Hey, guys! Many of us know what website security is, why it is important and what the steps are in making a secure website, right from the beginning. Yet, there are still some of us who aren’t fully aware of the potential risks of this vast network called the Internet. This article is to help those of us who would like to know what it means to create a secure website. Even if you do have a secure website, going through this should only reinforce what you have already done or maybe, if we are lucky, highlight something you can do to better secure your website.
What is website security?
What does ‘website security’ really mean? Today, most of the things we do rely on the internet in some way or the other, like transportation (booking cabs via apps, booking air tickets), communication (Facebook, WhatsApp), shopping (Amazon, eBay), entertainment (Netflix, iTunes), etc. All of these use the internet to exchange sensitive customer data, like name, address, credit card information and so on. For customers to feel safe and to willingly submit such sensitive information, there need to be protective layers of security that ensure customer safety, privacy and security on the internet. So, in a nutshell, any infrastructure implemented on a website that helps to protect and secure customer information is ‘website security’.
Why is website security so important?
So, why is web security so important? All businesses, whether big or small, are vulnerable to security risks. These risks manifest in many ways, for example, malware infecting a website and stealing valuable customer information like credit card details, login credentials, names and email addresses. Your website is your identity on the web. Your prospective and existing customers will get to know you or communicate with you through your website. In essence, your website is the first point of contact with your prospects.
I personally believe website security is very important as it is a means to build trust with my prospects and existing customers. The more secure your website is, the more trustworthy your site becomes. This directly increases site visits, conversion of visitors to customers and eventually customer referrals. A blog article by Jessica Ann on the interview between iPage and Neill Feather, President of SiteLock, talks in detail about the importance of website security.
So, that’s about website security and its importance, rather briefly. This article mainly focuses on steps to create your website with security in mind. So, let’s go over the 10 steps to create a secure website.
Step 1 – Select a domain registrar
The first step to starting a new website is registering your domain with a renowned domain registrar. You’re probably thinking, “Yep, that sounds like the logical first step, but why with a renowned domain registrar? Aren’t those companies more expensive than the rest?” Well yes, they are. They will be more expensive than others, but again, isn’t expensive a relative term? These companies charge us more only because they have spent a lot to make sure customers’ sensitive data is kept very safe and have many safeguards against problems like domain name hijacking.
It is always a good idea to read reviews of the popular domain registrars, just to see what other people think of the service being provided. Additionally, it will definitely help to know beforehand how good their support services are. You should also be aware of what security measures are in place, such as the authentication and authorization measures the registrar has implemented. These will be especially useful if someone tries to alter your registration information or DNS configuration.
Step 2 – Choose a web host
Okay, once you have made up your mind about your choice of registrar, it is time to choose your web host. Let me start off by telling you what a web host is. A web host is where your website data has its physical presence, online. It is any company that hosts your website. Imagine a birthday party at a house; all the guests are your ‘data’ and the person hosting the party & the house in which the party is hosted are together the ‘web host’. Does it make sense?
While choosing a web host, you need to make sure that the hosting environment is safe and secure. Again, let’s take the example of the birthday party at the house. The guests will only visit if they feel the house is safe from intruders and that there are enough security measures against intrusion, like a fence around the porch with a gate that can be locked, a front door that can be locked from the inside, solid walls that can’t be broken easily and so on… you get the idea, right?
Similarly, a web host needs to have the infrastructure to prevent the data residing on its servers from being modified in any way by unauthorized people. Among other things, they should:
- Offer you the option of encrypting the path between your internet browser and their web server, called SSL.
- Offer you a means to securely access and manage files when you are accessing or managing them remotely (which is what you will be doing all the time). This is called SFTP or SSH File Transfer Protocol. Even though FTP is secure, SFTP is even more so. Server maintenance is another key service that is a necessity.
- Regularly maintain and update its servers. This will help increase the security and safety of your website data.
- Offer you backup as another key service. Most web hosts provide a tool for data backup.
Along with this, most web hosts offer more security features that have to do with emails as well. A web host using cPanel as a control panel has added security features.
There are a number of popular web hosts like InMotion Hosting, BlueHost, HostGator among others. Once again, doing a good amount of research on the most popular ones and comparing them should help you select the right web host.
Step 3 – Choose a CMS
Next up is choosing a CMS or Content Management System. Before you ask me, let me tell you what a CMS is. A Content Management System is where you will be managing the data of your website, its look & feel, what content goes in it, etc. Imagine the materials used to build an aircraft. There’s aluminum, plastic, titanium, rubber and many more materials. All of these materials have their own purpose for an aircraft: the tires are made of rubber, the body out of aluminum and so on. By the same logic, a CMS allows you to manage what content goes where and how each page looks and behaves. You might want the homepage to not have much written content except for your logo and a punch line. You might want your ‘About’ page to have several sections, your contact page to have a contact form, etc.
Reading through this, you may be thinking, “Okay, great! I know what a CMS is, but how do I choose one keeping security in mind?” You know what? That’s a great question! Like domain registrars and web hosts, there are a few popular ones: WordPress, Joomla, and Drupal. All of these are open source, which means their source code is freely available online. Since it is open source, meaning the platform is shared, their vulnerability increases as hackers try to find loopholes in the code that they can exploit. This is an inherent problem in the open-source CMS platforms. These problems can be accentuated by users who use weak login credentials. Besides all this, the integrity and security of plugins also plays a key role. This is covered in step 7 in more detail.
Now that you know what problems can arise out of using a CMS, let’s move onto ways of securing oneself against attacks, or at the very least minimizing the probability and the potential fallout from these attacks.
- Since these platforms are open source, the CMS companies release security updates of their framework to ‘patch’ loopholes. These security updates are very critical. It is absolutely mandatory to have your CMS platform completely up-to-date, to considerably lessen the security risks.
- Your username and password should be very secure. It is certainly not advisable to have an easy-to-guess password. For tips on what passwords to not use, you can read through the compilation of ‘The Top 500 Worst Passwords of All Time’. It will definitely be worth your while to read through the list. At the end, they have another short post about a password checker, where they’ve given a link to an application called, ‘The Password Meter’. This tells you the strength of your password. I’d say this is a pretty handy tool to use.
- Use a plugin for two-factor authentication (2FA) for more security. Google has a plugin for WordPress (I’m not aware if they have one for Joomla and Drupal, you will need to check that out) to enable the Google Authenticator App to work with your WordPress account. Many of you will be aware of the Google Authenticator App after using it with your Gmail or Dropbox account (many more applications offer Google 2FA support).
- Backup! Backup! Backup! It is absolutely critical to have regular backups and by regular, I mean at the very minimum, once a week. Install a good plugin to back up your website data, database etc. If something does happen to your website (I sincerely hope it never does), at least you will have a full backup to restore your site from. The data loss, if any, will be minimal: at most a week’s worth.
- Install .htaccess. Step 4 talks about what .htaccess is and how it helps.
- Also install a security plugin like WordFence or Sucuri. Step 5 of this guide talks about what these are.
These are a few ways of securing your CMS. So far so good! At this point, you will be able to create pages, upload your site to the internet, begin promotions and basically convert those visitors into happy customers. Now, let us look at a few active security measures to implement on your website. They will help in further increasing the security of your website.
Step 4 – Add .htaccess
Let me dive right into what .htaccess is. It stands for Hypertext Access and is a configuration file for web servers running the Apache Web Server software. As the name suggests, it helps control the access level for the directory it resides in. You can use it to control access to specific folders or to the entire website by placing it in the correct directory.
With .htaccess, you can have visitors redirected to another link. Let’s assume that you have moved pages; in that case, you can have the old link redirect to the new one. Password protection for your website is another feature that .htaccess offers. Other security features include allowing or denying access to visitors based on IP address, preventing access to your PHP files, customizing error pages, preventing directory listings, etc. There is a full-fledged guide on what .htaccess is and how to use it effectively. To learn more about this, you can visit the online htaccess guide. There is another comprehensive guide on .htaccess, which you can go through if you’re new to using .htaccess. With this, we are actually taking steps to actively protect your website from security threats. Read on to learn more about security plugins.
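To make the features listed above concrete, here is an added example of a root .htaccess for a WordPress site on Apache 2.4. It is not taken from the article or from any of the guides it links to; the file paths, the page names and the IP address are placeholders, and it assumes the host has enabled mod_rewrite and allows .htaccess overrides for these directives.

```apacheconf
# Added example, not from the original article: a root .htaccess for a
# WordPress site on Apache 2.4. Paths, page names and the IP are placeholders.

# Turn off directory listings so a folder without an index file is not browsable.
Options -Indexes

# Keep the server's own configuration files and secrets out of the browser.
<FilesMatch "^(\.htaccess|\.htpasswd|wp-config\.php)$">
    Require all denied
</FilesMatch>

RewriteEngine On

# Send every plain-HTTP request to HTTPS (see Step 9 on SSL).
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# The uploads folder should hold images and documents, never executable PHP,
# so refuse any request for a .php file under it.
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]

# Password-protect the login page with HTTP Basic auth as a second gate in
# front of the CMS login. The .htpasswd path is a placeholder; create the
# file with the htpasswd tool and keep it outside the web root where possible.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>

# Alternative to the password prompt: allow the login page only from a fixed
# address (203.0.113.10 is a documentation address, used here as a placeholder).
# <Files "wp-login.php">
#     Require ip 203.0.113.10
# </Files>

# Redirect a page that has moved to its new location.
Redirect 301 /old-page.html /new-page/

# Serve your own error pages instead of the server defaults.
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
```

The `Require` directives are the Apache 2.4 syntax; on a host still running Apache 2.2 the equivalent is `Order allow,deny` / `Deny from all`. If the host has not granted `AllowOverride` for `Options`, `AuthConfig` and `FileInfo`, the corresponding lines will cause a 500 error rather than being silently ignored, so test the file on a staging copy first and check that the login page, a protected file and an uploads URL behave as intended.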
Step 5 – Install a security plugin
So far, except for .htaccess, we have mainly discussed how to make sure the services we opt for, help us in securing our website. However, with .htaccess and security plugins, it is like protecting your email account with more than just a password. We are now increasing the layers of security, just like the layers of an onion. Each security feature adds one or several more layers of security and helps to further reduce the risk of your website being hacked.
Plugins like WordFence or Sucuri (popular ones) are all-in-one security plugins. They have a website firewall and, along with that, other security features like blocking, login security, security scanning of your website and much more. A plugin like this definitely increases your website’s security to a significant degree. Beyond the security features, WordFence also boasts monitoring features, which among other things monitor your website traffic in real time. If you would like to learn about this plugin in more detail, you can visit the Wordfence website. I have written another article that talks about 6 awesome all-in-one security plugins for WordPress. Feel free to head over there.
Alrighty! Next up is backing up your website. This one is as important, if not more, as keeping a strong password to secure your website. Well, read on…
Step 6 – Add a backup plugin for backing up your website on a regular basis
Once again I’m going to say what I said earlier, “Backup! Backup! Backup!”. Let’s imagine this particular scenario for a minute. You have a roaring business, money is flowing in and you couldn’t be happier. However, it’s been over a month since you backed up your website and you don’t pay much attention to it, ‘coz really, nothing has gone wrong, yet. You go to sleep and wake up the next day, expecting another awesome day of business. In the morning, to your utter horror, you find out that your website isn’t there anymore! It has been deleted! You don’t know what happened between the time you went to sleep and woke up, but obviously, something not really conducive to your business.
Anyway, you go ahead and restore your data from your old backup and find out that you have updated, tweaked, added, deleted and changed your website many, many times in that one month, and while you have restored your website, it is an old version that you were never happy with. This is where a regular backup comes to your rescue. It is essential you back up your website at least once every week. This is non-negotiable, really.
There are a few ways you can backup your data.
- You can manually backup your website data, if you know what to do and if you are certain you are doing the right thing and are confident about it. There are several tutorials online, that would teach you how to do it right. I, personally, wouldn’t go in for this backup method, unless, circumstances force me to.
- Online backup solutions are also a good option. The people who designed WordPress have come out with a software called VaultPress. This is an automated solution, though I am not aware if this is for other platforms as well. However, there should be other such solutions for platforms like Joomla or Drupal. You are just a simple Google search away from finding the answer.
- Backup plugins are a good solution as well. There are quite a few plugins available. UpdraftPlus, Backup Buddy are a couple of the popular ones. You can schedule automatic backups in them and they will backup your website data according to the schedule you set. If disaster strikes, you will have your latest version to restore to, hopefully not losing much or any content in the process.
I know what you’re probably thinking at this point, “Rohit, I remember you telling me that the web host backs up data. Why do I need to do it as well?” Well, here’s your answer. Web hosts may or may not back up data. It certainly isn’t your web host’s responsibility to make their backups available to you. It is in your best interest to fend for yourself here. That way, you wouldn’t be relying on anyone else to make sure your website is safe. Also, if something happens to your website, you need to respond to it very quickly. Relying on your web host may not be the fastest solution and it certainly isn’t the best. Most importantly, you have peace of mind that your website is definitely secure. Remember, we spoke about security being like the layers of an onion? Well, this is an added layer to the many already existing layers.
How do you feel so far? Great, right?! Yep, me too! Let us move on and talk about security of plugins and themes.
Step 7 – Integrity and security of plugins and themes
Many of us either have or will have shortlisted several plugins. Most websites have at least 3 plugins installed to provide various features. Plugins are third-party software that solves a specific purpose for us, like backing up our website data or security. Besides plugins, we will also be using themes for our website. Everyone wants their website to look a certain way; they have envisioned what the look and feel of their website should be. Most of us will go in for ready-made themes and probably not want to create our own (either because we don’t want to get caught up in a task of that magnitude, or because we simply don’t have the know-how to develop themes). All these are foreign elements in our open-source CMS, and as we discussed, open-source code has its own share of problems.
Needless to say, it is absolutely essential that the plugins and themes that we plan on using or are already using, have been developed by reputed developers. Support is essential for such plugins and themes. Sometimes, they pose compatibility issues, which is when the good support service would be useful. The developers of themes and plugins regularly release updates and security patches, which are very crucial in primarily keeping up the security of the plugins or themes. They are as important as the security updates for your CMS. You should thoroughly research plugins, themes and any third party software that you would like to use on your website. This will help you establish the authenticity of what you would like to use. Researching will also help you understand what problems you are likely to face so that you can be better informed and make the right decision.
Step 8 – Updating CMS core, plugins and themes
Let’s talk about updating your CMS core, plugins and themes. I have mentioned the importance of installing updates a couple of times in this article. Well, the truth is, updates are as important a requirement for security as any of the other aspects mentioned in this article.
Because it is so important, I feel it deserves another mention. Remember, we spoke about the CMS being open source. Similarly, your plugins are open source as well. Referring to what I said earlier, open source is inherently not secure, due to its code being widely available. Not having an updated platform and supporting plugins means that you are using an older version with known security vulnerabilities, which obviously means that your website is more prone to hacking.
Additionally, by installing updates regularly, you will get new features, increased speed & performance, better compatibility and bug fixes, so that your website runs smoothly. The last thing we want is for our website to crash just when someone is placing an order. Installing updates is a fairly simple task. It is as simple as the push of a button. Usually, backup plugins can be configured to take backups of the relevant data just before an update, because if something were to go wrong, you can always switch back to the previous most stable version.
Next up is SSL or Secure Sockets Layer. Remember, I mentioned SSL with web hosts? I would like to touch upon that, just a bit more so that you have a fair idea of what it is and why it is needed.
Step 9 – Secure by SSL
As mentioned above, SSL stands for Secure Sockets Layer. It is a security technology which allows for a secure link between a web browser and a website by encrypting the connection between them. Now, what does that really mean? Imagine you are throwing a tennis ball and your friend is catching it. Just when your friend is about to catch the ball, suddenly, a third friend catches it, intercepting it in mid-air. What if the tennis ball had some secret information? It would never have reached the person it was intended for, right? This can happen with information too. For example, you enter your credit card information in your browser for a particular website, and if it is not secured by SSL, anyone can ‘eavesdrop’ on the information being transmitted and steal it, in this case, your credit card details. Now, that doesn’t sound fun, does it?
Now let us once again assume the same tennis ball scenario. However, this time, instead of throwing it freely in the air, you throw it inside a tube which runs the length between you and your friend. Would anyone be able to intercept the ball in mid-air this time around? No, because the tube serves as a secure link between you and your friend. This is the purpose of SSL. Once you have the SSL security technology in place, the likelihood of your personal and sensitive information being ‘intercepted’ by anyone reduces greatly.
SSL will be rather important for your website security if you have an eCommerce website or you accept credit/debit card payments or you require your customers to reveal any sensitive information about themselves over the internet. Being secured by SSL will definitely give your customers and prospects more trust in revealing their sensitive information over the internet to you, simply because of the layers of security that SSL adds beyond what is already there on your website. There is a lot more information on SSL. If you are interested in reading more, I have compiled a few links for you to go through. Feel free to go through them to gain a deeper understanding of how SSL works.
Step 10 – Managing your users
Okay, so thus far we have covered ways of securing your website actively. It involved installing plugins or taking steps and measures to actively secure your website. This step doesn’t help your website per se, but it will help keep your users secure.
Whether you have one or multiple users of your service, you need to make sure that they are provided a secure platform to access your service, in case they have some sort of a customer portal. A couple of important things you need to keep in mind are:
- In case your users would like to reset their password, there need to be multiple security features that will prevent unauthorized people from trying to reset the password. Identity verification is rather important.
- If someone enters the wrong password and/or username, it will always be safer to be ambiguous in the error message. For example, saying “wrong username or password” is much better than saying “wrong password” (if it was the password which was wrongly entered), because the specific message confirms to the person trying that the username exists.
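Both points above (a reset flow that does not hand out information, and a login error that does not say which half was wrong) are shown in the following added example. It is my own illustration, not code from the article or from any CMS; the account store, the usernames, the e-mail addresses and the passwords are constructed sample data, and a real site would keep the accounts and reset tokens in its database.

```python
"""Added example (not from the original article): a login and password-reset
flow that answers the same way whether or not an account exists, so that the
responses cannot be used to discover valid usernames or e-mail addresses.
All accounts below are constructed sample data."""

import hashlib
import hmac
import os
import secrets
import time

# One generic message for every failed login, whatever the reason.
LOGIN_FAILED = "Incorrect username or password."
# One generic message for every reset request, registered address or not.
RESET_SENT = "If an account exists for that address, a reset link has been sent."
PBKDF2_ROUNDS = 100_000
RESET_TTL_SECONDS = 15 * 60


def hash_password(password, salt):
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(username, email, password):
    salt = os.urandom(16)
    return {"username": username, "email": email,
            "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample account store (a real site would use its database).
USERS = {u["username"]: u for u in [
    make_user("alice", "alice@example.com", "correct horse battery staple"),
]}

# A dummy record that is hashed against when the username is unknown, so an
# unknown user costs about as much time as a wrong password for a known one.
_DUMMY = make_user("", "", secrets.token_hex(16))

# sha256(token) -> (username, expiry). Only the hash of the token is stored.
RESET_TOKENS = {}


def login(username, password):
    """Return (True, username) on success, otherwise (False, LOGIN_FAILED).

    Same message and same amount of work for an unknown username and for a
    wrong password, so neither the text nor the timing tells them apart."""
    user = USERS.get(username, _DUMMY)
    candidate = hash_password(password, user["salt"])
    if username in USERS and hmac.compare_digest(candidate, user["hash"]):
        return True, username
    return False, LOGIN_FAILED


def request_password_reset(email, now=None):
    """Return (message, token). The message never reveals whether the
    address is registered. A token is issued only for a real account and
    would be e-mailed to that address, never shown to the requester."""
    now = time.time() if now is None else now
    for user in USERS.values():
        if hmac.compare_digest(user["email"].encode(), email.encode()):
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            RESET_TOKENS[key] = (user["username"], now + RESET_TTL_SECONDS)
            return RESET_SENT, token
    return RESET_SENT, None


def redeem_reset_token(token, new_password, now=None):
    """Consume a reset token exactly once; reject unknown or expired tokens.
    Returns True when the password was changed."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)   # pop: a token can never be reused
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    user = USERS[username]
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(new_password, user["salt"])
    return True


if __name__ == "__main__":
    print(login("alice", "wrong"))          # (False, 'Incorrect username or password.')
    print(login("nobody", "wrong"))         # identical response for an unknown user
    print(request_password_reset("mallory@example.com")[0])  # same message, no token
```

The reset token is returned here only so the flow can be exercised offline; in a real deployment it goes out by e-mail to the address on file, the requester only ever sees `RESET_SENT`, and the stored copy is the token's hash with a short expiry, so a leaked database does not yield usable reset links.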
Summary for Making a Secure Website
So, once you have a business idea that you would like to work on, you will then be making a secure website for your choice of business. In a nutshell, here’s what you’ve got to do for that:
Wow! You’ve now created a considerably secure website. Remember, whatever further steps you take on your website, always have security in mind, when adding, deleting or modifying anything. Exercise caution when it comes to installing third party applications on your website. If something seems too good to be true, it probably is. Hope this article helps you!