Website security is one of those unglamorous subjects that is easily neglected but can become urgent very quickly when something goes wrong.
It’s also one of those areas where early investment can save a lot of time, stress and money. Failing to pay attention to the security needs of your website can lead to it being hacked. That could disrupt your website or, at worst, cause major reputational damage and force you to rebuild the website from scratch.
In this post we explain in simple language the key concepts you need to understand to stay ahead of the game.
Security vulnerabilities on your website
The best place to start is to understand the bits of your website that could be attacked. Once you understand these the available safeguards will make more sense.
Control of the files that make up your website
This is the simplest to understand. If the wrong person gets hold of an editor or administrator account for your website they can create and change pages freely, and they may publish things that damage your organisation’s reputation. Even worse, if someone gets access to the server or hosting account and can edit the files your developers use to build and configure the site, the whole thing could be deleted or re-programmed to start doing malicious things.
So controlling access to the website configuration and files is very important.
Quality of the modules that make up your website
Just as a house built with flimsy doors and windows is easier to break into, the components of your website are fundamental to its security. Lots of website design agencies (including us) make use of popular open source content management systems like Drupal and WordPress. These systems rely on an ecosystem of plugins, modules and themes developed by a community of developers, and some of them are better written and better maintained than others. If your website is built with poor quality or outdated modules, attackers can use publicly known weaknesses in them to get into your website and plant ‘back doors’ that let them come back whenever they like.
Snooping on data as it travels across the internet to your website
Even if your website files are secure, malicious systems or people can sometimes spy on data that is submitted by individuals to your website. A great example of this is forms. When someone completes a form, that information must move from their local computer over the internet to the safe harbour of your website. While it’s in transit it can be vulnerable: on an unencrypted connection, anyone on the same network (a public Wi-Fi hotspot, for instance) or anywhere on the path between the two computers can read it, and in some cases change it.
Distributed denial of service attacks (DDoS)
This is a particular type of attack which doesn’t involve getting access to your website at all. Instead the attacker floods the server your website runs on with huge volumes of fake traffic, usually sent from many hijacked computers at once (hence ‘distributed’), until it is so busy that genuine visitors can’t get through or it falls over entirely. Sneaky eh?
How to keep your website secure - our top tips
So how do you beef up your defences and keep nasty people from messing with your website or your users’ data? Here are our top tips:
1. Educate your organisation about secure passwords.
Google even ran an advertising campaign about this on national media but it still remains the case that people think ‘John1’ is a secure password! One better option is to use a strong password generator (google it - there are lots of options). Another is to use a password manager like LastPass (we use their enterprise version to share passwords across the organisation); a manager also makes it practical to have a different password for every site, so one leaked password doesn’t unlock all of your accounts. Or staff can learn to create their own memorable long passwords by using phrases of several words rather than a single word with a number stuck on the end.
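To show why ‘John1’ is weak and what makes a phrase of several words strong, here is a small worked example we have added to this post (it is not code from any password manager or generator). The word list and the list of common words in it are made up for the example; a real passphrase generator uses a list of thousands of words, and a real strength check uses a breached-password list of millions of entries. It also shows the trap most ‘strength meters’ fall into: counting characters makes ‘John1’ look like 30 bits of randomness, when a cracker trying common words with a digit on the end finds it almost immediately.

```python
import math
import secrets

# Constructed stand-in for a diceware-style word list. A real list has
# thousands of words (Diceware uses 7,776); the list size sets the entropy.
WORDS = [
    "anchor", "basket", "canyon", "dolphin", "ember", "falcon", "garnet",
    "harbour", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble", "quiver", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "cobalt", "drizzle", "fossil",
    "glacier", "hammock", "iceberg", "juniper",
]

# Constructed stand-in for a common-word / breached-password list. In practice
# you would check against a real corpus such as a "Pwned Passwords" dump.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "john", "admin"}

# Characters people bolt onto a word to "make it secure"
DECORATION = "0123456789!@#$%^&*._-"


def charset_entropy_bits(password: str) -> float:
    """Naive estimate: length x log2(size of the character classes used).
    This is what most strength meters compute, and it overstates the
    strength of anything built from a dictionary word."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def is_dictionary_based(password: str) -> bool:
    """True for 'John1'-style passwords: a common word with digits or
    symbols on the ends, which crackers try first."""
    core = password.lower().strip(DECORATION)
    return core in COMMON_WORDS


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words chosen uniformly at random from list_size words.
    Five words from a 7,776-word list is about 64.6 bits."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words: int = 5, words=WORDS, sep: str = "-") -> str:
    """Pick words with the secrets module, never the random module, which is
    predictable and not meant for anything security-related."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def assess(password: str) -> dict:
    """Combine the two checks: a dictionary-based password is weak no matter
    what the character-set maths says."""
    bits = charset_entropy_bits(password)
    if is_dictionary_based(password):
        verdict = "weak: a common word with a suffix bolted on"
    elif bits < 50:
        verdict = "weak: too short"
    elif bits < 70:
        verdict = "acceptable"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "verdict": verdict}


if __name__ == "__main__":
    for pw in ("John1", "Xq7$", "correct-horse-battery-staple-zephyr"):
        print(pw, assess(pw))
    phrase = generate_passphrase()
    print(phrase, "true entropy with this toy list:",
          passphrase_entropy_bits(5, len(WORDS)), "bits")
    print("5 words from a 7,776-word list:",
          round(passphrase_entropy_bits(5, 7776), 1), "bits")
```

Note the last two lines: a phrase generated from our 32-word toy list is only 25 bits however long it looks, because the attacker only has to guess which five of 32 words were picked. That is why real generators use lists of thousands of words, and why a phrase you make up yourself should be several genuinely unrelated words rather than a well-known quotation.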
2. Do a security audit of the website modules used by your website
If your website runs on WordPress or Drupal and you haven’t specifically asked about security then it is probably worth commissioning someone to run through all of the modules that make up your website to check they are all well maintained and up to date. There may be simple ways you can remove unnecessary modules that could cause a security issue in the future: a module that is installed but switched off still has its code on the server, so it is worth removing rather than just deactivating. Simpler is always easier to maintain and troubleshoot if something does go wrong.
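To make ‘well maintained and up to date’ concrete, here is an added example (ours for this post, not a WordPress or Drupal tool) of the three checks such an audit boils down to: is a newer version available, has the module had any release in the last two years, and is it installed but not actually in use? The inventory in it is made up; on a real site the installed versions come from `wp plugin list` (WordPress) or `drush pm:list` (Drupal) and the latest version and release date from each module’s page on the plugin or module directory.

```python
import re
from datetime import date

# Constructed inventory. 'installed' and 'active' are what your own site tells
# you; 'latest' and 'last_release' come from the plugin/module directory.
INVENTORY = [
    {"name": "seo-toolkit", "installed": "1.9.2", "latest": "1.10.0",
     "last_release": "2024-03-02", "active": True},
    {"name": "gallery-lite", "installed": "2.4.0", "latest": "2.4.0",
     "last_release": "2019-07-15", "active": True},
    {"name": "contact-form", "installed": "5.1.0", "latest": "5.1.0",
     "last_release": "2024-05-20", "active": True},
    {"name": "old-slider", "installed": "0.8.1", "latest": "0.8.1",
     "last_release": "2021-01-10", "active": False},
]

# Fixed date used for the worked example so the output is reproducible.
AUDIT_DATE = date(2024, 6, 1)


def parse_version(version: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.
    Comparing the strings would claim '1.10.0' < '1.9.2', which is wrong.
    Good enough for the plain numeric versions directories publish;
    pre-release tags like '-beta1' need a proper version library."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(inventory, today: date, stale_after_days: int = 730):
    """Return (module, problem, detail) tuples for anything that is behind
    the current release, has had no release for stale_after_days, or is
    installed but switched off (pure attack surface, nothing gained)."""
    findings = []
    for m in inventory:
        if parse_version(m["installed"]) < parse_version(m["latest"]):
            findings.append((m["name"], "outdated",
                             f"{m['installed']} installed, {m['latest']} available"))
        age = (today - date.fromisoformat(m["last_release"])).days
        if age > stale_after_days:
            findings.append((m["name"], "unmaintained",
                             f"last release {age} days ago"))
        if not m["active"]:
            findings.append((m["name"], "unused", "inactive, remove it"))
    return findings


if __name__ == "__main__":
    for name, problem, detail in audit(INVENTORY, AUDIT_DATE):
        print(f"{name:14} {problem:13} {detail}")
```

Run against the made-up inventory it flags one module needing an update, two that nobody has touched in over two years (the bigger worry: an unmaintained module will never get a fix when a problem is found in it) and one that is installed but inactive and should simply go.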
3. Get a maintenance contract that includes regular updates
Ensure that whoever is hosting your website is also regularly updating it. Ask them how regularly they do this and check it is at least quarterly for routine updates. Security releases are a different matter: when WordPress, Drupal or one of your modules publishes a security fix, attackers start looking for sites that haven’t applied it, so ask how quickly those get installed and expect an answer measured in days, not months.
4. Encrypt traffic with an SSL certificate
‘SSL certificates’ (strictly TLS certificates these days, but the old name has stuck) let your website prove its identity to visitors’ browsers and switch the connection to HTTPS, which encrypts data submitted to your website through forms and other means. This makes it much harder to snoop on or tamper with. We recommend you definitely get a certificate when submissions to your website contain:
- financial information (payment details, bank details), or
- sensitive, private information about users of the website.
When submissions to the website contain personal information that is less sensitive (name, public biography, contact preferences) it is less crucial but still has the following benefits:
- Instils a sense of trust (modern browsers label plain HTTP pages as ‘Not secure’).
- Protects login details, including your own admin passwords, from being captured as they travel to the site.
- Minor improvements in Google’s page rank, since Google treats HTTPS as a ranking signal.
Enabling HTTPS does have some knock-on effects on management of your website, so you’ll need to chat to your website agency. To give you an idea, we offer two options:
- Dedicated basic SSL certificate where we set up and maintain everything for you. We do this for a small monthly fee.
- Use of a content delivery network to add HTTPS protection. The provider we recommend is Cloudflare but there are many others. Good ones will push you to some form of monthly subscription. These systems also provide good protection against DDoS attacks (see above). One thing to check with this option: the network handles the encrypted connection from the visitor to itself, so make sure the second leg, from the network back to your own server, is encrypted too, otherwise form data still crosses the internet in the clear on that stretch.
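Whichever option you choose, certificates expire and have to be renewed, and a lapsed one puts a full-page browser warning in front of every visitor, which is worse than having no HTTPS at all. Here is an added example (ours, not part of any hosting or CDN product) of the check a maintenance contract should be running for you: it connects to a site the way a browser does, with the certificate chain and hostname verified, and reports who issued the certificate, which names it covers and how many days it has left. The hostnames in the usage note are illustrative; the function needs internet access, while the date arithmetic can be tried offline with a fixed date.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional


def days_until_expiry(not_after: str, now: Optional[str] = None) -> int:
    """not_after is the 'notAfter' field from ssl's getpeercert(), e.g.
    'Jun  1 12:00:00 2030 GMT'. 'now' is an ISO date (defaults to today);
    passing a fixed date makes the check reproducible. Negative = expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    reference = (datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
                 if now else datetime.now(timezone.utc))
    return (expires - reference).days


def needs_attention(days_left: int, warn_days: int = 30) -> bool:
    """Renew early: most certificates can be renewed well before they lapse."""
    return days_left < warn_days


def certificate_report(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect like a browser (CA chain verified, hostname checked) and
    report what it saw. Needs network access to the host."""
    ctx = ssl.create_default_context()  # verification and hostname check are on by default
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                protocol = tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, wrong hostname or expired: exactly what a
        # visitor's browser would refuse with a warning page.
        return {"host": hostname, "ok": False, "error": exc.verify_message}
    except OSError as exc:
        return {"host": hostname, "ok": False, "error": str(exc)}

    days_left = days_until_expiry(cert["notAfter"])
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {
        "host": hostname,
        "ok": True,
        "protocol": protocol,
        "issuer": issuer.get("organizationName"),
        "names": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
        "days_left": days_left,
        "renew_soon": needs_attention(days_left),
    }


if __name__ == "__main__":
    import sys
    # Illustrative hosts: expired.badssl.com is a public test site whose
    # certificate is deliberately expired, so it shows the failure path.
    for host in sys.argv[1:] or ["example.com", "expired.badssl.com"]:
        print(certificate_report(host))
```

Run it against your own domain once a week (a cron job is enough) and have it email you when `renew_soon` is true; the `ok: False` path is what your visitors will be seeing if you ever let a certificate lapse.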
Security can be a daunting area, but a good basic understanding of the issues will help you manage your organisation’s website security effectively and can avoid hours of future stress. If you have questions about website security feel free to give us a call or drop us a message.