
Security Guide - Website Security 101

written by: Steve McFarlane•edited by: Michele McDonough•updated: 5/6/2010

This article will highlight steps that administrators can take to improve the website security of the operations that they oversee.

  • slide 1 of 3

    Keeping Your Website Secure

    No domain, website or network is absolutely immune to attacks, even if it is not connected to the Internet. The good news is that most attackers will be deterred by strong security measures and are less likely to spend the extra time to hack a secure website, especially when there are easier targets. Nevertheless, site administrators must do all they can to improve their website’s security.

    Hackers pose a significant security risk to any website or e-commerce activity. At the very least, a hack will cause some services to go offline; in a worst-case scenario, the hacker will make off with your customers’ credit card numbers and sensitive data. Not only can a hack be expensive, but it can also be very embarrassing. Ensure that you do all you can to protect yourself against attacks and unauthorized network access by using the following measures.

  • slide 2 of 3

    Use a Firewall on Your Web Servers - A firewall is your first line of defense against an attack. A firewall is simply software or hardware that filters traffic between network segments so that a firestorm of problems cannot propagate throughout the network. To improve your web server security, a firewall should be placed at every access point to the network. Installing a firewall won’t make your website hacker proof, but at least it’s a good starting point.


    Enforce Strong Security Policy - Rules are of little value if they are not enforced. Don’t just ask users and administrators to use strong passwords; configure the requirement as part of your security policy, and run regular audits to ensure that the rules are being followed. In fact, in a large number of cases it is during such audits that evidence of a hack is uncovered.

    Turn off Unused Web Services - Not only will your servers run faster by having less to do, but turning off unused services will reduce the number of ways that your website can be compromised. Consider turning off FTP and remote control services, and remove shells and interpreters (e.g. Perl) you don't need. If there are any unnecessary directories, delete those also.

    Apply Patches and Software Updates - To stay ahead of new security threats, you must apply the software updates and patches that are provided by your software and hardware vendor. These updates will ensure that hackers won’t be able to exploit certain known vulnerabilities in your equipment.

    Back Up Your Data - Having backups ensures that you can recover your data should the worst happen. However, backups are of no use if they are not current. Ensure that you routinely back up your files and keep copies in a secure location, preferably offsite, to protect them against theft or a fire on your premises.

    It is OK to have a backup of the daily, or even weekly transaction records on your server. Keeping a copy there will allow you to quickly retrieve important data if the need arises. But just in case there is a complete failure of your server or your file storage system, you need to have copies stored offsite.

    Limit Resource Access Rights - Regardless of whether certain users are perceived to be a threat, they shouldn’t have access to information they don’t need to do their work. Not even the manager should have access to everything if he doesn’t need it to do his job. This limits the exposure your website will have if the security of one account is compromised or a user messes up some critical data. Be sure to delete the accounts of inactive or dismissed employees as quickly as possible.

    Access rights can also be maintained by isolating any mission-critical data or resource from the rest of the network, including any external network such as the Internet or an extranet. While this might not be practical in some instances, it is one of the most effective ways to protect a network or website against hackers, viruses and malware. These resources can be isolated by using a subnet, or by having a secondary server in another location.
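    As an added example that is not part of the original article, the following Python script shows the "configure it, then audit it" approach from the security-policy section applied to the access-rights advice above: it checks constructed account records for dismissed or inactive users who still have accounts, passwords older than the policy allows, and access beyond what each role needs. The policy values, role-to-resource matrix and sample accounts are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Policy values and audit date are constructed assumptions for this example.
MAX_PASSWORD_AGE_DAYS = 90
MAX_INACTIVE_DAYS = 30
TODAY = date(2010, 5, 6)
# Least-privilege matrix (assumed): the resources each role needs for its work.
ROLE_RESOURCES = {"webadmin": {"webroot", "logs"}, "dba": {"orders_db"}, "manager": {"reports"}}

@dataclass
class Account:
    name: str
    role: str
    status: str          # "active" or "dismissed"
    password_set: date   # when the current password was set
    last_login: date
    resources: set       # resources the account can currently reach

# Return the policy violations for one account (empty list if compliant).
def audit_account(acct, today):
    findings = []
    if acct.status == "dismissed":
        findings.append("dismissed employee still has an account")
    elif (today - acct.last_login).days > MAX_INACTIVE_DAYS:
        findings.append("inactive account; disable or delete it")
    if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than the policy allows")
    excess = acct.resources - ROLE_RESOURCES.get(acct.role, set())
    if excess:
        findings.append("access beyond role needs: " + ", ".join(sorted(excess)))
    return findings

# Map each non-compliant account name to its list of findings.
def audit(accounts, today=TODAY):
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.name] = findings
    return report

# Constructed sample accounts: one compliant, one dismissed, one over-privileged.
SAMPLE = [
    Account("alice", "webadmin", "active", date(2010, 4, 1), date(2010, 5, 5), {"webroot", "logs"}),
    Account("bob", "dba", "dismissed", date(2010, 1, 1), date(2010, 2, 1), {"orders_db"}),
    Account("carol", "manager", "active", date(2009, 12, 1), date(2010, 5, 4), {"reports", "orders_db"}),
]
```

    Calling audit(SAMPLE) reports bob (dismissed, stale password) and carol (stale password, access to orders_db her role does not need); alice is compliant and does not appear.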

    Physically Secure Your Equipment - In addition to the risk of having your equipment stolen, leaving your network equipment and servers physically unsecured exposes your entire network to security breaches. You may have applied the latest patches and implemented the latest security measures, but if your equipment is not locked away, your efforts at securing your network may have already been compromised. You must keep the doors to your server room and equipment rack closed.

    Most of the equipment that you work with will come with reset buttons to bypass security measures, just in case the password is lost. If someone can gain physical access to your equipment, they can reconfigure it to suit their purpose. Consider a case where the network administrator has configured two routers to handle separate domains or subnets for security reasons. If someone has access to the routers, they can use an Ethernet cable to connect the routers and bypass your security measures, especially if there are no other safeguards configured in your network architecture.

  • slide 3 of 3


    One major concern of any e-commerce business is website security. In general, it is the objective of every site administrator to ensure that only authorized persons can access network resources, quickly and without a hassle, while at the same time ensuring that hackers are kept at bay. To ensure website security, site administrators must put a strong security policy in place, keep all equipment up to date and set the appropriate access rights. These measures may not be sufficient to ward off the most determined attackers, but strong security measures might just be enough to keep certain security threats away from your web servers.