
Website security guide

Website security matters more than ever before. The more work web designers and developers do to stay ahead of scammers, hackers, and other digital criminals, the harder the scammers and hackers work to catch up. As the owner of a business website, you need to make sure everything is as safe and secure as it possibly can be, and keep it that way 24/7/365.

Fail and you can end up angering your customers, maybe exposing data you should keep safe under Data Protection Legislation, perhaps even letting criminals access people’s bank details, personal details, and other sensitive information. Hackers can change information, vandalise your site, destroy content, and even upload malware designed to quietly wreck your business without you noticing until it’s too late.

As a highly experienced B2B website design agency, Intuitiv has loads of experience in website design and security. Read on to understand the risks, learn how to check your website security, and improve the overall security of your online presence. 

Why Website Security is Essential

It’s an international thing. Wherever you are in the world, people are probably trying very hard to hack your website using bots designed for the job. The more vulnerable it is, the more you’re at risk, and a hack can mean disaster. Hackers and other cyber-criminals use clever software to automatically detect websites with vulnerabilities to exploit. You might not even realise your site is vulnerable until it’s too late. Hacker software can carry out thousands of login attempts in no time, ultimately finding a way past obvious or weak passwords and usernames. And the threats faced by online business are always on the increase despite the good guys working extremely hard to keep up. Think about the old children’s game Whack-a-Mole, where every time you hit a mole another one pops up. Not good.

Cyber threats and attacks can access and steal vital data like customer bank account numbers and your employees’ personal details. Studies show all someone needs is six pieces of personal information to identify someone accurately, which makes every item of personal or financial data precious. 

Criminals can hijack website traffic on the way to your site and send it elsewhere, or send masses of dodgy traffic to your website. They can spam other websites via yours, crash the site altogether so it isn’t usable, or slow it down so much that your visitors click away in exasperation. Once you’ve lost someone that way – and therefore lost their trust – you’re unlikely to get them back.  

Hacks can cause websites to be dropped from the Google search results altogether, or stuck in a sandbox situation, in limbo until you can prove things have been fixed. Attackers can use your computers’ resources to mine cryptocurrencies and use your machines as zombie computers when your employees aren’t at their desks. You might be sending out millions of spam emails without knowing a thing about it.

Hackers can add malicious code to your files and steal user passwords, email addresses and credit card details. They can suck up email addresses to sell to spammers, install viruses and malicious software, and distribute malware. It’s easy for them to create links back to dodgy websites from yours, which will ultimately affect your site’s search visibility as well as damage your brand. They can fill your site with unwanted content or delete your content altogether. They might lock you out of your own website by changing your password or shut it down altogether, then charge a massive ransom.

You can see how website security is essential for every aspect of protecting a business, its customers and its reputation. The fines for UK data breaches are frightening. Take Interserve, which was fined £4.4M by the UK Information Commissioner’s Office following an employee data breach revealing workers’ bank details, national insurance numbers, and health information.

How to Check Website Security

You need to get to grips with cyber security. This is where professional cybersecurity services can be very beneficial in assessing a website’s security, especially when you’re not an expert and don’t know what to look for. Once you know for sure you’re clean, secure, and safe, you can do what’s needed to keep your site that way. It might mean spending money, it’ll definitely take time, but it’s worth every effort and every penny. So prepare to monitor and update your security programme frequently, either yourself or with help from a professional.

To give you a good understanding of the kind of things you’ll want to think about, here are some fundamental website security checks. This is your bare basics.

Routinely scan the site for vulnerabilities

Website security scanning software detects vulnerabilities and malware. Some tools are freely available online, others involve a one-off payment or a subscription. A website vulnerability scanning tool, also called a vulnerability scanner, is automated software designed to search for security vulnerabilities in web services, servers, proxy servers and web application servers. Scanners check for problems like SQL injection into your database, cross-site scripting (XSS), command injection, cross-site request forgery (CSRF), and distributed denial of service (DDoS) attacks.

Insist on strong passwords for everyone in the business

There are some terribly clever hacking tools for automatically guessing login details. It’s sensible to use a hard-to-guess username as well as a very strong password. Mathematically, the longer and more complicated your login data is, the less chance the software will guess it. It’s a simple but very powerful way to keep mischief makers out.

Use sitewide SSL certificates

You’ll see a little lock icon before the address in the browser bar on websites with an SSL (Secure Sockets Layer) certificate in place. SSL certificates help keep online interactions private. They also prove your website is a safe place for people’s private information. HTTPS is the secure form of HTTP, and all HTTPS website traffic is encrypted by SSL (in practice its modern successor, TLS). Your host will be able to add an SSL certificate for you if you don’t already have one. Make sure it’s site-wide.

Use the best security plugin for your CMS

There’s a lot to think about to keep a site secure. Luckily there are trusted security plugins or extensions for most platforms, designed to do the hard work for you, all in one place. Upload it, unpack it, run it, and see what it suggests to improve your website security.  

Do website penetration testing

Penetration testing or pentesting involves gathering information, finding security flaws, then exploiting them to see how easy they are to take advantage of. It’s a question of knowing your enemy. Once you understand any security flaws and know how dangerous they are, you can fix them and avoid making the same mistake again. Professional website penetration testing services can be really handy, using their expertise to delve deep into your site’s vulnerabilities and fix them before you launch. It’s also a wise move to re-test regularly to make sure the site stays secure throughout the changes and updates you’ll be making. 

How to Improve Website Security

Site security isn’t a destination, it’s a journey. Ideally you’ll design the right level of security into the site then keep it secure. It’s sensible to restrict access to the site’s admin area to as few people as possible in the first place. You’ll need to keep checking all the site software, tools and plugins are up to date, and update them as soon as new versions become available.

You’ll want to make sure you’ve bought secure web hosting. Cheap isn’t very cheerful when your site gets compromised, so pay for rock solid hosting. And remember shared hosting can introduce vulnerabilities you’d be wise to avoid.

You’ll want to separate the site’s database from the site file server. Experts recommend separate website file servers and database servers so if one’s hacked, the other remains safe. And you should disable all the unused features in your CMS, for example disabling comments and new user registrations altogether on a WordPress site.

It makes sense to restrict file uploads, only letting trusted people do it. Again, the fewer people the better. Make sure you have a strong firewall like Cloudflare. Use bot detection and blocking software to keep your site’s performance in good shape and cut the risk of DoS exploits. Backing up your site and database frequently means if something goes wrong, you can get it back up and running. And hiding the code version and platform you’re using also helps ward off intruders. If they don’t know you’re on Shopify, or Joomla, or whatever, they can’t target their hacks anywhere near as well.
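To check whether your own site still announces its platform and version, you can inspect a saved response for the usual giveaways. The following is an added example, not code from Intuitiv; the header list is a common starting set rather than an exhaustive one, and the sample response is constructed.

```python
import re
from html.parser import HTMLParser

# Response headers that commonly reveal the server stack or its version.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


class _GeneratorMeta(HTMLParser):
    """Collects the content of <meta name="generator"> tags."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def find_disclosures(headers, html):
    """Return a list of (source, value, has_version) findings."""
    findings = []
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS:
            findings.append((name, value, bool(VERSION_RE.search(value))))
    parser = _GeneratorMeta()
    parser.feed(html)
    for gen in parser.generators:
        findings.append(("meta generator", gen, bool(VERSION_RE.search(gen))))
    return findings


# Constructed sample response, not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "X-Powered-By": "PHP/8.1.2",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.1">
<title>Example</title></head><body>Hello</body></html>"""

if __name__ == "__main__":
    for source, value, versioned in find_disclosures(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{source}: {value!r} ({'version exposed' if versioned else 'product only'})")
```

Findings flagged with an exposed version are the first ones to remove in your server or CMS configuration.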

Keep an eye open for changes to the site content, and also watch your uptime using automated uptime monitoring. Keeping track of all the site updates helps identify unpermitted changes. Outdated and legacy content can give hackers loopholes to exploit, too. The more things you check, the more chance there is of catching exploits before they become disasters.

Last but not least, train your employees in staying secure at work. Untrained employees, whether they have access to your website’s CMS or not, are one of the biggest threats to security when they don’t know how to be secure. Find an online cyber security course or get help from experts, keep the training up as new cyber threats come along, and be scrupulous in taking people who are leaving the company off the system immediately after they leave the building. 

Stay secure for better business  

A secure website supports better business in so many ways. An insecure one can be lethal to your bottom line. Good security means people trust your business. You have a stronger brand and better search visibility. It makes your company more resilient, more future-proof, and safer from data protection disasters. No wonder businesses of all sizes are becoming so much more aware of the need for reliable website security.

Now you know more about how to check your website, you’ll be in a much better position to make great security happen. As a trusted web development Oxford agency, and experts in super-secure Umbraco hosting, we can help you.

Would you like to explore the potential? Call us on 01844 888 777, email us at hello@intuitiv.net, or use our contact form to get in touch.