Website security is essential
It is just common sense. In any serious business venture, you make sure that your business is secure, you lock the door when you leave, padlock the gates and take measures to keep your customer information, and company data safe and confidential. It is vital to take the security of your website just as seriously as you take the security of your bank accounts and customer lists. It might sound somewhat dramatic, but website security is truly ignored at your own peril, and failure to implement security measures risks not only impacts your website, but also your company’s reputation and customer confidence level.
But, your website is more than just a window for customers, it is also a window for hackers, spam bots, and other dangers such as credit card fraud. Keeping your website secure requires a pro-active and comprehensive strategy, which should be documented in policies and procedures and reviewed periodically.
Start out smart
During development of your site, you want to ensure that initial website security best practices are followed. This includes making sure that the developer is adhering to correct file structure, configurations and permissions are set per the manufacturer or publisher’s recommendations and best practices for the server environment. For WordPress, the Codex has an excellent article outlining the recommended steps for securing WordPress, if you are using another CMS, most have tutorials or articles to help you with their requirements and suggestions. Taking these steps should not be skipped or skimped, no matter what software you are running and the list should be checked off before your site goes live, on first installation, after updates, and periodically thereafter. If you are a “do yourself type”, and do not know about server settings, now would be a good time to fill out a support ticket or consult your developer before you make any changes yourself.
Keep your computers, tablets and phones updated
Outside of the server, Website Security starts with the computer and work spaces used to access the site. Update your computers often! No matter what operating systems, software or hardware you are running, keep them and the related drivers on your computer updated – all of them. Most providers have automatic update features that work beautifully to this end. I cannot stress this enough. Keeping common internet tools, libraries and essential programs updated such as Windows, Java, Adobe, is the first line of defense in web-site security for those who have a website.
It should go without saying that you also need to update internet browsers such as FireFox, Internet Explorer, and any plugins or add-ons you might be running, along with both an anti-virus program and firewalls, but I am saying it anyway, just in case it slips your mind. If you are running website from your own server, use firewalls, spam guards, and other server security software, and perform regular scans and maintenance.
If the manufacturer or open source project, is offering a patch for the software or update to libraries, it means that there is something that needed to be fixed, added or removed from the program to secure it and or fix bugs, and until you run the updates, you are more vulnerable to attacks.
Have a written Website Security Policy and Plan
The measures that you will need to take to protect your organization’s website vary from very simple to technical. Whether you will be doing it yourself or hiring someone to do it, it is helpful to have a written plan in place for frequent checks and maintenance of your website. Writing down and keeping logs of your security checks and updates ensures that you can prove security measures are performed and followed by yourself, or present or future employees, and for cases of liability issues, you can also prove due diligence. Having a written plan is also required for PCI compliance by credit card carriers, and lack of compliance can result in extra charges to your merchant account, or account suspension.
Create a website security check list to be checked off monthly, weekly or even daily.
After installation, perform frequent, regular maintenance checks and security reviews.
- Check, CMS, HTML, modules/apps/plug-ins and other software on your site to make sure you are running the latest editions
- Check for security vulnerability alerts on any software that you are running
- Make sure that you are running the latest software and security patches on your site, your computer and work stations that are used to access the site.
- Run firewall and Anti-virus updates as needed.
- Require complex passwords, and periodically force a password change.
- Clear Caches and monitor for any new files on your server that do not belong there.
- Perform periodic scans for malware on your site
- Run daily back ups and store them on a data stick
Are you planning on taking credit cards on your site?
One of the gravest dangers that face eCommerce and other business owners who take internet credit card orders, is credit-card fraud. Protect your website and business by using one form or another of fraud protection tools and services that are offered, and save yourself some headaches and loss.
Securing or storing credit card information must follow strict guidelines, or you can face fines and other charges from your card processors, as well as increased liabilities for damages. It is in your best interest to make sure that your practices and policies are in compliance with your credit card service providers and PCI requirements for your business and service level for storing credit card information. Review your compliance requirements and policies periodically to ensure you are still in compliance with the current standards and requirements.
- Post privacy and security policies for employees and customers to read and acknowledge.
- Avoid downloading free screen savers, icon sets, smilies and any type of shareware to your computers and discourage employees from doing the same.
- Use and require complex passwords. Force password changes for admins and other sensitive accounts periodically.
- Use SSL (Secure Socket Layer Encryption) for sensitive forms and customer accounts.
- Avoid accessing sensitive areas (Admin, CPanel, FTP) on public networks or hotspots.