Google finds “about 9,500 new malicious websites every day.” (Source: Google’s Blog) . If Google detects that your site has been infected with malware, they may display a warning to people before sending them to your site, and let’s face it, few visitors proceed past such warnings. Site security can have a direct impact on your search engine success.
Example search result where Google has detected malware on a website:
If your site has already been hacked, Google has useful resources to help fix the issue and regain your reputation. View Google’s Help Center About Malware .
Prevent Your Site from Being Hacked
Your website security should be planned out well before your developer writes his or her first line of code. The following list is a good starting point when developing your website security plan.
Strongly Consider SSL
If your site collects any data, requires any sort of log in, or deals with payment processing you should strongly consider having an SSL certificate. Without an SSL certificate (as well as other precautions), a hacker can potentially hijack information as it’s transferred over a network. According to Symantec, “If any information relating to the user is sent to the website over a non-encrypted connection then a hacker can easily take that info and use it to their advantage.” ( Source: Symantec )
According to Google, “When collecting certain personal and financial information, AdWords requires the use of SSL connections on your web page.” ( Source: Google )
If users are visiting your site on a public network, which happens all the time, hackers could inject their own code into what appears to be your page. This is known as a “man-in-the middle attack”. If your entire site is on SSL, a potential hacker would be thwarted and couldn’t exploit this weakness.
Read More about “Always On” SSL on the Online Trust Alliance website:
http://otalliance.org/resources/AOSSL/OTA_Always-On-SSL-White-Paper.pdf
SSL certificates have already been adopted by many websites. A few examples include:
- University of Notre Dame
- National Education Association
- New York Times
- Comcast
- Pitney Bowes
- Last Pass
- Yahoo Email – 2014
- Facebook – July 2013
- Outlook.com – 2012
- Twitter – August 2011
- GMail – First Default SSL Email Provider – 2010
One important note, if you opt to move to a secure site, be completely sure you do so with a clear SEO strategy in place, so you don’t inadvertently make changes that disrupt current rankings or cause duplicate content.
Your Server Deserves a Bouncer
Think of your server as an exclusive club, complete with its own bouncer. Too often, people give out too much access to users. Even though employees can potentially be trusted, there is always the possibility that their computers could be compromised, either from a virus, or even a physical robbery. Here are a few guidelines for your physical server security:
- Keep a close eye on users who have access to your servers and your database.
- If you keep track of them with a document, keep the list secure and private, and preferably off the network. Don’t keep passwords on this list.
- Keeping all of your users and their passwords listed on one document can be a security risk.
- Change all passwords frequently, however inconvenient it may be.
- Some businesses have kept the same passwords for vital components of their business for years! When is the last time you changed yours?
- Disable users that have left your organization.
- Only give users the specific access that they need.
- Be overly protective about giving the admin role for any business process to users.
- Enforce a complex password policy.
- If your application accepts “password1234”, then people will use it.
One way to manage passwords is with a secure service, like Last Pass .
Password Storage Best Practices
Even people with full database access should not be able to read your users’ passwords in plain text. Your developer should salt and hash passwords. Salting is a process that adds random data to hashed passwords, which makes it nearly impossible to crack. Without hashing and salting, if your database is ever compromised, the hacker will have immediate access to all of your users’ passwords.
Plain Text Example:
Username: example@email.com
Password: password1234
Salted and Hashed Example:
Username: example@email.com
Password: 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1
Think about this from a personal point of view. Consider how many accounts you have created online. Have you used the same password for any of them? If any of those databases have ever been compromised, the hacker (or employee) will have your email address and password to try on other websites, but only if the password was stored in plain text.
Wouldn’t you feel safer knowing the next site you register for encrypts your password with cutting edge technology? Eventually, people won’t sign up for a site unless that company can guarantee strong security.
Read more on about salting and hashing passwords on the official PHP website.
http://www.php.net/manual/en/faq.passwords.php
PCI Compliance
If your business accepts credit cards, chances are your site must be PCI compliant. Some of the required strategies to becoming PCI compliant are also good suggestions for anyone who wants to have a more secure online environment, even if you never intend to accept credit cards directly on your website.
- You should ensure that any e-commerce payment programs are tested to prevent SQL injections.
- Encrypt user data, as you should expect people to be transmitting over public networks.
- Do NOT store CVV or CVC codes on your servers.
- Do NOT store sensitive data in any of your systems in clear text.
Read the Better Business Bureau’s Data Security Checklist:
http://www.bbb.org/data-security/
Database Best Practices
There is a very strong chance that your website utilizes databases for content delivery. And although the database is never seen by the end user, there should be time and energy invested into making sure it is designed well and is as secure as possible.
- Prevent SQL Injections by using stored procedures.
- Avoid SELECT * queries.
- Use LIMIT when appropriate.
- Sanitize user input as much as possible.
- Limit places where they can enter text freely; build a menu to select options.
- Writing more specific queries means a more secure database.
- Consider masking the name of sensitive data in your database.
- Do you have to call the field name SocialSecurityNumber?
- Use the appropriate data types for your field names.
Site Security Is Becoming Increasingly Important
However daunting it may seem, site security plays an important role in your online efforts. As more of your business moves online, your site security strategies need to improve to keep valuable information safe from would-be hackers.
