The online world changes constantly, and so do website security standards. How can you stay in the loop and fulfill the latest requirements? What should you consider when it comes to updating your website? Why systematically upgrade it at all? Here are a few tips from ESET Global Web Development Manager Martin Cambal that will help you stay on top of things and keep your online business presence sharp.
Check the current state of your website
Have you ever heard of the website Security Headers? This platform comes in handy if you want to check whether your page meets both basic and advanced security standards. “It provides your website with a school-like rating, grading it from A to F, and gives you recommendations on how to boost your website’s security. This tool might be useful for every web development team,” explains Cambal.
Build a safe microservice infrastructure
When building your website, think of one of the essential principles of infrastructural safety: build multiple independent systems rather than one “super system.” “For instance, when you sell goods on the internet, put your e-shop on one domain, and the shopping cart on another one, like shop.domain.com. Also, your invoicing system should be built on a separate domain and protected from public access,” Cambal says.
There are some immediate benefits to this approach – among others, it is harder to hack several independent microsystems than one monolithic system. Further, you can configure stricter security standards for the shopping cart, where people use their credit cards, and less strict policies for the e-shop, where you also want users to share your page on social media. “Once you decide to rebuild your website, you don’t need to do it all at one time. I’d recommend rebuilding systems step-by-step, based on your business priorities,” adds Cambal.
What’s a monolithic website system? A microservice infrastructure?
A monolithic website shelters all content and functions under a single domain, including, for example, invoicing, the e-shop and the shopping cart. It does not allow you to update the subdomains separately; everything has to be changed on the main domain as well. Also, if the website gets attacked, the whole system, its functions, and all content might collapse. Therefore, it's better to build a microservice infrastructure with three or domains and microsites, in which one admin system does not have access to the other. Also, when a homepage is attacked and/or paralyzed, the e-shop can keep on functioning on its own domain and users can still access it directly, for example via a direct shopping cart link from your email campaign.
Monolithic websites may also be a challenge employee-wise: “If your monolithic system has been developed using one kind of technology, then all future web development must be done with that same kind of technology. If your business grows, you will need to find and hire more specialists for that particular technology, which can be very challenging,” explains Cambal.
“Nevertheless, when using microservices and diverse technologies, you can avoid problems with human resources. In the labor market, it is easier to find a small number of specialists who focus on multiple technologies rather than a huge number of professionals who specialize in one sort of technology.”
Believe in the magic of regular, not once-in-a-blue-moon, updates
There’s another good thing about regular updates. When performed once a month, not once in five years, they don’t impact or really slow down business continuity. “Some development teams tend to delay upgrades, and when they finally decide to boost the website, it takes them several months, which might negatively affect the whole business by (over)loading the IT team’s capacities fully,” says Cambal.
Also, if your website uses some obsolete programming language, the provider could suddenly stop offering a particular platform. As a result, you won’t be able to find partners that still work with certain languages. “The product will cease to exist, and you as a website owner will be abruptly pushed to find a quick replacement, without having enough time to analyze your potential choices,” Cambal says
Rely on the principle of least privilege
When it comes to app updates, see them as a chance to redefine access rules. “All apps should only be authorized to take actions they really need to perform. If an app is allowed to do too much and a hacker breaks into it, they might perform any action, such as deleting all users,” says Cambal.
Create a list of IP addresses that can access the login page
Open-source systems usually have their admin sections on the same URL address as the homepage. Usually, this subpage is easy to guess, or it may be publicly known, such as /wp-admin for WordPress sites. “Attackers know this. The only thing that stops them from logging in to your CMS is not knowing your username and a password,” explains Cambal.
That’s where another tactic comes in: the attacker might conduct a phishing campaign to get all the necessary admin information. “The system administrator might receive an email with a link to a fake website that asks them to fill in their login. But instead of letting them access the website’s back end, they land in the hands of a cybercriminal. In this way, the door to your page is left open.” Therefore, it is always a good idea to secure your sensitive URLs and prevent disclosing them to the general public. The easiest way to accomplish this is to whitelist just the necessary IP addresses.
Consider the workforce on the market
Keeping your website fresh and running smoothly pays off from another perspective, too. The demand for IT experts is high, so the professionals will probably choose a job that lets them work with the latest technologies. As Cambal says, “If the website isn’t in the best shape, they would rather choose a more attractive project that doesn’t include dealing with problems that occurred due to previous negligence.”
Search engines prefer well-secured and regularly updated websites
High-quality and safe content – that is what search engines like. Therefore, one of the most basic updates is providing your website with HTTPS (Hypertext Transfer Protocol Secure). “Nowadays, you can use the services of Let’s Encrypt, a non-profit certification authority, to issue a valid certificate for free. The argument that SSL certificates are not affordable is no longer valid,” notes Cambal.
All in all, projects – including websites – are only sustainable when they are regularly upgraded. Even if the development team changes, the new experts should not find it difficult to work with the inherited systems and apps. It’s never too late to start taking updates seriously.