10 tips to keep your website safe for you and your users

Keeping your website secure is a thankless but vital job.

If you don’t want to be one of the 30,000 websites hacked daily I’ve got some simple tips to keep your site safe.

This site may be hacked

If your site is hacked Google will add a warning message and lower your search rank.

1# Create an unpredictable password

Everyone involved in the support and running of a website should take responsibility for its security and the starting point is to have a strong password.

Test your password at howsecureismypassword.net to see whether a hacker could break yours in years, months, days, hours or even minutes.

For example, the password ‘monkey123’ would take an average desktop computer just 7 hours to crack.

Strong passwords are long and varied, using a mixture of numbers, letters, punctuation and ideally at least 20 characters in length – so more or less impossible to remember – which is why you should use a password manager like LastPass so you don’t have to.
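As an added illustration (not from the original post) of why length and variety matter, this Python snippet estimates the brute-force search space for a password, flags passwords built on a common word as effectively instant to guess, and generates a manager-style random one. The guess rate and the tiny common-word list are assumptions for the example.

```python
import math
import secrets
import string

# Character classes an exhaustive search must cover, each with its alphabet size.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

# Constructed sample of a common-password list; real wordlists are far larger
# and are tried (with digit/punctuation variants) before any brute force.
COMMON_WORDS = {"monkey", "password", "letmein", "qwerty"}


def alphabet_size(password):
    """Size of the smallest union of classes containing every character used."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def keyspace(password):
    """Number of candidates a pure brute-force attacker must consider."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password):
    """Brute-force entropy in bits: log2 of the keyspace."""
    return math.log2(keyspace(password))


def contains_common_word(password):
    """True if the password is a common word plus optional trailing digits/punctuation."""
    stem = password.lower().rstrip(string.digits + string.punctuation)
    return stem in COMMON_WORDS


def estimate_crack_hours(password, guesses_per_second=1e9):
    """Expected hours to find the password at the given guess rate (assumed value).

    Returns 0.0 for passwords built on a common word: a wordlist attack finds
    those almost immediately regardless of the theoretical keyspace.
    """
    if contains_common_word(password):
        return 0.0
    # On average half the keyspace is searched before the password is hit.
    return keyspace(password) / 2 / guesses_per_second / 3600


def generate_password(length=20):
    """Random password drawn from all four classes, as a password manager would produce."""
    alphabet = "".join(CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Run `estimate_crack_hours("monkey123")` next to `estimate_crack_hours(generate_password())` to see the gap the post describes: the first is dictionary-guessable, the second has a search space far beyond any desktop's reach.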

2# Check external links are safe

The security of content on your site isn’t your only responsibility. You should make sure any link to an external website is safe. You can do just that by using Google’s safe browsing checker.

3# Use two-factor authentication

To maintain your website you are probably using a content management system like WordPress or Joomla. Some content management systems, like the two mentioned, give you the option to use two-factor authentication – if the feature is available enable it.

Once enabled, every time you log on to your website a text message will be sent to your mobile. You then need to enter the code before you can edit the site.

This stops a bad guy logging in as you because they don’t have access to your mobile.

4# Think twice before adding third party code

It’s tempting to use third party code to enhance your website. This could be anything from adding Google Analytics, a Facebook Like button or referencing a library like jQuery.

However, as soon as you add the code you are entrusting the safety of your site to a company or person you know nothing about. For example, in 2014 Dropbox had 7 million passwords stolen because of some poorly written third party code.

Only use third party code if it improves the user’s experience and you believe the supplier to be reputable, reliable and committed to maintaining the code.

5# Keep it patched

Keep up to date with the latest updates and patches for your site. It sounds obvious but hackers are quick to exploit known flaws.

This is especially important if you have a popular CMS like WordPress. Their popularity attracts more hackers as the rewards are bigger.

6# Review who has access to your site

If you have a number of people who edit your site you need to ensure you regularly review who has access. Large businesses have a habit of not removing a user’s edit rights months or even years after someone has left.

If you are new to your role and get told to use a former colleague’s password (which I’ve seen happen) – just say no. If you can login, so can they. You might get the blame for a disgruntled former colleague’s edits.

7# Don’t use third-party ads

Third-party ads, supplied by ad networks like DoubleClick and engage:BDR, are a simple way to get ads on your site. However, those ads could unknowingly be serving advertising malware to your users.

A report in 2015 by Cyphort said online infection rates for third-party ads have increased by 325% in 12 months. In the same year ad blockers increased in use by 82%. This means your users are either blocking the ads or potentially being served malvertising.

8# HTTPS / encryption

Protect your users’ data and make your website secure by having an HTTPS connection. To do this you have to pay for a TLS certificate (sometimes referred to as SSL, which was its predecessor).

You can now get HTTPS free for your site at letsencrypt.org, which is currently in Beta, using their automated and open certificate authority. And if extra security for your users isn’t a good enough reason, Google will rank HTTPS sites slightly higher in their search results.

HTTPS encrypts communications between the user and the website. What it doesn’t do is protect the data stored on the website. If a hacker managed to get direct access to your website’s database they could get all the data stored on the site.

Encrypting your website’s database would mean the bad guys would have the data but they wouldn’t be able to make any sense of it because it’s encrypted. There are a lot of good and some bad reasons not to encrypt your website’s database. The important point is that if you store any personal data you should consider doing it – in fact it may be a legal requirement.

9# Test your site regularly

This point is perhaps the most technically difficult and demanding to do – you need to test your website at least once a year and when you introduce new features or start using third-party code.

Penetration testing (also called PEN testing) is the practice of testing a website to find vulnerabilities that an attacker could exploit. Normally this is done by a specialist but if you don’t store personal data you could use some free tools like http://www.openvas.org/ or https://cloud.google.com/security-scanner/

The dangers of not regularly testing your site could get you into the same sort of trouble as the United States Office of Personnel Management (OPM) found themselves in June 2015. It took over a year to discover they lost the records of 21.5 million people which included personally identifiable information such as Social Security numbers, names, dates and places of birth, and addresses.

10# Plan B: Backup your site

Hopefully you never have to resort to plan B and recover your site from a backup.

A backup could mean the difference between getting your site live quickly or losing all your content. However what it won’t do is protect you from the loss of reputation that results from a hack.

How you react to a hack is almost as important as how you protect your site. By being responsive, honest and clear about what you are doing to resolve any issues you can minimise reputation loss. Whatever you do, don’t do a TalkTalk.

You can find out what to do if you’ve been hacked by going to www.stopbadware.org/ or watching this 8 minute video from Google.


Remember, it’s always better to be proactive. Make sure everyone working on your website is aware of their security roles and keep testing your site for vulnerabilities, as the bad guys won’t be taking a rest.

Security of your system is only as strong as the weakest link

