How do I know if my website is secure?
Website security is an important factor that can often be overlooked. It’s essential for everyone with a website to understand why security is crucial and to be aware of key checks to do.
What is website security?
Have you ever watched an old film only to notice that the scenery in the background is fake? When we create a website, we aim to create a seamless user experience that not only looks great but runs great too; without revealing the true nature of the ugly and complex code behind it.
But what if somebody was actively looking to reveal the true nature of your website? To add a layer of complexity to websites, we often encourage our users to interact with them. We might ask the user to provide personal identifiable information such:
- Their name
- Email address
When we are asking users for such information, it is our legal obligation to ensure that this information is not accessible by any individual or organisation seeking to use that information for their own personal gain.
Why is website security important?
With the nature of websites being in the digital realm, it can be easy for a business to focus on concerns that appear more immediate whilst ignoring a wide variety of website security issues. Imagine walking into a shop, paying for a product/service and the business leaving your card details, and personal information in full view of other customers. Not only can this be catastrophic for the customer, the reputation of the business is at stake for having inadequate measures in place to protect their customers; along with a host of legal ramifications. In addition, it is in the interest of an attacker to ensure that their actions remain undetected to continue profiting from the attack.
Website security checks
When you are performing a website security check, there are multiple things to you need to be aware of to ensure that your website and the data of your customers cannot be accessed by a nefarious individual. Whilst not totally comprehensive, here are some of the things I think about when I am working through my website security checklist.
Where and how is my website hosted?
Your website will be hosted on a computer known as a server. Where is this server stored and who has access to it? Do you know what measures your hosting provider takes to ensure connections to the server are not able to access unauthorised files. Do you share your server with any other companies / websites?
How am I storing data?
The database of your website will be located on the server. Do you need your database to be encrypted? How are passwords stored in the database, are they being hashed or encrypted in a secure manner? Does my database have a secure username and password?
How has the website code been written?
Does the code use ‘prepared statements’ to ensure any data taken from input fields has been sanitised to remove any potential malicious code before it goes into the database? What data is on the ‘back end’ and hidden and what data is stored on the ‘front end’ on the user’s machine? Front end data is publicly accessible!
How is data sent between the user’s machine and the server?
Do you have an SSL certificate? This allows the encryption of data between the user and your server to help prevent anybody intercepting the data as it travels. You should see a little padlock in the URL bar of your browser and the site will be using the https:// protocol as opposed to the less secure and older http://
Are you regularly updating any plugins and CMS that your website uses?
If your website uses a content management system like WordPress or Magento, are you regularly applying updates to it and any related plugins? These updates are often to fix discovered exploits that will make your website vulnerable to attack. I would recommend using SEMVER system to guide you in whether an update might be breaking. If the version change is major, I would ensure to read all patch notes and do a quick search for any issues it may have caused.
The above points are just some things to consider when creating a secure website, however the unfortunate reality is that try as we might; we can never make our sites totally secure. Website security is a constantly evolving field with attackers developing new methods to compromise data and developers being reactive to stop them.
To help combat this, it is good to get into the habit of reviewing the security of your site as part of your weekly routine to check if there are any issues or updates that need applying. Ideally this should be towards the start of the working week to give time to fix any issues that may arise