The Case for Security
"How Secure is My Website?"
This is a question you may be asking if your website is getting older, or perhaps if you are evaluating your options to build a new website.
Building an interactive website is much more common today than it was even a decade ago. Most customers expect functionality when they visit your site. Functions include:
- filling out a contact form
- placing an online order
- signing in to their online banking experience
One of our goals with LRS Antilles is to not only provide a secure platform to build a website but to provide the technical expertise and resources to make sure these experiences are safe and secure for your customers.
You Need Website Security Before You Launch, Not Plugged In After
Building a secure website is something that requires a ground-up approach.
All too often, we hear about issues with security that are directly related to "bolting on security" to keep things going.
Older websites are especially vulnerable. There are many things to consider, especially if you are working with an older website.
One very popular platform available today is WordPress. While WordPress is great for individuals creating a quick, brochure-style site, expanding these sites often requires plugins.
For example, if you want a contact form, you might grab a free one online from an unknown developer. Later, you install a photo gallery, or perhaps a full online store from different developers from different companies.
Plugins can be a dangerous practice, and here’s why
Often it's unknown who originally developed these plugins and if they are still being properly managed and maintained. Some may not be designed to work with the version of WordPress you are using. Old plugins often exist for years without updates and companies become reliant on their functionality and cannot switch or upgrade them.
One of the important fundamentals of website security is understanding what approach to take and how to start out right from the beginning.
At LRS Web Solutions, website security is one of our most important tasks. This means when we develop a solution for a customer, it's already based on a platform that has been built by us, tested on a regular basis and scanned by a third-party company to search for any new vulnerabilities each time we provide a new release of our content management system.
This progressive approach is fundamental to having a secure website and maintaining a trusting relationship with our clients.
Website Privacy + Website Security
When we talk about security, it's also common to intermix this conversation with privacy. While the two topics are both extensive on their own, they come hand in hand.
Many business owners know that privacy laws are getting stricter. If you store information about your customers, even if it’s just a contact form with their name and e-mail, that data should be encrypted both in transit and at rest.
Get the SSL Certificate
In the past, it was common to see only the checkout page of an online store be protected by SSL (the little lock in your browser's address bar). Today, however, business owners should make sure that every page is protected by an SSL certificate. (And as a consumer, if you don't see the lock on your browser, visit a different site.)
All information your customers provide to you should always be encrypted to today's standards. SSL encryption is available on all modern web servers. A certificate is now free from many providers, or is a reasonably low cost, which has the benefit of providing insurance in the event a data breach occurs.
Certificates themselves are an important part of the equation. Encryption does the job of making the communication secure; the certificate itself verifies who you, the website owner, are. When your customers send information to you, they need to know you are who you say you are.
Security + Convenience
Security and convenience are often considered to be at odds with one another. To be more secure, something will always be less convenient. While this certainly holds true, a well-thought-out website can go a long way toward blending these two rivals. Here are some ways we do this at LRS Web Solutions.
Are You Who You Say You Are?
One method of greatly increasing security is to implement multi-factor authentication. If you've ever been required to enter a code sent to your phone when logging in to a website, you’ve experienced multi-factor authentication.
Multi-factor authentication, often referred to as a second factor (passwords being the first), means that you are proving to the website that you are who you say you are. This is critical because as the operator of a website, you don't want to provide confidential information to a hacker. Hackers often take advantage of the fact that many people will use the same password on multiple websites.
There are publicly available databases that show a list of websites that have been hacked, who the users are and what their passwords are. If your customer is using the same password they used on another site that has been compromised, you need a way to help mitigate that issue. Multi-factor works because you can sign in as a user based on more than one factor (the password + a code sent to a cell phone).
A third, and commonly growing, factor is using biometrics, such as scanning a fingerprint or using a FaceID app on a cell phone.
With more options available, users are finding it less cumbersome, for instance, to look at their phone, than to sign in with a code. As technology continues to progress and becomes widely available across devices and on websites, website developers like us are always exploring the latest options for both increased security and convenience for platforms like LRS Antilles.
Online Forms: A Unique Security Challenge
Online forms are a common way to collect information from your users. Often you expect to receive information for a specific purpose, like an inquiry about a quote, or a simple contact-us submission.
Forms present specific challenges to security: if your form is coded incorrectly, malicious users or hackers can target it and use your resources to send out spam to potentially millions of users.
An incorrectly coded form can create many problems on your website and could even lead to suspension of your web hosting, or Google de-listing you. Even worse, if your IP address gets blacklisted, it could become much more difficult to send emails out to your customers because of a problem on your website.
Step 1: Code Your Form Correctly
The most important first line of defense in creating a secure form is to make sure it is coded properly. Have a professional developer review the forms on your website to determine if the underlying technologies are still being supported and if the coding of the form itself is secure.
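One thing such a review looks for is whether submitted values can reach the mail headers or the recipient list. The following added example (not LRS Antilles code) shows a contact-form handler that keeps the recipient fixed and rejects control characters in header fields; the addresses, length limits and function names are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Assumed addresses for this example: the site's own inbox and sender.
SITE_INBOX = "contact@example.com"
SITE_SENDER = "webform@example.com"
MAX_NAME, MAX_SUBJECT, MAX_BODY = 100, 150, 5000
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class FormRejected(ValueError):
    """Raised when a submission must not be turned into an email."""


def _header_value(field, value, limit):
    value = (value or "").strip()
    if not value or len(value) > limit:
        raise FormRejected(f"{field}: missing or too long")
    # A line break inside a header field would let the value add its own headers.
    if CONTROL_CHARS.search(value):
        raise FormRejected(f"{field}: control characters not allowed")
    return value


def build_contact_email(form):
    """Turn a submitted form (dict of strings) into a message to the site inbox only."""
    name = _header_value("name", form.get("name"), MAX_NAME)
    subject = _header_value("subject", form.get("subject"), MAX_SUBJECT)
    email = _header_value("email", form.get("email"), 254)
    if not EMAIL_RE.fullmatch(email):         # exactly one address, no lists
        raise FormRejected("email: not a single valid address")
    body = (form.get("message") or "").strip()
    if not body or len(body) > MAX_BODY:
        raise FormRejected("message: missing or too long")

    msg = EmailMessage()
    msg["From"] = SITE_SENDER     # the site's address, never the visitor's
    msg["To"] = SITE_INBOX        # fixed recipient, never read from the form
    msg["Reply-To"] = email
    msg["Subject"] = f"[Contact form] {subject}"
    msg.set_content(f"From: {name} <{email}>\n\n{body}")
    return msg
```

Because the only recipient is the site's own inbox, a script that submits the form repeatedly can fill that inbox but cannot make the server mail anyone else.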
Step 2: Use Captcha
Once that has been done, there are additional measures to help ensure forms do not get exploited. A very common feature is called a captcha ("Completely Automated Public Turing test to tell Computers and Humans Apart"). The Turing test, invented by Alan Turing in the 1950s, was a way to determine if a computer could think.
Today, we make use of this very concept to help distinguish if an actual human is filling out your form, or if someone has written an automated script that is trying to exploit your form or automate it to send spam to you through your own website.
These tests, luckily, have gotten more streamlined thanks to Google. Now, users either don't have to do anything at all if they are also signed into Google, or they may only need to check a box before clicking submit.
If you ever had to solve a complex puzzle to submit a form, you have seen how a captcha works, but it's time to upgrade. Those types of captchas are no longer necessary. Adding a modern captcha now makes it, at most, only a minor inconvenience for a user to fill out a form but causes a great deal of programming work for someone trying to hack your form. Our approach with LRS Antilles Form Builder has been to implement Google's reCAPTCHA as an option for all forms built on Antilles.
Website Security: Combination of Solutions
Website security requires ongoing maintenance and updates. We’ve already mentioned avoiding plug-ins, using SSL, and multi-factor authentication. As technology advances, there are even more solutions that work together to keep your site running:
- Web Hosting: You very likely pay for a web hosting provider that is running a web server. If you have what's called "shared hosting" then you may be leasing space on this web server alongside several other websites. A dedicated server means you may have the whole server to yourself. Either way, this server needs to be kept up to date with the latest security updates and patches. Just like your home PC or Mac, web servers are usually running Windows or Linux and need to be patched to ensure no vulnerabilities are left open. A website cannot be fully secure unless the underlying technologies are also secure. We at LRS Web Solutions discuss this with our clients when addressing their hosting needs.
- Firewall: A firewall is an important piece of hardware that sits between your web server and the Internet. When someone goes to your website, they need to pass through the firewall to access the content you make available. A firewall helps to make sure traffic can only get to the website and nothing else, like e-mail, file sharing, or other services on your web server.
- Packet Inspection: The firewall can also optionally do packet inspection. This means it is looking at the traffic coming into your web server and blocking it if it appears to be someone trying to do something malicious.
- Data Backup: In addition to having a properly managed, securely coded website, we recommend talking to your provider about backing up your data. We built LRS Antilles so that the coding of the website is separate from the content. While this has great benefits when upgrading your site or changing your design, it also helps with security and peace of mind. Our database backups are performed nightly so in the event of an emergency, we can restore data quickly. Off-site encrypted backups also provide protection in the event of a fire, flood or another emergency.
Our Recommendations for Website Security
Once your visitor connects to your website, they should be able to access content securely. In Antilles, we recommend an SSL certificate for the entire website and employ both password protection and multi-factor authentication to help secure different areas of the site. We also manage and monitor our Antilles modules for any security vulnerabilities.
Clients who have the LRS website maintenance package will get security updates as they become available. That proactive approach mitigates security issues with your site typically before they ever become an issue.
With the right combination of technology, resources, and knowledge, you can have a well-managed secure website that will serve your business well. Having a good infrastructure in place, a dependable website platform, and on-call support is something we take very seriously in protecting our customers and would be happy to help evaluate your website security needs.
Ask us about our website maintenance package.