I’m sure many of you might be thinking – why would I need to add security to my web site? Well, unfortunately, the bad guys are out there, and they would love to wreak havoc on your site by modifying what is displayed, cause it to load viruses onto your existing or potential customers’ computers, or collect information stored in your web site’s database like customer addresses, names and credit card numbers. This article covers several safeguards that are easy to implement in order to help keep the bad guys from doing bad things either to or with your web site.
Don’t grant anything but READ access to visitors of your web site.
Unless you have a really good reason for visitors to your site (not site administrators) to create or update files on your site, make sure that they have READ-only access. The general visitor’s account on your site would be the Anonymous user. Granting any other permission to the Anonymous user leaves your site wide open to mischief by anyone out there on the Internet.
Make sure that login forms limit the number of login attempts, and require a strong password.
One method of attack that the bad guys employ is called a “brute-force” attack. This method of attack tries one set of login credentials after another until one of them works, in order to gain access to your site’s sensitive information. Setting the maximum number of login attempts to a low number (like 3-5) and requiring a minimum password complexity of 8 characters with at least one number, one upper-case letter and one lower-case letter will make it near impossible for a hacker to gain access to your site via a “brute-force” attack. I generally set the time that I disable logins after too many failed login attempts to 5 minutes.
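The two controls described above, written out as an added example in Node.js (this is not code from the original article). It enforces the password policy from the text (8 characters, at least one number, one upper-case and one lower-case letter) and locks an account for 5 minutes after 5 failed attempts. The in-memory attempt store, the `now` clock parameter (there so the lockout can be tested without waiting) and the `checkCredentials` callback are assumptions made for this illustration; a real site would keep the counters in its database or a shared cache so every web server sees the same state.

```javascript
// Added example, not from the original article: login-attempt limiting with a
// temporary lockout, plus the password-complexity check the text recommends.

const MAX_ATTEMPTS = 5;             // lock the account after this many failures
const LOCKOUT_MS = 5 * 60 * 1000;   // 5 minutes, as suggested in the article

// Password policy: at least 8 characters, one digit, one upper-case letter and
// one lower-case letter.
function passwordMeetsPolicy(password) {
  return (
    typeof password === 'string' &&
    password.length >= 8 &&
    /[0-9]/.test(password) &&
    /[A-Z]/.test(password) &&
    /[a-z]/.test(password)
  );
}

// Tracks failed logins per user name and refuses further checks while locked.
// (Assumed in-memory store; use the database or a shared cache in production.)
class LoginLimiter {
  constructor({ maxAttempts = MAX_ATTEMPTS, lockoutMs = LOCKOUT_MS } = {}) {
    this.maxAttempts = maxAttempts;
    this.lockoutMs = lockoutMs;
    this.state = new Map(); // username -> { failures, lockedUntil }
  }

  isLocked(username, now = Date.now()) {
    const s = this.state.get(username);
    return Boolean(s && s.lockedUntil > now);
  }

  // checkCredentials(username, password) is the application's own password
  // verifier (assumed here); the limiter only decides whether it may run.
  attempt(username, password, checkCredentials, now = Date.now()) {
    const s = this.state.get(username) || { failures: 0, lockedUntil: 0 };

    // Still inside the lockout window: reject without even checking the password.
    if (s.lockedUntil > now) {
      return { ok: false, reason: 'locked', retryAfterMs: s.lockedUntil - now };
    }
    // A previous lockout has expired: start counting afresh.
    if (s.lockedUntil !== 0) {
      s.failures = 0;
      s.lockedUntil = 0;
    }

    if (checkCredentials(username, password)) {
      this.state.delete(username);   // a successful login clears the counter
      return { ok: true, reason: 'authenticated' };
    }

    s.failures += 1;
    if (s.failures >= this.maxAttempts) {
      s.lockedUntil = now + this.lockoutMs;
    }
    this.state.set(username, s);
    return {
      ok: false,
      reason: s.lockedUntil > now ? 'locked' : 'bad-credentials',
      failures: s.failures,
    };
  }
}
```

Note that the limiter rejects a locked account even when the correct password is supplied; that is the point of the lockout, so the login form should show the same generic "try again later" message for a locked account as for a wrong password.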
Encrypt the data in your web site’s database if it contains sensitive information.
Information about your customers can be very valuable to a hacker, and sometimes, despite every safeguard that you might employ, your database could be hacked. Encrypting the data in your database helps to ensure that if your database is compromised, the data the hacker obtains will be unusable without the key. There are several ways that you can encrypt data that is or will be stored in your web site’s database, which involve different server technologies and encryption techniques, but all of them generally use a special encryption method (called an encryption algorithm) and an encryption key, which is used to lock or unlock the encrypted data. You will probably need to ask your web designer or developer whether sensitive data is encrypted or not.
Encrypt information going to and from your web site, if any of that information might be sensitive.
If your web site is collecting personally identifiable information about your customers via a form, or displaying sensitive information about those customers on a web page, even if it is in a password-protected section of your web site, you will want to encrypt that information when it is en route from the visitor’s computer to your web site, and vice versa. Believe it or not, it is actually rather inexpensive to do this. All that you need to do is to obtain an SSL certificate from a company like Verisign, GeoTrust, Comodo or Thawte, and have the certificate installed on your web server. I recommend getting a certificate that requires organizational validation (in other words, it will display your company’s name when a person looks for information about the SSL certificate), as it helps to build trust between the person who visits your site and your company.