Wednesday, 17 February 2016

Website Security Considerations


Running and maintaining a jewellery website where the price of some of our gold chains exceeds $20,000 means that security is one of the most important considerations. This article deals with the security of hosting a web site; detecting and preventing fraud will be covered in a future article.


Securing The Web Server


There are a number of things that can be done to limit the chance of having your website hacked. (As long as a computer is connected to the Internet it can be vulnerable to hack attempts, so we are talking risk minimisation not absolute guarantees of imperviousness.)


Passwords


Having complex passwords of a reasonable length is the first consideration. Use at least 12 characters containing some of each from the following groups: upper-case letters, lower-case letters, numbers and symbols. An example of a strong password would be similar to this – *hY55"gTh09,Jj – it contains characters from each of the groups mentioned and it will not be found in a dictionary. On older systems, rename the administrator account to another name like hy66d6yuskl. The chance of this combination of username and password being discovered is next to zero (but not impossible).


Many password attacks use brute force by trying thousands of passwords one after the other, often common words that could be found in a dictionary, sometimes with numbers added to the beginning or the end of the word. An example of a really bad password is – password123 – don’t expect this to keep anyone out of your web server!
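As an added illustration (this is not code from the original article), the following Python function applies the rules above: at least 12 characters, all four character groups present, and no dictionary word with digits or symbols simply tacked onto either end. The word list is a constructed stand-in; a real deployment would load a full dictionary file.

```python
import string

# Constructed mini word list standing in for a real dictionary (assumption:
# a deployment would load a full word list such as /usr/share/dict/words).
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "qwerty", "jewellery"}

MIN_LENGTH = 12


def character_classes(password):
    """Return the set of character groups present: upper, lower, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def dictionary_core(password):
    """Strip digits and symbols from both ends, the way a brute-force list that
    appends '123' to dictionary words would, and lower-case what remains."""
    core = password.strip(string.digits + string.punctuation + " ")
    return core.lower()


def check_password(password, words=COMMON_WORDS):
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"upper", "lower", "digit", "symbol"} - character_classes(password)
    if missing:
        problems.append("missing character groups: " + ", ".join(sorted(missing)))
    if dictionary_core(password) in words:
        problems.append("dictionary word with digits/symbols added")
    return problems


def is_strong(password, words=COMMON_WORDS):
    """True when the password meets every rule in the article's policy."""
    return not check_password(password, words)


if __name__ == "__main__":
    for candidate in ('*hY55"gTh09,Jj', "password123", "Jewellery2016!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The third sample, Jewellery2016!, shows why the dictionary check matters: it satisfies the length and character-group rules yet is just a word with a year and a symbol appended, exactly the pattern a brute-force list tries early.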


Virtual Private Server (VPS) vs Shared Hosting


Shared Hosting

A shared host is where multiple web sites are run on the same server and share a common IP address.


If one of those sites is compromised, the other sites may also be vulnerable to attack. Furthermore, if one of those sites is a gambling, pornography, hacking, pirated software or other low quality site, Google may penalise YOUR web site in their SERPs because you share a common IP address.


If one of the other sites sharing your server becomes infected with malware, Google may also penalise your own site.


If one of the other sites is acquiring lots of low quality spammy incoming links, Google may also penalise your site.


On a shared server there may be many programs running that you don’t need. Each additional program has the potential to be susceptible to security vulnerabilities that a hacker may exploit.


Private Hosting

A VPS gives you a unique IP address and a computer running a web server that you are not sharing with other web sites.


Having a VPS avoids the problems described above that can occur under a shared hosting arrangement.


A VPS is also typically able to deliver web pages much more quickly than a shared host that is running another 50 or 100 websites in addition to your own.


Private hosting does cost more, but the benefits are immense. Consider:


How much is your reputation worth?


If you run an e-commerce store and Google dumps you from their search results how much could you lose in sales?


On a VPS, you control what software is installed. This means you only run software that YOU need, unlike on a shared server, which is much more secure.


Managing the server and uploading new pages to your website (via FTP) are some of the tasks you will perform reasonably frequently.


On a VPS, you can restrict access to the management console and FTP (file transfer) by IP address. If you have a static IP address in your office, you can allow FTP/console access to your web server from that IP address and ONLY that IP address.


Anyone connected from a different IP address will be allowed to browse your web site (you want this!) but be blocked from accessing the web server for any other purpose.
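The access rule described in the two paragraphs above, written out as a small Python policy with its equivalent iptables rules, as an added example that is not from the original article. The office address 203.0.113.10 is a constructed documentation address, and the port list (80/443 public, 21 and 22 office-only) is an assumption about what the server exposes.

```python
import ipaddress

# Constructed values (assumptions, not from the article): the office's static
# address and the services the server exposes.
OFFICE_NET = ipaddress.ip_network("203.0.113.10/32")   # documentation address
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# Destination port -> networks allowed to connect to it. The public web ports
# are open to everyone; the management ports (SSH console, FTP control
# channel) are reachable from the office address and ONLY that address.
POLICY = {
    80: [ANYWHERE],
    443: [ANYWHERE],
    21: [OFFICE_NET],
    22: [OFFICE_NET],
}


def is_allowed(src_ip, dst_port, policy=POLICY):
    """Default deny: a connection is permitted only if the destination port is
    listed and the source address falls inside one of its allowed networks.
    (A mismatched IP version, e.g. an IPv6 source, simply fails the check.)"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in policy.get(dst_port, []))


def iptables_rules(policy=POLICY):
    """Render the same policy as iptables commands for the INPUT chain with a
    default DROP, so the firewall and the documented policy cannot drift."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port, nets in sorted(policy.items()):
        for net in nets:
            src = "" if net == ANYWHERE else f" -s {net}"
            rules.append(f"iptables -A INPUT -p tcp{src} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for ip, port in [("203.0.113.10", 22), ("198.51.100.7", 22), ("198.51.100.7", 443)]:
        print(f"{ip}:{port} ->", "allow" if is_allowed(ip, port) else "deny")
    print("\n".join(iptables_rules()))
```

One caveat a practitioner would want: plain FTP also opens passive-mode data ports beyond port 21, which this rule set does not cover, so restricting "FTP" by source address is simpler if file transfer runs over SSH (SFTP), where the single port 22 rule is the whole story.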


Fallback Plans


In the event that you find your server has been compromised, it is vitally important to have a recovery plan in place.


You (or your host) should be making regular backups of your web site. (Best that you both keep copies.)


If the content on your web site changes often, backup more frequently.


If you are going to make major changes to your content, do a backup first and another one after the changes have been uploaded.


If you have a database (on an e-commerce store for example) you should back it up at least once a day. Leave a copy on the web server and download a copy to your office computer as well.


Having current backups is critical should your web site be hacked.


It is also very important to have historical backups – you may not know your web site has been compromised for some time and if your only available backup was done yesterday, then that backup may be of no use to you.
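To make the "historical backups" point concrete, here is an added Python example (not from the original article) of a retention schedule that keeps every daily backup for a week, one backup per week for a month, and one per month for a year, so that a compromise discovered months later still has a clean copy to fall back on. The daily schedule it runs over is constructed; the tier sizes are assumptions you would tune to how often your content changes.

```python
from datetime import date, timedelta


def backups_to_keep(backup_dates, today, daily=7, weekly=4, monthly=12):
    """Return the sorted subset of backup_dates to retain:
    - every backup taken in the last `daily` days,
    - the newest backup of each ISO week for the last `weekly` weeks,
    - the newest backup of each calendar month for the last `monthly` months.
    Everything else is eligible for deletion."""
    keep = set()
    dated = sorted(set(backup_dates))   # ascending, so "last one wins" = newest

    # Tier 1: recent dailies, for restoring a site that changes often.
    for d in dated:
        if 0 <= (today - d).days < daily:
            keep.add(d)

    # Tier 2: one per ISO week.
    latest_in_week = {}
    for d in dated:
        if 0 <= (today - d).days < weekly * 7:
            latest_in_week[d.isocalendar()[:2]] = d
    keep.update(latest_in_week.values())

    # Tier 3: one per calendar month, so a long-undetected compromise still
    # has a backup that predates it.
    latest_in_month = {}
    for d in dated:
        months_ago = (today.year - d.year) * 12 + (today.month - d.month)
        if 0 <= months_ago < monthly:
            latest_in_month[(d.year, d.month)] = d
    keep.update(latest_in_month.values())

    return sorted(keep)


def example_retention():
    """Constructed schedule: a backup every day for the 400 days up to the
    article's date. Returns the dates the policy would retain."""
    today = date(2016, 2, 17)
    backups = [today - timedelta(days=n) for n in range(400)]
    return backups_to_keep(backups, today)


if __name__ == "__main__":
    kept = example_retention()
    print(f"{len(kept)} of 400 backups retained; oldest is {kept[0]}")
    for d in kept:
        print(d)
```

Against the constructed daily schedule the policy keeps 20 of the 400 backups, the oldest being the end of March 2015, almost eleven months back; a single "yesterday" backup, by contrast, would already contain whatever an attacker planted.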


