If you’re a business owner or manager who is concerned about website security and you’re not sure where to start, here are some website security basics for you.
NOTE: This is NOT a comprehensive website security guide. These are just some typical questions with quick answers.
Q. What are the most common website security threats?
There are a lot of possible ways to attack websites, and there aren’t any reliable statistics about the most likely origin of a threat. Still, there are some fairly common website security threats that are important to talk about:
- A disgruntled employee. Many businesses use the same password for a lot of their accounts, including access to the company website. This makes it easy for a terminated employee to steal information or sabotage a website.
- Malicious emails and websites. The risk here is that someone who works at your company opens an email they shouldn’t or goes to a website that infects their computer. These infections can compromise the company website if passwords are stored on the computer.
- Automated hacking attempts. There are thousands of “bots” that constantly crawl the web looking for vulnerable websites. There are a lot of possible types of attacks here, but the important thing to understand is that they’re largely automated.
Q. What can we do to mitigate the most common threats?
Aside from working with an experienced website developer, there are some smart things every business can do to protect themselves.
- Use individual passwords for each staffer. This ensures that if the employee’s password is stolen somehow (by a malicious email or malware infection) the damage can be limited. This also helps make sure that an employee’s access to your website, email system, and other accounts can be limited should they quit or get fired.
- Don’t open email attachments unless you know the sender AND you know what they’ve sent. Email attachments are one of the biggest risks ecommerce companies face. A person pretending to be a customer will send something that looks like it needs to be opened. If you don’t know the sender, don’t open it.
- Don’t click on links in emails unless you know the sender. Just like attachments, it’s risky to open a link in a strange email.
- Do not go to “bad” websites on work computers. This should be common sense, but using work computers to look at websites that are known for malware infections (usually, these are porn and gambling sites) is risky.
- Use Cloudflare Pro. Cloudflare is a system that sits between your company’s website and your users. Cloudflare will help improve the performance of your site, but it will also add security features to protect your site. This includes blocking bots, challenging suspicious users, and more. For $20 a month, it’s a heck of a system. However, even the free version of Cloudflare can help protect your site.
- Keep your website software up to date. If your ecommerce site is built on an open-source platform like Magento, PrestaShop, or WooCommerce, there are security updates released every few weeks that need to be installed. There are also plugin/module updates that need to be made periodically for security reasons. Staying up to date on all of these updates takes time, but it’s better than the alternative.
Q. What does “SSL Encryption” mean, and why is it important?
SSL encryption is a method for protecting the personal information of website users while it travels between their browser and your site. If someone purchases a product from your site, SSL encryption ensures that the buyer’s credit card info can’t be read by anyone intercepting the connection on the way to your server.
SSL encryption requires you to install a certificate on your website, and that certificate has to be signed by a third party to verify the certificate is legitimate. Purchasing a basic SSL certificate is cheap and easy, and installing the SSL certificate is usually something your website hosting company or developer will need to do for you. Just about every website needs SSL, so if your site doesn’t currently have it and you’re selling parts online, you need it ASAP.
Q. How do I know if my website is secure?
The word “secure” is defined differently by different people. Some IT pros view security as an absolute: if there is any possible vulnerability, they will say a website has security issues. By that strict definition, almost every website is insecure. This rigorous definition of security is then used to sell website owners excessive or unnecessary services.
In our opinion here at Spork, the question “Is my website secure?” needs some context. Here are questions you need to answer to determine if your site is secure or not:
- What is on your website that people will want to steal? If your website is nothing more than an online brochure (as our own website is, for example), your security risk is low. Few will have an interest in hacking your site unless they think there is something valuable inside. Likewise, your risk is pretty low if you’re not collecting consumer data on your site.
- Would anyone want to infect, deface, or vandalize your website? If you have a very high profile website, your security risk is high. Vandalizing a popular or significant website is a way for a hacker to draw attention to themselves or a cause. Likewise, infecting a high-traffic site with malware is a great way to infect lots of computers.
- Is your website’s data encrypted? If a hacker steals your customer password database, for example, is that data stored in plain text or in an encrypted or hashed format?
- Are you following best practices? Is your site backed up regularly? Updated regularly? Do you use good passwords? Are there restrictions on IP addresses that can access certain parts of your site? These are all good questions to ask your developer or hosting provider.
- What’s the worst case scenario? If someone were to gain full access to your site, could they obtain customers’ credit card numbers? Could hackers get your customers’ passwords? Or would hackers only get customers’ names, addresses, phone numbers, emails, and order history? If your site is storing credit card numbers, for example, you have a very high security risk.
Finding the answers to these questions will help you identify your risks. If you don’t have answers to these questions, it’s a good idea to speak with an experienced website developer.
Q. What questions can I ask my web developer about my website’s security?
In addition to some of the questions outlined above, these are some smart questions to ask too:
- Is our site vulnerable to cross-site scripting attacks? Abbreviated as XSS, this is an incredibly common method of hacking websites. If your website has a place where visitors can enter text (like a contact form, for example), your site could be vulnerable.
- Is our site vulnerable to SQL injection attacks? This is another vulnerability that is straightforward to prevent with well-established coding practices. If your website uses a SQL database, it could be vulnerable…so ask your developer. By the way, SQL is pronounced as “sequel”…so when someone says “sequel injection” this is what they’re talking about.
- Is our server running the latest version of Apache that our site is compatible with? Most open source ecommerce systems run on a server that uses Apache (the web server software that answers visitors’ requests). Older versions of Apache have security problems.
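As an added illustration (not code from this post or from any of the platforms it names), here is what the difference between vulnerable and protected code looks like for the two attacks above, written in Python against a constructed in-memory customer table:

```python
import html
import sqlite3

# Constructed sample data standing in for a store's real customer table.
# Illustrative only; this is not Magento, PrestaShop or WooCommerce code.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
conn.executemany("INSERT INTO customers VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("bob", "bob@example.com")])


def find_customer_unsafe(name):
    """Builds the SQL by pasting the visitor's text into the query string,
    so the visitor's text can change what the query does (SQL injection)."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(name):
    """Parameterized query: the visitor's text is handed to the database
    separately from the SQL, so it is only ever compared as a plain value."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_comment_unsafe(text):
    """Drops visitor text straight into the page, so any HTML or script
    inside it becomes part of the page (cross-site scripting)."""
    return "<p>" + text + "</p>"


def render_comment_safe(text):
    """HTML-escapes visitor text so the browser displays it as literal text."""
    return "<p>" + html.escape(text) + "</p>"


if __name__ == "__main__":
    # Constructed probe input: the quote ends the name string early and the
    # trailing condition is always true, so the unsafe query returns every row.
    probe = "' OR '1'='1"
    print(find_customer_unsafe(probe))   # both customers leak
    print(find_customer_safe(probe))     # [] : nobody is literally named that
    print(render_comment_unsafe("<b>hi</b>"))
    print(render_comment_safe("<b>hi</b>"))
```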
If you ask these questions and you don’t get satisfactory answers, find a developer who’s more experienced to do a security review. There are a lot of inexperienced developers churning out Magento and WooCommerce websites who have no idea about website security.
Q. Any other website security tips?
- Use good passwords and keep them secret. They should be eight characters (or more), they should have both letters and numbers, and some of the letters should be capitalized.
- Manage access. When you hire employees or when you work with contractors, issue them their own passwords instead of sharing your own. When you fire them, revoke their access.
- Watch what you click on. Don’t download anything you’re not 100% confident in, and don’t open any email attachments from anyone you don’t know.
- Make sure your computer’s antivirus software is up to date. Opinions differ about which antivirus software to install on your personal computer. If you have a Windows PC, the built-in Windows antivirus is supposed to be pretty good…but whatever you use, be sure it’s updated.
- Get help if you don’t know. Ignorance is expensive, especially as far as website security is concerned. While no one can make a website 100% secure, a handful of precautions can eliminate 99.9% of your risk. If you don’t know what to do – or if your current developer doesn’t know what to do – it’s time to reach out to an expert.
At Spork, we’ve been developing and marketing websites for more than a decade. If you’re an auto parts or accessories online retailer, and you’re wondering about website security, contact us. We’ll be glad to provide a free consultation if you’re looking for some basic help, and we can help you with more detailed requests too.
Featured image on blog page ©Gajus