Website security is often an area many overlook or simply prefer to pretend doesn’t exist due to the complexities and cost involved in doing it right; but the reality is that website security and best practice should be one of the top priorities on any business’s agenda, no matter what the cost or effort to implement.

Forget about great UX, outstanding design or perfectly coded PHP: if the security for a website isn’t right and a compromise occurs, the damage done to your brand reputation, customer confidence and public perceptions will be a far more expensive issue to put right than the initial security procedure itself.

On average, putting a security issue right costs 10 times more than it would have done to do it properly in the first place, which is why security, encryption and protection against the likes of DDoS attacks, SQL injection, remote/local file inclusion and a whole host of other ways of breaching a website should be in place from the outset, and be a fundamental part of your website’s planning and specification.

There are a few things you should be looking out for at a very basic level to help secure your website, so here are my top tips for keeping things secure. Obviously, these aren’t exhaustive, and much more can be done for those who want to take their protection to the next level, but these are a great starting point for any business heading towards best practice.

Update your software

This is so simple, but it is something many website owners neglect. New software updates from the likes of WordPress, Drupal or Joomla are available almost every week, and contain important security patches and updates to protect against newly known vulnerabilities. By simply updating your website software and plugins, you’ll keep your site safer, whilst making it less appealing to hackers looking for known, easy-to-target vulnerabilities.

It’s important to remember that most attacks are also automated, using bots rather than people. This means they work around the clock, searching out any outdated software to compromise, so it’s not as simple as updating once a month and expecting things will be OK; things move much more quickly in today’s environment, and systems that keep you up to speed are key.

Use strong passwords

Strong passwords, whilst a pain to remember, make your site much harder to breach. Common breaches are often due to website owners using their child’s name, date of birth or their pet’s name as a password (gulp!), all of which are easy for humans to guess, let alone automated bots.

By enforcing strong passwords across all your websites, you can be safe in the knowledge that a breach due to insecure passwords is much less likely. If you then struggle to remember your password, consider useful password tools such as LastPass, Keeper or Zoho Vault.

Use two-factor authentication (TFA)

Consider what happens if a hacker somehow gains access to your website’s password. At that point, they can simply navigate to the website, use that information to log in and do what they want, potentially locking you out, infecting your site or changing its content. From a marketing and PR perspective, this would need months of hard work and damage limitation to remedy, and based on government stats, cyber-crime is a key reason many SMEs close their doors after an attack, due to the financial and reputational damage done.

But there is a way to reduce the likelihood of leaked passwords becoming an issue, and that’s through two-factor authentication (TFA). By setting up TFA on your website, you can require the Google Authenticator app, or email verification, before a login to the site is allowed. This means that any hacker would need access to your emails or phone (using the app) as well as your login credentials to be able to breach the site. This not only slows them down, but often prevents them from getting any further, keeping your site safe and secure.

Don’t store your passwords in a Word, Excel or any other document on your desktop

Storing your passwords in a handy desktop file such as passwords.xlsx is never a good idea. Hackers are always on the lookout for information like this, so if your personal or work computer gets breached and passwords are stored unencrypted on that machine, say bye-bye to your website, and to any other accounts you have too.

Use a secure password manager, as mentioned above, to keep things central, encrypted and safe. Also consider whether all users really need to be able to see the login credentials for certain things. By giving them one-click logins, they can access the sites they need without being able to store the credentials elsewhere.

Have suitable user access

Rather than giving everyone admin access, consider carefully what each person needs to do on the website, and what they don’t need to do. Once you have that in mind, set up suitable user roles and groups that allow them to carry out the tasks they need to, without access to the things they don’t need. This limits the damage a compromise of any one of those user accounts can do.

Have a robust backup procedure

Ideally, you’ll never need to reinstate a backup of your website, but it’s no good hoping for that to be the case. Instead, it’s important to have a robust backup procedure should the worst ever happen with your website.

Backing up locally to your server is never a recommended standalone solution, as a server breach could also affect the backups themselves. We therefore recommend both local and external backups, via third-party systems such as Dropbox, BackupBuddy or VaultPress.

This means that if a site were compromised, you can restore a clean, secure backup to get your site back up and running quickly, reducing your business’s reputational damage.

Install an SSL Certificate

With GDPR now well and truly ingrained in people’s minds, it’s really important to ensure that data we process is secure and encrypted. Installing an SSL certificate (Secure Sockets Layer) will encrypt and secure data being transferred between users and the server, meaning data such as passwords, credit card information or personal details submitted via a website form are protected and secure.

It’s important to mention, however, that an SSL certificate does not protect your site from attack; it simply removes one potential vulnerability, the interception of passwords and other data in transit. It’s also good for user confidence, and anyone not installing an SSL certificate in this day and age is probably not considering the importance of their web presence adequately.

Go Bespoke

With superb open source systems on the market such as WordPress, Joomla and Drupal, it’s easy to believe that building a new website is just a case of going online, picking a theme and installing. Done.

Well, it’s not really that simple.

Buying a pre-made theme, with all its pre-made structures and architecture, can leave your site vulnerable. Because those themes and configurations are available on the open market, other users, hackers and automated software can learn the site’s structure and identify its weaknesses in order to compromise it.

Instead, have your site built bespoke, by a team who specialise in custom website development. By doing this, the site is unique to your business, not available on the open market, and can be configured to be secure and non-standard in its configuration. Simple changes to the website’s core structure and architecture can stop automated attacks in their tracks. By removing these lazy default settings, hackers will often move on to another website which is ‘lower hanging fruit’.

Your developers should also be considering techniques such as ‘away modes’, file permissions, software and physical firewalls, as well as regular malware and virus checks to ensure your site is safe, secure and up to date.

Use a website firewall

Whilst software firewalls and physical firewalls protect against a number of attacks and potential breaches, a website firewall can take your website’s security to the next level and add a further solid layer of protection.

Website firewalls use a complex global network of servers and connections to understand current, live attacks on other websites out there in the public domain. This system helps to patch security holes in your software instantly, as soon as updates are released, whilst protecting against known breaches on sites anywhere in the world that could also affect yours. This keeps your security ahead of the curve, putting your site among the small minority that are.

Another benefit of some website firewalls such as the ones provided by Cornerstone, is that they also provide what’s known as a CDN, or content distribution network. This helps to speed your site up and serve data more quickly to your visitors no matter where they are in the world.

Set up a maintenance plan

Whilst many see website maintenance plans as money-spinners, when done right they are a critical part of your company’s backup and support network. By maintaining, auditing and security-checking your website regularly, your developers can ensure that the site is configured and secured to the latest standards, whilst carrying out other critical checks that are not so easily achieved via software or automation.

Whilst the above hints and tips aren’t an exhaustive list of website security and development best practices, they’re a good starting point for any user wanting to do their due diligence and secure their site more robustly.

By David Wadsworth, Managing Director. Read more about our web services here.


Cornerstone DM