Alright, let me just say something before I continue. If you search here on TechZim for ‘security’, you’ll discover that a lot has been written about this topic over the years, but it seems like we need to listen to the Shona saying: dzokororo inesimba (repeating something to someone helps them get why it is important). Another thing I’ve noticed is that individuals who are in charge of website or system security do raise this matter to the decision makers, but somehow they don’t listen until it’s too late. So is it that the Information Security community isn’t making the general public aware of the importance of security, or are business owners just too reluctant to spend their money there? Anyway, let’s try this one more time.
You need to get that SSL certificate
The protocol used to transfer information on the Internet (HyperText Transfer Protocol, HTTP) is not secure in its plain form. This makes it easy for anyone on the path to capture sensitive information like credit card numbers, usernames and passwords when you send them over the Internet for logging in or e-commerce shopping. An SSL certificate (used with HTTPS) secures that protocol.
When someone requests your website and it has an SSL certificate, the browser or server which made the request receives the certificate from your website, and if the requesting browser trusts that certificate, an encrypted session starts that secures sensitive information between the two. This also ensures that the user is always talking to the website they expect instead of a fake one set up to grab their information and then use it to gain access to the real website. SSL certificates can be bought at different price points and offer different levels of security, but even the cheapest is better than not having one.
Ehm, take a look at your passwords
Nowadays, no-one has an excuse to use weak passwords online. Back in the day, if you wanted to create a cryptic password like I7wiGUXA$0*Np9f8, you’d have to write it down somewhere, either on paper or in a Word document, and then remember where you stored it each time you wanted to log in. Now we have password managers that take care of all of that and make sure that you use secure passwords for your accounts.
I personally used to be one of those people who used the same password for literally every single site, or sometimes changed one letter to make myself feel better. I also thought that it didn’t make sense to put all my eggs in one basket and hope that no-one would get to that basket, but it is better to do that than to use the same password everywhere. So for all accounts that have administrative privileges on your websites, make sure the passwords are strong.
Do you trust what your website is getting as inputs?
Before you accept any information from anyone through your website, make sure you trust it. You can do this by validating that the entered information matches what you expect, both in the browser and on your servers. This will safeguard your website against hackers who might send you malicious code via your forms so that it does something you won’t like once it reaches your database (SQL injection).
Another thing to consider is file uploads. If you’re allowing your website users to upload files, make sure that you check that they are uploading what you want. An extra measure you can take is to rename the file so that it cannot be executed in case it wasn’t just an image but a program.
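Here is an added example in Python (not code from the original article) of the two checks just described: the same username rule enforced again on the server, a parameterised query beside the string-built one it replaces, and an upload check that keys off the file's real header and stores it under a random name. The in-memory SQLite table, the sample users and the test inputs are constructed for the demo.

```python
import re
import secrets
import sqlite3

# Constructed sample database (not from the article): an in-memory SQLite
# users table standing in for the website's real database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "editor")])

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")

def validate_username(value):
    """Server-side check: the browser-side check can be bypassed, so the
    same rule is enforced again here before the value touches the database."""
    return bool(USERNAME_RE.match(value))

def find_user_unsafe(username):
    """Vulnerable: the input is pasted into the SQL text, so a crafted
    value changes the query instead of being treated as data."""
    rows = conn.execute(
        f"SELECT username FROM users WHERE username = '{username}'").fetchall()
    return [r[0] for r in rows]

def find_user_safe(username):
    """Hardened: reject anything outside the allowed shape, then bind the
    value as a parameter so the driver never interprets it as SQL."""
    if not validate_username(username):
        return []
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)).fetchall()
    return [r[0] for r in rows]

# File uploads: allowlist by content, not by the name the user supplied,
# and store under a random name so an uploaded program cannot be executed.
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png"}

def stored_upload_name(data):
    """Return a random storage name with the extension derived from the
    file's real header, or None when the content is not an allowed image."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return f"{secrets.token_hex(16)}.{ext}"
    return None
```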
Keep your software updated and know what it’s doing
These days, websites have become more advanced. You can now add extra programs (plugins) to enhance the functionality of your website. So before you go on a trip to add every plugin known to man, make sure you know what the plugin does and whether you need it. Otherwise you might end up installing a plugin that will harm you.
A fundamental thing in Information Security is to keep all the software on the latest version. This ensures that if a previous version of software you were using had a vulnerability, you’ll have the latest version, which in most cases will have fixed the security issue for you. So it’s always good to keep everything updated. Another thing you can do is to install software that will actually help your website stay safe, for example Wordfence, a plugin for WordPress websites which routinely scans your website for issues, provides a firewall and also blocks threats in real time.
Backup like your life depends on it
If you don’t do all the above, at least do this. Back up your website data frequently. Now the backup will be useless if it’s not secure, as the hacker can just get to it as well, so make sure that you place it in a safe place. You can even go as far as also putting the backup on an external hard drive as a fallback plan in case your primary backup is compromised. After all, the most secure device is one that is not connected to the Internet.