The short answer is, “Yes.”
If someone is willing to put in enough time and effort, almost every website can be hacked. But, with a little work, you can eliminate the most common ways a hacker gains control of a website – causing them to move on to easier targets.
If your website is only a few pages of information about your company, you probably don’t have much to worry about.
However, if users can create accounts, place orders, check on order statuses, etc., you need to ensure the account and order data is secure from hackers.
Here are a few things you can look for that might mean you have security holes in your website. These are far from complete tests. But, they are simple indicators you can check on your own, before bringing in a security expert.
If your website has a “Forgot Password” function that emails the user their password, there are at least two security problems. A secure “Forgot Password” feature would email a special link that expires in a few hours.
When you visit your website, you might see the URL in the top of your browser that looks like “http://YourCompany.com/EditClient.aspx?clientID=123” or “http://YourCompany.com/ChangeOrder/456”. If you can change the “123” or “456” to a different value and edit the information for the other client or order, you probably have the security problem known as “Broken Access Control”.
Do you store credit card numbers in your database? If so, that makes your website a tempting target.
Have you ever seen an error if someone enters an apostrophe in their name, like “O’Hara”? That might mean you have a “SQL Injection” problem.
If something goes wrong on your website, do you see a screen full of technical information, or a short error message? If it’s the technical information, that can give hackers information about your website that will help them break in to it.
Can website users have simple passwords, like “password” or “Password1”? Hackers have lists of the most popular passwords and can use them to log in as your users.
When you visit your website, does it start with “http://”, or “https://”? Installing an SSL Certificate for your website (the “https” version) will encrypt the you’re your website sends and receives, making it more secure.
There are many more ways a website might be vulnerable to hackers.
If you’re concerned about your website’s security, hire someone to perform a “penetration test”. This is a form of ethical hacking, where an expert helps you find (and fix) vulnerabilities before unethical hackers attack your website.
If you have a custom-written website, you may want someone to do a security code audit – look at the code behind your website and see if it has anything that makes your website vulnerable to hackers.
To publish this article in your organization’s newsletter, contact me here.