How to improve your website security in just one read

Last Updated on June 23, 2022

Most business owners know that website security should be a top priority, but how to improve your website security is a mystery. It’s a complicated issue requiring extra time to focus on it. But a lack of technical knowledge shouldn’t prevent you from crushing it when it comes to protecting your data and your people. That’s why USDP wants to offer knowledge and tips for making your website more secure.

Are you a part-time web security expert?

We’re guessing no. After all, most people aren’t. But all it takes is one website security issue to rear its ugly head, and you find yourself acting as a security expert to tackle the problem.

Let’s pretend for a minute you are a part-time security expert. What do you need to know?

Basic-level: You should be able to confidently say yes to these five questions.

  1. Does your website have an updated SSL certificate for an encrypted connection?
  2. If your site uses WordPress, are you using a website security plugin like Sucuri and/or WordFence?
  3. Are your passwords strong enough?
  4. Do you have a complete and frequent backup solution in place in case you need to recover your site?
  5. If you are storing any sensitive data (customer info., account details, credit cards, etc.), have you performed a security audit on your site?

Next-level: What are common website security issues and how do you fix them?

Issue 1: Cross-site scripting attacks

Cross-site scripting (XSS) attacks happen when a hacker injects malicious code into a website. Think murder hornet. It’s not good. That bad code runs when an unsuspecting user visits the infected page. This kind of attack can be bad for users and site owners alike.

The main entry point for XSS attacks is the forms on your website. The most common are comment forms, because the content of the comments is displayed back on the site, so any malicious code in a comment is displayed as well. Blog websites and online forums are particularly vulnerable.

How to prevent it: Ensure that your commenting system “sanitizes” the content of the comments and strips out any potential bad code before it is displayed to the user.
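What “sanitizes” means in practice, as an added Python example that is not part of the original post or USDP’s code (on WordPress the commenting system and plugins do this for you): an allowlist sanitizer keeps a few harmless tags, rejects every attribute except a safe `href`, and HTML-escapes all text, so injected scripts never reach the page. The allowed tag and attribute sets are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "a"}
ALLOWED_ATTRS = {"a": {"href"}}     # only <a> may carry an attribute, and only href
SAFE_SCHEMES = ("http://", "https://")
DROP_CONTENT = {"script", "style"}  # their text is code, not comment text

class CommentSanitizer(HTMLParser):
    """Rebuilds a comment keeping only allowlisted markup; all text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.dropping = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
        if tag not in ALLOWED_TAGS:
            return                      # the tag vanishes; its text survives, escaped
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # onerror=, onclick=, style=, ... never survive
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue                # rejects javascript: and data: URLs
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.dropping:
            self.dropping -= 1
        if tag in self.open_tags:       # close the most recent matching open tag
            del self.open_tags[len(self.open_tags) - 1 - self.open_tags[::-1].index(tag)]
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=True))

def sanitize_comment(raw: str) -> str:
    """Return HTML that is safe to insert into the page body."""
    p = CommentSanitizer()
    p.feed(raw)
    p.close()
    # close anything the commenter left open so it cannot swallow page markup
    p.out.extend(f"</{t}>" for t in reversed(p.open_tags))
    return "".join(p.out)
```

Run `sanitize_comment()` on every comment before it is rendered, never on the way into the database only, so that content stored before the check was added is covered too.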

Issue 2: SQL Injection attacks

In this type of website attack, the hacker leverages insecure code or forms in your application to access your application database, which can contain sensitive data (like your customer transactions). While this type of attack can expose precious user and business data, it is easily preventable.

How to prevent it: The best way to prevent this sort of attack is to use a trusted forms engine that stores data outside of your application. One good example would be forms embedded on your site from a CRM system. These forms never interact with your system, which means any potential SQL injection threat will be eliminated.

Lastly, SQL injections can happen outside of “custom forms” and can be leveraged to attack any part of the application that accepts outside data. The best prevention to protect against these attacks is to ensure that your software is as updated as possible and to leverage additional security layers such as a Web Application Firewall (see below).
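The post’s advice is to keep form handling off your own application. Where your own code does query the database, the standard fix is parameterized queries; the following added example (not from the original post, not USDP’s code) shows the insecure lookup beside the hardened one, using Python’s built-in sqlite3 module and a constructed orders table. A customer name containing an apostrophe is enough to show the difference: the insecure version parses the name as SQL and fails, the hardened version treats it as data.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                     [("O'Brien", 42.0), ("Smith", 10.5), ("Smith", 7.25)])
    return conn


def orders_unsafe(conn: sqlite3.Connection, customer: str) -> list:
    # Insecure form: the submitted value is pasted into the SQL text, so any quote
    # or SQL syntax it contains is parsed as part of the query.
    sql = f"SELECT id, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def orders_safe(conn: sqlite3.Connection, customer: str) -> list:
    # Hardened form: the value is bound as a parameter and the database engine
    # treats it purely as data, whatever characters it contains.
    sql = "SELECT id, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def unsafe_query_breaks(conn: sqlite3.Connection, customer: str) -> bool:
    # True when the value was interpreted as SQL rather than data. A harmless
    # apostrophe already triggers it, which is exactly the opening an attacker uses.
    try:
        orders_unsafe(conn, customer)
        return False
    except sqlite3.Error:
        return True
```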

Issue 3: Remote Code Execution

One of the most common vulnerabilities is when a hacker is able to upload code onto the server where your site is hosted (just a fancy computer) and then execute it there. Depending on the security configuration of the server, the hacker could have complete control over your site files, database, and any other assets on the server. (Murder hornet scary, right?)

How is it done? Code can get onto the server through some pretty complicated means, but the simplest way is by cunningly uploading a file through a simple form on your website. Any time you allow the public to upload a file, it’s critical that you make sure the upload is secure.

How to prevent it: Restrict what types of files can be uploaded, control where the files live on the server after upload, and make sure that nothing in that directory can be executed as code (even if it looks like an image). This will assure you get the files you want and keep the dangerous files out.
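The three controls above (allowed types, storage location, no execution) as an added Python example that is not USDP’s or the original post’s code. It assumes a hypothetical upload directory outside the web root, judges a file by its content signature rather than the name the browser sent, throws that name away entirely, and writes the file without an execute bit; in production your CMS or hosting configuration enforces the no-execute rule for that directory, which the example only approximates.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Assumed layout (hypothetical path): uploads live outside the web root, so the
# web server never serves or executes anything in this directory.
UPLOAD_DIR = Path("/var/app/uploads")
ALLOWED = {                    # extension -> expected leading bytes of the content
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(filename: str, data: bytes) -> str:
    """Return the extension to store the file under, or raise ValueError."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = Path(filename).suffix.lower()   # "shell.php.png" is judged by ".png" ...
    if ext not in ALLOWED:
        raise ValueError(f"file type {ext or '(none)'} not allowed")
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise ValueError("content does not match extension")   # ... and must really be a PNG
    return ext


def store_upload(filename: str, data: bytes, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Validate, then save under a random server-chosen name with no execute bit."""
    ext = validate_upload(filename, data)
    upload_dir.mkdir(parents=True, exist_ok=True)
    # The client's filename is discarded: no traversal, no double extension,
    # no overwriting someone else's file.
    dest = upload_dir / f"{secrets.token_hex(16)}{ext}"
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)  # rw-r-----
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> tuple:
    """Store a constructed PNG signature plus padding in a temp dir; report where it went."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = store_upload("../../evil.php.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, Path(tmp))
        mode = dest.stat().st_mode & 0o777
        return dest.suffix, dest.parent == Path(tmp), mode & 0o111 == 0
```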

Issue 4: Third-party tools and updates

Most websites today are built using a Content Management System (CMS) like WordPress, along with third-party plugins that provide functionality such as form creation or e-commerce. With these plugins, you’re relying on the developers of these tools to prevent all of the attacks we covered so far. It might sound risky to trust these independent developers, but it’s actually the best-case scenario because these developers spend a great deal of time making sure their code is in top shape.

So what’s the problem? We’re all human, so mistakes can happen. Developers typically release regular updates to their tools to provide the utmost security and feature set. Keeping these tools regularly updated is as important as locking your doors. Allowing large chunks of code and plugins to become outdated could lead to website vulnerabilities that hackers can leverage.

How to prevent it: Update your plugins and CMS regularly. If you’re not sure how or if you should, ask your website administrator to review the outdated code or plugins before pressing the update button. USDP frequently (and happily) reviews updates for our clients. Better safe than sorry.

Using security tools to prevent attacks

You’ve probably heard that you need to have firewall software installed and configured on your computer. Web applications often need firewalls, too. For WordPress, tools such as WordFence or Sucuri offer you professional security and protection for your website. These tools remove most of the guesswork and leverage teams of security experts so that hackers can’t get into your website, even when there are exposed vulnerabilities in your code.

Our recommendation? Use one of these tools with EVERY website. It will save you time and headaches, and you’ll be surprised how many attacks are happening on your website each day. 

What happens if your website is hacked?

Don’t panic!

  • Contact your website administrator right away.
  • Change every password associated with the site. The longer and crazier, the better.
  • You or your website admin will then work to restore the site from a clean backup copy. Once the backup copy is working, identify how the hack was performed and what steps are necessary to prevent it in the future.

While you and your website team are tackling the hack and restoring the site from a backup, let your customers know there is something wrong and you’re working to fix the issue. But act fast, because you don’t want Google to start indexing you as a hacked website.

Regular check-ups can keep your site healthy 

Stay one step ahead of hackers by keeping your SSL certificate updated, implementing a website security tool like WordFence or Sucuri, and making sure your forms are updated and secure.

We recommend a proactive approach and having an expert conduct regular maintenance and check-ups to prevent issues. Waiting for something bad to happen to identify major issues puts your business at serious risk.

We know website security probably isn’t your wheelhouse. But it is ours. So if you have questions or want advice on web security, we’re here to help. Schedule a website security consultation.