If you’re designing a website for yourself or a client, you’re going to need to check several boxes before launching it into the world. Some of those boxes are the fun ones–coming up with the color scheme, determining the page layout, and choosing creative graphics. But there’s one checkbox that, for many of us, is a bit of a downer: website security (cue sad trombone).
Website security isn’t the sexiest topic out there, but it’s critical knowledge for anyone serious about web design. Securing your website is like getting insurance on a house or car. It’s not exactly thrilling, but it’s well worth it to prevent a valuable asset from getting broken into or damaged.
In this article, we’ll go over the nuts and bolts of website security, including the types of threats you should know and the steps you need to take to secure a website.
Your comprehensive guide to website security
What is website security, exactly?
Types of web security threats you should know
How can I secure my own website?
What is website security?
In simple terms, website security is the practice of protecting your website from online attacks. These attacks include unauthorized access, modification, disruption, or destruction of your site.
The people behind these attacks are known as hackers. Typically, their goal is to use your site as a vehicle to access online data like contact information, personal details and passwords, and credit card information.
From a business perspective, this not only compromises the integrity of your brand, but it also puts customers and clients at risk. Take it from the well-known trading app Robinhood–just last November, their customer support system was hacked to expose the email addresses, names, and phone numbers of 7 million users.
Types of web security threats you should know
Hackers have a lot of tools in their toolkit, so it’s helpful to have a broad understanding of the different types so that you can better protect your website. Here are some of the most common types of attacks.
Cross-site scripting (XSS): This type of attack exploits the trust that a user has in a particular site. It begins when a hacker sends malicious code through a website to unsuspecting users. This tricks the user’s browser into accepting the code, allowing the hacker to access the user’s cookies, session tokens, and any sensitive personal information they’d shared with the site.
SQL injection: The attacker injects a specific type of code (called SQL code) into a website to exploit a security vulnerability. This allows them to spoof identify, access and tamper with existing data, destroy the data altogether, and become administrators of the database server.
Cross-site request forgery (CSRF): This type of attack involves sending a request to the user that appears to come from the website–like asking them to change their email address or password or click a button on a form. The innocent user might carry out the action unintentionally, allowing the attacker to infiltrate the site. The lesson? While trust is great for relationships, it shouldn’t be given out freely when it comes to websites.
Denial of service (DoS): This attack shuts down a network so that it’s inaccessible to its users. It does this by flooding the website with traffic or sending it information that triggers a crash. The result is that legitimate users, such as employees or account holders, no longer have access to the site. This typically doesn’t involve the theft of data, but it does cause customers to lose trust in a business and can be expensive for the business to recover.
File inclusion: You’re probably familiar with websites that allow you to upload files to a server. As it turns out, that convenience comes with a price: vulnerability to file inclusion attacks. If a website isn’t properly secured, attackers can exploit user files as an avenue for infiltrating the site. This gives them access to user data and provides them with a way to run their own code.
Clickjacking: The attacker conceals hyperlinks beneath legitimate clickable content. When a user clicks seemingly innocuous content (such as a Submit button on a website), they are unwittingly routed to a dodgy URL. This technique can be used to capture sensitive user data, such as login credentials.
Directory traversal: This HTTP attack allows hackers to access restricted directories and execute malicious commands. As a result, attackers gain access to sensitive parts of the web server file system.
Command injection: A malicious user exploits a vulnerable application and executes arbitrary system commands on the host’s operating system. The commands can then be executed with the privileges of the hijacked application.
Phishing: Scammers contact users pretending to be part of the business. They use the company’s name and branding to send emails to clients or account holders in the hope of obtaining personal information, such as passwords and credit card details.
The main purpose for going over these types of threats is to understand the different ways in which your website could be vulnerable. If you’re feeling daunted by this list, remember that you don’t need to become a full-blown cyber security expert.
Instead, try to have a general understanding so that you know how to identify risks, whether they take the form of suspicious file uploads or phishing scams. That way, you’ll be better equipped to protect your site (more on that later).
Why website security matters
Getting your website hacked isn’t just a rare stroke of bad luck, like getting hit by lightning. Attacks have become increasingly common over the years. In fact, cyber crime rose by 600% during the COVID-19 pandemic, in large part due to an uptick in phishing scams.
Why should you care about these rising numbers? When it comes to your website, an attack is one of the worst things that can happen for SEO. A compromised site may crash as a result of a hack, or may be suspended if a threat is detected. Suspicious activity can cause a host to suspend your site or Google to place you on an SEO blacklist. This means that Google, web browsers, and anti-virus software will mark your website as not secure to visit, resulting in a huge decrease in traffic.
Even more dire is the ripple effect a hacked website can have on your business overall. The time, effort, and resources a company must pour into resolving a cyber attack is a huge loss of investment. Every minute, $2.9 million is lost to cyber crime, with top businesses losing $25 per minute. Not only is there the actual theft of money and information, but there’s also the cost of getting company systems up and running again.
Part of these costs is also due to a potential loss of customers and business partners. A recent study by Centrify found that 65% of users impacted by a data breach lose trust in a company as a result. And clients and account holders may find themselves facing more pressing issues, like having their personal data–such as their login details and financial information–exposed to hackers.
