Monday, November 05, 2018

Website Security Best Practices


What it is

The appropriate set of “best practices” depends on the type of website being protected; one set of practices does not fit all. A website offering only public information clearly requires less attention than a site that holds sensitive user and financial information. Once confidential information has been taken, no amount of effort can bring it back. This page has two parts. The first, Basic Steps, applies to all websites; the second, Advanced Steps, covers some of the considerations relevant to sites whose breach would result in irreversible damage.

Designing for Security

Website security is rarely a topic of conversation during a web design process, yet it should be. Security is difficult to retrofit after a site has been created. With public websites, hacking attacks can range from being merely embarrassing to being a source of malware infections for website visitors. The need for security is far higher when personal and/or financial information is involved. Once a person’s personal information has been taken, it’s never coming back. In many cases, if money is stolen, it too may never be restored. Being aware of what a website collects and stores should be a fundamental part of the website design process. Adding security to a website after it has been designed tends not to be effective.

Basic Steps


  1. Keep your site simple. What a website doesn’t have cannot be exploited. Most informational sites can be turned into static pages. “Static” just means the page is always the same. Commercial sites require the services of a CMS (Content Management System) to dynamically build pages. Because the CMS is a primary avenue of attack, not having one represents a significant improvement in security.
  2. Update software. Most breaches exploit vulnerabilities for which a patch already exists. Hackers take advantage of systems that have not been updated for months, if not years.
  3. Have a backup. The most effective way to repair a hacked site is to restore a recent backup of it.
  4. Use strong passwords. A common method for breaking into a website is to log in as the administrator. Use a strong password and two-factor verification, if available. Some systems will also block login attempts from foreign countries or from IP addresses not placed on the website’s access list.

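The controls in step 4 (strong passwords, lockout after repeated failures, and an IP access list for the administrator login) can be checked in a few dozen lines. The following is an added example written for this page, not code from the original post; the allowlist network, lockout thresholds and PBKDF2 work factor are assumptions chosen for illustration:

```python
import hashlib
import hmac
import ipaddress
import secrets
import string
from typing import Optional

# Constructed policy values; these are assumptions for the example, not figures from the post.
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical office network (documentation range)
MAX_FAILED_ATTEMPTS = 5        # failures within the window before the account locks
LOCKOUT_SECONDS = 15 * 60      # window and lock duration, in seconds
PBKDF2_ROUNDS = 200_000        # work factor for stored password hashes


def password_is_strong(password: str, min_length: int = 12) -> bool:
    """Minimum policy: at least min_length characters and three of four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class LoginGuard:
    """Enforces the admin IP allowlist and a per-account lockout after repeated failures."""

    def __init__(self, allowlist=ADMIN_ALLOWLIST):
        self.allowlist = allowlist
        self.failures = {}   # username -> timestamps of recent failed attempts

    def ip_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def is_locked(self, username: str, now: float) -> bool:
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent          # forget failures outside the window
        return len(recent) >= MAX_FAILED_ATTEMPTS

    def attempt(self, username: str, password: str, ip: str, stored: tuple, now: float) -> str:
        """stored is (salt, digest) from hash_password(). Returns blocked_ip, locked, ok or failed."""
        if not self.ip_allowed(ip):
            return "blocked_ip"      # the password is never even evaluated
        if self.is_locked(username, now):
            return "locked"          # a correct password does not unlock the account early
        if verify_password(password, *stored):
            self.failures.pop(username, None)
            return "ok"
        self.failures.setdefault(username, []).append(now)
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    stored = hash_password("Correct-Horse-9-Staple")
    print(guard.attempt("admin", "Correct-Horse-9-Staple", "198.51.100.7", stored, now=0.0))  # blocked_ip
    print(guard.attempt("admin", "Correct-Horse-9-Staple", "203.0.113.5", stored, now=0.0))   # ok
```

The allowlist check runs before any password work, so requests from outside the listed network cost nothing and leave no lockout state behind; the lockout is keyed on the account rather than the source address, so spreading attempts over many addresses does not reset it. The `now` parameter is passed in rather than read from the clock so the behaviour can be tested deterministically.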
Advanced Steps


  1. Use encryption. Websites with any non-public information should always be protected by an encrypted connection (HTTPS). The trend is for all websites to use encryption and digital certificates; while this is still optional for purely informational sites, it should not be considered optional for sites that hold any form of private information.
  2. Use a traffic filtering service. A typical firewall works by blocking unauthorized traffic, but a website must be reachable. Website firewall services filter traffic rather than block it. The traffic passes through a system that inspects all the packets of data; if it sees a pattern inside a packet, or a pattern of packets, representative of an attack, the service does not pass that traffic to the website. This is a very simplistic description of such services, and not all services are the same, but high-value sites should have some sort of traffic filtering.
  3. Separate the data from the website interface. Storing sensitive data on a second, isolated server can help protect the data if the website is compromised. An attacker is forced to defeat two systems, not one.
  4. Anonymize and separate user data. Collect only the information the site needs. If you don’t need a person’s birthdate or government ID number, don’t ask for it. If you just want to know if the user is a child, youth or adult, ask that or for the year of birth. When a report does not need to use the person’s full information, anonymize and abstract. Keep the most sensitive information in a separate database protected with more stringent access controls.
  5. Get advice. A site with private information is always more difficult to secure and the ramifications of a breach are far more serious than they are for informational websites. Get expert advice on structuring the website for security. And then ask another expert to test the security of the site.
  6. Use external credit processors. When it comes to sensitive information processing, such as for credit card purchases, it’s best to use an established provider.

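Steps 3 and 4 above (keep the most sensitive fields in a separate store, collect only what is needed, and abstract the rest for reports) are easy to state and easy to get wrong in practice. The example below is added here to make them concrete; it is not code from the original post. The record layout, the sensitive-field list and the exact age bands are assumptions chosen for illustration, and the reporting key is generated for the run rather than read from a real secret store:

```python
import hashlib
import hmac
import secrets

# Constructed sample records in the shape a site might collect; all names and values are invented.
RAW_USERS = [
    {"id": 101, "name": "Alice Example", "email": "alice@example.com",
     "birth_year": 1985, "gov_id": "ID-0001", "plan": "pro"},
    {"id": 102, "name": "Bob Example", "email": "bob@example.com",
     "birth_year": 2004, "gov_id": "ID-0002", "plan": "free"},
    {"id": 103, "name": "Carol Example", "email": "carol@example.com",
     "birth_year": 1999, "gov_id": "ID-0003", "plan": "pro"},
]

# Fields that belong in the isolated, more tightly controlled store (assumed list).
SENSITIVE_FIELDS = {"name", "email", "birth_year", "gov_id"}


def age_band(birth_year: int, current_year: int) -> str:
    """Abstract a birth year to the coarse band the post mentions; the cut-offs are assumptions."""
    age = current_year - birth_year
    if age < 18:
        return "child"
    if age < 25:
        return "youth"
    return "adult"


def pseudonym(user_id: int, key: bytes) -> str:
    """Keyed one-way identifier: stable for the same user, not reversible without the key."""
    return hmac.new(key, str(user_id).encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def split_record(record: dict) -> tuple:
    """Split a record into the web-facing part and the sensitive part, joined only by id."""
    public = {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
    sensitive = {"id": record["id"], **{k: record[k] for k in SENSITIVE_FIELDS if k in record}}
    return public, sensitive


def anonymize_for_report(records, key: bytes, current_year: int) -> list:
    """Report rows carry a pseudonym and an age band, never name, email, ID number or birth year."""
    return [
        {"pseudonym": pseudonym(r["id"], key),
         "age_band": age_band(r["birth_year"], current_year),
         "plan": r["plan"]}
        for r in records
    ]


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in practice kept with the sensitive store, not with the report
    for row in anonymize_for_report(RAW_USERS, key, 2018):
        print(row)
```

Two points are worth noting. Using an HMAC rather than a plain hash of the user id matters because ids are small and guessable: an unkeyed hash could be reversed by hashing every possible id. And the report never receives the birth year itself, only the band, so the report store holds nothing that needs the stricter controls of the sensitive one.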
Cautions

It’s impossible to have absolute security. Even if the technology were perfect – and it never is – people are not perfect. They make mistakes and can be tricked into granting access to attackers. Generally, however, an attacker is scanning large numbers of websites for possible targets. If the above steps are followed, it is probable that the attacker will move on to a less well-protected site.
