Web Security: 5 Tips for Protecting Your Site
Web Security: 5 Tips for Protecting Your Site avatar


Identity theft. Online fraud. Phishing. Spam. If you’ve been following the news lately, these are terms you’re familiar with.

It’s no secret that the Web is all about the sharing of information. If information is power, plugging into the Web is a good thing. Right?

Unfortunately, the Web has proven an effective tool for criminals and people engaged in unethical business practises.

So how can you actively participate online and protect your website from spammers, hackers and other bad actors?

Tip #1: Protect Your E-mail Addresses

Anyone with an e-mail account has had first hand experience with e-mail spam. Spam – not the canned meat variety – is unsolicited “junk” mail that is typically sent in mass mail-outs.

One reason spam is so widespread is that it’s a very inexpensive system to operate. Spammers rely on the use of programs that scour the Web harvesting e-mail addresses. These addresses are compiled into huge mailing lists – without consent.

Once your e-mail address has been added to one of these lists, it’s very likely your address will continue to circulate and wind up on multiple mass mailing lists.

Use your favourite search engine to run a search on your e-mail address. If the search finds sites containing your contact information, the chances are very good that your address is wide open to spam harvesting.

The best defense is to make sure your e-mail address is not out in the open for spam programs to pick up. Unless it’s critical that your e-mail address is made public on those sites, contact them and ask them to replace your e-mail address with your Web address.

The one place where you do want your e-mail addressed published is on your own website. Fortunately, there are techniques available that allow you to provide a fully functional e-mail link that is hidden from e-mail address harvesting programs.

At Black Cap Design, every website we develop includes spam protected e-mail links – a technique that hides your e-mail address from spam harvesting programs.

It’s also a good idea to have at least one “disposable” account you can use when signing up for services you’re not 100% sure about. You can sign up for a free web-mail account with a service like hotmail or gmail. If you start getting spammed at that address, ditch that one and create a new account.

Tip #2: Make Use of Private WHOIS

Identity thieves steal and compile personal information (names, addresses, phone, social security and credit card numbers, usernames and passwords) from people like you and me. They can use that information to divert mail, access personal accounts, make fraudulent payments and apply for new credit – all without our knowledge.

If you are planning to purchase a domain name, consider protecting your personal information with Private WHOIS.

To purchase a domain name, you are required to provide a valid name, address, phone number and e-mail address. Once your domain is registered, that information is in the public domain and is accessible to anyone with an Internet connection.  Note: Good news!  Since June, 2008, the Canadian Internet Registration Authority no longer posts registration details of individuals associated with .ca domains.

In response to privacy concerns, domain registrars are increasingly offering Private WHOIS – an inexpensive service that protects your personal information. We have referred many Black Cap Design clients to Namespro, a domain registrar based in British Columbia, which offers Private WHOIS for a 1-time fee of $6.88. It’s an inexpensive way to protect your personal information.

For more information about registering your domain, visit our blog post: Domain Registration vs Hosting: What’s the Difference?

Tip #3: Purchase an SSL Certificate to Encrypt the Transmission of Information and Guard Against Phishing

Contact forms and questionnaires are a great way to gather useful information from visitors to your site.

When a visitor to your website fills out a contact form or questionnaire and submits it, the contents of that form are visible as it makes its way the server where the the website files are stored – much like the contents of a post card are visible en route to its destination.

One very effective way of securing this information is to encrypt it. This involves purchasing and installing an SSL certificate. With SSL, the message is encrypted as it leaves the visitor’s Web browser. The only key that can decrypt the message resides on the website that generated the form or questionnaire.

You can easily tell if a Web page is encrypted with SSL: the address bar which usually begins with http:// will instead begin with https://. The “s” indicates the page is secured with SSL.

SSL also protects against phishing. Phishing happens when a fake site passes itself off as a trusted, legitimate site. The fake site will collect private information, such as credit card numbers. SSL certificates are intended to verify that a given website is legitimate.

The price for SSL certificates varies significantly: for example you may want to compare GoDaddy with VeriSign. The difference has to do with brand recognition and the level of security. Large e-commerce sites pay a lot for the VeriSign name, but they also get a higher degree of encryption.

To install an SSL certificate you will also require a dedicated IP address. Your Web host will likely charge you a nominal monthly fee for this.

To inquire about setting up SSL on your website, contact us at in**@bl************.com.

Tip #4: Protect Your Site from Code Injection and Brute Force Attacks

If your site provides the ability for visitors to input and submit information, such as a username and password, or comments and messages, it’s important to block hackers and malicious software injection. 

Any input box that allows a visitor to enter and submit data is like a door or window into your house.  Unlike your house, you’re not going to be around to monitor people entering and leaving your website, so it’s necessary to filter what can and can’t be added in those input boxes. 

It’s also a good idea to prevent people or computer programs from repeatedly entering information – a technique known as a Brute Force attack.  Hackers have written programs that systematically enter characters into a password input box until the correct combination is found – at which point, your website security has been breached.  Fortunately there is software available which allows only so many attempts after which the offending visitor is blocked.

It’s a good idea to check with your Web Developer to ensure your site is well protected from hacking, code injection and brute force attacks. 

Tip #5: Add Password Protection to Pages Containing Sensitive Information

If you would like to post sensitive information online but don’t want just anyone to have access to it, you can protect certain areas of your website with password protection.

Many people and organizations use this method to manage access for:

  • résumé or CV pages
  • family photos
  • memberships
  • employee pages
  • board member pages
  • subscriptions

If you’d like to know more, or have general questions regarding website security, contact us at in**@bl************.com.