With the availability of platforms like WordPress, a lot more people are designing their own websites now, because it’s pretty easy to do. However, for the unwary and the uninitiated, we should point out that unless you’re doing your design and development in an offline staging area and testing ground like a WampServer, that website in design is still vulnerable to any of the security issues that a live, active, full-fledged website faces.
So what can you do if your new website is live while you’re creating it? I’ll address that situation here, and provide you with a number of security actions and measures you can take to implement the highest level of security possible, despite a website still being in the development stage.
Use a VPN
What is a VPN?
There are any number of reliable VPNs available on the market today, and utilizing one should probably be your first step toward securing your newly evolving website.
A VPN will secure and obscure any data that is traveling back and forth from your website to whatever destination it may go to. For example, if you’ve already installed some plug-ins, communication between the plug-in server and yours is anonymous. Any user information or data that’s available on your website, and anything on your device for that matter, is safe from prying eyes. More importantly, it is safe from those who may have malicious intent.
Here’s a shortlist of criteria you should keep in mind when considering a VPN.
- Connection speed.
- Availability and server locations.
- The type of encryption protocol used.
- Is it compatible with multiple devices, both desktop and mobile?
- Logging and privacy
- Available pricing plans
If you’ve done any sort of research on Virtual Private Networks, you’ll know that there is a limitless number available. But they all have different features and not all of them offer the same level of security.
Security Plug-Ins
Since a VPN will not offer 100 percent blanket protection on your new website, it’s important to consider finding and activating a good security plug-in. The following information is going to be based on the assumption that you’re building your own website on a CMS platform like WordPress. If you’re hand-coding the site from scratch, you will need to look for different options.
There are several top-of-the-line security plug-ins for WordPress, offering a variety of different features. Many are free, but the developers offer Pro packages as well. A Pro package will obviously have a wider range of security measures, and help provided should you face an issue.
Use HTTPS
Even if your site isn’t fully developed yet, as long as it’s live on the Internet, you should have an SSL security certificate. There are a variety of different ways to obtain a security certificate, both free and paid. And in this case, you’re okay to go with the free option. Let’s Encrypt is one of those free options and is suitable if your website is not an eCommerce website. For those running eCommerce websites, you should consider obtaining extended validation and a higher level of security.
There’s an added bonus to obtaining an SSL certificate and using HTTPS everywhere. You’ll move ahead of the pack in the search engines. Google doesn’t want to lead its users to insecure sites, so sites that have this verification certificate move to the head of the pack.
Avoid File Uploads
Giving users the ability to upload something to your website opens you to an incredible security risk. And this doesn’t mean you’re giving them the go-ahead to upload large files to your site; this could be something as simple as an image for their avatar. Virtually anything that’s uploaded to your website can contain a script that could be executed on your server.
If it is necessary for files to be uploaded to your site, the recommendation is not to allow users to have direct access to any files they upload. To do this, store all uploaded files in a folder other than the webroot.
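One way to apply the upload advice above, as an added example that is not code from the original article: an avatar is checked, saved under a server-chosen name in a folder beside the webroot, and read back only through the application. The function names, the public_html/uploads layout and the size limit are assumptions made for illustration.

```python
import secrets
import tempfile
from pathlib import Path

# Accepted avatar types, recognised by leading magic bytes, not by the client's filename.
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg", b"GIF89a": ".gif"}
MAX_BYTES = 512 * 1024  # assumed size limit for an avatar

def store_upload(data: bytes, upload_dir: Path) -> str:
    """Validate an avatar and save it under a server-chosen name; return that name."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = next((e for magic, e in MAGIC.items() if data.startswith(magic)), None)
    if ext is None:
        raise ValueError("not an accepted image type")
    # The user's filename is never used, so "avatar.php" or "../x" cannot reach disk.
    file_id = secrets.token_hex(16) + ext
    upload_dir.mkdir(parents=True, exist_ok=True)
    (upload_dir / file_id).write_bytes(data)
    return file_id

def read_upload(file_id: str, upload_dir: Path) -> bytes:
    """Fetch a stored file for the application to send back; reject path tricks."""
    root = upload_dir.resolve()
    target = (root / file_id).resolve()
    if target.parent != root or not target.is_file():
        raise FileNotFoundError(file_id)
    return target.read_bytes()

def rejected(func, *args) -> bool:
    """True when func(*args) refuses its input."""
    try:
        func(*args)
    except (ValueError, FileNotFoundError):
        return True
    return False

def demo() -> dict:
    """Run both functions on constructed uploads in a temporary, assumed site layout."""
    with tempfile.TemporaryDirectory() as site:
        webroot, uploads = Path(site, "public_html"), Path(site, "uploads")
        png = b"\x89PNG\r\n\x1a\n" + bytes(32)  # constructed PNG-like sample
        file_id = store_upload(png, uploads)
        return {
            "inside_webroot": webroot.resolve() in (uploads / file_id).resolve().parents,
            "roundtrip": read_upload(file_id, uploads) == png,
            "script_rejected": rejected(store_upload, b"<?php echo 1; ?>", uploads),
            "traversal_rejected": rejected(read_upload, "../public_html/index.php", uploads),
        }
```

The magic-byte check only screens the file type; it is the storage location outside the webroot that keeps the server from executing whatever was uploaded.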
Only Allow Strong Passwords
I’m sure you’re already following this advice yourself, but what if the site you’re designing will allow users to comment or maybe even publish posts? Then you need to make sure they follow good password rules as well. They may not like it, but be sure to insist by making it impossible for users to create and use weak passwords. And then you have a job as well. Make sure all passwords are stored as encrypted values.
This most certainly doesn’t cover all the measures you can take to secure a website, but it’s a good start!