Security in Web Design Can’t be an Afterthought

Understanding the security threats that make frequent headline news involves a lot of wrestling with acronyms – it’s easy to prefer ignorance when confronted with terms like DDoS attacks, SQL injections, and XSS – but the increasing availability of hacking tools even on a for-hire basis means that protecting websites and devices is a concern for everybody, regardless of how large or small their business is or how tech-savvy they are.

Hosting and CMS

So, what’s the best way to create a bulletproof website? Every new build begins with two important questions – “which CMS is best for the job?” and “who will host the website?” The answer to both can help lay the groundwork for a secure online presence without much effort from the user. Note that a web design agency may have their own preference for hosting and CMS but the below considerations still apply.

In the case of the first question, opting for a CMS like WordPress means that a website will always have two-factor authentication, a type of login procedure that requires an additional hardware device (like a mobile phone), and a team of experts working to close security holes in the platform. Similarly, popular business CMS such as Umbraco and Magnolia often schedule “penetration tests” or simulated attacks to reveal vulnerabilities.

The second consideration, hosting, can be a quite a personal decision – there are “green” hosts, for example – but a good host still has a particular set of security features. Look for a back-up policy, server firewalls, dedicated tech support, and failsafes against malicious code. The importance of a good host can be summed up in the fact that all websites on their books are at risk if their neighbors are compromised.

WAFs and Updates

Even with the website hosted and built, security remains an everyday concern. For that reason, many owners entrust the task of fending off internet nasties to specialist software like web application firewalls (WAFs). WAFs can provide a prudent decision for retail websites in particular; some solutions, like Incapsula’s, help brands comply with PCI DSS, a type of security standard designed to combat credit card fraud.


In brief, WAFs provide a cloud-based “barrier” against our favorite acronyms – DDoS attacks, XSS, and SQL injections, otherwise known as Distributed Denial of Service attacks, cross-site scripting, and Scripted Query Language injections. While the former is the “celebrity” of the three, largely due to the Mirai botnet, SQL injection is an old trick that won’t go away, the cause of a great deal of embarrassment for UK brand TalkTalk and Vtech a few years ago.

The concept of maintenance is an important one in running a website – keep all software up-to-date (certain pieces of malware can sneak in through vulnerabilities in unpatched software; those frequent update requests from Java are designed to protect the user) and let firewalls, anti-virus, and anti-malware software run regularly, both for the purposes of scanning and updating themselves. Delete the accounts of old or AWOL administrators too.

Don’t be Lazy

Finally, it’s impossible to underestimate the significance of human laziness in successful cyberattacks. For example, password cracking software isn’t particularly clever; it’s just smart enough to know that there are some websites out there secured with a username and password combination like “admin” and “password”. Consequently, weak credentials are more of an invitation than a deterrent as far as criminals are concerned.

Similarly, two-factor authentication can be a pain, especially for users who clear their cookies often or move between devices a lot. It’s not something anybody wants to regret using in hindsight though, so make sure it’s enabled wherever the option exists. From the perspective of logging in, two-factor authentication means that a website is almost impervious to fraudulent activity – as long as the supporting device isn’t lost or stolen.

In summary, website security is more of an ongoing commitment than a quick fix but it doesn’t have to be an all-consuming job, as tools like WAFs demonstrate.

Exit mobile version