5 Website Security Fails Start-Ups Need to Avoid
Let’s say you’re ready to start an online business. You ask a friend of a friend who you know will help you build a website at a low cost. This person is pretty tech savvy and just so happens to build websites in their spare time. It’s the perfect setup.
A few months later, you've got your products into a nifty new e-commerce site—maybe you’re using a user-friendly content management system like WooCommerce, Shopify, or Wix to manage your products—and things seem to be easier than you ever imagined! Next thing you know, you’re welcoming your friends and family to your new store and, voilà, you’re on your way to becoming the next sensation.
Sounds almost too good to be true, doesn't it? Well, in a way it is, especially if your site isn't secure.
I've pulled together five of the common website security mistakes you’ll want to take into serious consideration after you've built your site’s foundation. Remember, you can never be too safe—consider your commitment to website security as an opportunity to reinforce your focus on keeping your newly found customers!
1: Accidentally enabling trespassers and thieves
All it takes is a few clicks or some toying with a URL and before you know it, a customer discovers he can visit parts of your website without having to log in.
If you're selling downloadable files, videos and training materials, this can be extremely frustrating—for both customers and business owners.
The customer may ask for their money back because it's clear they could just download all the files or information without having to pay.
This sort of issue often happens when you set up confirmation pages for your products that are not properly behind a pay or login wall. It can also happen via the direct link of where the files are stored. If people find your product valuable, you want them to pay for it, right?—not steal it!
To test whether your content is properly hidden from search, try a simple search on Google using “site:yourdomain.com” to see if Google is able to see your important content, or just type the confirmation page URLs into Google’s search bar to see if they appear in Google. When in doubt, check with your developer to make sure this is working the way you intend.
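One way to keep the direct file link itself behind the pay wall is a signed, expiring download link that the server checks on every request. This is an added example, not code from the original article; the secret key, paths and customer ID are constructed values.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a server-side secret that is never sent to the browser (constructed value).
SECRET_KEY = b"constructed-demo-key"

def _tag(path, customer_id, expires_at):
    """HMAC-SHA256 over file path, buyer and expiry, so none of them can be altered."""
    msg = f"{path}\n{customer_id}\n{expires_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def make_link(path, customer_id, ttl=3600, now=None):
    """Build the link shown on the confirmation page once payment has succeeded."""
    expires_at = int(time.time() if now is None else now) + ttl
    query = urlencode({"cid": customer_id, "exp": expires_at,
                       "sig": _tag(path, customer_id, expires_at)})
    return f"{path}?{query}"

def authorize(url, now=None):
    """Run on every download request, before any file bytes are sent."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        cid, exp, sig = params["cid"][0], int(params["exp"][0]), params["sig"][0]
    except (KeyError, ValueError):
        return False                      # bare direct link, or mangled parameters
    if int(time.time() if now is None else now) > exp:
        return False                      # link has expired
    expected = _tag(parts.path, cid, exp)
    # Constant-time comparison of the expected and supplied signatures.
    return hmac.compare_digest(expected.encode(), sig.encode())

if __name__ == "__main__":
    link = make_link("/downloads/course.zip", "cust-42", ttl=600, now=1_000)
    print(authorize(link, now=1_100))                              # paid customer
    print(authorize("/downloads/course.zip", now=1_100))           # guessed direct URL
    print(authorize(link.replace("course", "bundle"), now=1_100))  # edited URL
```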
2: Google is making private pages public
Google is the number one search engine in the world for a reason: it’s really, really good at finding what it’s looking for. The problem, however, is that sometimes what it’s looking for isn't meant to be found just yet.
Chances are, you aren't giving search engines the right signals on what content you want to be discovered. Two things that help Google out are (1) a robots.txt file, and (2) a sitemap.xml file. These don't automatically come with every website. But if you're transacting business on your website you want to make sure you have them and that they are communicating the right information to search engines.
Google can also dig up “stealth” development or prototype pages and websites, which become discoverable through a simple domain search. Even if you think you’re working on your website behind the scenes, keep in mind that enterprising young developers might be able to find your website project by setting a few Google search parameters.
Again, if you’re unsure about your page’s searchability, contact your developer right away.
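A small audit of what robots.txt and sitemap.xml actually tell a crawler about pages you consider private, as an added example that is not part of the original article; the shop domain, file contents and path list are constructed. Keep in mind that robots.txt is a publicly readable request to crawlers, so it complements a login wall and does not replace one.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

# Constructed sample files for a hypothetical shop at shop.example.
ROBOTS_TXT = """\
User-agent: *
Disallow: /checkout/
Disallow: /thank-you/
Sitemap: https://shop.example/sitemap.xml
"""
SITEMAP_XML = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example/products/widget</loc></url>
  <url><loc>https://shop.example/staging/index.html</loc></url>
</urlset>
"""
# Pages the owner does not want in search results (constructed list).
PRIVATE_PATHS = ["/thank-you/order-123", "/downloads/course.zip", "/staging/index.html"]

def audit(robots_txt, sitemap_xml, private_paths, agent="Googlebot"):
    """Report private pages that crawlers may fetch or that the sitemap advertises."""
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    # A private path with no matching Disallow rule is open to crawling.
    crawlable = [p for p in private_paths if robots.can_fetch(agent, p)]

    ns = "{http://www.sitemaps.org/schemas/sitemap/0.9}"
    listed = {urlsplit(loc.text.strip()).path
              for loc in ET.fromstring(sitemap_xml).iter(ns + "loc") if loc.text}
    # A private path listed in the sitemap is being actively advertised.
    in_sitemap = [p for p in private_paths if p in listed]
    return {"crawlable": crawlable, "in_sitemap": in_sitemap}

if __name__ == "__main__":
    for finding, paths in audit(ROBOTS_TXT, SITEMAP_XML, PRIVATE_PATHS).items():
        print(finding, paths)
```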
3: Temporary website failure
You don’t want to be the last one to hear that your own website is offline. “Why, this is embarrassing. My site is down? Hm, let me look into that…”
You probably have many questions when this happens, including:
- Why did my site go down?
- How long has it been down?
- Is my web developer aware?
- Did something break?
- Wait a sec—if my developer is aware, how come we weren't alerted?
These are all great questions! Your developer has hopefully set you up with a Google Webmaster Tools (GWT) account, which can alert you when things go wrong on your website, like an outage, spikes in traffic, or lots of pages suddenly showing up as broken links. If you're running an e-commerce store and broken links mean lost revenue, this is definitely an issue you’ll want to keep an eye on.
Depending on the scale of your business, the tools you may need to monitor issues with your website may differ. I recommend that all start-ups have a GWT account at a minimum.
4: Credit card fraud
This is a major issue these days, with large, well-known companies issuing apologies every few weeks as their systems were hacked and credit card information was compromised.
For a start-up, while the risk of an attack isn't as great as with the larger companies, you’ll want to make sure your site is secure.
Do you have a security certificate installed on your website? Is it configured properly? You should see a green lock or something similar on your browser on any page where you are collecting data. If you see a big red X or your browser gives your visitors security warnings, you need to look into your certificate.
You have to purchase and pay for security certificates, and they aren't exclusive to collecting credit card information. If you're collecting and storing ANY personally identifiable information (like customer names, addresses, birth dates, social security numbers; medical, educational, financial, and employment information; even IP addresses) it is a good idea to install and maintain an active “https://” version of your site.
5: Coupon code abuse
If you start to notice that coupon codes are getting used on every purchase—sometimes multiple codes—you may actually be losing money on your products due to non-secure coupons.
Using more secure coupon codes or setting limits on usage are typical best practices to ensure your coupons aren't being abused. It’ll help if you set up clear expectations on your coupon codes before promoting any new campaign so you can carefully track how many codes should be in use. There are also several apps and even WordPress plug-ins that will help you generate and manage coupon codes.
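What "more secure codes" and "limits on usage" can look like in practice: unguessable codes plus a server-side ledger that enforces one code per order, a usage cap, an expiry time and one use per customer. This is an added example, not taken from the article or from any plug-in; the class, field names and reason strings are hypothetical.

```python
import secrets

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"   # look-alike characters left out

def new_code(prefix="SPRING", length=10):
    """Random code from the OS CSPRNG, so one valid code does not reveal the next."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"{prefix.upper()}-{body}"

class CouponBook:
    """In-memory ledger; a real shop would keep this in its database."""

    def __init__(self):
        self.coupons = {}

    def issue(self, max_uses, expires_at, prefix="SPRING"):
        code = new_code(prefix)
        self.coupons[code] = {"max_uses": max_uses, "expires_at": expires_at,
                              "used_by": set()}
        return code

    def redeem(self, codes, customer_id, now):
        """Validate the codes sent with one order; returns (accepted, reason)."""
        if len(codes) != 1:
            return False, "one code per order"
        coupon = self.coupons.get(codes[0].strip().upper())
        if coupon is None:
            return False, "unknown code"
        if now > coupon["expires_at"]:
            return False, "expired"
        if customer_id in coupon["used_by"]:
            return False, "already used by this customer"
        if len(coupon["used_by"]) >= coupon["max_uses"]:
            return False, "usage limit reached"
        coupon["used_by"].add(customer_id)
        return True, "ok"

if __name__ == "__main__":
    book = CouponBook()
    code = book.issue(max_uses=2, expires_at=2_000)
    for order in ([code], [code], [code, code], ["SPRING-GUESS"]):
        print(book.redeem(order, "alice", now=1_000))
```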
In addition to making sure your site and customer data are safe, investing in security measures might also help you get venture capital for your start-up. Many investors are looking for companies that are taking their business seriously, and with security as a hot topic for websites these days, ensuring your website is properly secured may help you get the investment you need.
At a minimum, and depending on the size and resources of your start-up venture, make sure the person or agency you’re using to develop your website is familiar with website security and takes it seriously.