One of the biggest issues affecting any web user is security. Website security is essential for many reasons; firstly because the owner of every website has legal obligations to protect data about his or her customers. An equally important reason for running a secure website is that in the long term, it pays off in terms of customer trust. There is enough nervousness about sharing data online without taking additional risks by leaving your website open to hacking.
So how does website protection work? Internet browsers and Web servers communicate using the HTTP Secure, or HTTPS protocol. This relies on a combination of web certificates and encryption, techniques which scramble information as it travels the Internet, then confirm the online identity of websites as part of a ‘handshake’ routine. HTTP, the basic standard underpinning all Internet communications, is overlaid with a powerful and flexible encryption system, SSL (Secure Sockets Layer) to ensure the secure connection.
But SSL had some weaknesses – SSL 2.0 did not have any protection for the ‘handshake’ portion of the communication between client and server, so a ‘man-in-the-middle’ attack could go undetected.
An upgraded form of SSL called TLS (Transport Layer Security) is now widely used – in fact TLS started to replace SSL starting from 1999, and the latest version, TLS 1.3, was published in 2018.
Even Transport Layer Security is not a final solution – in 2013, Google announced that it would no longer use 1024-bit public keys, and would switch instead to 2048-bit keys to increase the security of the TLS encryption, encryption strength is directly related to the key size.
But how does the visitor know that website security measures are in place? Usually, the answer is that the browser bar will show the web address starting with HTTPS, whereas for an unsecured website the address would start HTTP.
Another visible sign that a website is secure is a padlock which the user can click on to check that the name on the site’s SSL certificate is what it is meant to be. Some web browsers colour code the address bar, green for a safe site with active encryption, or red for an insecure website and therefore a potentially dangerous one.
So, what sort of website security checklist should you go through to make sure that your website protection is up to scratch?
Why Is Website Security So Important?
Checking that you have a secure website is a multi-step process, but why is it so essential?
The problem is that your website, while functioning a ‘calling card’ to customers and an advertisement for your company, is also an open invitation to attackers. Hackers may want to deface or crash your site; they may want to steal credit card and other transaction information from your customers; or they may want to infect your site with malware to spread it to your customers’ computers and steal data from there. They may even want to add your website to a ‘botnet’ of infected sites to spread malware even further.
As your website is often your main contact with customers, if you don’t take care of website security, your relationship with your customers will be compromised. You may also be liable to legal action if you have not taken sufficient precautions to protect your users’ data. Fines and penalties for breaching data laws could be enough to bring down a small business, so don’t let it be yours.
In extreme cases, an unprotected website becomes a security risk to its customers, to other businesses, and to public or government sites, as hackers exploit unsecured websites to harness the combined power of many computers. Hackers are rarely caught, so responsibility for data breaches often falls on the website owner.
How To Check Your Website Security
Checking website security can be a complex, multistage task, but there are some essentials you should make sure to check first.
Any effort you put into security could be wasted if your web certificates expire, which would cause customers to get pop-up warnings about your site. So make sure you know when your SSL certificate expires, and that you will get a warning when expiration is due. Check that your certificate is trusted by default in the major browsers – it should be, but only if the company from who you buy your certificates is keeping up with security updates. Major updates to browsers could well make it necessary for your website administrator to re-issue certificates, or update the configuration of their servers.
Example Of An SSL Expired Pop-up Warning
Next on your website security checklist ought to be to obscure your header information. The type and version of your platform is useful information to hackers, who can use it to narrow attacks to methods specific to the weaknesses of your platform or version. This header information is not always hidden by default, so take steps to obscure it.
Once your company policies have been fixed, you should test your configurations regularly to make sure they comply. This gives your IT team a chance to fix security gaps before they are exploited from outside. Another advantage of regular configuration testing is that it pushes systems towards standardisation, streamlining workflows and making updates easier. Automated configuration testing can make the process easier, and validate all your other security measures.
Once you have these steps completed you can implement more stringent measures to improve your website protection.
Five Ways To Improve Website Security
A secure website depends on a lot more than an SSL certificate. Here are some more step you can take to make sure that yours is not an unsecured website.
1.Check SSL is sitewide
While the lock symbol in the browser address bar shows that a website has an SSL certificate, that isn’t enough unless the SSL measures are strictly enforced, and for every page of the website. As information transmitted outside of SSL connections passes in plain text and can be intercepted easily, data forms or password pages on the unencrypted side could compromise website security measures for the whole site.
Enable HTTP Strict Transport Security
HTTP Strict Transport Security ensures that browsers communicate only with another website over SSL. Any non-SSL requests from an HTTP website are converted to HTPPS requests automatically. If this isn’t implemented, your website could be prone to a man-in-the-middle attack, where a site user is misdirected to a bogus site between the SSL and non-SSL sites.
