7 tricks to reinforce the security of your web solutions based on my paintful experience
The security of your website is crucial because it protects your data and avoids you putting your customers' information at risk.
If you have once in your life experienced hacking, you will surely agree with me that it is one of the painful and frustrating experiences. It is painful because of the amount of time and money that you probably invested in your project. Or because you may have to start all over again. In any case, it is not a situation that we wish to someone.
I learnt the hard way
In 2015, a couple of months after I started hosting websites on my webserver, I got hacked. It all started with my site loading indefinitely. And then, a blank page with a message like "This website is hacked; please contact the email firstname.lastname@example.org." By the time I started saying to myself, "What the hell is happening." While panicking and rushing to find a solution, my page turns into a red screen with the message "Deceptive site ahead." Today, I speak about it freely by; for almost a year, I was mad at myself for my ignorance.
It can happen to anyone
Today, I believe that it may happen to anyone. It is one thing to know, and it is another to implement. Even with all the skills of the world, you may not have control over all the aspects of solutions. That is the reason why we all need to stay alert and always make sure to apply best practices during the development process. Below are the seven tricks that I learnt since those times and I also have that in mind whenever I build a solution.
Trick no 0 - Security is my priority number one.
It is a good thing to rush and put in place a solution. But whenever you face a baptism from hackers, you will start all over. Some people may not even recover. Just imagine second spending all your savings on a project. You hire developers, and you spend sleepless nights on it. And then suddenly, a crazy fellow destroys everything in a twinkle of the eye. Unless you have enough energy or money to start, I don't think it is worth taking the risk. These are the seven tricks that I want to share with you today.
- Use the Captcha to protect your forms against spams
- Use an SSL certificate to encrypt communication
- Enforce the type of password that users are inputting into your website.
- Improve the security of the server.
- Scan your Code regularly and make the necessary update
- Automate if possible security scan of your website.
- Filter any data sent through the forms to the server
Security plays a vital role in any online activity. Whether you have a blog, a corporate website or an eCommerce platform, you should secure your website. It is essential to protect your website to avoid losing your data or putting your customers' information at risk. Today, I am going to give you a few tips that will help you to improve the security of your website. To enhance the security of your website, apply those tricks on your website.
1- Use the Captcha to protect your forms against spams
A captcha will protect your website against spams. One of the most popular captchas is Google Captcha. You can go on the Google platform, and get the one that is suitable for you. For instance, reCAPTCHA v3 protects your website from spam and unpaid abuse. Based on a scalable risk analysis engine, it prevents automated software from damaging your site while allowing your identified users to surf with ease. To enable reCaptcha v3 to work on your web site, this is how to proceed:
- When a page load or during an action, call grecaptcha.execute
- You should send the token to your back-end with the request to verify
I should note that you can execute reCaptcha for an unlimited time with different actions on the same page. If you are using a CMS such as Magento, WordPress or PrestaShop, you can get an extension that will help you to add the Google Captcha on your site. You may also go a built-in captcha depending on the platform you are using.
2- Use an SSL certificate to encrypt communication
It will encrypt communication between your users and your server and that will add an extra security layer on your website. Besides that, it helps to encrypt connections to protect sensitive information provided by customers while authenticating the identity of any organization.
Here are the steps to follow to install SSL certificates on your server:
- Generate a Certificate Signing Request (CSR), containing public key and server information,
- Request the SSL certificate from a secure source on the Internet according to your specific needs.
- Install the SSL certificate after receiving it by email or via the Client dashboard.
- Associate the SSL with your website.
If you want to get an SSL at an affordable price, you can try this link. The starting price is 16.5$
3- Enforce the type of password that users are inputting into your website.
Instead of allowing your users to enter any password, you can define something a little bit more secure. As such, you are making sure to your website against password guessing. You can, for example, use patterns or ask users to enter specific types of characters. If possible, you can further reinforce security with two-factor authentication. Two-Factor authentication will require users to enter his/her password and validated with a code sent to the phone.
In the case of users having access to your server, you can make use of a secured authentification such as the SSH keys.
The steps to configure SSH key authentication are as follows:
- You must place the public key on the server in a unique directory.
- When a user connects to the server, the server will ask him to prove possession of the associated private key.
- The SSH client will use the private key to respond in a way that demonstrates the ownership of the private key. The server will then let the client connect without a password.
4 - improve the security of the server.
You have some features on your servers, such as the IP blockers or some tools that can protect your website against brute attack force. These are some server security measures that you can apply :
- In the case of the IP blocker, you will be able to stop any attack after a certain number of attempts.
- Some servers also provide the option to force users to change their password after some time.
- You can force users to change and use different passwords if they already use it once.
- You may also restrict access to the server only to authorized users using the IP addresses.
5 - Scan your Code regularly and update your website
Scanning your code periodically and getting the alert in case of any potential attack will help you to always been on the safe side. We can never be 100% in control of our solutions. And by using some automated tools, you can quickly act before something alarming happen. One of the software that you can use to scan your website regularly is Sitelock. Sitelock automatically scans to identifying vulnerabilities and known malicious code and automatically remove them from your website. If you are using some CMS like Magento, registering your site for a security scan can help. In that way, you will know what aspect of your website needs extra protection.
To install your SiteLock Security Seal:
- You should register and Access to your SiteLock dashboard.
- After, you should follow the instructions in the wizard to complete your verification.
- Once you complete the registration, you will be able to access the code you need for your site.
6. Automate if possible security scan of your website.
Many automated solutions can enable you to scan your website every week. Some of them are free, and for some, you need to pay. If you are using Magento, and you are interested in knowing how to improve Magento security, please read this article. "How to improve the security of your Magento open-source Website."
Resources to secure your website.
If you need help you improve the security of your website; contact us today.
7- Filter any data sent through the forms to the server
Another gate for hackers is the forms on your website. Many spammers or hackers will automate the scanning of your website in search of registration forms. And whenever they find one, they will try sending any information from there. If a registration form to send an email to web administrators, in such cases, you could receive a lot of spam emails. They may also send a script that may harm your site.
There are many ways to protect web solutions against attacks, but in my opinion, taking security as a priority is essential. If you dealing with customers' information you won't want to put at risk other people's data.