Securing Your Website
This article was originally written for ArrowQuick Solutions, a technology consultancy for small businesses.
A safe website experience is especially important for sites that conduct transactions (e-commerce) or collect sensitive information, but security should be considered for smaller, simple sites as well.
I touched on the secure sockets layer (SSL) briefly in my article Starting an E-commerce Website. SSL encrypts traffic between the visitor and the web server, so that credit card numbers, passwords, and other sensitive information is protected from prying eyes. You may have noticed the “http:” prefix in your browser’s address bar changing to “https:” when you go to a secure webpage. More likely, you have noticed a padlock icon, which also indicates if a webpage is encrypted or not.
In order to use SSL on your site, you need to buy an SSL certificate from a certificate authority and install it on the web server. Certificate authorities are companies that sell digital certificates. They are trusted by the browser makers because they verify your identity and ownership of your website, thereby establishing a “chain of trust” from you to your website visitors.
Certificates are tied to a specific host name, or set of host names, such as “example.com”. If you just have one site, then you could buy a certificate that includes, for example, both “example.com” and “www.example.com”. If you have another site, then you would need to buy another certificate to secure that domain. (If you buy a multi-domain certificate, then you could add multiple sites to a single certificate.)
Almost all SSL certificates come with a site seal. By including a bit of code on your website, you can show visitors a badge that confirms that the site is encrypted. Visitors can usually click on it to get details about the certificate.
These seals don’t actually secure anything themselves; they only provide a reassurance to visitors that the site is encrypted. However, if you’re in a business where security is very important (banks, e-commerce, high-risk transactions), then this could make a big difference in convincing customers to do business with you.
There are also a number of companies that offer active verification services, from website security scanning to customer privacy to business verification. If you pass their tests, you can place their seal on your website. Again, the idea is that customers will view it as a seal of approval from a trusted authority. The quality between companies can vary wildly, so be sure to do your research on effectiveness and reputation.
An SSL certificate only encrypts traffic between your customer and the web server; a security hole on the server or in the workplace could still leave your customers open to attack.
There are some basic steps you should take:
- Make sure the software running your website is up-to-date.
- Be sure that you are using hard-to-guess passwords.
- Always encrypt sensitive information stored in files or databases on your server.
- Restrict access to only the employees that need the information.
- The computers at your business location should also be protected with anti-virus and anti-spyware programs.
Is Your Website Secure?
In this article I’ve just touched on how to begin securing your website; computer security is an industry in itself, and should be an ongoing practice of your business. We recommend you hire professionals to perform regular audits and fix any problems — might I recommend some experts that I know of? :)