We all know how valuable a website is to the success of a modern business. But when a website isn’t secure, it becomes a massive risk. And when a website gets hacked, it becomes a massive expense, possibly destroying a business.
So then the question becomes: how do I create a website that can't be hacked? The gospel truth is that an entirely unhackable website is not possible, simply because hackers (like web security) are constantly evolving. This isn't to say that it's hopeless or pointless, merely to point out that having a secure website means keeping on top of your software.
Think about it: banks from 100 years ago were often held up as exceptionally secure (for obvious reasons). However, a bank that hasn't updated its security in the last century is about as well protected as a sieve is watertight. So this brings us to our first step to creating a website that can't be hacked:
Step 1: Keep Up to Date
You need to keep your website, its software and/or CMS as up to date as possible. It seems like a no-brainer, but out-of-date software is by far one of the most common causes of hacked websites: once a vulnerability in a popular platform is published, attackers scan for every site still running the old version. As stated earlier, hackers are constantly evolving, so you need to as well. Again, this seems like a big 'duh', but there's a reason most programmers will name this as the number one way to keep your business secure.
If you're using off-the-shelf software, keep an eye on which updates have been released (the vendor's security advisories or mailing list are the place to watch) and make sure your system is updated promptly, ideally after a quick check on a staging copy so that the update doesn't take the live site down. If your business runs on a custom-built website platform, ask your development partner about an Annual Maintenance Contract, or some sort of arrangement for updating to the latest and greatest when it's needed.
Keeping up to date also means keeping yourself updated: find a good source to stay abreast of changes in the world of web security. This is true whether or not you have a custom-built website; with a website that doesn't receive automatic updates, however, it is absolutely vital that you yourself ensure the security of your business. Even a quick call to your developer to see if updates are needed can prevent massive financial loss.
Step 2: Web Application Firewalls (WAF)
A WAF doesn't make the news the way a man-in-the-middle or phishing attack does, but it is possibly one of the best security tools for the price. WAFs are widely available as a hosted service or as an extension or plugin for the common platforms, and most are priced on a fair subscription model (it's well worth it!).
A WAF sits between the wide world of the internet and your website. It inspects the HTTP requests headed for your site, compares them against rules for known attack patterns (SQL injection, cross-site scripting, path traversal and the like) and blocks or logs anything that matches. It will also cut down bot traffic and comment spam. Most WAFs today are cloud-hosted, which means the vendor maintains the rule set for you and the filtering happens before traffic ever reaches your server. Two caveats the marketing tends to skip: rules match patterns, so an attack written in a form the rules don't anticipate gets through, and a rule set that is too aggressive will block legitimate visitors (false positives), so expect to tune it. Treat a WAF as a layer in front of a well-maintained site, not a substitute for fixing the vulnerabilities it is hiding.
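To make the strengths and the caveats concrete, here is a toy signature-based request filter of the kind a WAF runs. It is an added example written for this page, not code from the original post or from any WAF vendor; the rule names, the rule set and the sample requests are all constructed for the illustration. It shows a quoted SQL injection and a script tag being caught, a double-percent-encoded payload that is only caught because the filter decodes twice, a harmless product review that trips the comment-marker rule (a false positive), and a numeric injection that none of the rules cover at all.

```python
import re
from urllib.parse import unquote_plus

# Added example (not the page's code and not any vendor's WAF): a toy
# signature-based request filter. The rule names, the rule set and the
# sample requests are all constructed here for the illustration.
RULES = [
    ("sqli-union",     re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I)),
    ("sqli-comment",   re.compile(r"(--|#|/\*)")),
    ("xss-script",     re.compile(r"<\s*script", re.I)),
    ("xss-event",      re.compile(r"\bon\w+\s*=", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


def normalise(value, decode_rounds):
    """Percent-decode repeatedly, so %2527 is seen as the quote it becomes
    once the application behind the WAF decodes it a second time."""
    for _ in range(decode_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(path, query, body, decode_rounds=2):
    """Return the first rule name that matches any part of the request,
    or None if the request is allowed through."""
    for field in (path, query, body):
        candidate = normalise(field, decode_rounds)
        for name, pattern in RULES:
            if pattern.search(candidate):
                return name
    return None


# Constructed sample traffic: (path, query string, request body)
SAMPLE_REQUESTS = {
    "benign":         ("/products", "category=shoes&page=2", ""),
    "sqli-quoted":    ("/login", "user=admin' OR '1'='1&pass=x", ""),
    "xss-script":     ("/comment", "", "text=%3Cscript%3Ealert(1)%3C/script%3E"),
    "double-encoded": ("/search", "q=%2527%2520OR%2520%25271%2527%253D%25271", ""),
    "false-positive": ("/review", "", "text=Great+boots+--+would+buy+again"),
    "numeric-sqli":   ("/item", "id=7 OR 1=1", ""),
}


def run_samples(decode_rounds=2):
    """Verdict for every sample request; None means the WAF let it through."""
    return {name: inspect_request(*req, decode_rounds=decode_rounds)
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} -> {verdict or 'allowed'}")
```

The `numeric-sqli` request passes every rule because the tautology pattern expects a quote that a numeric parameter never needs, and the `false-positive` review is blocked because a double dash is a SQL comment marker. Both outcomes are what you should expect from a real WAF until its rules are tuned to your site, and the first one is why the application itself still has to be fixed.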
Step 3: Security Applications
Beyond a WAF, other security tools are out there and many are free. A quick note: we don't recommend relying solely on free tools. They are generally pretty decent, but a maintained commercial WAF gives you broader rule coverage and vendor support. That being said, there are some great tools that scan your site for the common vulnerability classes, such as SQL injection or a cross-site scripting (XSS) attack. Keep in mind that a scanner can only point at the flaw; the fix for these lives in your own code.
Some CMS platforms (like Magento or Joomla) ship with or offer tools that analyze your website for weaknesses. Don't be afraid to use them, both before launch and as an ongoing security measure. Not using a platform? No problem, just drop us a line and we can take a look at your website for any security issues.
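Since the two attack classes named above are what a scanner is most likely to flag, here is what each looks like in code, with the vulnerable pattern beside its fix. This is an added example written for this page, not code from the original post, from SDI or from any scanner; the users table, its rows and the sample payloads are constructed for the demonstration, and the database is an in-memory SQLite instance so it runs anywhere.

```python
import html
import sqlite3

# Added example, not the page's code or any scanner's output: SQL injection
# and XSS, each as the vulnerable pattern beside its fix. The users table
# and its rows are constructed here for the demonstration.


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return conn


def lookup_vulnerable(conn, username):
    # The value is pasted into the SQL text, so a quote in it ends the string
    # literal and whatever follows becomes part of the statement.
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the driver passes the value separately from the
    # statement, so it can only ever be compared against, never executed.
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def render_comment_vulnerable(text):
    # Raw interpolation: a comment containing markup becomes markup.
    return '<p class="comment">%s</p>' % text


def render_comment_safe(text):
    # Escape for the HTML body context; quote=True also covers attribute values.
    return '<p class="comment">%s</p>' % html.escape(text, quote=True)


# Constructed payloads for the demonstration
SQLI_PAYLOAD = "' UNION SELECT username, password_hash FROM users --"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", lookup_vulnerable(conn, SQLI_PAYLOAD))   # every user's hash
    print("safe:      ", lookup_safe(conn, SQLI_PAYLOAD))         # no such user: []
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_safe(XSS_PAYLOAD))
```

The injection payload turns a username lookup into a dump of every password hash, which is exactly why the next section insists those hashes be strong. Note that `html.escape` is the right fix only for text landing in the HTML body or an attribute value; a value placed inside a script block or a URL needs the escaping rules of that context instead.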
Step 4: Limit Internal Access
Another very common way to get hacked is not being careful about admin or user access to the website. This is easily addressed in a number of ways:
♦ Enforce a strict password policy for both admins and users. Make sure passwords are strong (a strength meter at sign-up helps people see just how weak their choice is) and consider two-step verification when a user or admin logs in from a new device. The old rule of changing admin passwords every 90 days is still common; current NIST guidance (SP 800-63B) instead recommends changing a password whenever there is any suspicion it has been exposed, and not on a fixed calendar, because forced rotation pushes people toward predictable variations of the same password;
All passwords must be stored as salted, slow password hashes (bcrypt, scrypt or Argon2), never in plain text and never with reversible encryption: if your database leaks, the hash is what stands between the attacker and every account. Reach out to our expert developers to learn more.
♦ Usernames can also be a security weakness: never use your actual name or other identifying information that an attacker can read off the site. And please, please never let people use the same thing for a username and password. That's the kind of thing an idiot would have on his luggage!
♦ You have to tightly control logins as well. Set a limit on how many attempts can be made within a certain time frame, and rate-limit by source address too, so that a password list can't simply be tried against your admin account. In fact, if your business holds exceptionally sensitive information, you may want to consider locking the account until further proof of identity can be provided (not just for a limited time). Be aware that a permanent lock can be turned against you, since anyone who knows a username can lock its owner out, so keep a recovery path that an administrator can verify.
♦ Password resets are a common trick used by hackers, so they must be approached with caution. For businesses that need standard security, a password-reset link sent via email is generally best practice, provided the link carries a random, single-use token that expires quickly and is stored hashed on your side. Never, never email a password or any other login information. Most people have an email account that is substantially less secure than your website, and a credential sitting in an inbox can be used to gain access to your site.
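The four points above fit together into one small piece of account-handling code, so here they are implemented as a single in-memory account store: salted scrypt password hashing with a constant-time check, a failed-attempt window with a lock that holds until a reset succeeds, and reset tokens that are random, single-use, short-lived and stored only as a hash. This is an added example written for this page, not code from the original post or from SDI; the cost parameters, window lengths, field names and the store itself are constructed for the illustration, and a real site would keep the same data in its database.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example, not the page's code or SDI's: a minimal in-memory account
# store covering password storage, login throttling and password resets.
# All parameters and field names are assumptions made for the illustration.
SALT_BYTES = 16
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # cost: raise n as hardware allows
MAX_ATTEMPTS = 5                            # failed logins allowed per window
WINDOW_SECONDS = 15 * 60
RESET_TTL_SECONDS = 30 * 60


def hash_password(password, salt=None):
    """Salted scrypt hash; the salt is stored in front of the digest."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


DUMMY_HASH = hash_password("not-a-real-password")   # see login()


class AccountStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.users = {}             # username -> {"pw", "failures", "locked"}
        self.reset_tokens = {}      # sha256(token) -> (username, expiry)

    def create_user(self, username, password):
        if username.lower() == password.lower():
            raise ValueError("username and password must differ")
        self.users[username] = {"pw": hash_password(password),
                                "failures": [], "locked": False}

    def login(self, username, password):
        """Returns 'ok', 'invalid' or 'locked'."""
        user = self.users.get(username)
        if user is None:
            # Spend the same time as a real check so response timing does
            # not reveal which usernames exist.
            verify_password(password, DUMMY_HASH)
            return "invalid"
        if user["locked"]:
            return "locked"
        now = self.clock()
        user["failures"] = [t for t in user["failures"] if now - t < WINDOW_SECONDS]
        if verify_password(password, user["pw"]):
            user["failures"].clear()
            return "ok"
        user["failures"].append(now)
        if len(user["failures"]) >= MAX_ATTEMPTS:
            user["locked"] = True      # stays locked until a reset succeeds
            return "locked"
        return "invalid"

    def request_reset(self, username):
        """Returns the token to put in the emailed link, or None for an unknown
        user; the page shown to the visitor must look the same either way."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (username, self.clock() + RESET_TTL_SECONDS)
        return token   # only its hash is stored, so a leaked table can't be replayed

    def complete_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # single use, valid or not
        if entry is None:
            return False
        username, expiry = entry
        user = self.users.get(username)
        if user is None or self.clock() > expiry:
            return False
        user["pw"] = hash_password(new_password)
        user["failures"].clear()
        user["locked"] = False
        return True
```

The token itself goes out only in the email link; what sits in your database is its SHA-256, so a leaked table gives an attacker nothing to paste into the reset page. The lock here is the permanent kind the list describes, released only by a successful reset, and it illustrates the caveat as well: five wrong guesses from anyone lock the account, which is why the reset path and per-address rate limiting have to exist alongside it.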
Whether you are looking to build the Fort Knox of websites, or you need to beef up the security on your extant website, SDI can help! Give us a call at 408.802.2885/408.621.8481 – or click to contact us!