Use Secure Cookies
Cookies, small files carrying user-specific data, can be intercepted, making it possible to impersonate a client to a web server. Secure cookies, which can only be transmitted across an SSL connection, prevent this happening. Of course, to use secure cookies, you first have to ensure sitewide SSL, as secure cookies cannot be delivered over unencrypted connections. Another approach is to use HttpOnly cookies, restricting access to cookies by client-side scripts.
Secure Your Forms
Forms that accept user input are vulnerable to SQL injection, where malicious code is used to compromise a database. Data input mechanisms should be validated so that only proper data can be entered and stored in the database.
Protect against DoS attacks
It’s difficult to defend your website against Denial of Service attacks completely, as they use legitimate lines of connection, flooding servers with data until they overload and cannot respond to legitimate requests. But there are measures you can take to resist DoS attacks, such as in-house mitigation (though this will be limited to your internal resources), or using a cloud mitigation provider which will identify and block malicious traffic, and offset the load of a DoS attack.
Once you have these protocols in place, you have the beginnings of a security policy. But what more can you do to make sure that yours is not an insecure website?
One of the essentials of website security is the principle of backing up all your data. Hackers, accidents or management errors could lead to loss of data, and if you aren’t able to restore your website and associated data from a backup, you could lose more than your customers’ confidence.
There are two basic principles to making backups; one is that they must be done regularly, the other that they must be stored offsite (though it also makes sense to have a backup locally).
Cloud storage now offers simple ways to back up your data offsite, and if you don’t have the facilities for local backup, why not keep offsite backups on two different cloud services?
As for regularity, you can’t really back up too often – your schedule should match the frequency with which you update your website. If you have very active user engagement with daily comments, you should back up daily. Otherwise, weekly or monthly might do, but if you only feel the need to back up once a year, you aren’t doing enough to keep your website busy.
WordPress sites, for instance, can be backed up using a plugin set to back up your files and databases regularly, and to delete unwanted old backups. If your backup is hosted in the cloud, you can always download a copy for local storage too.
Many web hosting services also offer backup functions – these can help you to restore your entire site in case of catastrophic data loss, or to roll back your site to an earlier version.
You can even perform a manual backup, using tools such as FileZilla and phpMyAdmin, creating dated folders for each separate backup.
You might find constant software updates a chore, but most of them are designed to address security issues, often fixing dangerous potential breaches, so they must be taken seriously.
When website security measures are not addressed through updates, serial infections can occur; and smaller sites are often the most vulnerable as they are less likely to have rigorous update protocols in place.
For effective website protection, make sure the following are included in your regular updates:
Your content management system, whether it’s WordPress, Drupal, Joomla or other, should be top of your list for updating.
You should only download and use plugins from trusted sources, and you should check regularly for security updates from the supplier. If they are not regularly updated, they may become vulnerable to malicious activity.
Themes can be a minefield of malware, particularly if they are free. Again, ask yourself whether you really need them, and use them only from trusted sources.
Browsers and browser extensions can be a source of attacks, so again, install them only from a trusted source, and keep them up to date
Your server itself, whether it is NGINX, Apache, IIS or any other system, is as vulnerable as your website, and unless you are a developer you may not be aware of the risks. So, as with the other aspect of your website’s structure, your server software should be updated regularly.
Though automatic updates for all these systems may sound sensible, this can cause functionality issues, so it’s best to back up the entire site, then have a developer help you with the update processes.
Ensure Strong Passwords
Top of your website security checklist should be password safety. “It’s important to have strong passwords because 81 percent of hacking-related breaches are due to weak or stolen passwords, according to the 2018 Verizon Data Breach Report,” says Darren Guccione, CEO & Co-Founder of Keeper Security. “Passwords are the single easiest entry point you can protect.”
Guccione’s top ten tips for password security are:
Don’t use a common phrase – ‘123456’ or ‘abcdef’ are right out, as are words such as ‘admin’, ‘password’ or ‘hello’. In fact any common phrase, or a variation using a simple symbol substitution, is vulnerable to a ‘dictionary’ attack.
Make it long – longer passwords are less vulnerable to hacking, and if it’s long and contains random numbers and letters, even better.
Don’t re-use – old passwords or those from another account should not be used
Test your password – you can check if any of your accounts have been breached using the site haveIbeenpwnd.com. A password strength meter will help you decide on a strong password, though this is not an infallible trick.
Store passwords carefully – don’t store them in your browser or on your smartphone, and definitely don’t write them on a sticky note and put it on your monitor!
