Many of our clients collect sensitive data, particularly those with eCommerce websites. They have a responsibility to keep that data safe.
To keep your website secure, you need layers of security in place to help defend against any online attacks.
Secure data transfer
HyperText Transfer Protocol Secure (HTTPS) enables users to browse your website safely. It encrypts data as it travels between the user’s computer and your website, so that it is useless to hackers if they intercept it. Without HTTPS, the data a website transfers (such as passwords and personal information) can be read by criminals.
To create an HTTPS connection, a web server requires an SSL certificate, which you will need to purchase from a certificate authority and install on the server. A certificate is normally valid for a year and needs to be renewed annually.
You can tell whether a website has an SSL certificate installed by checking that the URL starts with https:// and that the browser shows a green padlock or tick. Both are signs that the data will be encrypted.
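Because a certificate that silently expires breaks the padlock the section describes, the renewal date is worth monitoring rather than remembering. The following is an added example, not code from the original article: it checks that a URL uses the https scheme and works out how many days a server certificate has left. The certificate dictionaries are constructed to mirror the shape `ssl.SSLSocket.getpeercert()` returns, the hostname is a placeholder, and the 30-day warning threshold is an assumption.

```python
"""Added example: HTTPS scheme check and certificate expiry check (Python stdlib only)."""
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse

RENEWAL_WARNING_DAYS = 30  # assumption: warn when under a month of validity remains


def uses_https(url: str) -> bool:
    """True only when the URL scheme is https, i.e. the connection will be encrypted."""
    return urlparse(url).scheme.lower() == "https"


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days until the certificate's notAfter date; negative once it has expired.

    notAfter is in the format getpeercert() returns, e.g. 'Jun  1 00:00:00 2025 GMT'.
    """
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (expires_at - now).days


def certificate_status(cert: dict, now: datetime) -> str:
    """'expired', 'renew-soon' (inside the warning window) or 'ok'."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < RENEWAL_WARNING_DAYS:
        return "renew-soon"
    return "ok"


def fetch_peer_certificate(hostname: str, port: int = 443) -> dict:
    """Live check for real use: connect with the default verifying context and
    return the peer certificate, which can then be fed to the functions above.
    Not exercised in the offline demo below."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates (placeholder hostname, not a real site).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "notBefore": "Jun  1 00:00:00 2024 GMT",
    "notAfter": "Jun  1 00:00:00 2025 GMT",
}
EXPIRED_CERT = dict(SAMPLE_CERT, notAfter="Jan  1 00:00:00 2025 GMT")

# Fixed "now" so the demo is reproducible; a real monitor would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2025, 5, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(uses_https("https://shop.example.com/checkout"))                 # True
    print(days_until_expiry(SAMPLE_CERT, SAMPLE_NOW))                       # 17
    print(certificate_status(SAMPLE_CERT, SAMPLE_NOW))                      # renew-soon
    print(certificate_status(EXPIRED_CERT, SAMPLE_NOW))                     # expired
```

Run against a live host, `fetch_peer_certificate("shop.example.com")` (placeholder hostname) returns the dictionary that `certificate_status` expects; scheduling that call daily and alerting on anything other than `ok` is the whole monitor.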
Keep your passwords safe
Passwords are necessary to prevent unauthorised access to your computer, email, website and other accounts. If your password falls into the wrong hands it could affect more people than just you.
If you have access to personal data, especially sensitive data, it could be stolen and used for identity theft or blackmail. You could potentially incur penalties under the Data Protection Act if you have not taken appropriate steps to ensure security.
You must keep your passwords safe.
Choose passwords that:
- are memorable to only you
- are over 12 characters long (these are harder for hackers and computer programs to crack)
- combine different words (either random or quirky phrases)
- include one or more special characters (for instance, capital letters, an exclamation mark or numbers)
- are unique, i.e. a different password for each account you own. Use a password manager to help you remember them all – you then only have to remember one master password.
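The rules above can be turned into an automated check, which is how a site might vet new account passwords at registration. The following is an added example, not code from the original article: `password_problems` reports which of the list's rules a candidate breaks (it cannot judge "memorable to only you"), and `reused_accounts` finds passwords shared between accounts. The definition of a "word" as a run of three or more letters, and the sample account list, are my own assumptions.

```python
"""Added example: check a password against the rules in the list above and detect reuse."""
import re
from collections import defaultdict

MIN_LENGTH = 13  # "over 12 characters"
WORD_PATTERN = re.compile(r"[A-Za-z]{3,}")  # assumption: a 'word' is 3+ consecutive letters


def password_problems(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes them all."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short: must be over 12 characters")
    if len(WORD_PATTERN.findall(password)) < 2:
        problems.append("does not combine different words")
    # The list counts capitals, numbers and symbols all as 'special characters'.
    if not any(c.isupper() or c.isdigit() or not c.isalnum() for c in password):
        problems.append("no special character (capital letter, number or symbol)")
    return problems


def reused_accounts(accounts: dict[str, str]) -> list[list[str]]:
    """Group account names that share the same password; only groups of two or
    more are returned, and the passwords themselves are never part of the result."""
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return sorted(group for group in by_password.values() if len(group) > 1)


# Constructed sample data (not real credentials).
SAMPLE_ACCOUNTS = {
    "email": "summertime",
    "web-shop": "summertime",
    "bank": "correct horse battery staple!",
}

if __name__ == "__main__":
    for candidate in ("correct horse battery staple!", "Tr0ub4dor&3", "summertime"):
        print(repr(candidate), password_problems(candidate) or "passes")
    print(reused_accounts(SAMPLE_ACCOUNTS))  # [['email', 'web-shop']]
```

A multi-word passphrase with a symbol passes; a short "l33t" password fails on length and on the words rule even though it contains special characters; and the reuse check is what a password manager's audit feature does for you across every account it holds.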
Web security updates
You may not consider security updates a priority, but they are crucial for keeping your website secure. Just as you’d be unwise not to fix a broken window at home, failing to keep your web security updated makes you easy prey for criminals.
Security updates ‘patch’ vulnerabilities in your systems, closing the holes that hackers would otherwise exploit to compromise your website.
- Monitor your security updates by checking your content management system (CMS) dashboard. Most content management systems, such as WordPress, display the updates ready for download. If your CMS doesn’t, or you are unsure, contact your hosting provider.
- Check whether your website is backed up as part of your hosting package. This means you will have a recent version of your website to go back to should it get hacked.
- If your website is more than 5 years old, speak to your hosting provider to ensure that you are receiving the necessary updates and your CMS is still fully supported. It may mean migrating to a newer CMS to ensure your website remains secure.
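The first two steps above (watching for pending updates and confirming a recent backup exists) are easy to automate once the information is exported from the CMS dashboard or the backup folder. The following is an added example, not code from the original article or any CMS: it compares installed component versions against the latest known releases numerically, which matters because comparing "6.10" with "6.9" as strings gets the answer wrong, and it reports the age of the newest dated backup file. The component names, version numbers and backup filenames are constructed placeholders, not real release numbers.

```python
"""Added example: flag out-of-date components and stale backups (Python stdlib only)."""
import re
from datetime import date
from typing import Iterable, Optional

MAX_BACKUP_AGE_DAYS = 7  # assumption: a backup older than a week is considered stale


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.4.2' into (6, 4, 2) so that versions compare as numbers, not strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def outdated_components(installed: dict[str, str], latest: dict[str, str]) -> list[str]:
    """Names of components whose installed version is older than the latest known release.
    Components with no known latest version are skipped rather than guessed at."""
    return sorted(
        name
        for name, version in installed.items()
        if name in latest and parse_version(version) < parse_version(latest[name])
    )


BACKUP_DATE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")  # assumption: backups carry a YYYY-MM-DD stamp


def newest_backup_age_days(backup_files: Iterable[str], today: date) -> Optional[int]:
    """Days since the most recent dated backup, or None if no dated backup exists."""
    dates = []
    for name in backup_files:
        match = BACKUP_DATE.search(name)
        if match:
            dates.append(date(*(int(g) for g in match.groups())))
    if not dates:
        return None
    return (today - max(dates)).days


def backup_is_stale(backup_files: Iterable[str], today: date) -> bool:
    """True when there is no dated backup or the newest one is older than the limit."""
    age = newest_backup_age_days(backup_files, today)
    return age is None or age > MAX_BACKUP_AGE_DAYS


# Constructed sample inventory (placeholder versions, not real releases).
INSTALLED = {"cms-core": "6.4.2", "plugin-a": "2.10", "plugin-b": "1.0"}
LATEST = {"cms-core": "6.5", "plugin-a": "2.9", "plugin-b": "1.0"}
BACKUPS = ["site-backup-2024-04-01.tar.gz", "site-backup-2024-04-29.tar.gz", "notes.txt"]
TODAY = date(2024, 5, 6)  # fixed date so the demo is reproducible

if __name__ == "__main__":
    print(outdated_components(INSTALLED, LATEST))        # ['cms-core']
    print(newest_backup_age_days(BACKUPS, TODAY))         # 7
    print(backup_is_stale(BACKUPS, TODAY))                # False
```

Note that `plugin-a` at 2.10 is correctly treated as newer than 2.9; a naive string comparison would have listed it for "updating" to an older release.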
If your site handles personal or sensitive data, and you have not taken appropriate security measures, then you could be prosecuted under the UK Data Protection Act.
If you are unable to keep on top of your web security, it is worth finding a company to manage your security for you.
Regularly review code
Code should be reviewed regularly – even the smallest of mistakes can become a large problem over time.
Errors could include anything from typos to unused (dead) code.
When reviewing older systems, bear in mind that dead code could be the result of a past hack. Finding it before it can cause any harm gives you the chance to fix the problem before anything malicious occurs.
Code reviews allow specialists, or developers with good experience, to review particular aspects of the code, such as compliance with security standards. This is especially important if security is a key part of the project.
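Tooling cannot replace the experienced reviewer the section describes, but it can point them at the right places. The following is an added example, not code from the original article: a small review aid that parses a Python module and lists functions that are defined but never referenced anywhere in the file (candidate dead code), together with calls to `eval` or `exec`, which are worth a reviewer's attention because they run whatever text they are handed. The sample module is constructed, and the set of flagged call names is my own choice.

```python
"""Added example: find unreferenced functions and eval/exec calls in Python source."""
import ast
from typing import Iterable

RISKY_CALLS = {"eval", "exec"}  # assumption: the built-ins this aid flags for review


def review_source(source: str, entry_points: Iterable[str] = ()) -> dict[str, list]:
    """Return {'unused_functions': [(name, line)], 'risky_calls': [(name, line)]}.

    entry_points lists functions called from outside this file (route handlers,
    exported API); without it a single-file scan would report them as dead.
    """
    tree = ast.parse(source)
    defined: dict[str, int] = {}
    referenced = set(entry_points)
    risky = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            defined[node.name] = node.lineno
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            referenced.add(node.id)            # plain reference or call: total(cart)
        elif isinstance(node, ast.Attribute):
            referenced.add(node.attr)          # method-style reference: obj.total()
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id in RISKY_CALLS
        ):
            risky.append((node.func.id, node.lineno))
    unused = sorted((name, line) for name, line in defined.items() if name not in referenced)
    return {"unused_functions": unused, "risky_calls": risky}


# Constructed sample module: one live helper, one leftover nobody calls any more.
SAMPLE_SOURCE = """\
def checkout(cart):
    return total(cart)


def total(cart):
    return sum(cart)


def legacy_import(blob):  # nothing in this file references it any more
    return eval(blob)     # and it evaluates whatever text it is handed
"""

if __name__ == "__main__":
    report = review_source(SAMPLE_SOURCE, entry_points={"checkout"})
    print(report["unused_functions"])  # [('legacy_import', 9)]
    print(report["risky_calls"])       # [('eval', 10)]
```

A recursive function counts as referenced by itself, and names built dynamically (`getattr`, string lookups) are invisible to a syntax scan, so the output is a list of places to look, not a verdict; declaring the module's entry points keeps genuine public functions out of the dead-code list.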