At a time when we spend so much of our lives online, website security has never been more important. According to SophosLabs, more than 30,000 websites are infected with some type of malware every day. Cybercriminals do not discriminate – they will target small or large websites if they can get what they want from them. Monetary gain, hacktivism, bragging rights, malware hosting, crypto mining, and entertainment are just a few of the many reasons your website might be targeted.
Website security is something people tend to overlook, even in 2020. It is worth saying up front that you will never be 100% safe, because code and software are written by humans and inherently come with flaws. What you can do is your due diligence, so that you are as secure as reasonably possible. Below are three things you should be aware of when it comes to website security.
1. HTTPS > HTTP
HTTP stands for Hypertext Transfer Protocol and it is the protocol browsers use to request web pages. Let’s say you want to go to NHL.com – here is what happens in the background:
- A client (your web browser) sends an HTTP request to the web server that hosts NHL.com
- The web server receives that request
- The web server runs the application that builds the page you asked for
- The web server sends back an HTTP response carrying a status code and the page content. Usually this is a 200 OK success status, which is when you land on NHL.com with no issues
- You might have seen a 404 error before when surfing the web – this is another status code, returned for a page that cannot be found
All the data sent back and forth with plain HTTP travels as cleartext over the public internet. That is tolerable if you are only checking hockey standings or watching YouTube videos. However, what if sensitive data is being exchanged? Entering usernames, passwords, addresses, credit card numbers and the like into a website served over HTTP is a serious problem, because anyone positioned between you and the server (on the same Wi-Fi, at the ISP, or anywhere along the route) can read that data as it passes and make sense of it immediately. Cleartext also lets such an attacker alter what the server sent, so even a harmless page can be rewritten to carry malware on its way to you.
HTTPS is the secure version of HTTP: the same HTTP requests and responses, carried over TLS, which encrypts and authenticates the connection. Everything exchanged between the client and server is encrypted before it leaves either side, so if a cybercriminal intercepts the traffic they receive a meaningless scrambled value – for example, “3fc79dd6a81” instead of “hello” – and cannot tamper with it without the other side noticing.
But how would you know if the website you are on uses HTTP or HTTPS? Most browsers nowadays show a lock icon in the address bar on HTTPS pages, and a “Not secure” warning or caution icon on HTTP pages. Try typing an “s” after “http” in the address bar to see if the website you are visiting has a secure version you can browse on. One caveat: the lock only means your connection to the site named in the address bar is encrypted. It does not mean the site itself is honest; phishing sites use HTTPS too.
How can you ensure your own website uses HTTPS? You need a Transport Layer Security (TLS) certificate (still widely called an SSL certificate; TLS is the successor to Secure Sockets Layer) issued by a certificate authority and installed on your web server. You can buy one from a commercial certificate authority, but you do not have to: Let’s Encrypt issues them free of charge, and many hosting providers will set one up for you. The certificate is what lets a visitor’s browser verify it is really talking to your server and not an impostor.
Once the browser has checked that the certificate was issued by an authority it trusts and matches the domain in the address bar, the TLS handshake completes and encrypted data can start to flow. Installing the certificate is not quite the end of the job: configure the server to redirect every HTTP request to HTTPS, otherwise visitors who type your bare domain still start out in cleartext. If you are an eCommerce business or have a login for your website, HTTPS is non-negotiable. Give your users the same level of security that you would expect from the websites you frequent.
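The following is an added example, not code from the original article. It checks the two things a site owner should verify after installing a certificate: that a plain http:// request is redirected to https, and that the https page sends a Strict-Transport-Security header and marks its cookies Secure. The hostname example-shop.test and the responses are constructed samples; in practice you would feed it the headers returned by your own server (for instance captured with curl -I).

```python
"""Check that a site actually enforces HTTPS after a certificate is installed.

Added example, not code from the original article. It reviews the status code
and headers of two responses: one to a plain http:// request (which should be
a redirect to https) and one to the https:// page (which should send HSTS and
Secure cookies). The hostname and the responses below are constructed samples.
"""
from urllib.parse import urlparse

REDIRECTS = (301, 302, 307, 308)


def audit_response(requested_url, status, headers):
    """Return a list of findings for one response.

    headers is a list of (name, value) pairs so repeated Set-Cookie headers survive.
    """
    findings = []
    scheme = urlparse(requested_url).scheme
    pairs = [(name.lower(), value) for name, value in headers]

    def first(name):
        return next((value for key, value in pairs if key == name), None)

    if scheme == "http":
        # A cleartext request must be bounced to https before any content is served.
        if status in REDIRECTS:
            location = first("location") or ""
            if urlparse(location).scheme != "https":
                findings.append(f"redirect target is not https: {location!r}")
        else:
            findings.append(f"cleartext request served status {status} instead of redirecting to https")
    elif scheme == "https":
        # HSTS makes the browser refuse http for this host on future visits; it is only
        # honoured when received over https, which is why it is checked here.
        if first("strict-transport-security") is None:
            findings.append("missing Strict-Transport-Security header")
        # A cookie without Secure is sent by the browser over http too, so a single
        # cleartext request leaks the session even if the login page itself was https.
        for key, value in pairs:
            if key == "set-cookie":
                name = value.split("=", 1)[0].strip()
                attrs = {a.strip().lower() for a in value.split(";")[1:]}
                if "secure" not in attrs:
                    findings.append(f"cookie {name!r} is set without the Secure flag")
    return findings


# Constructed samples for a hypothetical site, before and after hardening.
BEFORE = [
    ("http://example-shop.test/login", 200, [("Content-Type", "text/html")]),
    ("https://example-shop.test/login", 200,
     [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
]
AFTER = [
    ("http://example-shop.test/login", 301, [("Location", "https://example-shop.test/login")]),
    ("https://example-shop.test/login", 200,
     [("Content-Type", "text/html"),
      ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
      ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure")]),
]


def audit_site(responses):
    """Run audit_response over each (url, status, headers) triple and flatten the findings."""
    return [f for url, status, headers in responses for f in audit_response(url, status, headers)]


if __name__ == "__main__":
    for label, responses in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_site(responses) or ["no findings"])
```

The "before" sample is the typical state right after a certificate goes live: the certificate works, but the http:// URL still serves the page, and the session cookie can leak over cleartext. The "after" sample is what the same two requests should look like once the redirect, HSTS and Secure flag are in place.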
2. Create secure passwords for website logins and other associated accounts
Creating secure passwords is an easy precaution you can take against cybercriminals gaining access to your website login and the other accounts tied to your site (hosting control panel, domain registrar, database, email). First off, never use a password more than once. If one password leaks, attackers will try it against every other account you own, so a unique password per account confines the damage to that one account. This is risk mitigation: reducing the impact of a threat you cannot entirely prevent. Since nobody can memorise dozens of unique passwords, use a password manager to generate and store them, and turn on multi-factor authentication wherever the service offers it.
You might be wondering, “But how can cybercriminals crack my password?” There are several ways this can be accomplished, but an extremely common method is a brute force attack: trial and error, guessing password after password until one works. Guessing directly against a login form is slow and easily rate-limited; the dangerous case is offline cracking, where attackers have stolen a site’s database of password hashes and can test enormous numbers of guesses per second on their own hardware, checking each guess by hashing it and comparing the result. Probably the most popular type of brute force attack is a dictionary attack.
A dictionary attack is a kind of brute force attack in which the attacker works through a wordlist rather than every possible combination. The list may start as an actual dictionary, but in practice it is built from the millions of passwords exposed in earlier breaches, and cracking tools apply “rules” to each entry (capitalise it, swap letters for look-alike digits, append a year or a symbol) so that predictable variations of a common word are tried as well.
To help prevent cybercriminals from gaining access to your account through either of these attacks, make your password stronger by practicing the following:
- Avoid personally identifiable information as part of your password. Things like your name, your birthday, your pet’s name, etc. can easily be found on social media or obtained through social engineering.
- Create passwords that are at least 8 characters long. Truthfully, the longer the better – 8 is the bare minimum most sites enforce, and 12 or more is a far better floor. Each extra character multiplies the number of guesses a brute force attack has to make, so a few extra characters do more for you than any single clever substitution.
- Avoid common words. Words such as “password”, “monkey”, “princess”, “dragon”, etc. sit at the top of every cracking wordlist and stand no chance against a dictionary attack. Try using unusual words that you would not find in a dictionary. In addition, combining non-dictionary words in more than one language makes your password that much stronger.
- Mix in special characters, numbers, and upper and lower case letters. This increases the alphabet a cybercriminal has to cover when running an attack on your password. Compare the 31.5 minutes a password strength website estimates to crack “wisconsin” with the 609 years and 11 months it estimates for “w1Sc0Ns1N;”. Treat such figures as illustrations of the arithmetic rather than guarantees: they depend on the guess rate the site assumes, and the letter-for-digit swaps in “w1Sc0Ns1N;” are exactly the kind of rule cracking tools already try, so its real-world resistance is lower than the estimate suggests, though still far above the plain word.
Most websites only validate that a password has at least 8 characters and one special character. It is recommended that you go above these basic requirements. Something as simple as adding a few extra characters will go a long way toward protecting your website’s information and credentials.
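The following is an added example, not code from the original article, showing both attacks just described on the article’s own sample passwords. The wordlist, the handful of mangling rules and the use of unsalted SHA-256 as the stored hash are constructed for the demo (SHA-256 stands in for a site that stored passwords badly; real cracking tools use wordlists of millions of leaked passwords and far richer rule sets), and the guess rate of one billion per second is an assumption.

```python
"""How a dictionary attack and a brute-force estimate work against the passwords
discussed above.

Added example, not code from the original article. The wordlist, the mangling
rules and the use of unsalted SHA-256 are constructed for the demo, and the
guess rate is an assumed GPU-class figure, not a measurement.
"""
import hashlib
import string

# Constructed wordlist: dictionary words plus leaked-password favourites.
WORDLIST = ["password", "monkey", "princess", "dragon", "wisconsin", "letmein", "hockey"]


def mangle(word):
    """Yield the variations a (tiny) rule set tries for one wordlist entry."""
    leet = str.maketrans("aeio", "4310")
    bases = dict.fromkeys([word, word.capitalize(), word.upper(),
                           word.translate(leet), word.capitalize().translate(leet)])
    for base in bases:
        yield base
        for suffix in ("1", "!", ";", "123"):
            yield base + suffix


def sha256_hex(text):
    """Unsalted SHA-256: a weak way to store passwords that makes offline guessing cheap."""
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Return (password, guesses) if a mangled entry hashes to target_hash, else (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(password):
    """Search space for a blind brute force that knows only the length and character classes used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(chars) for chars in classes if any(c in chars for c in password))
    return alphabet ** len(password)


def expected_crack_seconds(password, guesses_per_second=10**9):
    """Time to cover half the keyspace at the assumed rate (1e9 guesses/s is an assumption)."""
    return keyspace(password) / 2 / guesses_per_second


if __name__ == "__main__":
    for pw in ("wisconsin", "W1sc0ns1n!", "w1Sc0Ns1N;"):
        found, guesses = dictionary_attack(sha256_hex(pw))
        verdict = f"cracked after {guesses} guesses" if found else f"survived {guesses} guesses"
        years = expected_crack_seconds(pw) / (365 * 24 * 3600)
        print(f"{pw:12} dictionary: {verdict:26} brute force: {keyspace(pw):.2e} keys, ~{years:.1e} years")
```

Two things the output makes visible: “wisconsin” and the rule-generated “W1sc0ns1n!” both fall to the dictionary attack after about a hundred guesses, while “w1Sc0Ns1N;” survives this rule set only because its alternating capitals happen not to be among the rules tried. The keyspace figures show the other half of the story: nine lowercase letters give 26^9 possibilities, under an hour at the assumed rate, whereas ten characters drawn from all four classes give 94^10, which is centuries.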
3. Make sure to update your tools/plugins/website platforms/scripts
Bugs in software are potential vulnerabilities, and cybercriminals exploit them. One of the main reasons updates are released is to patch or fix these bugs. Keeping everything up to date is a simple way to reduce the number of avenues an attacker can take into systems you want to keep them out of. That means the platform itself, every plugin and theme, and any third-party scripts you embed; an unmaintained plugin is a liability even if the core platform is current.
Most tools and programs will notify you when updates are available for download. Read what the update includes, and if you see security fixes or bug patches, apply it promptly: once a fix is published, the vulnerability it addresses is public knowledge, and cybercriminals actively look for sites that have not yet patched it. Public vulnerability databases let you search for the programs you use, such as WordPress, and examine the known exploits. Do not let your tools, plugins, website platform or scripts be breached because you haven’t kept on top of your updates.
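The following is an added example, not code from the original article: a small inventory check that reports every component running below the version in which a fix shipped. The component names, installed versions and the minimum-fixed table are constructed for the demo and are not real advisories; in practice the table is filled from each vendor’s changelog or a public vulnerability database. It also shows a bug that bites hand-rolled update checks: comparing version numbers as strings.

```python
"""Find components of a site that are below their minimum safe version.

Added example, not from the original article. The inventory and the
MINIMUM_FIXED table are constructed (hypothetical component names and
version numbers, not real advisories).
"""


def parse_version(text):
    """'v5.4.2-beta' -> (5, 4, 2). Only the numeric core is compared."""
    core = text.strip().lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_lt(installed, required):
    """True if installed is older than required, comparing each component numerically.

    Comparing the strings instead is a classic bug: '2.10.1' < '2.9.3' as strings,
    which would hide the fact that 2.10.1 already contains the 2.9.3 fix.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    # Pad with zeros so that '1.9' and '1.9.0' compare equal.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit_inventory(inventory, minimum_fixed):
    """Return (component, installed, required) for every component that needs attention.

    Components with no entry in minimum_fixed are returned with required=None so they
    are not silently assumed safe.
    """
    findings = []
    for component, installed in sorted(inventory.items()):
        required = minimum_fixed.get(component)
        if required is None:
            findings.append((component, installed, None))
        elif version_lt(installed, required):
            findings.append((component, installed, required))
    return findings


# Constructed inventory of a hypothetical site and the constructed fixed-version table.
INVENTORY = {
    "cms-core": "5.4.2",
    "contact-form-plugin": "1.9",
    "gallery-plugin": "2.10.1",
    "seo-plugin": "3.0.0",
}
MINIMUM_FIXED = {
    "cms-core": "5.4.4",             # installed 5.4.2 is below this: needs an update
    "contact-form-plugin": "1.9.0",  # equal to installed 1.9 once padded: fine
    "gallery-plugin": "2.9.3",       # installed 2.10.1 is newer, even though the string sorts lower
}

if __name__ == "__main__":
    for component, installed, required in audit_inventory(INVENTORY, MINIMUM_FIXED):
        if required is None:
            print(f"{component} {installed}: no fixed-version data, review manually")
        else:
            print(f"{component} {installed}: update to {required} or later")
```

Run on the constructed inventory it reports cms-core as needing an update and seo-plugin as having no data, and correctly leaves gallery-plugin alone; a string comparison would have flagged gallery-plugin and could just as easily have cleared a genuinely outdated component.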
Security for your website and the assets associated with it is vital. Keeping these three simple concepts in mind will benefit you immensely in the long run. Remembering complex passwords and constantly applying updates can be a nuisance, but it is nothing compared to the headache you could endure if a vulnerability is exploited – especially one that could easily have been prevented.