2. Choose wisely
- Many web applications are notorious for having vulnerabilities. Does it have a good security record? What’s the number of vulnerabilities it’s had in the last year and how fast were patches available? Securityfocus and Secunia are great resources to find out this information.
- What kind of permission system does my web application have? Can I set up access control lists or do I only have a single login? What happens if I need to give access to other staff members? Can I limit their access? These are some good questions you should be asking yourself – not all web applications are created equal in this area.

3. Keep your web applications up to date
- Unfortunately web applications are rarely “set and forget”. A web application can have a vulnerability from the time it was installed to the time that your web site is actually launched! Make sure that in your working agreement with your web development company that it includes a section for web site security upgrades and maintenance.
- If your domain doesn’t have a security related email address then start one (). Use this email address to subscribe to security related mailing lists concerning any web applications you run on your site.

4. Don’t be a target
- Don’t store credit card information. Most third party payment processors can handle most or all of the credit card transaction. This will put your customer’s mind at ease and there is no financial gain for a hacker to target you.
- Insist that version information is removed from your web pages. Content management systems are notorious for listing version information in the header or footer. Unfortunately this information gets parsed and stored by search engines. Malicious users can then write automated scripts to search that information to find your site.

5. Protect your logins
- Use a password manager. This will allow you to use very strong (non guessable) passwords. Keepass Password Safe is a great open source password manager for windows, OSX, and Linux
- Make sure that your administrative login pages are protected with a SSL certificate. Expensive SSL certificates are a thing of the past. 256 bit certificates can be purchased for as little as twenty dollars a year.
- If you’re office or home has a dedicated IP address then your server admin can limit login access to that specific IP address or corporate subnet.
- Don’t login to your web site from an un-trusted computer. You have no idea what kind of malicious programs are installed on that computer (key loggers, etc). Also make sure that your own computer is up-to-date and has a virus scanner installed.

I have never seen such a comprehensive list of features in a validation plug-in before!

• HTML validator
• An accessibility validator
• A spelling validator
• A broken links validator
• The ability to take screenshots with different browsers to see what your web pages really look like (27 different browsers supported!).

It also has the ability to upload local pages to the total validator service (great if the web site isn’t actually live yet).

Note: They also offer standalone versions for windows and OSX and a “pro” version that can spider through and validate an entire site. The Firefox extension works well on Linux!