Security Audits and You!

On the web today, there are more attack vectors than ever before. Keeping your site secure is incredibly important, doubly so if your site accepts credit card payments. Hackers these days aren’t just taking sites down or stealing data, now you must also deal with ransomware, hijacked domain names, and hidden cryptocurrency miners, just to name a few new threats. At Hop Studios, we take your site’s security very seriously, and as part of that, one of the services we offer is a full-site security audit.

This audit covers the basics like cycling sensitive passwords and ensuring that your site is secured with an SSL certificate, as well as more complex topics, such as ensuring that third-party plug-ins on your site can be trusted, and keeping your site compliant with up-to-date Payment Card Industry Data Security Standards (PCI DSS).

Here are a few security tips that we share quite often, some of which you can likely address yourself, and others that we would be delighted to take on for you!

Back up your data

This is a big one, so of course it’s first in the list. If you’re not backing up your site files and databases, you could find yourself in real trouble! Regular site backups are critical, and not only to restore from in case of a site failure. Backups can also save you from ransomware attacks, which is when hackers lock you out of your own site and hold it hostage.

We implore all of our clients to have a reliable and tested backup system in place. The best backups are always offsite, or at least on a different server!

Keep your passwords secure!

Regularly changing the password to sensitive services is critical to your site security. We recommend going one step further and using a password manager such as 1Password or LastPass to generate passwords for you. Generated passwords more secure, and PCI DSS requires that you not only change your password every 90 days but also prevents you from using any of the last four passwords you’ve used. Generated passwords ensure this happens.

Add a CAPTCHA to all user submitted forms

A climber's hands secure a safety knot
Safety first! photo by Free To Use Sounds on Unsplash

Even if you’re not familiar with the word CAPTCHA, you’ve no doubt seen one of those forms that require you to type in a certain word or click on all the pictures of ducks before you can hit the submit button. That box is a CAPTCHA, and it’s designed to stop automated form submissions. Hackers use programs to submit to your forms over and over again, sometimes hundreds of times per minute, in an attempt to gain access to your system or collect valid email addresses.

Aside from blocking automated hacking attempts (and as a bonus benefit) CAPTCHAs block out a majority of email spam, which means they also help protect you from nefarious phishing attempts. And honestly, the less spam of any kind the better in our opinion.

6.3 Incorporate information security throughout the software development life cycle

On the more technical side, it’s important to ensure that your processes comply with PCI DSS section 6.3 requirements. That long section title up there is pulled directly from PCI DSS and essentially means that security measures should be addressed all throughout the development process. Developers should be trained to know what to do to maintain healthy levels of security, and the code itself should be audited and tested to meet PCI requirements. Typically code auditing is done through automated scans, though at times it is required to investigate some modules manually. This section of the PCI requirements covers a broad range of material and is often overlooked!

Properly secure your site with SSL

You may already be aware that in Chrome, Edge, and most others browsers, an unsecured site will show either a grey box or a “Not Secure” warning next to the URL in the browser. What you may not have noticed is that in the current Chrome, this grey warning will change to a bright red warning if text is entered into ANY input field on the site. This applies not only to forms with personal information such as credit cards, but also to simple search boxes as well. Even if your site does not collect any personal information, you still risk alarming visitors if your site is not properly secured.

Insecure Chrome browser
Insecure Chrome browser

A properly installed SSL certificate is more than just a lock icon next to the website address bar. It’s actually promising three things to your users.

  1. All of the data sent by this site is encrypted. This makes it much less likely that any third-party is able to intercept and steal any data sent to the user.
  2. Data from this site cannot be modified during the transfer. This means that if a malicious person does somehow intercept the data, it cannot be changed to appear differently than you intend.
  3. Your site truly belongs to you, and is not a clone or imposter site. Clicking the lock icon will display the company name that the domain is registered under. This is an extra assurance that users are visiting your real site, and not a fake site set up to look like yours.
Michael Kant's avatar
Michael Kant

Mike is a developer at Hop Studios, working on all the best parts of the internet. Hop Studios has been working in and on Expression Engine for (practically) decades, producing amazing websites and…

Comments 0

Be the first to comment!