As a business owner in the corporate sector or the MSME sector, you should ensure web security of your website or it may be hacked causing you business loss as well as loss of prestige. But a lot of us are just happy with having a website which would pass as “functional” at best and “ineffective” at worst.
Are you making one or more of the following mistakes? Well it is time to take corrective measures.
Mistake #1: Not regularly updating the various software used by your site.
Is your website built with CMS software like Joomla, WordPress, Drupal, etc? You should know that older versions are quite prone to hacking attacks. Make it a point to update them regularly. Some software come with auto-update features and you can be better off by activating this option. If there is no such feature, you will have to update the software manually.
Mistake #2: Using simple, easy-to-guess passwords.
If you have been using simple and straightforward passwords for most of your accounts, change them as soon as possible. Your passwords need to be long (say 8-20 characters) and should contain capital and small letters, digits and special characters.
How can you make the passwords more complex and unguessable? It is a good idea to borrow words from Hindi, Punjabi or other languages which cannot be commonly found in an English dictionary. Mix them up with at least a couple of special characters.
Mistake #3: Not reviewing the list of active users periodically.
Are you constantly monitoring or reviewing the list of users with access to the admin system? Sometimes, accounts are left active even after a user has quit. That makes the admin system open to abuse. Deactivate the dormant accounts as soon as possible.
Setting a policy for frequent change of passwords is a good practice but don’t make it too frequent as it has the downside risk of irritating users.
Mistake #4: Not validating data on the forms on both sides.
Are you validating the data on the forms in the site on the client side (browser) as well as the server side (form processing script)? If not, your site can be hacked and people can get send spam through your site as well as hack it to use in abusing other sites.
You need to validate or sanitize the data on the client side but it is also important to repeat the process in the server side before you process the submitted data. A hacker would try to disable or bypass the validation checks at the client side, so doing it again at the server side is very important.
You also need to check the form data for scripts, executable codes, MYSQL injections and other junk before these are processed and saved to the database. If not, you are inviting trouble because a hacker would try to slip in these codes to infiltrate your database. Stop echoing the submitted data on the thank you page before sanitizing it first.
Mistake #5: Not checking the uploaded files for extensions and mime-types.
Sometimes you will need to have a provision in your website to allow uploading of files like CV in a job application form. But have you considered checking the uploaded files for extensions and mime-types before accepting them? If not, I must warn you that it can be a source of much trouble. Rename the uploaded file by giving it a suitable name. This will minimize the chances of pernicious attacks like phishing or data theft.
Mistake #6: Revealing too much information about the server and software versions.
You can configure your server software and CMS software to reveal minimum information about the versions and server paths. Have you implemented these settings or have you been revealing too much information? You should configure your server operating system to return generic error messages to the users.
Mistake #7: Not backing up your site with version control.
Are you backing up the updated versions of your website regularly? This may be seemingly insignificant but is a very important exercise. Always maintain records of the current versions or any changes or updates that you may make to it. In case, your website suffers a hacking attack, the version backups will come in handy.
If some files have been corrupted, you may replace these files by restoring the files from your backup. The same approach may also be useful in case of DB poisoning wherein, junk data is intentionally mixed with your useful data to render them meaningless.
Mistake #8: Not securing CMS sites with suitable plug-ins.
Your website could be exposed to brute force attacks wherein hackers use scripts to try 1000s of generic passwords to gain access. For WordPress sites, security plug-ins like Wordfence, Sucuri, etc are available which add a powerful security layer.
Mistake #9: Not using a secured account to make updates.
Are you using root access on your server to do trivial work on your websites? Then you may be compromising the security of your website in a big way. Stop using the root level account and create a limited access account to do all the work. You may still need to use root access for high level system work, but only when it is an absolute necessity.
Mistake #10: Making system level changes and updates on your website or server using public wi-fi.
Never use public wi-fi in hotels, airports or a coffee shop by a boulevard for doing system level work on your website or server. I think you already know the security threats this practice can pose to your website. Why compromise the security of your site by taking undue risks? If you have to use public wi-fi in case of an emergency, change the password of your website at the earliest presented opportunity.
Mistake #11: Leaving old, unused files on the server.
Are you leaving old, unused files on your server? May be you have updated the website with a new design and the old files are lying in an ‘old-site’ folder. Remove them all immediately. Since these files may have security issues that your development team will not fix, it is harmful to have these lying around.
Mistake #12: Still not using https?
Are you still not using the SSL security certificate to make the site available only through HTTPS protocol? It is a good strategy to use https as it not only improves the search engine ranking but also bolsters the security slightly by encrypting the communication between the user and the server.
Ask your website hosting agency today itself to add a security certificate in the server. However, this won’t make your site completely fortified.
Mistake #13: Not using a hash key.
Is your website dynamic or is your server based on a parameter like p=something? Try to edit the URL in the location bar and see what happens when you send a different value for this parameter. If another page or data can be viewed just by changing the parameter, add a hash key to the URL. This would reinforce the security considerably.
If you are making any of the above mistakes, it’s time for you to take a step back and think. Make these changes and earn additional peace of mind.
If these tips sound too technical and you need help for checking and implementing these, we would be more than happy to help. To begin with, you can ask us to audit your site. We would audit your site based on more than a hundred parameters and give you a feedback report containing solid, actionable ideas.
These tips, once implemented, will improve your search engine ranking, improve the traffic to your site and also improve the profitability of your digital adverts.