Privacy & Security

Is This Website Safe? How to Check a Website’s Security: Part 2

Many website owners want to give their users a secure browsing experience but aren't sure where to start. For those who worry that website security means a lot of work, we've listed some simple steps that go a long way toward securing a website.

1. Use a Password Manager

Use a password manager such as 1Password or Dashlane to store the logins for your hosting account, CMS admin panel, domain registrar and every other account tied to the site. A password manager generates long, random passwords, so each account gets its own; that matters because attackers routinely replay passwords leaked from one breach against other services, and a unique password stops that from working. With your logins in a vault you also stop retyping them into look-alike login pages. Turn on two-factor authentication wherever the service offers it, and change a password promptly if you suspect it has been exposed; a strong, unique password does not need rotating on a calendar.

2. Encrypt with a Website Security Certificate

Serving your website over HTTPS is essential. TLS (the successor to SSL; the older name still sticks to the certificates) encrypts and authenticates the traffic between the server your website is hosted on and each visitor's browser. Without it, every request and response crosses the network in plain text, so anyone on the path, from a shared Wi-Fi network to an upstream provider, can read or tamper with the data being exchanged, including login credentials and session cookies. A certificate used to cost hundreds of dollars a year and took real effort to obtain and install, but that has changed. Let's Encrypt issues certificates for free and, through the ACME protocol, lets tools such as Certbot obtain and renew them automatically, so there is no longer any reason for a site to be without one. Once the certificate is in place, redirect all HTTP requests to HTTPS, disable the obsolete SSL 2/3 and TLS 1.0/1.1 protocol versions on the server, and keep an eye on the certificate's expiry date so that a silently failed renewal does not take the site down.
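The checks described above can be automated. The script below is an added example written for this article, not code from the original post or from Let's Encrypt: it connects to a site with Python's default verifying TLS context, then reports whether the certificate actually covers the hostname, whether an obsolete protocol version was negotiated, and whether the certificate is expired or close enough to expiry that automated renewal has probably broken. The SAMPLE_CERT dictionary is constructed in the shape ssl.getpeercert() returns so the evaluation logic can be exercised offline; the 14-day warning threshold is an assumption chosen to sit well inside Let's Encrypt's usual 30-day renewal window.

```python
import socket
import ssl
from datetime import datetime, timezone

# Protocol versions a modern site should never negotiate.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumed threshold: Let's Encrypt certificates live 90 days and are normally
# renewed about 30 days early, so anything closer than this suggests renewal failed.
RENEWAL_WARNING_DAYS = 14


def utc(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date (used for the offline checks)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match hostname against the certificate's DNS subjectAltName entries.

    A wildcard covers exactly one label: *.example.com matches www.example.com
    but not example.com or a.b.example.com.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif pattern == host:
            return True
    return False


def evaluate_cert(cert: dict, hostname: str, protocol: str, now: datetime) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"weak protocol negotiated: {protocol}")
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate does not cover hostname {hostname}")
    # getpeercert() gives notAfter as e.g. 'Mar  1 00:00:00 2024 GMT'.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < RENEWAL_WARNING_DAYS:
        findings.append(f"certificate expires in {days_left} days; renewal automation may be broken")
    return findings


def check_site(hostname: str, port: int = 443, timeout: float = 5.0) -> list:
    """Connect with a verifying TLS context and evaluate what the server presents.

    create_default_context() verifies the chain against the system trust store and,
    on current Python versions, refuses TLS below 1.2, so an untrusted certificate
    or a plain-HTTP port raises ssl.SSLError here rather than producing findings.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            protocol = tls.version() or "unknown"
    return evaluate_cert(cert, hostname, protocol, datetime.now(timezone.utc))


# Constructed sample in the dict shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Dec  1 00:00:00 2023 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for line in check_site(target) or ["no findings"]:
        print(line)
```

Run it as `python check_tls.py yourdomain.example` from a cron job and alert on any output; the expiry warning is the one that catches a broken Certbot timer before visitors see a browser error.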

3. Update Apps

Some of the most popular CMS and e-commerce systems, such as WordPress, Magnolia, Magento, and WooCommerce, are attacked constantly precisely because they are popular: a vulnerability in one of them, or in a widely installed plugin or theme, gives attackers thousands of sites to hit with the same script. Apply security patches as soon as they are released, and enable the automatic update features most of these systems provide. Heavily customised installations can be harder to update, but that is a reason to plan for updates, not to skip them; your customers carry the risk when you fall behind. Make a review of the system's configuration part of your regular checks as well: remove unused plugins, themes and default accounts, and confirm that settings such as file permissions and debug output are as restrictive as the system allows.

4. Install Security Plugins

Just as the core CMS or e-commerce system must be kept current, it is worth hardening the site with security plugins. WordPress and similar systems have plugins that limit failed login attempts, block abusive IP addresses, filter spam and comment content, and add some protection against denial-of-service traffic (a plugin can throttle requests at the application layer, but volumetric DDoS protection has to sit in front of the server, at a CDN or hosting provider). Look through the most popular plugins for your framework of choice and decide which of them make sense for your website.
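To make concrete what a login-limiting plugin actually does, here is an added example written for this article; it is not code from any WordPress plugin or from the original post. It implements a sliding-window limit on failed logins with a temporary lockout, plus the check that such plugins most often get wrong: which address to count against. The X-Forwarded-For header is attacker-controlled unless the request really arrived through a proxy you operate, so it is only honoured when the direct peer is in a trusted-proxy set. The IP addresses, limits and the attempt_login glue function are all assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque


def client_ip(remote_addr: str, x_forwarded_for: str = "", trusted_proxies=frozenset()) -> str:
    """Decide which address to count failures against.

    Honouring X-Forwarded-For blindly lets an attacker pick a fresh "client IP"
    for every request and never reach the limit, so it is used only when the
    direct peer is one of our own proxies.
    """
    if x_forwarded_for and remote_addr in trusted_proxies:
        hops = [h.strip() for h in x_forwarded_for.split(",")]
        # Walk from the proxy nearest us outward; the first hop that is not
        # one of our proxies is the real client.
        for hop in reversed(hops):
            if hop not in trusted_proxies:
                return hop
    return remote_addr


class LoginThrottle:
    """Sliding-window failed-login limiter with a temporary lockout."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lockout ends

    def is_blocked(self, key: str, now: float = None) -> bool:
        """True while `key` is locked out; an expired lockout is cleared on the way through."""
        now = time.time() if now is None else now
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[key]
        self.failures.pop(key, None)
        return False

    def record_failure(self, key: str, now: float = None) -> bool:
        """Record a failed attempt; returns True if this attempt triggered a lockout."""
        now = time.time() if now is None else now
        recent = self.failures[key]
        recent.append(now)
        # Drop failures older than the window so an old, slow trickle does not count.
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, key: str) -> None:
        """A successful login clears the failure history for the key."""
        self.failures.pop(key, None)


def attempt_login(throttle: LoginThrottle, key: str, password_ok: bool, now: float = None) -> str:
    """What a request handler would do around the password check (assumed glue code)."""
    if throttle.is_blocked(key, now):
        return "locked"
    if not password_ok:
        throttle.record_failure(key, now)
        return "denied"
    throttle.record_success(key)
    return "ok"
```

Key the throttle on more than the IP address in practice: credential-stuffing attacks rotate through thousands of addresses, so a second limiter keyed on the target username (or on the pair) catches what a per-IP limit misses. The in-memory dictionaries here would need to move to a shared store such as Redis as soon as the site runs on more than one process.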

5. Install reliable plugins

Since we are relying on plugins to help secure the CMS or e-commerce system, the plugins themselves must come from a reliable source. Vet a plugin before installing it: it runs with the same privileges as the rest of the site, so a malicious or carelessly written plugin can compromise everything the site holds. Prefer plugins from your platform's official repository, check that they are actively maintained and were updated recently, look at their vulnerability history, and weigh the risk against the benefit. Also identify what user data a plugin collects or sends to third parties, and make sure its practices are ethical and consistent with your privacy policy.

6. Sanitize User Input

Similar to installing reliable plugins, if you write your own plugins, templates, or code, be sure to encode any user-supplied input before rendering it inside HTML, and encode it for the context where it lands (HTML body, attribute value, URL, or JavaScript), since each context has its own dangerous characters. Failing to do this lets abusive users attack your other users through cross-site scripting (XSS) and related injection vectors. Validate input on the way in as well, but do not rely on input filtering alone; output encoding is what stops the browser from treating data as code. One of many articles on the subject can be found here, but specifics are beyond the scope of this article.
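The following is an added example for this article, not code from the original post or from any CMS: a vulnerable comment renderer beside its fixed form, plus the two other contexts a template routinely mixes in, a URL path segment and a JavaScript string. It uses only Python's standard library (html.escape, urllib.parse.quote, json.dumps). PAYLOAD is a constructed attacker input, and the markup shapes are assumed for the illustration.

```python
import html
import json
from urllib.parse import quote

# Constructed attacker input: an image tag whose error handler runs script.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: user text goes straight into markup, so PAYLOAD becomes a live tag."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    """HTML body context: html.escape turns < > & " ' into entities, so the
    browser displays the payload as text instead of parsing it as a tag."""
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def render_profile_link(username: str, display_name: str) -> str:
    """Two more contexts in one element: a URL path segment needs percent-encoding
    (quote with safe="" also encodes '/'), and a quoted attribute needs entity
    encoding that includes the quote characters (html.escape's default)."""
    path = quote(username, safe="")
    return (f'<a href="/users/{path}" title="{html.escape(display_name)}">'
            f'{html.escape(display_name)}</a>')


def js_literal(value) -> str:
    """JavaScript context: json.dumps yields a valid JS literal, but a string
    containing '</script>' would still end the enclosing <script> block, so
    < and > are written as \\u escapes, which JavaScript decodes inside strings."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
```

Template engines such as Jinja2 or Twig do the HTML-body escaping for you when autoescaping is on; the attribute, URL and script cases are where hand-written code, and "safe"-marked template variables, usually go wrong.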

7. Lockdown Email

Be cautious not to fall prey to email phishing: a single phished hosting or admin password undoes every other step on this list. An encrypted email provider protects the contents of your messages from being read in transit or on the provider's servers, but encryption by itself does not stop a phishing message from reaching you. Providers like Protonmail encrypt mail end to end between their own users and also apply protective measures when exchanging mail with other services such as Gmail.

Always be careful before clicking a link in an email: check where it actually points, and when in doubt type the site's address into the browser yourself rather than following the link. Some providers add an extra confirmation step before loading remote content or opening an external link, which prevents accidental clicks. Other apps can help reduce your exposure to spam and phishing. MySudo, for example, gives you alternate phone numbers and email addresses to hand out to services, so a phishing email sent to one of them cannot be traced back to your real phone number, regular email address, or other personal information.

The responsibility for a website's security ultimately falls on the website owner. Whether you're a web developer or a new business owner, these simple steps add a layer of security for you, your business and, more importantly, your users.

View Part 1 of this article here.

By Nick Cloward and Mackenzie Kerr


Additional Resources:

  1. https://www.us-cert.gov/publications/securing-your-web-browser
  2. https://www.dhs.gov/topic/cybersecurity 
  3. https://www.staysmartonline.gov.au/protect-yourself/do-things-safely/browsing-web-safely
  4. https://www.propublica.org/article/privacy-tools-how-to-safely-browse-the-web