7 Ways to Enhance Your Business Website’s Security

By Ian Heinig / 22 May 2018

91% of small businesses plan to improve their website. Use these quick tips to protect your sensitive information and avoid a costly data breach.

As a business, you’re responsible for your data and the data of your customers. You wouldn’t leave the front door unlocked. Why overlook the security of your website? 

Imagine if all the contact, credit card, and server information on your site were compromised. What happens next?

In the best-case scenario, you would incur the cost of data retrieval, reduced productivity, and loss of customer trust. The worst-case scenario involves criminal and financial penalties, plus a crippling blow to your business.

A recent survey finds that 91% of small business plan to upgrade their website in some way. Given the potential risks associated with a data breach, website security could be the right investment for you. 

Here are 7 ways to enhance the security of your website:

  1. Strengthen your passwords
  2. Update your software regularly
  3. Install plugins to enhance security
  4. Protect against SQL injections
  5. Combat XSS attacks with CSP
  6. Guard data transfers with HTTPS
  7. Test with website security tools

1. Strengthen Your Passwords

What’s the most commonly used password? A shocking 17% of users rely on “123456” to secure their private data

Most used passwords in 2017
Source

Weak passwords like this give hackers easy access to your data. An easy way to enhance website security is to fortify your passwords.

Below are some best practices to enhance the security of your passwords: :

  • Make the password longer than nine characters
  • Combine special characters, letters, and numbers
  • Use both capital and lower-case letters
  • Avoid easy-to-guess keywords such as birthdays, or the names of your pets or children

It’s important to check that anyone with access to your website has a secure password. Instituting requirements for passwords will push users to create more complex sequences. 

Applications like Dashlane and LastPass can help you generate a strong password.

2. Update Your Software Regularly

Keeping web platforms, server operating systems, and scripts current is a key defense against hackers. 

Open-source software from third parties – like a CMS (content management system such as WordPress) or a blog forum – is readily available online. Hackers can look through these scripts for security loopholes to exploit and gain access to websites

Updating software as soon as an upgrade is released will immunize you to exploitable security holes. This will mitigate the risk of a forced entry in just a few minutes. Plus, it will fix any bugs in the scripts. 

Tools like Gemnasium can help you stay up to date with all your software.

3. Install Plugins to Enhance Security

A plugin is a software group that can be added to a website to increase its functionality. The right security plugins will help to prevent most hacking attempts. 

For example, WordPress offers a plethora of security plugins. The inherent weaknesses of the WordPress platform can only be covered with tools such as Bulletproof Security and WordFence Security.

Whatever CMS or web platform you use, search for the best plugins to prevent security breaches. 

Also, remember to update your plugins regularly. If left outdated, these open-source scripts can provide hackers with easy access to your website.

4. Protect Against SQL Injections

SQL injections occur when malicious code is inserted through a query from. This is a threat to websites that use web forms and URL parameters which allow outside users to supply information. 

If these parameters are too widely defined, a data breach is possible. An SQL injection can force the website to perform an unwanted command and lay bare all your sensitive data.

What is SQL injection
Source

The simple solution is to use parameterized queries. 

This will establish rigid parameters for what web language can be used to access which database information. Limiting the terms that can be used to access your website will minimize SQL hacking attempts.

5. Combat XSS Attacks with CSP

Cross-site scripting (XSS) attacks happen when malicious JavaScript code is added to a web page. Visitors exposed to this code will then infect all other pages they browse on your site. 

You can combat the spread of malicious code on with a Content Security Policy (CSP). 

This tool will let you specify which web domains a browser may consider as valid sources for an executable script. With CSP active, the browser will simply disregard any infectious script that’s been planted by a hacker. 

You can use CSP on your site by adding the proper HTTP header to your webpage. 

This will provide a series of directives that informs the browser which domains are acceptable, and details any exceptions. Here’s a guide to creating a CSP for your website.

You should also protect your site from XSS attacks by using a process similar to parameterized queries for SQL. Ensure that any code which allows for user input is hyper-explicit. This will prevent hackers from slipping any into your system.

6. Guard Data Transfers with HTTPS 

The only way to protect the transfer of sensitive data is with HTTPS – or hypertext transfer protocol secure. This is a secure version of the (http://) data submission protocol used by websites. 

HTTPS checks for a private server passkey to ensure that users are routed to the correct server. It encrypts all data sent to and from your website, including passwords, credit card, and social security numbers. 

You can recognize when HTTPS is in effect by looking for the green https:// and the lock icon in your browser bar, as seen below.

HTTPS symbol
Source

This signals to visitors that their sensitive information is secure. For web stores and sites with a member login, this is a key piece of protection. 

To activate HTTPS on your website, you’ll first need to learn how to install an SSL certificate. This low-cost process is pivotal to making your site more secure and trustworthy.

7. Test with Website Security Tools

Total website security will require routine assessment and maintenance. Once you’ve followed the above steps, it’s time to test your website security. 

Numerous free and commercial and free tools exist to help. Known as penetration or vulnerability testers, these software solutions imitate the scripts hackers use to attack and compromise websites. 

Consider the following tools to secure your website:

  • SecurityHeaders: This free tool will report which headers (such as CSP and HSTS) are enabled for domain security and if they’re configured properly.
  • ZedAttackProxy (ZAP): Free to use, this tool offers a full suite of functionalities, include authentication support, automatic scanners, and dynamic SSL certificates.
  • Xenotix XSS: This free tool offers a wide variety of XSS attack examples that can quickly identify any vulnerabilities in a browser.
  • Netsparker: Use the free trial version to test for XSS attack and SQL injection vulnerabilities.

While these tools may reveal a plethora of issues, focus on the most critical aspects of web security. Each issue will come with an explanation and a resolution. 

Many of the low-risk issues can be overlooked, but it’s always good to develop a comprehensive sense of your website’s security.

Securing Your Website

Embarrassing, debilitating, and expensive. These words are commonly associated with website insecurity and data breaches.

To protect your data and that of your customers, address these critical aspects of web security. 

A handful of simple procedures is a small price to pay for the confidence and integrity of your online information.

owner

Related Articles