Be creative with your keyboard – try setting a password sequence by tracing a memorable shape on your keyboard.
Try diceware – this generates a completely random password. Of course, you then have to remember it, so –
Use a password manager – you’ll never remember those gibberish diceware passwords, so store them in an encrypted vault application.
Use two-factor authentication – this adds a second layer of protection such as a code-generating app on your smartphone, a numeric key fob or a USB key.
Use security questions carefully – they may seem like a useful extra layer of security but can often be guessed, so make sure to select questions to which only you can know the answer
Use Encryption For Logins
One essential in creating a secure website is to make sure that you do not keep a record of all passwords in an easily readable form. Even major corporations such as Adobe have made this mistake, to their cost.
Increasingly sophisticated hacking methods demand increasingly sophisticated encryption techniques. It’s simple to encrypt a password using a Data Encryption Standard, perhaps storing the key on another server; but this isn’t particularly secure. After encryption, the passwords should also be hashed (mixed up using a random input) to make it harder to decode, but this is still vulnerable to attacks using massive CPU power.
Repeated hashing with thousands of iterations is the preferred method – you then store the iteration count, the random input used to ‘salt’ the hash, and the final hash in your password database. As hacker tools increase their power, you should increase the iteration count to maintain your website security.
Make Sure You Are Using An SSL Certificate
An SSL Certificate (Secure Socket Layer) shows that your website is encrypting any information going to and from its server, so you need it if you are collecting any sensitive data. The lock symbol and HTTPS at the start of your URL shows that you have web certificates in place and reassures your users.
The actual function of your certificate is to show that your website is what it claims to be – if it doesn’t have a web certificate or a URL beginning with HTTPS, it could be an insecure website.
Setting up a website with an SSL certificate is fairly straightforward.
- Pick a host with a dedicated IP address, so your website is not sharing with any others
- Buy an SSL certificate – this contains a complex password which is checked for each visitor to your website, and if it matches, the website is verified and data going to and from it is encrypted
- Activate the certificate – generate a Certificate Signing Request and provide a receiving email address for your SSL certificate
- Install the certificate – you can do this yourself or have your web host do it for you
- Update your site to use HTTPS – crucially your login and cart checkout pages, but as we’ve said earlier, it’s safest to make sure that all pages are enabled for HTTPS.
The Transport Layer Security (TLS) Handshake Protocol is responsible for the authentication and key exchange necessary to establish or resume secure sessions. When establishing a secure session, the Handshake Protocol authenticates the server and the client, exchanges session key information, and negotiates the ‘cipher suite’ – the system of encryption which is going to be used on the exchanges between the website’s client and server.
Where Do You Get A Website Security Certificate?
A website security certificate is bought from a third party called a Certificate Authority (CA). Any web browser, such as Chrome, Firefox, and Safari will maintain a list of trustworthy Certificate Authorities, so when a user accesses what should be a secure website, the site presents its security certificate to your browser. If the certificate is from a trusted CA and is up to date, the user is allowed to enter the website and complete transactions without warnings – if the website is not certificated, or the SSL certificate is not up to date, a warning will be given.
Current popular CAs include Comodo, Symantec, GoDaddy, GlobalSign and DigiCert; the list does change occasionally due mainly to mergers and acquisitions.
How A Web Development Agency Can Help Keep Your Website Secure
If all this sounds like maintaining website security is a real chore, the good news is that a web development agency can help you.
If you are having any problems with website protection, need advice on setting up and maintaining a secure website, or are confused by jargon such as SSL (Secure Socket Layer), TLS (Transport Layer Security), or HTTPS (Hyper Text Transfer Protocol Secure), ask a web development agency for help.
A few of the ways a web development agency can help you to maintain a secure website are:
- KEEPING YOUR SOFTWARE UP TO DATE
- ENFORCING STRONG PASSWORD POLICIES
- ENCRYPTING LOGIN PAGES
- CHOOSING A SECURE HOST
- CLEANING YOUR WEBSITE
- BACKING UP YOUR DATA
- SCANNING YOUR WEBSITE FOR WEAK SPOTS
- RUNNING SECURITY AUDITS
TRON Media can help with all your website security requirements. TRON Media has a highly qualified team of trained specialists in website security, email marketing, paid search marketing, PPC, Google Ads, organic SEO, content marketing, web design, digital strategy and social media, and can work with you to develop your ideas and build a website security protocol perfect for your business.
TRON Media is a leading website protection agency located in Brighton, offering the easiest and most cost-effective way to guarantee you have a secure website. Get in touch today to find out about our latest website security services, email marketing services, pay per click services, SEO services, web design services, and what a web development agency can do for your business.