web security“My name’s Hank, and I’m a web developer.” – sounds like an AAA intro!  Yet, that’s sort of how I feel this morning after attending a talk for web developers about web security last night.

Yes, I’m almost feeling ashamed of being associated with these people, by being a web developer, and I’m more convinced than ever that you can do a fine job building your own website.  Here’s what happened –

First off, the speaker didn’t know beans about web security, and what little he did know was outdated and pretty much bad practice in today’s web world.  That much didn’t surprise me.  I should have offered my assistance in putting the talk together, but I was busy.

What DID surprise me was when I pointed out that since hackers can inject code into a website that would then attack VISITORS to that site, both the site owner and the developer were potentially liable if they fail to take reasonable precautions – the speaker objected.

He said that web security wasn’t important for sites that didn’t store credit card numbers and that it was website visitors who were solely responsible for their own web security (“they should have anti-virus”) and that all developers should have an LLC so that if they get sued, “You can just give them a worthless company and start over.”

Even Symantec admits that anti-virus software can’t detect much of the malware out in the wild today.  And putting the onus on the least-knowledgeable people – site visitors – is (IMHO) irresponsible and not likely to hold up in court, especially as courts get more web savvy.

There’s lots of information, other than credit card numbers, where theft can lead to harming customers, and the business.  And, as I’ve already noted, hackers don’t have to steal anything to harm your visitors.

Competitors can hire a hacker to kill your search engine rankings!  I’ve seen that happen where a client’s sites dropped off the charts six months before he called me.  He’d spent all that time re-optimizing his site and trying to regain his rankings without realizing that a hacker’s malicious code was the reason for his downfall.  He eventually decided not to rebuild and gave up his business.

So, yes – you can build your own website.  And “yes”, it takes a professional to know web security.  So how can you DIY?  By sticking to a reputable CMS and keeping it updated.

WordPress has automatic update options, so you’re taken care of for the core files.  But what about custom templates and plug-ins?  Yup.  That’s where you gotta be careful.

Try to stick only with well-known, reputable developers for themes and plug-ins.  If you have to have a custom theme or plugin from a small company, pay a web security person to go through the code and be sure it’s safe.  It might cost you a hundred bucks or two (at most), but that’s a lot cheaper than facing the possible disasters that can happen with insecure code.