Design 101 – Website Security Overview

The internet can be a dangerous place for businesses and their websites. There are always people on the prowl looking to break into websites, either to steal the personal details a site holds (which fraudsters can then use to target your customers) or to inject malicious code that attacks the visitors coming to your site.

In this post we explain what you can do to help minimise the risk. There is always some risk, and understanding that is the most important thing for a website owner.

Passwords

It seems like everything these days comes with a password; it’ll not be long before you need to put one into your cornflakes box.

Most people have so many accounts that they end up using the same password for several of them, usually something easy to remember like a date or a word that means something to them.

The problem is that if someone breaks into one account, whether by guessing the password or by a brute-force attack, every account that shares that password is compromised. Attackers also take the passwords leaked when one site is breached and try them on other sites, so a reused password only has to leak once.

So what should we do?

You might have heard the term strong password but what does it mean?

Essentially, a strong password is long, has no ties to your personal information (names, birthdays, pets) and isn't a word or phrase found in a dictionary or in lists of previously leaked passwords. Mixing letters, numbers and special characters helps, but length is what really protects you against a brute-force attack: every extra character multiplies the number of guesses an attacker has to make.

If you're someone who has lots of accounts that need passwords, a password manager such as 1Password may help: it generates a different random password for each site and remembers them for you, so you only have to remember one strong master password.

We set minimum password standards on the sites we build to help minimise the risk.
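As an added illustration (example code written for this post, not something from 1Password or WordPress), here is a small Python policy check of the kind a site can apply when a user chooses a password. The common-password list and the account holder's details are constructed for the example; a real check would load a large list of previously leaked passwords instead.

```python
import math
import re
from typing import List

# A deliberately tiny, constructed list of common passwords. A real check
# would load a large list of previously leaked passwords instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "football"}


def brute_force_bits(password: str) -> float:
    """Size of the search space a pure brute-force attacker must cover, in bits.

    This assumes the attacker knows which character classes are used but has to
    try every combination; it is an upper bound, and a dictionary attack on a
    password made of real words will do far better than this number suggests.
    """
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation
    return len(password) * math.log2(charset) if charset else 0.0


def check_password(password: str, personal_info: List[str], min_length: int = 12) -> List[str]:
    """Return the policy rules a password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if lowered.isdigit():
        problems.append("digits only (dates are the first thing an attacker tries)")
    for item in personal_info:
        item = item.lower()
        # Ignore very short fragments so that, say, a two-letter initial does
        # not reject every password that happens to contain those letters.
        if len(item) >= 4 and item in lowered:
            problems.append(f"contains personal information ({item!r})")
    return problems


if __name__ == "__main__":
    # Constructed account holder: surname Smith, born 1984, dog called Rover.
    details = ["Smith", "1984", "Rover"]
    for candidate in ["Rover1984!", "password", "correct-horse-battery-staple"]:
        print(candidate, check_password(candidate, details), round(brute_force_bits(candidate)))
```

Running it shows the point made above: the short mixed-character password built from the owner's own details fails on three counts, while the long lower-case passphrase passes and has a far larger search space for a brute-force attacker than an eleven-character password that uses all four character classes.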

SSL certificates

Another good step to protect people visiting your website is installing an SSL certificate. SSL stands for Secure Sockets Layer; the protocol has since been replaced by its successor TLS (Transport Layer Security), but the name "SSL certificate" has stuck. Every website that asks for personal information such as email addresses or card details should have one, and really all websites should. If a website has a certificate installed and is served over HTTPS, you will see a padlock in your browser's address bar rather than a "Not secure" warning.

What does an SSL certificate do?

Essentially, it does two things. It lets the browser check that it is really talking to your website and not to an impostor, and it encrypts the traffic between your customer's device and your server so that it can't be read or tampered with on the way, short of someone breaking the encryption itself.


If you don't use an SSL certificate, the nosey neighbour at the table across from you in the coffee shop could read everything sent back and forth, passwords and card numbers included. Not cool.

We ensure that all of your sites have certificates installed and are served over HTTPS, so traffic is encrypted, helping to keep your customers' data safe in transit. Certificates expire, so they also need renewing on time; an expired certificate produces a full-page browser warning that turns visitors away.

WordPress Themes and Plugins

The front end of your website is built around a theme. A theme contains the code that controls how your site looks: the templates, styles and scripts that a browser renders to display your pages. Plugins, on the other hand, are extra pieces of software that you bolt onto your site. These "bolt-ons" add functionality such as a booking system or a contact form.

Depending on what you want to achieve online, you might have a number of plugins installed but only one active theme. As we mentioned earlier, people are always on the lookout for ways to break into websites, and the usual route into a WordPress site is a known vulnerability in a plugin or theme (and occasionally in WordPress itself). Well-maintained plugins and themes are updated regularly to close the vulnerabilities that are discovered, which also means the hole becomes public knowledge for anyone who hasn't updated yet.

What should we do?

Most websites that are compromised are running old versions of plugins and themes, which is why it's important to keep your site up to date, just as you would update the software on your laptop or phone. It's also worth removing plugins and themes you no longer use: an inactive plugin is still code sitting on your server.

If you are one of our Managed Service customers, we will ensure that any new updates are applied to your website promptly, helping to minimise the risk of it being compromised. We'll also test new versions of plugins to make sure they're compatible with your website before we apply them to your live environment.

Firewalls

Our firewalls are Web Application Firewalls. A Web Application Firewall (WAF) sits between your visitors and your site, inspecting each web request and blocking the ones that look malicious.

In a WordPress environment they are useful to have because they can block attacks aimed at flaws in the application before the request reaches the vulnerable code. They can help block SQL injection, cross-site scripting and malicious file inclusion attempts. A WAF recognises attacks by their patterns, though, so it is a safety net rather than a fix: a new or disguised attack can get past it, which is why keeping plugins patched still matters.

There are many providers of WAFs for WordPress, one of which is Wordfence. Usually installed as a plugin, they are quick and easy to set up, and most are free with the option of a paid upgrade. Bear in mind that a plugin-based WAF runs inside WordPress itself, so it only sees a request once it has reached your server; a WAF run by your host or a CDN in front of the server can stop bad traffic earlier.
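To show what "monitors, filters and blocks" looks like in practice, here is an added example written for this post (the rules are illustrative and are not Wordfence's or any other product's real rule set). It applies a handful of signature rules to some constructed requests, URL-decoding them first so that encoding can't hide a payload, and it also shows the kind of variant that slips past simple signatures.

```python
import re
from urllib.parse import unquote_plus

# Signature rules in the style a plugin WAF ships with. These are constructed
# for this example and are far fewer than any real product uses.
RULES = {
    "sql_injection": re.compile(
        r"(\bunion\b[\s/*]+\bselect\b"      # UNION SELECT, including UNION/**/SELECT
        r"|'\s*or\s*'?\d+'?\s*=\s*'?\d+"    # ' OR '1'='1
        r"|--\s|/\*.*\*/"                   # SQL comments used to cut a query short
        r"|\bsleep\s*\()",                  # time-based blind injection probe
        re.I,
    ),
    "cross_site_scripting": re.compile(
        r"(<\s*script\b|javascript\s*:|\bon[a-z]+\s*=)", re.I
    ),
    "file_inclusion": re.compile(
        r"(\.\./|\bphp://|\bdata:|https?://[^\s&]+\.(?:php|txt)\b)", re.I
    ),
}


def normalise(value: str) -> str:
    """URL-decode repeatedly until nothing changes, so that %2527-style double
    encoding cannot hide a quote from the rules (bounded to avoid looping)."""
    for _ in range(5):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(path: str, params: dict) -> list:
    """Names of the rules that match the path or any parameter value."""
    candidates = [normalise(path)] + [normalise(v) for v in params.values()]
    return [name for name, rule in RULES.items() if any(rule.search(c) for c in candidates)]


def filter_requests(requests) -> list:
    """WAF decision per request: 'allow' or 'block: <matched rules>'."""
    decisions = []
    for path, params in requests:
        hits = inspect_request(path, params)
        decisions.append("block: " + ",".join(hits) if hits else "allow")
    return decisions


# Constructed requests: one genuine search, then the three attack types the
# post mentions, then a double-encoded injection aimed at the wp_users table.
SAMPLE_REQUESTS = [
    ("/", {"s": "wordpress"}),
    ("/", {"p": "1' OR '1'='1"}),
    ("/", {"s": "<script>alert(1)</script>"}),
    ("/wp-admin/admin-ajax.php", {"file": "../../../../etc/passwd"}),
    ("/", {"p": "1%2527%2520UNION%2520SELECT%2520user_pass%2520FROM%2520wp_users"}),
]

if __name__ == "__main__":
    for request, decision in zip(SAMPLE_REQUESTS, filter_requests(SAMPLE_REQUESTS)):
        print(decision, request)
```

The first request is allowed and the other four are blocked, including the double-encoded one, because the decoder runs before the rules. Feed it `1 UNION ALL SELECT 1` instead, however, and nothing matches: the extra keyword defeats the signature, which is exactly why a WAF is a safety net on top of patching rather than a replacement for it.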

Depending on what your website is, we will make recommendations on what type of firewall you need.

Database back-ups

WordPress is a Content Management System, or CMS for short. When someone visits your website the browser shows the front end, but all of the content (pages, posts, comments, users and settings) is stored in a database behind the scenes, while your theme, plugins and uploaded images live as files on the server.

From a security standpoint, if a website is compromised it will need to be cleaned of any malicious code, and that process might mean deleting some of your content. Having a back-up in place means you can restore anything that was lost and put your site back to how it was before the hack. The back-up you restore from needs to date from before the break-in, though: a copy taken afterwards may already contain the attacker's code, so restoring it just reinfects the site.

Back-ups are also useful when you're editing your site: if something goes wrong, you can restore the database to a point before it all went wrong!

What should we do?

You should make back-ups of your website frequently (usually your hosting provider will do this, sometimes at an extra cost). A back-up is a copy of your whole site, files and database, at a set point in time, and these back-ups are used to restore your website if needed. Keep a copy somewhere other than the web server itself, since an attacker who gets into the server can delete or alter any back-ups stored on it, and check now and again that a back-up can actually be restored.

We always ensure that your databases are backed up at least nightly, with a full back-up of the files and database once a week. Depending on the needs of your website this may be more often, and if you host with us we do this free as part of your hosting package.
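As an added example (written for this post, not our hosting platform's actual backup tooling), the following Python script takes a back-up of a site directory plus a database dump, records a manifest of file hashes alongside the archive, and then compares a later back-up against a known-good one. That comparison is the check you want before restoring a back-up taken after a suspected break-in: it lists exactly which files appeared or changed in the meantime. The site contents, database dumps and the "backdoor" file are all constructed placeholders.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(site_dir: Path, db_dump: bytes, archive: Path) -> dict:
    """Write the site files and a database dump into archive (tar.gz) and
    record a manifest of hashes next to it. The manifest is what lets a later
    back-up be compared against a known-good one before it is trusted."""
    manifest = file_hashes(site_dir)
    manifest["database.sql"] = hashlib.sha256(db_dump).hexdigest()
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
        info = tarfile.TarInfo("database.sql")
        info.size = len(db_dump)
        tar.addfile(info, io.BytesIO(db_dump))
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def diff_manifests(known_good: dict, candidate: dict) -> dict:
    """Files added, changed or removed relative to a known-good manifest: the
    shortlist to inspect before restoring a back-up taken after a suspected
    break-in."""
    return {
        "added": sorted(set(candidate) - set(known_good)),
        "modified": sorted(f for f in known_good if f in candidate and candidate[f] != known_good[f]),
        "removed": sorted(set(known_good) - set(candidate)),
    }


def demo() -> dict:
    """Constructed scenario: Monday's back-up is clean; by Wednesday an attacker
    has dropped a PHP file in uploads and edited wp-config.php to load it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        monday = make_backup(site, b"-- dump taken Monday\n", Path(tmp) / "monday.tar.gz")

        # Placeholder for attacker-planted code; its content is irrelevant here.
        (site / "wp-content" / "uploads" / "cache.php").write_text("<?php // backdoor placeholder\n")
        (site / "wp-config.php").write_text(
            "<?php define('DB_NAME', 'wp'); include 'wp-content/uploads/cache.php';\n"
        )
        wednesday = make_backup(site, b"-- dump taken Wednesday\n", Path(tmp) / "wednesday.tar.gz")
        return diff_manifests(monday, wednesday)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The database dump will show up as modified after any normal day of editing, so that line is expected; the signal is a PHP file appearing under uploads, and wp-config.php changing on a site where nobody has touched the configuration. Wednesday's archive is not the one to restore from in that case, however recent it is.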

Hopefully this post gives you a bit of an insight (albeit a minimal overview) into the security measures you need to think about when running a website, but if you have any questions, get in touch.