An often overlooked part of building dynamic websites, such as CMSs, DMSs, E-Commerce sites, and so on, is website security. Non-professional web designers and, sadly, some professional web designers often don’t fully understand how important this part of the process is, or in some cases, don’t allow enough in the build budget to provide sufficient time to address security properly.
Sure, a lot about web security has to do with the web host itself, but when dealing with dynamic web sites, such as Content Management Systems, or E-Commerce platforms, it’s important that the web developer understands site security very well. Customers say that the security of a website is the number one reason why they do or do not shop on particular websites. So, it’s important that you not only look professional, but also that your site is secure and develops a reputation for being so.
Regular site updates
Most people are under the impression that once you get a website made, that’s it, it’s done. There’s nothing more to do now than add content and make money. But the truth of it is, every dynamic website needs maintenance. Every single minute of every single day, there are hackers who are finding new ways to penetrate code that was considered secure only days ago. When it comes to making sure your website software is up to date, I like to think of dynamic websites as a lot like cars. You don’t just buy a car and then never have to put another dime into it, do you? Your site needs regular maintenance in very much the same way. The code needs to stay current so that hackers can’t get in and make a mess of all the work that’s come before. WordPress, for example, while it’s the most used platform in the world for websites, gets frequent updates. Some of these updates are to add new features, some of them are to increase performance. Those, while nice, you can live without. But occasionally, they release security fixes. These could not be more important to apply. Once there’s a known bug, the hackers get busy looking for the sites that haven’t been patched so they can do as much damage as possible.
Another reason for regular updates is that web hosts are always updating their software in the background as well, pretty much for the same reasons: better performance, new bells and whistles, but most of all, security. The hosting server software will usually be backwards compatible to a point, but at most “milestones”, it will likely stop working with your current version of software or, at the least, make it seem “buggy”. For example, most hosts are currently running PHP version 5, but some are still sadly running 4 or even 3. There are a number of known security bugs in these versions now. I know of a site that was still running on version 4 that was recently hacked because of failure to upgrade. The problem was that his software got so far behind that there was no clear upgrade path available to get it running on version 5, so it was just let go and ran until it was too late. Typically, if you’re making your incremental upgrades to your site, then the big milestones won’t be too big of a problem and are usually fairly seamless.
Regular Database Backups
Dynamic websites keep all of the site content in a database. This is the brains of your website. If something happens to it, that can mean the end of your site. It could just get corrupted, and then there’s a possibility of restoring it, although often through a lot of work. But if your site got hacked and the database was flushed, there would be no way to get it back. That’s why regular database backups are absolutely vital to every single site that uses them. It’s not that difficult to make regular backups. There are even tools that will do this for you. The more often you do it, the better, as this would be your restore point if something really bad happened.
SQL Injection Attacks
SQL Injections occur when the data input is not thoroughly sanitized. Most of the better CMSs and E-Commerce Platforms now do a pretty good job of this, but there are some that still do not. Over the past several years, this has been one of the most popular ways for hackers to obtain a foothold into the website’s database. Even recently, one of the hacks that occurred on Sony was achieved this way. I won’t go too deep into it here because it’s a very deep subject and not one where you as a website owner need to understand the “how’s”, just that having someone who doesn’t understand it can be very detrimental to your website’s future.
Locking-down permission on files and folders (directories)
All files on the web server have certain permissions. There is sometimes a fine line between being too restrictive, so that the software itself can’t even access them, and being too unrestricted, which could easily allow hackers in to manipulate them. Not having a good understanding of these settings can have adverse effects either way.
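One way to check for the "too unrestricted" side of that line is to walk the site directory and flag risky mode bits. The script below is an added example, not part of any hosting tool; the sample tree, the function names and the list of file names treated as secrets are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

# Assumption: file names treated as holding credentials. wp-config.php is
# WordPress's settings file; extend the set for other platforms.
SECRET_FILES = {"wp-config.php", ".env"}

def audit_tree(root):
    """Return sorted (relative path, octal mode, reason) for risky entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                # Too loose: any account on the server can modify this entry.
                findings.append((rel, oct(mode), "world-writable"))
            elif name in SECRET_FILES and mode & stat.S_IROTH:
                findings.append((rel, oct(mode), "credentials readable by all users"))
    return sorted(findings)

def build_sample_site():
    """Create a constructed site tree in a temp directory for the demo."""
    root = tempfile.mkdtemp(prefix="site-")
    layout = {
        "index.php": 0o644,          # typical: owner writes, others read
        "wp-config.php": 0o644,      # holds database credentials
        "uploads/photo.jpg": 0o666,  # anyone can overwrite
    }
    os.mkdir(os.path.join(root, "uploads"))
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root

if __name__ == "__main__":
    for finding in audit_tree(build_sample_site()):
        print(*finding, sep="\t")
```

Tightening a flagged entry should be followed by a test that the site software can still read and write what it needs, since over-restricting breaks the site in the other direction.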
Having an SSL if you are sending sensitive data
Every website which conducts business over the Internet, such as those making e-commerce transactions, should use SSL. By having an HTTPS Certificate on your website, you are letting your customers know that you care about their security. Most site visitors these days will no longer enter credit card information if the page doesn’t show HTTPS in the URL. SSL prevents hackers from accessing the personal information that gets transferred when a page is submitted. It prevents eavesdropping on and tampering with that information. All major web browsers (e.g. Firefox, Google Chrome, Opera, Safari, and Internet Explorer) have some built-in security capabilities, but on their own, these are insufficient. SSL certificates can be purchased from companies such as VeriSign and GeoTrust, who are the bigger players in the market, and there are some others as well.
By making use of various monitoring services, you can greatly decrease the chances of your site falling victim to being hacked. It’s just one more tool in the website security utility belt.
What are some down-sides to not taking security seriously enough?
- Infecting your customers with malware, spyware.
- Losing trust of your site users.
- Getting de-indexed from Google.
- Having your entire site taken over.
- Having sensitive information leaked.
- Having your site used to send spam through insecure scripts.
There’s absolutely no way anyone can claim that your site will be unhackable, and if they say otherwise, they’re simply not telling the truth. Heck, even major Government sites and Fortune 500 Company sites get hacked occasionally. At Level One Web Design, we do understand security and use best practices to at least minimize the chance that this will happen.