Ensuring your website is secure and ready for GDPR
Stuart Morrison – Mister Metric – helping business protect and maintain their website
The 25th May 2018 sees the start of enforcement of the EU’s General Data Protection Regulation (GDPR), and for many small business owners there is a lot of confusion and there are many questions about it. Whilst there is much to understand across many areas of a small business, there are some simple steps that will improve the compliance of your website’s data gathering and its security, and help you to get ready for GDPR online.
HTTPS, or Hypertext Transfer Protocol Secure, is familiar to a lot of people as the ‘thing’ responsible for the green padlock in their browser address bar. Most commonly seen on ecommerce-enabled websites, it has been growing in popularity. Google has stated that websites using HTTPS will be looked on more favourably and ranked better, whether they are ecommerce-enabled or not.
Purchasing and configuring an SSL/TLS certificate is perhaps not a “one click” install; it can be complicated if you don’t know what you are doing and might be beyond your technical abilities. However, applying HTTPS to your website and ensuring all content is delivered over the encrypted connection it provides is definitely a “must have” if you wish to give your visitors the best protection when they connect to your website. A page that still loads even one script or image over plain HTTP is flagged as mixed content and loses the padlock, so check every resource on every page, not just the home page.
HTTPS will also encrypt your visitors’ personal details, such as email address, name and phone number, while they travel between the visitor’s browser and your website, should they submit them via a form on an HTTPS-protected page. This gives you a much more secure way to handle your visitors’ details, from forms and checkout processes to logins and downloads. Even without any GDPR requirement, HTTPS is something all small business owners should look to do.
From our experience we note that general website security is rather lax on a large percentage of the small business websites we see. Many small businesses use WordPress, a good content management system, but it does have some security weaknesses that should be addressed. The following issues can also affect non-WordPress websites, so please check yours whether you use WordPress or other website software.
Ensure you hide your WordPress version number from casual visitors. Knowing which version of WordPress you run helps hackers and malicious coders pick known security weaknesses to use against your website. Keeping WordPress patched and up to date will help limit and reduce your exposure to any malicious attempt to hack your website.
Hackers also use “user enumeration” to probe your website for valid usernames; it is then much easier to attack a site with a known username. Preventing these username scans helps to protect the website from further intrusive, unwanted attention.
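The two fixes above (hiding the version number and blocking user enumeration) can be applied with WordPress’s own hooks. The following is an added example, not Mister Metric’s code and not part of the original article, of a small must-use plugin. The hook and filter names, the REST route keys and the sitemap filter are standard WordPress; the file name, the plugin name and the choice to send blocked author requests to the home page are assumptions.

```php
<?php
/**
 * Plugin Name: Hide WordPress version and block user enumeration (added example)
 *
 * Save as wp-content/mu-plugins/hide-version-block-enumeration.php (file name
 * assumed). Must-use plugins load on every request and need no activation.
 */

// 1. Hide the version number. WordPress prints
//    <meta name="generator" content="WordPress x.y.z"> in <head> and a similar
//    <generator> element in RSS feeds; remove both.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Block author-archive enumeration. A request for /?author=1 is normally
//    redirected to /author/<username>/, which hands the login name to anyone
//    who asks. Priority 1 runs ahead of WordPress's own canonical redirect.
add_action('template_redirect', function () {
    if (isset($_GET['author']) && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301); // destination is an assumption
        exit;
    }
}, 1);

// 3. Block REST API enumeration. /wp-json/wp/v2/users lists account names to
//    anonymous visitors; keep it for logged-in users, who need it in the editor.
add_filter('rest_endpoints', function (array $endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 4. Block sitemap enumeration. WordPress 5.5 and later publishes
//    wp-sitemap-users-1.xml, which also lists author names; returning false
//    from this filter drops that provider while keeping posts and pages.
add_filter('wp_sitemaps_add_provider', function ($provider, $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);
```

After installing it, check the result as a logged-out visitor: the page source should contain no generator tag, /?author=1 should land on the home page rather than an author archive, and /wp-json/wp/v2/users should return a “no route” error. Hiding the version is a precaution, not a substitute for updating; an unpatched install can still be recognised from its files, so the update advice above remains the priority.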
Usernames can be protected in other ways. When a legitimate user attempts to log in, your site wants to help them should they have problems, which is very user friendly. However, revealing too much information can put the site at risk, so error messages for failed logins should be limited and non-specific. An example: your user is John Smith, and his password is ABCD.
The user inputs the following:
Username: John Smith
Password: 1234
Your website then shows an error message as follows: “Your password is incorrect, John Smith.” This confirms to the hacker:
1) You have a user named John Smith
2) The password they tried is not right
The hacker can now start to work through passwords to figure out the correct one (if you let them!). A much better login error message would be:
“Please check your username and password.”
You should then limit failed logins to 3 or 4 before locking out the user’s IP address for a period of time: 5 minutes to start with, then after another 3 or 4 tries lock them out for an hour, then a day, and so on. Bear in mind that many visitors (an office, a school or a mobile network) can share one IP address, so a lockout can affect genuine users too. You can of course help the genuine user by offering them a password reset to any registered email address.
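Putting the login advice above together for a WordPress site, the following is an added example, not Mister Metric’s code and not part of the original article, of a must-use plugin that replaces WordPress’s specific login error messages with the generic one suggested above and locks an IP address out after four failures, first for 5 minutes, then an hour, then a day. The hooks, transient functions and time constants are standard WordPress and the code needs PHP 7 or later; the file name, the transient key prefix, the message wording and the choice of four failures (the article suggests 3 or 4) are assumptions.

```php
<?php
/**
 * Plugin Name: Generic login errors and escalating lockouts (added example)
 *
 * Save as wp-content/mu-plugins/login-lockout.php (file name assumed).
 * Failure counts live in WordPress transients keyed by client address.
 */

const LOGIN_LOCKOUT_MAX_FAILURES = 4; // threshold assumed; article suggests 3 or 4

// Lockout lengths for the 1st, 2nd and every later lockout of an address.
function login_lockout_durations(): array {
    return [5 * MINUTE_IN_SECONDS, HOUR_IN_SECONDS, DAY_IN_SECONDS];
}

// One transient per client address (key prefix assumed). Behind a proxy or
// CDN, REMOTE_ADDR is the proxy, so every visitor would share one counter;
// fix that at the web-server level before relying on this.
function login_lockout_key(): string {
    return 'login_lockout_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

function login_lockout_state(string $key): array {
    $state = get_transient($key);
    return is_array($state)
        ? $state
        : ['failures' => 0, 'lockouts' => 0, 'locked_until' => 0];
}

function login_lockout_is_locked(array $state): bool {
    return $state['locked_until'] > time();
}

// Count a failure and, at the threshold, lock the address for the next
// duration in the escalation list (5 minutes, then an hour, then a day).
add_action('wp_login_failed', function () {
    $key   = login_lockout_key();
    $state = login_lockout_state($key);
    if (login_lockout_is_locked($state)) {
        return; // attempts made during a lockout do not extend it
    }
    $state['failures']++;
    if ($state['failures'] >= LOGIN_LOCKOUT_MAX_FAILURES) {
        $durations = login_lockout_durations();
        $step      = min($state['lockouts'], count($durations) - 1);
        $state['locked_until'] = time() + $durations[$step];
        $state['lockouts']++;
        $state['failures'] = 0;
    }
    // Keep the record for a day so the escalation survives the short lockouts;
    // an address that stays quiet for a day starts again from 5 minutes.
    set_transient($key, $state, DAY_IN_SECONDS);
});

// Refuse the login while locked. Priority 30 runs after WordPress's own
// username/password check, so a correct password cannot override the
// lockout; a locked address must wait or use the password reset.
add_filter('authenticate', function ($user, $username) {
    if (empty($username)) {
        return $user; // plain page load of wp-login.php, not an attempt
    }
    if (login_lockout_is_locked(login_lockout_state(login_lockout_key()))) {
        return new WP_Error(
            'login_lockout_locked',
            'Too many failed logins. Please wait or reset your password using the link below.'
        );
    }
    return $user;
}, 30, 2);

// A successful login clears the counters for that address.
add_action('wp_login', function () {
    delete_transient(login_lockout_key());
});

// Replace WordPress's specific messages (such as naming the username whose
// password was wrong) with the generic message suggested above, letting
// only our own lockout notice through so the user knows to wait or reset.
add_filter('login_errors', function ($errors) {
    if (strpos((string) $errors, 'Too many failed logins') !== false) {
        return $errors;
    }
    return 'Please check your username and password.';
});
```

To verify it, try a wrong password for a real account and confirm the page shows only the generic message; after the fourth wrong attempt the lockout notice should appear and remain for 5 minutes even when the right password is entered. The escalation state is stored in transients, so on a site with a persistent object cache the counters live in that cache rather than the database.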
Directory indexing is another weakness that also affects non-WordPress websites. It allows hackers to see the structure of a website and thus predict where any useful or vulnerable code might be. Another such issue is “full path disclosure”, where an error message reveals the location of your files on the server, which gives hackers similar information. Both of these vulnerabilities are easily fixed by a competent web developer or coder and should be addressed when looking to protect your website visitors.
These are just a few of the security improvements you should consider to ensure your users’ data, both in transit from their machine to your website and held within your website, is protected as much as possible.
One update you should make is ensuring you have an up-to-date, publicly accessible privacy policy. We’d encourage you to use the URL /privacy-policy, as this is the most obvious one. The GDPR says the information your business provides about how you process customers’ or visitors’ personal data must be:
1) “concise, transparent, intelligible and easily accessible”
2) “written in clear and plain language, particularly if addressed to a child”
3) “free of charge”
Further to this, the Information Commissioner’s Office states:
“The starting point of a privacy notice should be to tell people:
who you are;
what you are going to do with their information; and
who it will be shared with.”
Your privacy notice should therefore set out all the ways personal data may be collected and processed by your business, including an explanation of any cookies or tracking code that you may use to identify a visitor. It would also be useful to include details of who to contact about any matter arising from your privacy policy, how they can object, what your review process involves and what to expect when objecting to your business’s use of their personal data.
You could also encourage users to register and log in to manage their data and tell you specifically how they wish it to be used and when. This makes it easy for anyone to change their consent at any time. Some additional tips to help you when gathering data:
- Give the user as much control over their data as you can whenever possible.
- Only collect the data that you need now.
- Secure users’ data in its collection, storage and use, at all times and at all stages.
- Respond promptly and clearly to users who ask about your privacy practices.
- Avoid ‘secret’ updates to user permissions, privacy policy and terms and conditions.
- Make the use of any social features transparent; users will not thank you if you share their information when they were not aware that you would do so. Testimonials and feedback are a good example: ensure you have permission before using them publicly.
- Obtain consent to use a user’s location or other private data to customise their experience of your website.
- Make sure you have a very public privacy policy that is easily accessible from all pages on your website.
Go and carefully review your website, make sure all the elements listed above are checked, and then make changes and updates as required.
Please note that a lot of website “hacks” are not immediately apparent; hacks that damage the front end and are highly visible are called “defacements”. If hackers want to gather sensitive data from your website they will not alert you to their intrusion by defacing your pages, preferring to quietly insert code that collects user data and feeds it back to them. So our final guidance is to make a regular scan part of your ongoing security routine.
The sooner you start, the quicker you will offer a GDPR-compliant customer experience for your visitors; more importantly, you protect your visitors and offer your customers a secure way to do business with you.
To scan your WordPress website for the most common issues visit: https://mistermetric.com/security-test/
by Stuart Morrison MD – Mister Metric – helping business protect and maintain their website