Protecting your website and customer information

Dave - Jun 03, 2017

Recently, the news has been full of stories about security issues at many leading websites and organisations. This can be a major problem for any brand that relies even in part on online sales or online lead generation. Any disruption to online trading can result in lost revenue and damage to your brand's reputation, or, even worse, financial implications should any data be compromised whilst in your possession.

Here at Koded, online security is something that we take very seriously. We continuously work with our clients and server companies to revisit and improve our processes and how sites are run, so that everything we produce is as secure as possible.

Below are 7 tips to make sure your site is as secure as possible:

1. Make sure your website is served over HTTPS with an SSL certificate

This is a topic we discussed in a previous post. An SSL certificate is important for the security of your website because it encrypts data in transit between your visitors' browsers and your server, which restricts what can be read while that data is on its way to you. If you haven't read it yet, why not have a look at the post relating to this here.

2. Work with your server company to make sure all security updates are in place

If you don't have in-depth technical knowledge of how servers work and wouldn't feel comfortable doing these updates yourself, partner with your server company to make sure that all server patches and software updates are applied, so that everything is up to date and vulnerabilities are closed off.

3. Keep your Magento webstore up to date with patches and updates

With any open source CMS, updates and security patches are released regularly. It is essential to apply these to your site to help protect against ongoing security issues. We love working with Magento here at Koded, and we regularly check the Magento site and our incoming emails to make sure that we are up to date with all patches that need to be installed.

4. Make sure all admin URLs are moved away from default URL paths

When you install any out-of-the-box CMS, it is more than likely that your site will default to a standard admin URL, whether that is /admin for Magento or /wp-admin for WordPress. These URLs are nice and easy to remember, but they are also very easy for hackers to target. Using your Magento configuration files, it is a simple change to move away from this URL to something more unique to your business.

5. Deny all access from external sources for version control directories

Along with point 2, this is another one to work on with your hosting partner. Inside the server configuration files, you are able to lock down which files can be targeted from external sources. We use SVN on all of our work here for many different reasons, which we will look into in a separate post, but the files it creates are then targetable from external sources, so they should be stored responsibly and locked down as far as possible.
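An added example for tip 5 (not Koded's own code): a Python check you can run on the server that lists version control metadata directories sitting under the web root and confirms each one is covered by a deny pattern. The directory names, the pattern and the sample tree are assumptions constructed for illustration; use the same pattern in whatever deny rule your hosting partner configures.

```python
import os
import re
import tempfile

# Assumption: metadata directory names used by SVN, Git and Mercurial.
VCS_DIRS = {".svn", ".git", ".hg"}
# Assumption: the same regex you would give the web server's deny rule. It
# matches a VCS directory as a whole path segment, anywhere in the path.
DENY_PATTERN = re.compile(r"/\.(svn|git|hg)(/|$)")
# A narrower rule for comparison: only the top-level SVN directory.
TOP_LEVEL_ONLY = re.compile(r"^/\.svn/")


def find_vcs_dirs(web_root):
    """Return URL paths of VCS metadata directories under web_root, sorted."""
    found = []
    for current, dirs, _files in os.walk(web_root):
        for name in list(dirs):
            if name in VCS_DIRS:
                rel = os.path.relpath(os.path.join(current, name), web_root)
                found.append("/" + rel.replace(os.sep, "/") + "/")
                dirs.remove(name)  # do not descend into the metadata itself
    return sorted(found)


def is_denied(url_path, pattern=DENY_PATTERN):
    """True if the deny rule would block this request path."""
    return pattern.search(url_path) is not None


def audit(web_root, pattern=DENY_PATTERN):
    """Return VCS paths under web_root that the deny rule does not cover."""
    return [p for p in find_vcs_dirs(web_root) if not is_denied(p, pattern)]


def build_sample_root():
    """Constructed sample web root: SVN checkout with a nested Git module."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for d in (".svn", "skin/css", "app/code/local/Module/.git", ".well-known"):
        os.makedirs(os.path.join(root, d))
    return root


if __name__ == "__main__":
    root = build_sample_root()
    print("VCS metadata in web root:", find_vcs_dirs(root))
    print("Not covered by deny rule:", audit(root))
    print("Missed by top-level-only rule:", audit(root, TOP_LEVEL_ONLY))
```

On the sample tree the segment-anchored pattern covers both checkouts, while the top-level-only rule leaves the nested module's metadata reachable.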

6. Regularly revisit all installed extensions and plugins

Third-party extensions are great for adding extra functionality to our websites and, on the whole, are fine to use. However, be careful about overusing them, as each one adds extra code that has been built somewhere else. These extensions should be regularly reviewed, updated if out of date, and removed if they are no longer relevant. We are also strong believers in only using third-party modules from sources we have used previously, rather than anything that can be found via a simple Google search. For Magento, always use extensions from the Magento Marketplace.

7. Remove all non-relevant or temporary logins to the admin areas

In any CMS we need to create a large number of logins for different people who work in the business, or even for temporary staff who need access for different things. When these accounts are no longer required, they should be removed as soon as possible to stop extra logins from external sources. Also, when creating new accounts, all passwords should be secure, randomly generated passwords.

This is just a brief overview of some simple tasks to look over to help maintain the security of your site. If you would like to discuss anything above or to talk to us about how we can help oversee your website security, please contact us here at Koded to see how we can help.