“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu, The Art of War
Website defense is much like age-old military tactics in that you must prepare for both known and unknown threats. We reference Sun Tzu’s 5th century BC literature because though seemingly dated, many of its universal principles apply to today’s website security best practices. Even the most tech-forward companies are at risk of security breaches and inadvertent threats that may impact a website’s overall functionality.
Be aware of common threats to security and functionality
As a developer, your goal is to be as optimal as possible with the least effort. This means building or maintaining a website that has clearly defined goals, requires minimal upkeep, is safeguarded against site errors, and employs strategically implemented functionalities – whether coded or by way of existing programs. The art of website security begins with preparedness.
Yes, internal threats do exist. And no, they aren’t always intentionally malicious. Internal security threats result from a combination of things, but they’re often a consequence of non-tech-savvy users having high-level permissions on the back end of a website. For example, a user with unnecessary access to settings or plugins may install, activate or deactivate a plugin that should remain untouched, or worse, interfere with a function that has additional code associated with it, thus triggering broken content or a site error (e.g., 404 Site Error, 500 Internal Server Error).
On the other hand, internal peers may request website edits that are not optimal or best practice, requiring the designer or developer to stand their ground and convince others to follow their lead. While this may be unavoidable, you can fortify your website to limit any potential risk.
So, how can you protect your website?
Know thyself and choose your allies
Before building a new website, define your goals. What purpose will it serve? What do you or your client want to achieve with it? Can you reach these goals yourself, or do you need to outsource support? Answering these questions will allow you to create a website roadmap consisting of developmental milestones and opportunities to evaluate and identify potential weaknesses that you can get ahead of. This will prepare you to expect the unexpected and know when to retreat. Be realistic. Be proactive. Don’t be stubborn.
In addition to the standard optimization techniques, developers should also understand their capabilities and know when to use existing tools rather than build new ones. Don’t reinvent the wheel – if something does the job, and does it well, use it.
Ogury’s web developers use online tools such as PageSpeed Insights, GTmetrix and WebPageTest to diagnose problems and analyze potential areas of improvement.
Beware of hidden enemies, technically speaking
While it’s impossible to make your website 100% secure, you can make it less vulnerable. The mission here is to narrow your enemy’s attack line and be wary of hidden, accidental enemies (both humans and non-humans). Let’s take a look at how you can employ your first line of defense.
- Plugins: Did you know that most successful attacks on WordPress websites come through plugins? This is because each one is a potential point of entry for a breach, particularly around version updates. The more you weigh down your website with plugins, the more likely you are to run into a problem. Be selective in those you choose to implement, and don’t overuse them.
- Backups: Create a backup of your website regularly so you have something to fall back on should something break on the live version of your website. For example, if a plugin malfunctions and interferes with your website structure, you can quickly restore your most recent version until you resolve the problem.
- Strong passwords: We have all been guilty of being “hackable.” Think simple passwords like name + birth year = ‘Nikola1983.’ Complex passwords are one of the more obvious lines of defense in the war on websites as they are harder to crack. If you cannot come up with password combinations that are complicated yet memorable, use a password generator. This will spit out something like ‘g8(yvMJRN29-E:ed’ and will likely need to be stored in a secure location.
- Staging environments: With the exception of content updates, never develop directly on production servers, that is, the “live” site that website visitors see. Build and test on a development server before pushing updates online.
- Users: The fewer people with access to the back end of a website, the fewer opportunities for problems. Assign user permissions with care, considering their need, intent and skill (can they fix their own mistake?).
- Hosting: Spend more on dedicated hosting or a cloud server to improve page speed and overall performance.
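The Users point above, together with the earlier warning about accounts that have unnecessary access to plugins, can be turned into a periodic check. This is an added example, not code from the original article: the capability names are a subset of WordPress core's default single-site roles, while the accounts, their "needs" sets and the role name custom_seo_role are constructed for illustration.

```python
# Added example: least-privilege review of back-end accounts.
# Capability names follow WordPress core's default single-site roles (subset);
# the accounts and their "needs" sets below are constructed sample data.
CONTENT = {
    "subscriber": {"read"},
    "contributor": {"read", "edit_posts"},
    "author": {"read", "edit_posts", "publish_posts", "upload_files"},
    "editor": {"read", "edit_posts", "publish_posts", "upload_files",
               "edit_others_posts", "edit_pages", "moderate_comments"},
}
# Capabilities that change which code runs on the site or how it is configured.
PLUGIN_CAPS = {"install_plugins", "activate_plugins", "update_plugins",
               "delete_plugins", "edit_plugins", "manage_options"}
ROLES = dict(CONTENT, administrator=CONTENT["editor"] | PLUGIN_CAPS)
ORDER = ["subscriber", "contributor", "author", "editor", "administrator"]

USERS = [  # constructed
    {"login": "dev_lead", "role": "administrator",
     "needs": {"install_plugins", "update_plugins", "manage_options"}},
    {"login": "marketing_1", "role": "administrator",
     "needs": {"edit_posts", "publish_posts", "upload_files"}},
    {"login": "copywriter", "role": "editor", "needs": {"edit_posts"}},
    {"login": "agency_temp", "role": "custom_seo_role", "needs": {"edit_posts"}},
]


def least_role(needs):
    """Return the lowest default role whose capabilities cover `needs`."""
    for role in ORDER:
        if needs <= ROLES[role]:
            return role
    return None  # nothing in the default set covers it


def audit(users):
    """List (login, current role, suggested role, plugin caps to drop)."""
    findings = []
    for u in users:
        if u["role"] not in ROLES:  # custom role: capabilities unknown here
            findings.append((u["login"], u["role"], None, []))
            continue
        target = least_role(u["needs"])
        if target and ORDER.index(target) < ORDER.index(u["role"]):
            drop = sorted((ROLES[u["role"]] - ROLES[target]) & PLUGIN_CAPS)
            findings.append((u["login"], u["role"], target, drop))
    return findings


if __name__ == "__main__":
    for finding in audit(USERS):
        print(finding)
```

A finding with a suggested role of None means the account uses a role outside the default set and its capabilities have to be reviewed by hand.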
Exercise your authority
The phrase “too many cooks in the kitchen” is not unfamiliar to developers. There tend to be many individuals and teams who want to enforce their own ideas, solutions and deadlines in a new or ongoing website build. Marketers may request certain marketing tools be installed on your website that may create internal security risks or slow down page load. Designers may create beautiful mock-ups that are hard to code, impractical or simply too clunky for ideal site performance. And clients may want their projects completed quickly and cheaply, which most developers know to be unrealistic.
As a developer, you must stand your ground while offering real solutions. Know your limitations, and don’t shy away from seeking more premium solutions when available. If you’re pressed to employ antiquated practices, back up your claims with metrics that support your experience and argument.
At Ogury, we encourage marketers and designers alike to share ideas for innovation and improvement to our website. Whether you work on your company’s assets or for a client, go the extra mile by adding functionalities, animations or integrations. A final tip would be to keep an eye on your competition for inspiration on new implementations or routes you’ve yet to take. Websites should evolve, so be prepared to adapt.