Table of Contents
Web developers create hundreds of websites and often their security problems are associated with the same issues as basic computer security: outdated or unpatched software, weak password management, widgets with malicious scripts and so on.
But sometimes these issues are not superficial. Sometimes they go a bit deeper than that. You know the web hosting server is updated, the CMS (WordPress, Drupal, Joomla, Magento, etc.) is also running the latest version, yet, your new web creation still gets infected.
Well, it shouldn’t be a surprise because ultimately, vulnerability is present in every internet project. Every web developer has assets to protect, and in the web design world it’s the website assets (dashboard, site availability, data privacy, etc.) you are concerned about.
After identifying assets, the next step is to identify possible risks. Some risks are associated with the enumerated website assets: client data and password compromised (credit card breach is an example), sites and admin login pages brought down due to distributed-denial of service attacks, transactions diverted to a third party server, or web design defacement (business reputation gets damaged).
An un-secure web design can also result in abuse of functionality. This happens when a hacker uses the website’s own features to consume or defraud access to control mechanisms, which prevents normal user activity and permits an attacker to bypass the intended flow of application and server access. The sensitive content of the website can then be accessed without any proper verification.
Here you go
Security measures for web developers
The following are best practices web developers could take while creating their business to safeguard their client’s as well as their own business credentials, and reputation:
Passwords
It is crucial to implement strong passwords to the server and website administration login area, as well as insisting that clients adopt good password practices to ensure the security of their admin accounts. Enforcing requirements with a minimum of 8 characters and a necessity of lowercase and uppercase letters will help protect hacks in the long run.
You also have the option to install security widgets on your website. If you are looking for protection that is free, antivirus.com has a good list of free tools/widgets. Such security-based widgets and tools can also help manage website login IDs and passwords in a secure location, so you or the client only has one secured password to remember.
Error pages
Be mindful with how much information is displayed on error pages. For example, if there is a login page on your website you should be careful about the content displayed on the error page when there are failed login attempts.
A good idea is to use generic messages such as ‘access denied: incorrect password or username)’ as to prevent access even if the user gets half of the query right. If an error page gives away if one of the fields are correct in a brute force attack than the hacker would have done half of the damage and would only need to exploit the other field.
Cross site scripting (XSS)
This is when a hacker tries to infect a scripting code in the CMS JavaScript for gaining unauthorized access, or another code in another web page to attempt running malware for visitors of the client.
To prevent this from happening, ensure the data is submitted and encoded without any HTML when creating a web form or a web page.
UI/UX Consultant, Photoshop, XD, SketchApp, Product Designer, Website Designer, Mobile App Designer, Expert WordPress Developer. For web/mobile design and wordpress development related projects please contact me at dibakar@themepurpose.com