Before you throw your arms up in despair, keep in mind that taking the right steps greatly reduces your risk. Organizations that were threat victims in 2021 feel that 94% of the attacks could have been prevented, according to a report from Cyber Security Cloud.
Ten ways to secure your website right now
So, what exactly are the steps you need to take? As a designer, here’s how you can check if your website is protected and take action to make it even more secure.
1. Install SLL
For an extra layer of security, combine your HTTPS with an SSL certificate (SSL stands for Secure Sockets Layer, which is the standard technology for safeguarding any sensitive data that gets passed through a site). This alone won’t prevent attacks or malware distribution, but it does add a layer of encryption to keep your website–and your users’ data–safe.
SSL is especially critical for eCommerce websites, since it encrypts sensitive user information like names, addresses, and credit card numbers.
2. Choose a trusted web host
Not all web hosts are created equal. A good hosting provider should play an active role in looking after your site’s security, so do your research before deciding on a web development platform.
When you choose a host for your website, make sure it’s a brand you trust. EditorX is a one option, with built-in hosting and enterprise-grade security.
3. Use strong passwords
A password is the gatekeeper of your personal information. Having passwords that you change regularly and that are difficult to crack is one of the quickest, easiest ways to thwart the hackers.
When creating a website login, make sure to avoid hackable passwords Sure, super secure passwords are hard to remember, but 123456 or qwerty just won’t cut it. Instead, create a strong password by following these tips:
Use a combination of 3 unrelated words (avoid using your name or other identifying phrases).
Use a randomly generated sequence of characters.
Include a mix of uppercase and lowercase letters, numbers, and special characters.
Aim for long passwords.
Put those rogue sticky notes aside and use a password manager instead. Tools like 1password are great for keeping track of passwords so you won’t need to reuse them.
4. Use HTTPS
You know that “https://” that comes at the beginning of a URL? Making sure your website has that is crucial. Without it, a hacker can intercept the page content and use it to gather personal information from your visitors.
Using the HTTPS protocol tells visitors that they’re interacting with the right server and that nothing can alter or intercept the site. Google rewards websites with HTTPS protocol, so it’s also great for SEO.
5. Use antivirus software
Antivirus software helps prevent hackers from infiltrating your computer and injecting malicious code into your website. Make sure you have it on all your devices, especially the ones you’re using to log into site in question. There’s lots of reputable antivirus software available, including:
Most options offer both free and paid plans, so do your research to see which option best fits your needs.
6. Maintain an up-to-date site
Cyber attacks work by exploiting the most vulnerable parts of a website. “Hackers will always be searching for ways to capitalize on software vulnerabilities,” explains Krys Lambiase, senior product marketing manager at Endurance International Group (EIG). And Cyber attacks are often automated, he adds. “Criminals use bots to scan websites that are vulnerable. So, if you’re not staying up to date on the latest software versions, it will be easy for hackers to identify your website before you can do anything about it.”
In other words, the more up-to-date your software is, the less vulnerable it will be to threats. If you’re using a software like WordPress, you’ll need to manually run updates on both the core software and plugins. If you’re using a website builder like Editor X, on the other hand, software updates will happen automatically.
7. Keep an eye out for suspicious activity
Channel Sherlock Holmes and stay on guard for clues that indicate suspicious activity. Here’s how to keep an eye out for potential threats:
Don’t click on links in emails that may be suspicious, whether or not you know the sender.
Stay especially alert when using public or open internet connections
Log out of the site or shut down your device if you’re away from your desk in a shared space
Don’t share sensitive information freely (more on that below)
Make sure that your colleagues, clients, and anyone else with administrative access to your site is on the same page when it comes to being cautious and alert.
8. Minimize file uploads
Remember our discussion of file inclusion attacks? Many websites allow users to upload files, such as uploading an image of a product in a review. While this is a fairly common practice, it is a potential avenue for viruses and malware.
With that in mind, try to limit file uploads as much as possible or restrict them altogether. If you find that the ability to upload files is an important feature of the site, you can reduce the risk of attacks by using a secure file upload system, such as Filestack or Transloadit.
9. Manually accept website comments
In general, website comments are a good thing, since they’re a great way to measure engagement, interact with your site visitors, and build a community of users. That said, you don’t want just any comments on your site. Spammy comments, whether they’re from a fake account, bot, or troll, are bad for your SEO–and potentially harmful to your visitors. This is especially true if those comments include links, some of which could contain viruses.
To avoid these types of comments, change your website settings so that you need to manually approve all comments. This allows you to get review comments and delete spam before it appears on your site.
10. Limit user access
95% of cyber attacks are the result of human error. Even if the human in question doesn’t have malicious intent, they could easily make a mistake (such as clicking a suspicious link) that grants an attacker access to your site.
To mitigate this risk, restrict the number of people who have backend access to your site. Don’t just hand out login details to anyone who asks–even if they’re an employee. This is especially true if you’re hiring someone outside your company, such as a freelance designer or consultant.
Instead, make sure that you only grant administrative permissions to verified professionals who you trust. They should be fully trained in how to manage security threats, and should be given the minimum level of access required for completing the task.
