Trust is the name of the game when it comes to user engagement.
Your website is a globally accessible, digital representation of your brand. When people visit your website, they are conveying confidence that they can safely interact with your brand.
Naturally, one of the primary concerns involved in building a website is security; and it should be. Whether you’re running an informational marketing site or an e-commerce platform, you are vulnerable to the ever-present and growing dangers of the modern Internet. We take security seriously, and work hard to make sure clients are taken care of. We constantly monitor our sites, receiving reports that keep track of activity from logins to lockouts, outdated plugins, and general site health and traffic information.
Think of your website as a city with walls. If you want people to access the city, you need to setup gates to allow people to enter. Every form field and URL parameter is a gate or a passage into your city, which also presents the possibility for hackers to wreak havoc. In order to prevent a hack, it’s necessary to enforce security protocols that only permit authorized access. The following is a list of protective measures to ensure sites are fully protected from inception to launch, and that backup plans are in place in the unlikely event that a site is compromised.
1. Know Your Host
You’d never want to build your home on sand or mud, similarly you’d never want your website built on poorly designed server infrastructure, and that includes customer support. It’s imperative to know your host company and what they provide. We are always on the lookout for top quality services, which led us to WPEngine. They provide daily backups, security audits, WordPress installation updates, very helpful and readily accessible customer support, database redundancy, and disaster recovery, not to mention fast and efficient service.
2. Platform and Plugin updates
It’s paramount to keep your site updated. If you’re running a CMS such as WordPress, you have to keep the installation updated as well as any third-party plugins. There are security plugins you can install such as Wordfence and WP All-in-One Security. If you have a great host, however, such as WPEngine, you don’t have to worry about having additional security plugins installed.
You know the bar at the top of your browser where you enter the URL (site address), and notice the http before the www? That little prefix is actually the protocol that forms the foundational infrastructure of the entire internet. Most sites now have https, which indicates that the site is secure. It means that any data being transferred through the website between your computer and the server is encrypted. The only way to achieve that status is via an SSL certificate. Any time you’re retrieving customer data, you’ll want to have a certificate installed. In fact, Google has already started to penalize websites that aren’t secure (using only http), which in turn has a negative effect on SEO results.
4. SQL Injection and XSS
How many times have you heard how important it is to have a complex password? If you had a nickel, right? I review several reports each day on sites that are on the receiving end of brute force attack attempts. At least once a week I’ll read a report that a particular site was subject to well over 100 login “attempts” within a span of a few minutes. The origin of these attacks is usually from a hacker releasing a script filled with common password combinations blindly into the wild to attack a range of IP addresses in an attempt to login to the site and inject a malicious script or virus. The more complex a password is, with lower and uppercase letters, and a variety of characters and numbers, the harder it is to crack. If you have trouble remembering passwords, use a cloud-based or local password keeper. LastPass and KeeperSecurity are popular ones at JRD HQ.
6. Access Control
Limiting who has access to your site, both the administrative panel and the server files, is another important pillar in security. Providing different levels of permissions that can limit a user’s ability to do anything on the site, e.g. publish a post or edit content, is a great way to incorporate this method. Here are
- Logins expire after a short period of inactivity.
- Site lockout after 10 failed attempts to login.
- Passwords are changed frequently.
- Instantly lockout invalid usernames.
- Set file permissions to read-only access.
- Login captcha to test that a user isn’t a robot.
Backups are crucial to proper site maintenance. Another reason we love WPEngine is that they automatically perform regular daily backups of their sites, so if anything goes wrong the most recent back up is less than 24 hours old.
Following these steps won’t guarantee 100% failsafe protection against the most sophisticated attack, but they do provide a strong deterrent against most attacks, and will ensure that your site can be effectively restored if needed.