How can you as a website owner ensure that your website is secure? More importantly, what is web security?
Web security is the cumulative phrase for all of the methods and measures that you can use and enforce to keep the files behind your website, and any data belonging to your customers, safe. Security should be built into your website from the very beginning, but certain systems, the likes of WordPress, allow you to easily install security measures at any time at little or no cost. Large chunks of this post are oriented around WordPress, but some points are relevant to any and all types of website.
Here’s how you can test the current security of your website and potentially improve it yourself. We’ve also included a list of additional areas that you may wish to pass onto your web team to ensure that your website is secure.
The Basics of Web Security: Your Passwords
It goes without saying: you need to use strong usernames and passwords. Putting any other web security measure in place while your website is accessible through the username ‘admin’ and the password ‘qwerty’ is wasted time, effort and money.
The common procedure on websites today is to either force a website user to use their email address as a username, or ensure that their username follows a strict pattern. On most websites today, you’re asked to create a username or create a strong password that contains ‘at least one character, one number and one special character’.
One of the main reasons behind this, particularly for passwords, is ‘rainbow tables’. Your website should store passwords as one-way hashes rather than in plain text, so that if anyone manages to steal a password from your database, they’re given a string such as ‘5f4dcc3b5aa765d61d8327deb882cf99’ instead of ‘password’. Rainbow tables are essentially huge, precompiled lists of these number/letter strings so that hackers can look up the original password for a stolen hash without having to reverse the hashing process. If your password is uncommon and contains special characters and numbers, it is far less likely to appear in such a table, which makes it much more difficult to decipher.
Conclusion: use strong passwords, but you probably knew that already.
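As an added illustration of the point above (example code written for this post, not part of the original article): the hash quoted above is the unsalted MD5 of the word ‘password’, and because every site that stores bare MD5 hashes produces the same string for the same password, a single precomputed table works against all of them. The tiny dictionary below stands in for such a table; the second scheme, a per-user random salt combined with the standard library’s PBKDF2, makes every stored value unique, so no precomputed table can be reused. The iteration count and the list of sample passwords are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- The weak scheme the article warns about: one fast, unsalted hash per password ---

def unsalted_md5(password: str) -> str:
    """Return the hex MD5 of a password with no salt (do not use for real storage)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a rainbow table: hashes of a few common passwords,
# precomputed once. Any site storing bare MD5 hashes can be checked against it.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
PRECOMPUTED = {unsalted_md5(p): p for p in COMMON_PASSWORDS}

def lookup_unsalted(stolen_hash: str) -> Optional[str]:
    """Recover a password from an unsalted hash by table lookup; None if absent."""
    return PRECOMPUTED.get(stolen_hash)

# --- The hardened scheme: random per-user salt + slow, iterated PBKDF2-HMAC-SHA256 ---

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)

if __name__ == "__main__":
    stolen = unsalted_md5("password")
    print("unsalted md5:", stolen)                      # 5f4dcc3b5aa765d61d8327deb882cf99
    print("table lookup:", lookup_unsalted(stolen))    # password

    # Same password, two users: salted digests differ, so one table cannot serve both.
    salt_a, digest_a = hash_password("password")
    salt_b, digest_b = hash_password("password")
    print("salted digests identical?", digest_a == digest_b)   # False
    print("verify correct password:", verify_password("password", salt_a, digest_a))  # True
    print("verify wrong password:", verify_password("qwerty", salt_a, digest_a))      # False
```

A strong, uncommon password is still the user’s best defence, because even a salted hash of ‘qwerty’ can be guessed by trying common words one at a time; salting and a slow hash only ensure that each guess has to be paid for separately, per user, rather than looked up for free.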
Core & Plugin Updates
As well as new features, updates to apps, plugins and frameworks often come with security fixes and enhancements. It’s crucial that you keep on top of your updates to ensure that your website is as secure as possible.
Frameworks like WordPress make updating as simple as possible. Always make sure to back up your website files and any associated databases before carrying out any updates (you may need the help of your preferred web design/development or hosting company to carry out a full backup).
HTTPS & SSL Security
In days gone by, the URL for the websites that you would visit would start with http://www. or simply http://. HTTP stands for Hypertext Transfer Protocol and it’s the foundation of data communication via the World Wide Web. Today, we have HTTPS, which secures the connection between you, the website user, and the website itself. The purpose of this is to prevent a third party from intercepting any data about you whilst you browse.
Part of securing the connection between your website and your website visitors involves an ‘SSL Certificate’. Through projects such as Let’s Encrypt, you can set up an SSL certificate and HTTPS on your website absolutely free. The process can get a little technical, so it’s good to have someone with some web experience close by, but you can complete the setup yourself.
Alternatively, you can purchase an SSL certificate through your hosting provider. If your website is bespoke, i.e. not on a framework such as WordPress, you’ll need to work with a web agency to transfer your website to full HTTPS security. For WordPress, you can use a plugin such as Really Simple SSL that will configure your site for you.
It’s also worth remembering that Google has started marking HTTP websites as ‘Not Secure’ in its Chrome browser, and Mozilla, the makers of Firefox, aim to deprecate HTTP entirely.
Please Note: HTTPS and SSL are part of web security, but they alone do not ensure that your website is as secure as possible. Keep reading.
Web Application Firewall (WAF)
Much like your computer should have a firewall and anti-virus, your website needs a firewall too. It’s usually referred to as a ‘Web Application Firewall’ or ‘WAF’.
A strong firewall will protect your website from common attacks and vulnerability exploits. You might not use any or many plugins as part of your website, but even website frameworks themselves are susceptible to hacking. In February 2017, vulnerabilities were found in the WordPress core framework, versions 4.7 and 4.7.1, that allowed hackers to change the content of your website. Regardless of how big or small your website is, it needs thorough web security. A firewall is a key part of that security.
But what does a website firewall do?
Part of a website’s firewall is a database of known hacks and exploits that have been carried out on websites in the past. If a user then visits your website and attempts a known hack, or something that closely matches the pattern of a previously known hack, your firewall will intervene. It will then (a) prevent the hacker from pulling any data from your website and (b) in most cases, block the IP address of that user in an attempt to stop them coming back to your website. A firewall is a silent hero.
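To make the mechanism concrete, here is a deliberately small, added example (written for this post; it is not the code of any of the products mentioned): a toy WAF with a three-entry signature database that inspects the request path of each access-log line, denies the first request that matches a known attack pattern, and then blocks every later request from that IP address. The log lines are constructed sample data using documentation IP ranges, and the signatures are illustrative only; a real WAF carries thousands of rules plus rate limiting, bot detection and virtual patching for framework flaws like the one described above.

```python
import re
from urllib.parse import unquote

# Constructed signature database: each entry is a name and a pattern matched against
# the URL-decoded request path. Real WAF rule sets are far larger and more precise.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+)"),
    "path-traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"(?i)<script\b"),
}

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

class ToyWaf:
    """Signature matching plus per-IP blocking, as described in the article."""

    def __init__(self):
        self.blocked = set()   # IPs that triggered a rule
        self.events = []       # (ip, rule name, decoded path) for the security log

    def inspect(self, ip: str, path: str) -> str:
        """Return 'allowed', 'denied:<rule>' on first match, or 'blocked' thereafter."""
        if ip in self.blocked:
            return "blocked"
        decoded = unquote(path)   # decode %27 etc. so encoding does not hide a pattern
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                self.events.append((ip, name, decoded))
                self.blocked.add(ip)
                return f"denied:{name}"
        return "allowed"

    def process_log(self, lines):
        """Run every parseable log line through inspect(); returns [(ip, verdict), ...]."""
        verdicts = []
        for line in lines:
            m = LOG_LINE.match(line)
            if not m:
                continue   # malformed line: skip rather than crash the filter
            verdicts.append((m["ip"], self.inspect(m["ip"], m["path"])))
        return verdicts

# Constructed sample access log (IPs from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /about HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 8192',
    '198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /download?file=../../wp-config.php HTTP/1.1" 200 100',
]

def run_demo():
    """Process the sample log and return (verdicts, blocked IPs, logged events)."""
    waf = ToyWaf()
    verdicts = waf.process_log(SAMPLE_LOG)
    return verdicts, waf.blocked, waf.events

if __name__ == "__main__":
    verdicts, blocked, events = run_demo()
    for ip, verdict in verdicts:
        print(f"{ip:14} {verdict}")
    print("blocked IPs:", sorted(blocked))
    for ip, rule, path in events:
        print(f"event: {ip} matched {rule} on {path}")
```

The order of verdicts shows the two behaviours the article describes: the second request from 203.0.113.5 is denied on the spot, and its third, perfectly innocent request to /about is refused anyway because the address is now on the block list. That second effect is why a firewall sometimes locks out a legitimate user who merely typed something unusual, and why most WAF products let you review and clear the block list.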
There are multiple security and firewall plugins available for WordPress websites, the leading security applications being ‘Complete Website Security’ by Sucuri and Wordfence. Sucuri also have separate firewall options available for bespoke websites and data-driven applications.