Website security has become a much more widely covered topic in the world of marketing. Protecting user information and other sensitive data has also become more important to everyday internet users. To ensure you’re protecting yourself and your users, we wrote this article to:
- Provide the basics of website security
- Help you understand potential security risks
- Provide potential paths toward resolution
By the end of this article, you will have an understanding of the basics of website security and know where you should be looking for potential risks.
Before we dive into the common security issues encountered around the web, I want to talk a bit about the importance of website security. Search engines like Google hold website security in high regard. They have outlined a few ranking indicators that will influence how your site performs if it lacks a secure connection.
Without a secure webpage, Google may display a “Non-Secure” website marker. It will look something like this:
This can also be triggered by mixed content on a page, which we will talk about later in this article. Without these basic security measures in place, you could see a dramatic drop in rankings. The warning appears not only in the example above but also in the Dev Tools console shown below.
4 Common Website Security Issues
1. Pages containing mixed content.
What this means in plain English:
Having mixed content on your site means that a URL is loaded over a secure connection (HTTPS) but some resources on that URL are loaded over HTTP. For example, you could have an older image file being loaded over HTTP rather than HTTPS.
Here’s the potential risk:
Loading this mixture of security protocols decreases the overall integrity of the page. This scenario is vulnerable to attacks in which an attacker with access to the network connection can view or modify the communication between two parties.
How to solve this issue:
Eliminate or replace any links pointing to non-secure (HTTP) resources such as images and videos.
How this issue might appear:
- Google Search Console: “Mixed Content”
- Bing Webmaster Tools: “Mixed Content”
- SEMrush: “Mixed Content”
- Moz: “Pages with Mixed Content”
- Ahrefs: “HTTPS/HTTP mixed content”
- Sitebulb: “Pages containing mixed content”
2. HTTPS URL Links to an HTTP URL
What this means in plain English:
This is similar to mixed content issues, but instead of loading HTTP resources like images, you’re linking to an HTTP page.
Here’s the potential risk:
Any URL loaded over the HTTPS protocol ensures that all communications are encrypted. Breaking this communication by linking to an HTTP site could remove this encryption. Serving pages over HTTP may also affect the user’s confidence in your website.
How to solve this issue:
Update any links pointing to HTTP, whether they are in the <head> or in the body content of a given page.
3. HTTP URL contains a password input field
What this means in plain English:
A URL is using the HTTP protocol while also containing a form with a password input field.
Here’s the potential risk:
Any kind of sensitive data should be communicated using a secure connection. An HTTP URL isn’t secured with an SSL certificate. This poses the risk of leaking password information or any other information used in the form itself.
How to solve this issue:
The first thing you should do is load the entire site over an HTTPS connection and force all pages to load this way via an htaccess rule. If you can’t do this, you should remove the form and place it in a separate pop-up window.
4. Loads Page Resources Using Protocol Relative URIs
What this means in plain English:
This means that a URL loads resources with protocol relative URLs, which can be requested over HTTP. That presents a security risk.
Here’s the potential risk:
Protocol relative syntax eliminates the need for developers to build URLs based on the user’s security connection type. If the user is using an HTTP connection to view the page, then the site will load resources from the CDN over an HTTP connection. If their connection is on an HTTPS page, it retrieves the HTTPS version. Allowing the URL to request over HTTP opens the door for attacks.
How to solve this issue:
You should only be using “https://” URLs when loading resources. For each URL that loads protocol relative resources, update the resource URLs so they come from an HTTPS source.
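To check a page for all four issues above in one pass, here is a small scanner, added as an illustration and not taken from any of the audit tools named in this article. The issue labels, the `audit` function name and the sample markup are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
SRC_TAGS = {"img", "script", "iframe", "video", "audio", "source", "embed"}
# <link> rel values that fetch a resource; rel="canonical" and similar only reference a URL.
LINK_FETCH_RELS = {"stylesheet", "icon", "preload"}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_is_https = urlsplit(page_url).scheme.lower() == "https"
        self.findings = []  # (issue, tag, url) tuples, in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "input":
            if a.get("type", "").lower() == "password" and not self.page_is_https:
                self.findings.append(("password-field-on-http", tag, ""))  # issue 3
            return
        if tag in SRC_TAGS:
            url, is_resource = a.get("src", ""), True
        elif tag == "link":
            rels = set(a.get("rel", "").lower().split())
            url, is_resource = a.get("href", ""), bool(rels & LINK_FETCH_RELS)
        else:  # only <a href> is tracked among the remaining tags
            url, is_resource = (a.get("href", "") if tag == "a" else ""), False
        if url.startswith("//") and is_resource:  # issue 4
            self.findings.append(("protocol-relative-resource", tag, url))
        elif url.lower().startswith("http://") and self.page_is_https:
            issue = "mixed-content" if is_resource else "https-links-to-http"
            self.findings.append((issue, tag, url))  # issues 1 and 2

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; hosts and paths are placeholders.
SAMPLE = """<link rel="stylesheet" href="//cdn.example.net/site.css">
<link rel="canonical" href="http://www.example.com/page">
<img src="http://www.example.com/old-logo.png">
<img src="/img/new-logo.png">
<a href="http://partner.example.org/">Partner</a>
<form><input type="password" name="pw"></form>"""

if __name__ == "__main__":
    print(audit("https://www.example.com/page", SAMPLE))
```

The same markup gives different findings depending on how the page itself is served: over HTTPS it reports the mixed content and HTTP links, while over HTTP it reports the password field instead.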
Get a website audit to make sure your website is secure.
One of the best ways to make sure that your website is secure is to do a deep dive technical audit on all of these common security considerations. Our team of specialists will be able to audit and identify potential issues that are lurking on your site. Not only will we spike out the most common issues, but we also break down some of the more complex issues and how you can solve them.
If you want a more holistic look at your site, we also offer a gameplan service that can outline where you are now, and show you a roadmap to where you want to be to accomplish your goals.