"How Secure is My Website?"
This is a question you may be asking if your website is getting older, or perhaps if you are evaluating your options to build a new website.
Building an interactive website is much more common today than it was even a decade ago. Most customers expect functionality when they visit your site. Functions include
One of our goals with LRS Antilles is to not only provide a secure platform to build a website but to provide the technical expertise and resources to make sure these experiences are safe and secure for your customers.
Building a secure website is something that requires a ground-up approach.
All too often, we hear about issues with security that are directly related to "bolting on security" to keep things going.
Older websites are especially vulnerable. There are many things to consider, especially if you are working with an older website.
One very popular platform available today is WordPress. While WordPress is great for individuals creating a quick, brochure-style site, expanding these sites often requires plugins.
For example, if you want a contact form, you might grab a free one online from an unknown developer. Later, you install a photo gallery, or perhaps a full online store from different developers from different companies.
Often it's unknown who originally developed these plugins and if they are still being properly managed and maintained. Some may not be designed to work with the version of WordPress you are using. Old plugins often exist for years without updates and companies become reliant on their functionality and cannot switch or upgrade them.
One of the important fundamentals of website security is understanding what approach to take and how to start out right from the beginning.
At LRS Web Solutions, website security is one of our most important tasks. This means when we develop a solution for a customer, it's already based on a platform that has been built by us, tested on a regular basis and scanned by a third-party company to search for any new vulnerabilities each time we provide a new release of our content management system.
This progressive approach is fundamental to having a secure website and maintaining a trusting relationship with our clients.
When we talk about security, it's also common to intermix this conversation with privacy. While the two topics are both extensive on their own, they come hand in hand.
Many business owners know that privacy laws are getting stricter. If you store information about your customers, even if it's just a contact form with their name and e-mail, that data should be encrypted both in transit and at rest.
In the past, it was common to see only the checkout page of an online store be protected by SSL (the little lock in your browser's address bar). Today, however, business owners should make sure that every page is protected by an SSL certificate. (And as a consumer, if you don't see the lock on your browser, visit a different site.)
All information your customers provide to you should always be encrypted to today's standards. SSL encryption is available on all modern web servers. A certificate is now free from many providers, or is available at a reasonably low cost, which has the benefit of providing insurance in the event a data breach occurs.
Certificates themselves are an important part of the equation. Encryption does the job of making the communication secure. The certificate itself verifies who you, the website owner, are. When your customers send information to you, they need to know you are who you say you are.
Security and convenience are often considered to be at odds with one another. To be more secure, something will always be less convenient. While this certainly holds true, a well-thought-out web site can go a long way toward blending these two rivals. Here are some ways we do this at LRS Web Solutions.
One method of greatly increasing security is to implement multi-factor authentication. If you've ever been required to enter a code sent to your phone when logging in to a website, you’ve experienced multi-factor authentication.
Multi-factor authentication, often referred to as a second-factor (passwords being the first), means that you are proving to the website that you are who you say you are. This is critical because as the operator of a website, you don't want to provide confidential information to a hacker. Hackers often take advantage of the fact that many people will use the same password on multiple websites.
There are publicly available databases that show a list of websites that have been hacked, who the users are and what their passwords are. If your customer is using the same password they used on another site that has been compromised, you need a way to help mitigate that issue. Multi-factor works because you can sign in a user based on more than one factor (the password + a code sent to a cell phone).
A third, increasingly common factor is biometrics, such as scanning a fingerprint or using a FaceID app on a cell phone.
With more options available, users are finding it less cumbersome to, for instance, look at their phone than to sign in with a code. As technology continues to progress and becomes widely available across devices and on websites, website developers like us are always exploring the latest options for both increased security and convenience for platforms like LRS Antilles.
Online forms are a common way to collect information from your users. Often you expect to receive information for a specific purpose, like an inquiry about a quote, or a simple contact us submission.
Forms present specific challenges to security, because forms can be a target for malicious users or hackers to send out spam to potentially millions of users using your resources if your form is coded incorrectly.
An incorrectly coded form can create many problems on your website and could even lead to suspension of your web hosting, or Google de-listing you. Even worse, if your IP address gets blacklisted, it could become much more difficult to send emails out to your customers because of a problem on your website.
Step 1: Code Your Form Correctly
The most important first line of defense in creating a secure form is to make sure it is coded properly. Have a professional developer review the forms on your website to determine if the underlying technologies are still being supported and if the coding of the form itself is secure.
Step 2: Use Captcha
Once that has been done, there are additional measures to help ensure forms do not get exploited. A very common feature is called a captcha ("Completely Automated Public Turing test to tell Computers and Humans Apart"). The Turing test, invented by Alan Turing in the 1950s, was a way to determine if a computer could think.
Today, we make use of this very concept to help distinguish if an actual human is filling out your form, or if someone has written an automated script that is trying to exploit your form or automate it to send spam to you through your own website.
These tests, luckily, have gotten more streamlined thanks to Google. Now, users either don't have to do anything at all if they are also signed into Google, or they may only need to check a box before clicking submit.
If you ever had to solve a complex puzzle to submit a form, you have seen how a captcha works, but it's time to upgrade. Those types of captchas are no longer necessary. Adding a modern captcha now makes it, at most, only a minor inconvenience for a user to fill out a form but causes a great deal of programming work for someone trying to hack your form. Our approach with LRS Antilles Form Builder has been to implement Google's reCAPTCHA as an option for all forms built on Antilles.
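One way to apply both steps on the server, as an added example that is not LRS Antilles code: the recipient is fixed in code, fields that end up in mail headers must be single-line, and the captcha verification result is checked before any mail is built. The addresses, hostname, limits and function names are assumptions, and `verify_result` stands for the parsed JSON your server receives from the captcha provider's verification call.

```python
import re
from email.message import EmailMessage

# Assumed values for this example; none of them come from the page.
SITE_INBOX = "inquiries@example.com"   # recipient is fixed in code
SITE_SENDER = "webform@example.com"
EXPECTED_HOST = "www.example.com"
MAX_MESSAGE_LEN = 5000
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class FormRejected(ValueError):
    """Raised when a submission must not be turned into an email."""


def captcha_passed(verify_result: dict) -> bool:
    """Check the parsed JSON returned by the captcha verification call.

    reCAPTCHA's response carries 'success' and 'hostname'; the token
    must have been issued for our own site, not reused from another one.
    """
    return (verify_result.get("success") is True
            and verify_result.get("hostname") == EXPECTED_HOST)


def build_contact_email(form: dict, verify_result: dict) -> EmailMessage:
    """Validate a contact submission and return the message to send."""
    if not captcha_passed(verify_result):
        raise FormRejected("captcha verification failed")
    name = str(form.get("name", "")).strip()
    email = str(form.get("email", "")).strip()
    message = str(form.get("message", "")).strip()
    # Header-bound values must be single-line: a line break here would let
    # the submitter add mail headers (and recipients) of their own.
    for field, value in (("name", name), ("email", email)):
        if not value or len(value) > 254 or re.search(r"[\r\n\x00]", value):
            raise FormRejected(f"invalid {field}")
    if not EMAIL_RE.fullmatch(email):
        raise FormRejected("invalid email")
    if not message or len(message) > MAX_MESSAGE_LEN:
        raise FormRejected("invalid message")
    msg = EmailMessage()
    msg["From"] = SITE_SENDER          # never the visitor's address
    msg["To"] = SITE_INBOX             # never read from the form
    msg["Reply-To"] = email
    msg["Subject"] = f"Website inquiry from {name}"
    msg.set_content(message)
    return msg
```

Any extra fields a client posts, such as a recipient of its own choosing, are simply never read, so the form can only ever deliver mail to the site's own inbox.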
Website security requires ongoing maintenance and updates. We’ve already mentioned avoiding plug-ins, using SSL, and multi-factor authentication. As technology advances, there are even more solutions that work together to keep your site running:
Once your visitor connects to your website, they should be able to access content securely. In Antilles, we recommend an SSL certificate for the entire website and employ both password protection and multi-factor authentication to help secure different areas of the site. We also manage and monitor our Antilles modules for any security vulnerabilities.
Clients who have the LRS website maintenance package will get security updates as they become available. That proactive approach mitigates security issues with your site typically before they ever become an issue.
With the right combination of technology, resources, and knowledge, you can have a well-managed secure website that will serve your business well. Having a good infrastructure in place, a dependable website platform, and on-call support is something we take very seriously in protecting our customers and would be happy to help evaluate your website security needs.
Ask us about our website maintenance package.