Google has announced that non-HTTPS (Hyper Text Transfer Protocol Secure) websites will have a security warning in all future editions of its Chrome web browser. In other words, HTTP websites will be labeled as “not secure.”
In an age of high-profile data breaches, ransomware and seemingly endless security threats, what do you suppose a “not secure” label says about the trustworthiness of your organization? It won’t do much to instill confidence among visitors, especially those discovering your website for the first time.
HTTPS uses authentication and encryption to securely transfer data between a web browser and a website. With an HTTPS connection, it is much harder for a hacker to intercept data going to or from your website.
Here are some additional steps you can take to improve website security.
Basic Website Security Tips
- Back Up Your Data. Are you backing up your website frequently enough to prevent significant business disruption? Have you tested your backup service and the process for recovering data? Every business website owner must have their backup house in order.
- Control Access to All Website Assets. This applies especially to the files and folders that contain the data required to make your website work. Review access permissions periodically and update permissions whenever a person leaves your company.
- Secure Your Forms. Forms can become a source of spam and malware if not protected. You should also validate form data to prevent your website from being infected with malicious code.
- Keep User-Facing Error Messages Simple. Maintain detailed logs of errors, but provide users with generic error messages that don’t give away too much information.
WordPress-Specific Website Security
- Use the Latest Version of WordPress. Just like any other software, you increase security risks when you use outdated versions.
- Change Default Settings. Hackers know the default login credentials for WordPress, so change all default settings and use complex passwords. You can also change the login URL, adding another layer of protection.
- Strengthen Security on the Login Page. Add two-factor authentication to the login page, and use a lockdown feature to block users after a certain number of failed login attempts.
- Protect the wp-admin Directory. This is the lifeblood of your WordPress website. Require users to enter a second set of credentials to access this critical area. If you also disallow file editing, an unauthorized user who accesses your WordPress dashboard would be unable to alter any file.
- Choose and Use Third-Party Plugins and Themes Carefully. Only use plugins and themes from trusted sites. Check how many times they’ve been downloaded and read user reviews and. Once installed, keep plugins and themes up-to-date.
Web Application Security
- Understand Web Application Threats. Threats such as SQL injection, cross-site scripting and remote code execution exploit web application vulnerabilities and enable a hacker to plant unauthorized code into your website and database. This can affect the user experience, expose sensitive data, and redirect users to malicious sites.
- Deploy a Web Application Firewall. A web application firewall allows you to monitor communication between web applications and the user’s browser for suspicious traffic. This will protect your website against the above-mentioned threats. Not all web application firewalls have the same capabilities and features, so evaluate these tools carefully.
- Use SFTP. Secure file transfer protocol (SFTP) is the more secure version of FTP for uploading files to your website.
- Use Content Security Policy (CSP). CSP identifies the domains a browser should recognize as valid sources of executable scripts when on your website, which will help to prevent cross-site scripting attacks.
We’ve hit some high-level security tips, but this is just the tip of the iceberg when it comes to improving website security. Let SSD assess the current state of your website from a security perspective and implement the necessary fixes to protect your network and your brand.