1. Security
As internet usage increased over the past decade, so have the instances of cybercrime. The FBI’s Internet Crime Complaint Center reported that $3.5 billion was lost to cybercrime globally in 2019 alone. As a result, users now understandably expect websites to take security seriously if they’re going to hand over their personal information.
According to GlobalSign research, 48% of visitors check for security indicators on a website before giving any personal information, while just 2% said they never pay attention to security. It’s clear that if you want to gain your user’s confidence, you’ll need to be secure. Here’s how:
Page Encryption and HTTPS
HyperText Transfer Protocol, or HTTP, has long been the primary system for transferring information between a website and its user. However, HTTP sends that information in the clear, which makes it easy for attackers to read or tamper with your users’ data in transit. HyperText Transfer Protocol Secure (HTTPS) protects this information by encrypting the connection, so anyone intercepting the traffic sees only unreadable ciphertext.
HTTPS doesn’t work alone. It needs a TLS (Transport Layer Security) certificate, formerly known as an SSL certificate. The certificate identifies your site and carries the public key the browser uses to set up an encrypted session with your site, so the data exchanged is readable only by your site and that user. Here’s how it works:
- The user types in your secure web address
- The user’s browser asks for your site’s TLS certificate
- Your site complies and sends over a decryption code
- Once the user’s browser accepts, encrypted data is sent to the user
The most common type of TLS certificate is the extended validation certificate, which provides details such as the site’s ownership and geographic location. There’s also the domain validated certificate, which keeps identity and location secret, and the organization validated certificate, which includes additional details.
Making the move to HTTPS can be a complicated process if you plan to go it alone. You’ll first want to reach out to your hosting company to see if they offer an easy HTTPS option (or find a hosting company that does). For example, Kinsta and WPX Hosting both offer one-click options for migrating to HTTPS that take less than a minute to complete.
If your provider doesn’t offer these options, we would recommend consulting a professional if you lack the technical expertise to pull off such a complex task.
But if you want to push forward, you can visit a site like Let’s Encrypt or SSL2Buy, which will help you obtain a TLS certificate. This guide from Kinsta also provides step-by-step directions for a complete HTTP to HTTPS migration.
Once a TLS certificate is installed, the process runs on its own with no additional effort on your part. With HTTPS in place, you’ll not only get added security, but you’ll also get a boost in your search rankings, as HTTPS has become a top priority for Google.
Mixed Content
Mixed content occurs when a page served over HTTPS also loads resources (scripts, images, stylesheets, frames) over plain HTTP, so the page has both secure and insecure elements. Most modern browsers block such resources or display a warning when they encounter mixed content — a red flag for users. To prevent mixed content from occurring, review your site’s code to make sure every element and redirect is loaded over HTTPS only.
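The review step above can be automated. The following scanner is an added example, not code from the original article: it takes the HTML of a page you intend to serve over HTTPS and reports every sub-resource reference that still uses `http://`. The sample page and its hostnames are constructed for the example.

```javascript
// Added example: find sub-resources an HTTPS page would still fetch over plain
// HTTP (the "mixed content" browsers block or warn about). Plain navigation
// links (<a href>) are not flagged, because following a link is not a load of
// the current page.
const TAG_ATTR_HTTP =
  /<(script|img|iframe|link|source|video|audio|embed|object|form)\b[^>]*?\s(src|href|action|data)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;
// Inline CSS can also pull in insecure resources, e.g. background images.
const CSS_URL_HTTP = /url\(\s*["']?(http:\/\/[^"')\s]+)/gi;

function findMixedContent(html) {
  const findings = [];
  let m;
  while ((m = TAG_ATTR_HTTP.exec(html)) !== null) {
    findings.push({ where: `${m[1].toLowerCase()}[${m[2].toLowerCase()}]`, url: m[3] });
  }
  while ((m = CSS_URL_HTTP.exec(html)) !== null) {
    findings.push({ where: 'css url()', url: m[1] });
  }
  return findings;
}

// Constructed sample page: two insecure tags and one insecure CSS url(),
// alongside HTTPS resources and a plain link that must not be reported.
const SAMPLE_PAGE = `
<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://cdn.example.test/legacy.js"></script>
<style>body { background: url(http://img.example.test/bg.png); }</style>
</head><body>
<img src="https://img.example.test/logo.png">
<iframe src="http://widgets.example.test/chat"></iframe>
<a href="http://partner.example.test/">Partner site (a link, not a sub-resource)</a>
</body></html>`;

for (const f of findMixedContent(SAMPLE_PAGE)) {
  console.log(`mixed content in ${f.where}: ${f.url}`);
}
```

Run it over each rendered template or crawled page before launch; a clean result means no finding lines are printed.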
Flash Vs. HTML5
Flash was once the standard for web animation, but its time and usefulness are fast running out: Adobe, Google Chrome, and Firefox have all announced they will no longer support Flash.
The death knell for Flash began with the publication of Steve Jobs’ “Thoughts On Flash,” where he criticized Flash’s incompatibility with Apple’s iOS. YouTube’s switch from Flash to HTML5 all but finished the job. Flash animation burdens users with downloading the latest update and runs slowly by today’s standards. But perhaps the biggest problem with Flash is that it operates as an image, so text within a video won’t be picked up by Google’s search engine.
In contrast, HTML5 performs the same functions as Flash with faster speeds and universal browser compatibility. HTML5 also allows you to incorporate text, images, and interactive buttons into your videos, a feature unavailable in Flash. Do yourself a favor and ditch Flash in favor of HTML5. Nothing says “outdated website” more than the presence of Flash animation.
Similarly, you’ll want to avoid other types of outdated technology on your site. Outdated technology often no longer receives security updates and can serve as an easy entry point for attackers.
Proactive Security Policy
You don’t want to wait until something goes wrong before you start taking security seriously. A security breach has the potential to ruin your reputation, lose customers, and cost you money. You can develop a proactive security policy first by training your staff to abide by secure best practices, such as avoiding suspicious links and keeping passwords long, varied, and difficult to guess.
In terms of the backend, there are a few options to ensure your security goes above and beyond what most sites offer. The X-Powered-By header advertises the technology your site or app runs on, which helps attackers pick attacks known to work against that stack; disabling the header removes that hint.
The X-Frame-Options header can help protect against clickjacking, the practice of embedding your page in a hidden or disguised iframe on another site so that unwitting users click on it. Sending an X-Frame-Options header tells the browser whether your pages may be rendered inside a frame or iframe at all.
You can learn more about the X-Frame-Options HTTP header and how it protects your site with this comprehensive guide from Mozilla.
Libraries such as Helmet (for Node.js) provide a one-stop shop for appropriate HTTP headers that protect web applications. There’s also the HTTP Headers plug-in available for WordPress sites, which is explained fully in this guide from InMotion Hosting.
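The two header changes discussed above, done by hand on a plain header map so the effect is visible. This is an added example, not the article’s code and not Helmet itself (Helmet’s `hidePoweredBy` and `frameguard` middleware perform the equivalent on an Express response); the `BEFORE` headers are a constructed sample of what an unconfigured Express app sends.

```javascript
// Added example: audit a captured response for the two headers the article
// names, and produce a corrected header map. Header names are matched
// case-insensitively, as HTTP requires.
const FRAME_POLICIES = new Set(['DENY', 'SAMEORIGIN']);

function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];
  if ('x-powered-by' in h) {
    findings.push(`X-Powered-By reveals the stack ("${h['x-powered-by']}"); remove it`);
  }
  const xfo = h['x-frame-options'];
  if (xfo === undefined) {
    findings.push('X-Frame-Options missing; any site can frame these pages');
  } else if (!FRAME_POLICIES.has(xfo.trim().toUpperCase())) {
    // Only DENY and SAMEORIGIN are honoured by current browsers.
    findings.push(`X-Frame-Options "${xfo}" is not DENY or SAMEORIGIN`);
  }
  return findings;
}

function applySecurityHeaders(headers, framePolicy = 'SAMEORIGIN') {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== 'x-powered-by') out[k] = v; // drop the stack hint
  }
  // SAMEORIGIN still lets your own pages frame each other; DENY forbids all framing.
  out['X-Frame-Options'] = framePolicy;
  return out;
}

// Constructed sample: default headers from an unconfigured Express app.
const BEFORE = { 'Content-Type': 'text/html; charset=utf-8', 'X-Powered-By': 'Express' };
const AFTER = applySecurityHeaders(BEFORE);

console.log('before:', auditSecurityHeaders(BEFORE));
console.log('after:', auditSecurityHeaders(AFTER));
```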
2. Privacy
When a user visits a website, a packet of information is sent from the website to be stored on their computer. These packets of information are known as cookies and can be used to help business owners keep track of the user’s behavior on the site. For example, if a user places an item in their shopping cart, cookies enable the item to stay in the cart, even if the user clicks off the page. Cookies can also be used to keep a record of a user’s most recent visit or to record login information, making it so users don’t need to remember their password every time they visit the site. While cookies are used as a catch-all term, there are different types of cookies that perform different tasks and pose varying levels of security risks.
Session Cookies
Session cookies are used to track a user’s behavior only when they actively navigate the website. Once they leave the site, the session cookie disappears. As a result, these cookies pose a lower security risk than more long-term cookies. Typically, session cookies are used to power e-commerce shopping carts and to control webpage elements during a user’s multi-page visit.
Persistent Cookies
Persistent cookies are longer-term cookies that are tagged with an expiration date. These cookies are stored in the user’s browser even after they exit the site and are reused whenever the user returns. They can also be used to track users’ online behavior beyond the site that issued the cookie, as long as the other site includes a resource from the original one. For example, clicking on an ad will enable the original cookie to track the user when they visit the ad’s site. This is the method that Google and Facebook use to create comprehensive logs of user behavior. Another example of a persistent cookie is the “remember me” option on most sites. The cookie enables the website to remember the user’s login information every time they visit the site.
First-Party vs. Third-Party Cookies
First-party cookies are those created by the site the user visits. This includes session and persistent cookies such as those remembering user login information. In contrast, third-party cookies are those set by a domain from outside the site, such as an ad network. The most common use of third-party cookies is tracking users who click on advertisements and associating them with the referring website. While third-party cookies are an omnipresent part of the modern internet and necessary to a degree, they also pose the highest security risk.
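The distinction between session and persistent cookies is visible in the `Set-Cookie` header itself: a cookie is persistent exactly when the server gives it a lifetime (`Expires` or `Max-Age`). The parser below is an added example, not code from the article; the three sample headers and their hostnames are constructed, and the notes it adds cover the attributes that limit where a cookie can be sent or read.

```javascript
// Added example: parse a Set-Cookie header, classify the cookie as the article
// does (session vs persistent), and note missing protective attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase(); // attribute names are case-insensitive
    cookie.attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function classifyCookie(header) {
  const c = parseSetCookie(header);
  const a = c.attributes;
  // No Expires/Max-Age means the browser discards the cookie when the session ends.
  const persistent = 'max-age' in a || 'expires' in a;
  const notes = [];
  if (!('secure' in a)) notes.push('no Secure: may be sent over plain HTTP');
  if (!('httponly' in a)) notes.push('no HttpOnly: readable by page scripts');
  if (!('samesite' in a)) notes.push('no SameSite: browser default decides cross-site sending');
  return { name: c.name, type: persistent ? 'persistent' : 'session', notes };
}

// Constructed samples: a shopping-cart session cookie, a "remember me" cookie
// and a cross-site tracking cookie set by an ad domain.
const CART = 'cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';
const REMEMBER = 'remember_me=tok; Max-Age=2592000; Path=/; Secure; HttpOnly; SameSite=Strict';
const TRACKER = '_track=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=ads.example.test; SameSite=None; Secure';

for (const h of [CART, REMEMBER, TRACKER]) console.log(classifyCookie(h));
```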
Cookie Consent Platform
Because cookies contain personal information, some users can be uncomfortable with their behavior being tracked online. As a result, rules and regulations were established over the past few years in order to be more transparent about the use of cookies. The largest of these regulations is the General Data Protection Regulation (GDPR), a regulation in EU law that addresses the transfer of personal data outside EU areas. There are also Federal Trade Commission (FTC) requirements for third-party cookies and privacy policy requirements for several countries, including the United States, the UK, Australia, and the EU. Basically, to stay in compliance you must abide by the following guidelines:
- If you are targeting EU consumers, you must tell them that your site uses cookies.
- If you allow paid advertisements or affiliate links on your site, you must disclose this information.
- If you track user activity or collect user data, you must provide a comprehensive privacy policy explaining how the data is gathered and used.
There are a few tools available to set up cookie consent platforms, such as Cookiefirst and Osano, which is open source. Tools like these ensure that you stay on the right side of the law regarding your cookie usage inside and outside the US. You can also use services such as Rocket Lawyer to create free customized privacy policies for your site.
3. Data Collection
According to a Pew Research poll, 79% of Americans said they were concerned about how their personal data is collected. And with high-profile data breaches like Equifax causing further concern, it’s extra important that you take the collection of your users’ data seriously.
Data Security
You’re responsible for protecting the passwords entered by your users. The best way to prevent hackers from accessing these passwords is to make sure your login pages are secured with HTTPS. Hackers can extract a password from non-secure HTTP pages, leaving your users’ information free to steal. Make sure all login forms are on HTTPS, especially those asking for any Personally Identifiable Information (PII) from your users.
2-Step Authentication
If you want to go the extra mile, your site could also require 2-step authentication, which involves the user receiving a text message or email containing a code. The user then enters the code, along with their password, before they can access the site.
You’ll need to evaluate whether this extra step is worth the effort on both your end and the user’s. But 2-step authentication can be effective, especially when users are providing important PII such as Social Security numbers.
Best Practices
- Allow pasting for input boxes, such as passwords — pasting makes web forms work well with password managers and reduces password overload.
- Explain how and why you collect data.
- Require individuals to give consent for their information to be collected and used.
- Explain consent in clear, unambiguous language.
- Explain to your users that they have the right to withdraw consent.
- Inform users which companies their data will be shared with, if any.
- Ensure all personally identifiable information is encrypted and not located within your database.
- Update your antivirus software, firewall, and malware protection.
- Create an emergency plan in the case of a data breach.
4. External Dependencies
When developers create new websites and apps, they regularly blend new code with pre-existing code using third-party libraries, known as external dependencies. Using third-party libraries can be a quick and easy way for developers to build websites and apps without the time-consuming task of creating new code. But you should be aware that using third-party libraries means giving up some degree of control, which could come with some security risks. There’s no guarantee that a third-party application regularly updates its security measures and there’s often no way to tell, especially if the library is not open-source. But that doesn’t mean you shouldn’t use third-party libraries at all.
Best Practices
- Use popular third-party libraries that have a large supporting community. These libraries tend to make regular updates and communicate with their community. You’ll also have fellow users to ask questions or express concerns.
- Use open-source libraries that provide access to the source code so you can identify any issues with quality or security loopholes.
- Make sure your chosen third-party libraries contain the correct licenses and specifications for whatever you intend to use the library for.