicated web hosting, such as AltusHost, offers better performance for large websites, but crucially it’s more secure than, say, shared and closed hosting.
Why? Because you have a server all to yourself, which is to say you’re not sharing it with anyone else. This reduces the risk of interception, infiltration, and data loss.
If you’ve already got a host, make sure to assess how vulnerable your web host is.
Use Strong Passwords
Password generator tools walk you through all you need in order to create complex passwords
Weak passwords are surprisingly easy for hackers to crack, especially if they’re using a password-guessing program that keeps guessing until it’s cracked your password.
And the problem is that passwords are often low down on our security policy, simply because we always assume that our password is strong enough!
Worse still, many organizations make the mistake of using the same password over and over because remembering new, complex passwords is tricky (believe me, I’ve tried).
However, one of the easiest ways for a hacker to get into your system is via your password. It’s therefore important that all your passwords are unique. You should also advise your clients on how they can keep their passwords safe. For example, never write them down on paper, never use the same password more than once, and keep your phone locked.
You could also use a password generator and management tool to help you come up with difficult passwords, too. Moreover, a password management tool helps you access all your passwords with one simple master key.
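As an added example (not code from the original post), the script below shows the three things this section asks for in Python: generating a password from the operating system’s cryptographic random source, putting a rough entropy number on any password, and spotting accounts that reuse the same password. The account inventory at the bottom is constructed sample data, not real credentials.

```python
import hashlib
import math
import secrets
import string

# Symbol class used alongside letters and digits when generating passwords.
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def has_all_classes(password: str) -> bool:
    """True if the password mixes lower case, upper case, digits and symbols."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length: int = 20) -> str:
    """Generate a password with the secrets module (a CSPRNG), never with
    random.choice. Regenerate until every character class is present."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(password):
            return password


def entropy_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of the character pool in use).
    Dictionary words score higher than they deserve, so treat this as a floor
    check, not as proof of strength."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool) if pool else 0.0


def find_reused(accounts: dict) -> list:
    """Group accounts that share a password. Passwords are hashed so the
    result never carries plaintext; only groups of two or more are returned."""
    by_hash = {}
    for account, password in accounts.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_hash.setdefault(digest, []).append(account)
    return [sorted(group) for group in by_hash.values() if len(group) > 1]


if __name__ == "__main__":
    # Constructed sample inventory; not real credentials.
    inventory = {
        "cms-admin": "Summer2023!",
        "ftp": "Summer2023!",
        "db": generate_password(),
    }
    print("reused:", find_reused(inventory))
    suggestion = generate_password()
    print("suggested:", suggestion, f"({entropy_bits(suggestion):.0f} bits)")
```

The reuse check hashes before grouping so that a report can be shared without carrying the passwords themselves; a password manager does the same bookkeeping for you, which is the point the section makes.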
Use SSL Encryption
HTTPS protects sensitive information, such as banking information, and it’s always a good idea to use it.
However, it’s also really important that you don’t limit yourself to HTTPS encryption. Instead, consider implementing SSL encryption for all user data that is sent to – and received from – your server.
Why? HTTPS is definitely effective at preventing some attacks. But because most attacks happen via insecure software, you’re still vulnerable if you’re using just HTTPS. It doesn’t fix most of the holes by itself, and it certainly isn’t enough if someone has access to the server.
SSL encryption adds an extra layer of security to your website. Also, advise your system admins that they need to test and verify their certificates regularly to make sure they’re up-to-date. This is because SSL certificates go out of date after 1–2 years. If they expire and you haven’t updated them, you will lose the trust of your site visitors.
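The regular certificate check the text asks admins to run can be a short script. The one below is an added example, not from the original post: it connects with full verification, reads the leaf certificate, and classifies it as OK, expiring soon, or expired. The 30-day warning window and the sample certificate dictionary used in the comments are assumptions made here; the notAfter string format is the one Python’s ssl module returns from getpeercert().

```python
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

WARN_DAYS = 30  # assumed warning window: report certificates expiring within it


def days_until_expiry(cert: dict, now: Optional[datetime] = None) -> int:
    """Days left before the certificate's notAfter date (negative once expired).
    `cert` has the shape returned by ssl.SSLSocket.getpeercert(), e.g.
    {"notAfter": "Jan  5 09:34:43 2018 GMT", ...}."""
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires_at - now).days


def classify(cert: dict, now: Optional[datetime] = None) -> str:
    """EXPIRED, EXPIRING_SOON (within WARN_DAYS) or OK."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    if days <= WARN_DAYS:
        return "EXPIRING_SOON"
    return "OK"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection (system CA bundle, hostname check) and
    return the parsed leaf certificate. An untrusted or mismatched certificate
    raises ssl.SSLError, which is itself a finding worth reporting."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python check_cert.py example.com [another.example ...]
    for host in sys.argv[1:]:
        cert = fetch_peer_cert(host)
        print(f"{host}: {classify(cert)} ({days_until_expiry(cert)} days left)")
```

Run it from cron or a CI job against every hostname you serve, and treat an SSLError (chain not trusted, name mismatch) with the same urgency as an expiry: the browser will show the same warning page either way.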
You can buy SSL certificates separately, or you can find them included in a web host plan, such as the one provided by GoDaddy.
There’s really not much difference regarding how you get your SSL certificate, and your main consideration will be related to cost and how the terms benefit you.
Use a Web Application Security Platform
A good web application security platform protects your clients’ websites against threats.
How?
They provide you with automatic updates for vulnerable software, threat intelligence software that scans hacker forums for mentions of your domain, blacklist monitoring, vulnerability monitoring, security reports, and more.
They also add an extra layer of credibility to your resume as a web developer because companies will see that you’re committed to implementing proper website security best practices.
Make Sure Your Cookies Are Secure
Cookies help us learn more about our site visitors. But are yours secure?
When developing a website, it can be really easy to overlook the importance of cookies. And yet most websites use them. Cookies gather and store information about our site visitors, allowing us to learn more about them so that we can, in turn, provide a more personalized user experience.
However, cookies can also cause a LOT of damage if they’re used to store super sensitive information, such as banking information. This is because an attacker could be lurking with a malicious script that is activated each time someone visits your website. As a result, the visitor’s session cookie is sent to the attacker, who steals it and uses the information for their own gain.
Cookies, then, should never be used to store super sensitive information.
It’s also a smart idea to set brief expiry dates. Why? There are two types of cookies:
- Session cookies
- Persistent session cookies
Session cookies expire whenever a user’s session finishes. Persistent session cookies, however, continue to live on, thus introducing a security risk. If you use persistent session cookies, request authorization every fortnight. This minimizes security issues because you’ll know that an authorized user is entering your site each time.
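The cookie advice above maps onto a handful of Set-Cookie attributes. As an added example, not from the original post, the Python below builds a hardened session cookie (HttpOnly so page scripts cannot read it, Secure so it only travels over HTTPS, SameSite=Strict, and no Max-Age so the browser drops it when the session ends) and audits an arbitrary Set-Cookie header for the same properties. The two-week cap on persistent cookies follows the fortnightly re-authorization the text suggests; the cookie names and values are constructed.

```python
from http.cookies import SimpleCookie

# Two weeks, matching the re-authorization interval suggested in the text.
SESSION_MAX_AGE = 14 * 24 * 3600


def build_session_cookie(name: str, value: str, persistent: bool = False) -> str:
    """Return a Set-Cookie header value with hardened attributes.
    A session cookie (the default) carries no Max-Age, so it is discarded when
    the browser session ends; a persistent one is capped at SESSION_MAX_AGE."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True      # not readable by page scripts
    jar[name]["secure"] = True        # only sent over HTTPS
    jar[name]["samesite"] = "Strict"  # not sent on cross-site requests
    jar[name]["path"] = "/"
    if persistent:
        jar[name]["max-age"] = SESSION_MAX_AGE
    return jar[name].OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return a list of findings (empty if the cookie is acceptable) for a
    Set-Cookie header value as a server emitted it."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
        max_age = morsel["max-age"]
        if max_age and int(max_age) > SESSION_MAX_AGE:
            findings.append(
                f"{name}: Max-Age {max_age}s exceeds {SESSION_MAX_AGE}s")
    return findings


if __name__ == "__main__":
    # Constructed header values; "sid" is a made-up session cookie name.
    print(build_session_cookie("sid", "abc123"))
    print(audit_set_cookie("sid=abc123; Path=/; Max-Age=31536000"))
```

The audit function is the useful half for an existing site: feed it the Set-Cookie lines your server actually emits (from a browser’s developer tools or a curl -i capture) and it lists what is missing.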
Keep Web Apps Updated
It’s essential that you keep all your web app software and apps up-to-date. If you don’t, you’re putting your company at risk.
How so?
Because new vulnerabilities and security flaws pop up all the time, and hackers are constantly monitoring websites for them. If your apps and software aren’t kept up-to-date, they won’t be safeguarded against the latest threats.
Update your third-party services and software regularly (once a week at least). You should also keep the libraries within your app infrastructure up-to-date. If they’re out of date, they will create a security risk. Take another look at your documentation and find the libraries you’re using. If there are ones that aren’t making any difference to your web app anymore, consider eliminating them whilst updating the rest.
Also, if the latest version of each library is stable, you can use that.
Ask Professionals To Test Your Site
Lastly, a really easy way to get acquainted with your security flaws is to invite a professional to try to attack your site. This will show you the techniques and entry points that hackers might use to get inside your system.
A professional will also help you learn more about:
- Cross-site scripting – A web security vulnerability that an attacker exploits by adding malicious code to your web application
- Broken authentication – This refers to multiple vulnerabilities that allow an attacker to impersonate other users, such as someone on your team
- SQL injection attacks – An injection attack that allows a hacker to insert malicious SQL statements through an entry field
- Sensitive data exposure – This is when an application inadvertently exposes sensitive data, such as banking details. It’s not to be confused with a data breach
Because attackers will eventually locate these themselves, it’s a smart idea to get there first.
There is an entire cottage industry surrounding penetration testing, aimed at helping business owners test their systems and identify vulnerabilities in a legitimate manner. You can refer to Intruder’s guide to vulnerability scanning for deeper insights in this regard, and a better understanding of the options available.
You could also try to hack your site yourself if you know how (not easy!), and doing so will cast light on the techniques hackers use, as well as any security issues you’ve so far overlooked. Also make sure to attack only your own site, and only in an isolated environment.
Conclusion
It’s somewhat surprising how many different things you need to do in order to secure your website. But completing the checklist above is in your best interests – and your customers/clients’ best interests.
Make sure to always use a secure host, and then do all the right things from there. Remember, though, that cybersecurity is an evolving sector, so keep checking for new developments so that you know what to do next, and what to look out for.