SPF for Your Website: Three Simple Steps to Protect Your Online Presence
As the days get longer and the mercury rises, we’re reminded yet again of the importance of remaining vigilant when it comes to applying sunscreen to protect ourselves from summer’s damaging rays. It’s a simple yet necessary precaution that if neglected has both short-term consequences – the painful agony of sunburn – and long-term ramifications – skin damage and increased risk of skin cancer. The same holds true for our websites. If we are not proactive in taking the necessary precautions to keep our online presence safe, problems will inevitably arise. Here are three simple measures you can take to apply SPF to your website that will safeguard the integrity not only of your brand’s online presence but its reputation as well:
(S)ecure your site against SQL injections.
Websites that feature data-driven applications can be vulnerable to attacks known as SQL injections, whereby malicious code is typed into an entry field and then executed by the site’s database. These attacks exploit flaws in the code that passes user input to the database, and they can perform any number of actions, from adding unapproved content to your public-facing site to allowing the hacker to download your entire database. This is a prime example of why rigorous testing is absolutely critical prior to launch. If your site is already up and running, consult with your web team to make sure that it has undergone thorough testing and is protected against such hacks. If you want to take additional precautionary measures, there are also security companies that specialize in detecting these types of website and database vulnerabilities, and they can provide you with a security audit.
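To make the flaw concrete for a web team doing the testing described above, here is an added example (not code from the original post) that puts a lookup built by string concatenation next to the same lookup written as a parameterized query, using a constructed in-memory SQLite table and a single crafted test value of the kind an audit sends through a form field:

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The defect: whatever the visitor typed is pasted straight into the SQL text,
    # so quote characters in the input change the meaning of the query.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # The fix: the value is bound as a parameter and is never parsed as SQL,
    # so it can only ever be compared against the username column.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    normal = "bob"
    crafted = "x' OR '1'='1"  # test value a security audit would submit
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "hardened_normal": lookup_hardened(conn, normal),
        "hardened_crafted": lookup_hardened(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns every user for the crafted value, while the hardened one returns nothing because no account is literally named that; that difference is the check to run on each form-backed query before launch.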
(P)rotect your domain name.
It’s common sense that you must pay to acquire the domain name where your business will reside online. However, it’s important to remember that you have to continue to pay in order to retain the rights to use that domain name. Essentially, when you purchase your domain name, you’re not buying it outright. Rather, you’re renting that name for a specified period of time. Most registrars (Network Solutions, GoDaddy, Register.com, etc.) allow you to secure a name for anywhere from 12 months to 99 years. If you allow your registration to lapse, however, the domain name becomes available for purchase again and is open to the public for anyone to acquire. Bear in mind that there are actually companies that profit handsomely from business owners who neglect their domain registrations. They monitor domains that are nearing expiration, taking ownership of them the moment they become available. If you have the misfortune of having your domain acquired by one of these companies, usually you can negotiate having ownership transferred back to you, but it will cost you dearly. Unfortunately, while this is a shady practice, it is not illegal. If you allow your domain name to expire, it is fair game for anyone to register it – including these types of companies. Before your domain name expires, your registrar will likely send you many notices prompting you to renew. I start getting domain name renewal notices six months or more before the scheduled expiration date, and as that date gets closer, the notices start coming more and more frequently. Despite this barrage of email notifications, there are still many companies that are unaware that their expiration date is approaching, and they either lose their domain name altogether or are forced to pay a king’s ransom to get it back.
Often when this situation occurs, it is because the person who initially completed the registration process for the domain name is no longer with the company, and therefore the email address they used to register the name is no longer valid, so the multitude of email notices go unreceived. The company innocently thinks they are protected until one day they stop receiving emails (yes, your email is tied into your domain name), or a customer mentions that they tried to go to the site, and it was simply gone. Even though there is a grace period after a domain has lapsed that allows you to reclaim your ownership before it becomes open to the public, the lapse isn’t always discovered in time to take advantage of this safety net. To prevent this, it is critically important to keep the contact information for your domain registration up to date. Either contact your registrar directly or speak with your web team to make sure you know when each of the domain names you own needs to be renewed, and double-check to ensure that the contact information for your account is valid.
(F)ortify your forms.
Web forms are a staple of doing business online. In fact, rare is the site that doesn’t include a form of some sort that allows the user to input information to be transmitted to the site’s owner, whether its purpose is to make a contact inquiry, sign up for a mailing list, complete a purchase, apply for employment, etc. As anyone who has a form on their site can attest, however, not all submissions received via these forms are legitimate. Much of the junk is robot spam: spammers write programs, known as spambots, that indiscriminately fill out any and all types of forms on the Web, looking for entryways that expose a site’s security vulnerabilities (see SQL injections above). If you find your inbox filling up with indecipherable junk submissions, these bots are to blame. To combat these spambots, you can install a CAPTCHA system on your form, which generates an image with a random combination of numbers and letters that the user must enter in order to submit the form. The spambots can’t interpret these CAPTCHA images, so they can’t complete the process of sending the form. While there is legitimate debate as to whether or not CAPTCHA is the most effective way to prevent bogus submissions, it still remains the most popular solution for web form security.

However, the reason it’s important to block these bots goes beyond eliminating the annoyance of a cluttered inbox. A few months ago, my company decided to remove the CAPTCHA requirement from our contact form. We knew we would get a flood of spam submissions, but we decided we could deal with a little extra hassle on our end in exchange for reducing the inconvenience to legitimate users of having to interpret those squiggly letters in order to simply get in touch with us. As expected, the amount of spam we received increased dramatically, but it was still manageable. Then, all of a sudden, we stopped receiving any submissions at all.
We also began seeing some of our emails to other people bounce back. What we discovered was that our web domain (which is where our emails originate from) had been blacklisted as spam by Microsoft (which is what powers our email platform). Apparently, all the bogus submissions from our website (which resides on our domain) to our email caused Microsoft to identify us as spammers. This is because our form submissions came from an email address associated with our own domain name (many web forms are configured this way). Obviously, we were not the ones generating the spam, but this strange series of coincidences conspired to get us blacklisted! Fortunately, it was an easy process to get our domain removed from the blacklist, and we quickly re-installed the CAPTCHA system on our contact form, but we certainly learned an important lesson about security and spambots along the way. If you allow those bogus entries to make it through, there is a risk that you, too, could find yourself blacklisted and unable to send email to some of your most important contacts.
Seize the day and stay safe.
Since summer is vacation season for many of us, business tends to slow down slightly as our clients and colleagues enjoy much-deserved time off. That makes this the perfect time to seize the opportunity to apply these S-P-F practices today to ensure that your online presence is well protected all year long.