How to Keep Security in Mind When Building a Site from the Ground Up

Security for a website is somewhat like the framing of a brick and timber house: it is far stronger, and far cheaper, when it is built in from the very beginning than when it is bolted on afterwards.

For starters, you will know exactly how everything fits together and can build it so that the site and its underlying data stay as secure as possible. Decisions made early, such as which accounts may touch the database or which directories the web server may write to, are also the ones that are hardest to retrofit later.

The bottom line is that digital security matters more than ever: the internet is full of automated scanners, opportunistic attackers and organised criminals probing your site's assets. You owe it to yourself and your company to implement it as fully as possible. The alternative is to risk being compromised at any moment and watching everything you have built taken down.

Keep these essential facts in mind as you go over the site protection tips we cover below.

Choose the Right Hosting

The foundation of your site is its hosting: the servers, run by your hosting provider, that hold your site's files, its databases and all of its accompanying data.

You will therefore want to secure them as strongly as possible as the first step in a protected design.

For one thing, this means choosing a hosting provider with a solid reputation for security, for the protective options it offers and for the quality of IT attention it gives its clients' needs. Shop around and compare the services on offer. Basics to look for include dedicated (rather than shared) hosting, prompt security updates for the core LAMP stack (Linux, Apache, MySQL and PHP), and monitoring of your servers from multiple locations.

Make sure the provider is open about which security features it offers and which it does not, and about what it patches itself versus what remains your responsibility.

Build your Site in a Closed Environment

Attackers love to probe weakly designed or half-finished code, so a site that is still under construction is an open invitation for intrusions of various kinds. To prevent this, do as much of the development work as possible in a closed, local environment before the site is finished and buttoned up. You can create one on your own computer, or in an isolated virtual machine, with local server packages such as WAMP or MAMP, which are free to download and fairly easy to use.

WAMP (for Windows) and MAMP (for Mac) are separate packages that play the same role: each bundles Apache, MySQL and PHP so that you can develop and test a complete site without exposing it to the open web. Keep them bound to localhost, and never copy their development settings or default credentials to the production server.

Set up SSL for your Site Servers

SSL, or Secure Sockets Layer, and its successor TLS (Transport Layer Security, which is what every current browser actually negotiates) encrypt the traffic between your site and its visitors and let the browser verify that it is talking to the genuine server. This stops eavesdroppers on the path from reading or tampering with logins, session cookies and form data. In short, enabling SSL/TLS is a vital step towards strong site security.

Luckily, enabling it is usually simple: log into the control panel that comes with your hosting package (cPanel, for example, can issue and renew certificates automatically through its AutoSSL feature) and turn on the certificate option, or ask customer support to do it for your site. Two follow-ups are easy to forget: redirect all plain-HTTP requests to HTTPS, and send a Strict-Transport-Security header so browsers keep using HTTPS on later visits.
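Once the certificate is installed, confirm that the site actually enforces it. The shell functions below are an added example, not code from the original article or from any hosting panel: they read raw HTTP response headers (as produced by `curl -sI`) and check that the plain-HTTP side redirects to https:// and that the HTTPS side sends an HSTS header whose max-age is at least a year, the minimum the browser preload list asks for. The sample responses are constructed, and www.example.com is a placeholder host name.

```shell
# Added example: verify that TLS is actually enforced, not just installed.
# Both functions read HTTP response headers on stdin (e.g. from `curl -sI`).

# Returns 0 when the response is a 301/302/307/308 whose Location is https://.
http_redirects_to_https() {
    awk '
        BEGIN { status = 0; https = 0 }
        /^HTTP\/[0-9.]+ 30[1278]/ { status = 1 }
        tolower($1) == "location:" && tolower($2) ~ /^https:\/\// { https = 1 }
        END { exit !(status && https) }
    '
}

# Returns 0 when a Strict-Transport-Security header is present with a
# max-age of at least one year (31536000 s).
has_hsts() {
    awk '
        BEGIN { ok = 0 }
        tolower($1) == "strict-transport-security:" {
            if (match($0, /max-age=[0-9]+/)) {
                age = substr($0, RSTART + 8, RLENGTH - 8) + 0
                if (age >= 31536000) ok = 1
            }
        }
        END { exit !ok }
    '
}

# Constructed sample responses (not captured from a real server).
PLAIN_GOOD='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Content-Length: 0'

PLAIN_BAD='HTTP/1.1 200 OK
Content-Type: text/html'

TLS_GOOD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Type: text/html'

TLS_WEAK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300'

# Live usage against your own site (needs network access):
#   curl -sI http://www.example.com/  | http_redirects_to_https && echo "redirect ok"
#   curl -sI https://www.example.com/ | has_hsts && echo "hsts ok"
```

Run both checks after every certificate renewal or panel change; a renewed certificate with the redirect silently dropped leaves visitors who type the bare domain on plain HTTP.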

Configure your Web Servers for Maximum Security

Aside from setting up SSL on your servers, which are the core of your site's online presence, you can harden them in several other, slightly more involved ways that are still easy to implement if you dig through the panel options or simply speak to your hosting provider's IT support.

For one thing, configure your servers to resist denial-of-service (DoS) attacks: floods of requests fired at your site until it can no longer serve its real users. Floods from a single source are easy to blunt, and your hosting can almost certainly be set to limit how many requests one client address may make in a given period before it is throttled or cut off (web servers offer this through modules such as Apache's mod_evasive or nginx's limit_req). Be realistic, though: a distributed attack (DDoS) from thousands of addresses can saturate your link before any per-source limit applies, and defending against that takes an upstream provider or CDN that absorbs the traffic.
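To pick a sensible per-source limit, look at what real traffic and real floods look like in your own logs. The script below is an added example, not part of the original article or of any hosting panel: it reads combined-format access log lines (the Apache and nginx default) and reports every source address whose busiest single second exceeded a threshold, which is the same quantity a request-time limiter enforces. The log lines are constructed and the addresses are documentation ranges, not real hosts.

```shell
# Added example: audit an access log for sources that burst past a
# per-second request limit. A server-side limiter enforces the same idea at
# request time; this finds the offenders after the fact so you can tune it.

# flood_sources LIMIT: reads combined-format access log lines on stdin and
# prints "ip peak_requests_in_one_second" for every source whose busiest
# second exceeded LIMIT.
flood_sources() {
    awk -v limit="$1" '
        {
            ip = $1
            # $4 is "[10/Oct/2023:13:55:36"; drop the bracket to get the
            # second-resolution timestamp used as the bucket key.
            ts = substr($4, 2)
            key = ip SUBSEP ts
            count[key]++
            if (count[key] > peak[ip]) peak[ip] = count[key]
        }
        END {
            for (ip in peak) if (peak[ip] > limit) print ip, peak[ip]
        }
    '
}

# Constructed sample log (not from a real server): 203.0.113.7 sends five
# requests in the same second; the other two addresses browse normally.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "scanner"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 3012 "-" "scanner"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "scanner"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?p=1 HTTP/1.1" 200 4120 "-" "scanner"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?p=2 HTTP/1.1" 200 4090 "-" "scanner"
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:41 +0000] "GET /style.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 1550 "-" "Mozilla/5.0"'

# Usage on a live log: flood_sources 20 < /var/log/apache2/access.log
```

The threshold you settle on from this audit is the number to put into the limiter; set it just above what a busy legitimate page load (HTML plus its assets) generates from one address.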

Secondly, change every password used to reach your hosting or any CMS installed on it (WordPress, for example) from its default to something of your own. That covers the MySQL databases, the hosting account itself, FTP and the CMS administrator account. Make each one long (16 characters or more), random and unique to that system, using a mix of upper and lower case letters and digits; length and randomness protect you far more than substitutions such as a zero for the letter o. A password manager makes this painless, and wherever the panel or CMS supports it, turn on two-factor authentication for the administrative accounts as well.
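The following shell functions are an added example, not from the original article or from any panel or CMS: a policy check that enforces the rules above and rejects stock default credentials, and a generator that draws from the kernel's random source and retries until the result passes the check. The 16-character floor and the list of default-credential fragments are assumptions chosen for this example.

```shell
# Added example: password policy check plus a matching generator for the
# hosting, FTP, database and CMS accounts. Length and randomness matter most.

# check_password PW: returns 0 if PW does not contain a stock default or
# keyboard-walk fragment, is at least 16 characters, and mixes upper case,
# lower case and digits.
check_password() {
    pw="$1"
    # Reject anything built around a shipped default or a common fragment
    # (assumed list; extend it with your own product and company names).
    case "$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')" in
        *password*|*admin*|*changeme*|*qwerty*|*123456*|*letmein*) return 1 ;;
    esac
    [ "${#pw}" -ge 16 ] || return 1
    case "$pw" in *[[:upper:]]*) ;; *) return 1 ;; esac
    case "$pw" in *[[:lower:]]*) ;; *) return 1 ;; esac
    case "$pw" in *[[:digit:]]*) ;; *) return 1 ;; esac
    return 0
}

# gen_password [LEN]: random alphanumeric string (default 24, never under 16)
# from /dev/urandom, regenerated until it satisfies check_password.
gen_password() {
    len="${1:-24}"
    [ "$len" -ge 16 ] || len=16
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len")
        if check_password "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Usage: gen_password 32   # paste the result into the panel and your password manager
```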

Create Reporting and Evidence Protocols for Actual Hacks

This should be a well understood and regularly followed procedure for everyone who manages your site (you, employees, hired administrators). In essence, have a protocol for documenting all evidence of an intrusion: preserve and quarantine compromised files, odd scripts, executables and anything else that looks suspicious; record when and where each item was found and a hash of it; and keep the web server, database and access logs from the period rather than letting them rotate away. Work from copies, and never edit or "clean" the originals before they have been preserved.

Everything collected through these documentation procedures is extremely useful when it comes time for digital forensics, whether done in-house or by a specialist service, to work out how you were compromised, what was touched and, sometimes, by whom.
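The quarantine step is where evidence most often gets spoiled, usually by someone editing or chmod-ing the file in place. The shell functions below are an added example, not from the original article or from any forensic tool: preserve_evidence hashes the original before touching it, copies it with mode and timestamps intact, strips the execute bits from the copy so it cannot run from quarantine, confirms the copy's hash matches, and appends a custody line recording when, who, hash, original path and copy. The paths in the usage comment are placeholders.

```shell
# Added example: quarantine a suspicious file without altering the original.

# sha256_of FILE: hex digest, using whichever tool the system has.
sha256_of() {
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | awk '{print $1}'
}

# preserve_evidence SRC QUARANTINE_DIR: copies SRC into QUARANTINE_DIR under a
# timestamped name, logs a custody record, and prints the path of the copy.
preserve_evidence() {
    src="$1"; qdir="$2"
    mkdir -p "$qdir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$qdir/$stamp-$(basename "$src")"
    hash_before=$(sha256_of "$src")
    meta=$(ls -ld "$src")          # owner, mode, size and mtime of the original
    cp -p "$src" "$dest"           # -p keeps mode and timestamps on the copy
    chmod a-x "$dest"              # the copy must never be executable
    hash_after=$(sha256_of "$dest")
    if [ "$hash_before" != "$hash_after" ]; then
        echo "preserve_evidence: copy of $src does not match the original" >&2
        return 1
    fi
    # One tab-separated custody line: when, who, hash, original, copy, metadata.
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$stamp" "$(id -un)" "$hash_before" \
        "$src" "$dest" "$meta" >> "$qdir/custody.log"
    printf '%s\n' "$dest"
}

# Usage: preserve_evidence /var/www/html/wp-content/uploads/odd.php /root/quarantine
```

Keep the quarantine directory outside the web root and readable only by the account doing the investigation; the custody log is what lets a forensic service trust that what you hand over is what was on the server.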

Set Up a Data Backup Procedure

This is one of the most crucial long-term security steps you can take: it protects your pages from catastrophic intrusion damage and from the downtime of trying to rebuild everything from whatever forensic recovery can salvage.

Set up an automated (or, failing that, manual) backup of all the site data held on your servers so that, if a severe compromise does occur, you have a clean copy stored elsewhere for quick restoration to a new server, or to the old host once it has been repaired. Keep the copies off the web server itself, since an intruder with server access can delete them along with the site; keep several generations, so that you can restore from a point before the intrusion began rather than re-installing a backdoored one; and test a restore periodically, because a backup that has never been restored is an unverified one. This minimises downtime during an actual incident and gives you the peace of mind that comes with secure copies of important site content.
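As an added example, not from the original article or any hosting provider's backup tooling, here is a site backup that refuses to report success until it has proven it can restore: it archives the web root into a timestamped tar.gz, writes a SHA-256 manifest beside it, then extracts the archive to a scratch directory and diffs it against the source. The database dump is left as a comment because it needs a live MySQL server; the paths in the usage comment are placeholders.

```shell
# Added example: timestamped site backup with a checksum manifest and a
# restore test. Copy the backup directory off the web server afterwards.

# sha256_of FILE: hex digest, using whichever tool the system has.
sha256_of() {
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | awk '{print $1}'
}

# verify_backup ARCHIVE SRC_DIR: checks the manifest hash, then extracts the
# archive to a scratch directory and diffs it against SRC_DIR.
verify_backup() {
    archive="$1"; src="$2"
    [ "$(sha256_of "$archive")" = "$(cat "$archive.sha256")" ] || return 1
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$src" "$scratch" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return "$rc"
}

# backup_site SRC_DIR BACKUP_DIR: prints the archive path on success.
backup_site() {
    src="$1"; out="$2"
    mkdir -p "$out"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$out/site-$stamp.tar.gz"
    # Database dump (uncomment on a real host; credentials belong in ~/.my.cnf,
    # not on the command line):
    #   mysqldump --single-transaction --all-databases | gzip > "$out/db-$stamp.sql.gz"
    tar -czf "$archive" -C "$src" .
    sha256_of "$archive" > "$archive.sha256"
    if ! verify_backup "$archive" "$src"; then
        echo "backup_site: restore test failed for $archive" >&2
        return 1
    fi
    printf '%s\n' "$archive"
}

# Usage: backup_site /var/www/html /backups/site
# Then ship /backups/site to another host (rsync, rclone, object storage) so an
# intruder on the web server cannot destroy the backups together with the site.
```

Run it from cron and alert on a non-zero exit; a backup job that fails silently for months is the usual way people discover that their "backups" are empty.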

Avoid Installing Too Many Third Party Plugins and Site Addons

As a final basic security tip, let's quickly cover post-construction additions to your site.

Your own server scripts may be well designed and secure, but if they are loaded down with less reliable third-party software that you or someone else installed to "improve" the user experience, those servers are much more exposed: every plugin runs with the same privileges as the site itself, and each one is another code base whose bugs become yours.

Install nothing beyond the extra software your site genuinely needs, remove (not merely deactivate) anything no longer used, and keep whatever remains religiously updated so that the latest, most secure version is what runs on your servers.