How to keep your website secure

December 26, 2007

1. Say NO to shared hosting if doing E-commerce
With shared web hosting, permissions are set up to restrict users from your directories and files. However, this is a relatively low level of security compared to that of managed dedicated servers where you and only you have access to your machine and can severely restrict access to your server from the outside world. Also with dedicated hosting, you are not affected by other sites on the same server. In shared hosting environments, other site processes, scripts or activities can cause problems on the server that could affect anyone else on the same machine.

2. Choose wisely
- Many web applications are notorious for having vulnerabilities. Does it have a good security record? What’s the number of vulnerabilities it’s had in the last year and how fast were patches available? Securityfocus and Secunia are great resources to find out this information.
- What kind of permission system does my web application have? Can I set up access control lists or do I only have a single login? What happens if I need to give access to other staff members? Can I limit their access? These are some good questions you should be asking yourself - not all web applications are created equal in this area.

3. Keep your web applications up to date
- Unfortunately, web applications are rarely “set and forget”. A web application can have a vulnerability from the time it was installed to the time that your web site is actually launched! Make sure that your working agreement with your web development company includes a section for web site security upgrades and maintenance.
- If your domain doesn’t have a security-related email address, then start one (). Use this email address to subscribe to security-related mailing lists concerning any web applications you run on your site.

4. Don’t be a target
- Don’t store credit card information. Most third party payment processors can handle most or all of the credit card transaction. This will put your customer’s mind at ease and there is no financial gain for a hacker to target you.
- Insist that version information is removed from your web pages. Content management systems are notorious for listing version information in the header or footer. Unfortunately this information gets parsed and stored by search engines. Malicious users can then write automated scripts to search that information to find your site.

5. Protect your logins
- Use a password manager. This will allow you to use very strong (non-guessable) passwords. KeePass Password Safe is a great open source password manager for Windows, OS X, and Linux.
- Make sure that your administrative login pages are protected with an SSL certificate. Expensive SSL certificates are a thing of the past. 256 bit certificates can be purchased for as little as twenty dollars a year.
- If your office or home has a dedicated IP address, then your server admin can limit login access to that specific IP address or corporate subnet.
- Don’t log in to your web site from an untrusted computer. You have no idea what kind of malicious programs are installed on that computer (keyloggers, etc). Also make sure that your own computer is up-to-date and has a virus scanner installed.
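As an added example (not from the original post), here is an Apache 2.4 virtual host fragment that applies the two server-side points above: the admin area is only ever served over SSL, and only the office subnet can reach it. It assumes the admin pages live under /admin and uses the constructed documentation subnet 203.0.113.0/24 and placeholder certificate paths.

```apache
# Added example, not part of the original article.
# Assumptions: admin pages under /admin; office subnet 203.0.113.0/24 (constructed);
# certificate/key paths are placeholders.

<VirtualHost *:80>
    ServerName www.example.com
    # Never serve the admin area over plain HTTP: send it to HTTPS instead,
    # so a login form is never submitted in the clear.
    Redirect permanent /admin https://www.example.com/admin
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    <Location /admin>
        # Belt and braces: refuse the request if it somehow is not SSL.
        SSLRequireSSL
        # Only the office subnet (plus loopback for local maintenance) may
        # reach the login page; every other client receives a 403.
        Require ip 127.0.0.1 203.0.113.0/24
    </Location>
</VirtualHost>
```

If the site sits behind a load balancer or reverse proxy, Apache sees the proxy's address rather than the visitor's, so the allow-list must be evaluated against the forwarded client address (for example via mod_remoteip) or it will either block everyone or admit everyone.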
