Usually, the matter of security is something web developers are concerned with. Vulnerabilities can be caused by poorly written code, software not updated by users, something malicious injected into the site, or hackers finding a way to break through the main login area. However a website gets compromised, you don’t often hear stories about a design gone rogue. As such, web designers might not be too concerned with security or what role their design elements play within it.
That said, there are certain design elements that could impact your site’s security. Understanding how those elements may be compromised and how they affect your site will help you make smarter choices when it comes to using them. It’s simply a matter of knowing what they are, so you can be on the lookout.
If it’s not a part of your process yet, then I’m going to suggest that web security become something you pay closer attention to. Not sure exactly how or why that should be? Let’s take a look at the 8 design elements that have the potential to affect your site’s security.
1. Compromised Themes
Whenever you use a third-party software in order to build or start a design, be extra careful in which ones you choose. Even if you download or purchase a theme from a trusted repository, you could still run into trouble. Their software is just as susceptible to a security breach as any other piece of software.
Unfortunately, it’s not always the theme that’s been compromised either. Take the TimThumb exploit, for example. An image resizing tool called TimThumb was included in a number of WordPress themes, which opened any user of that theme to attack.
2. Compromised Plugins
Third-party extensions are another tool designers often use to create advanced or complicated design elements on websites. Again, because software is particularly vulnerable to hackers, you have to be very careful in which ones you use and how you maintain them.
The image slider plugin, Slider Revolution (RevSlider), was one such case of an exploit introduced to websites by a third-party extension.
3. Compromised Components
That’s not to say you can’t trust code from others, but you should, again, be mindful of the quality of component you hook into your design.
4. Malicious File Uploads
In order for a website to be successful in converting visitors to paying customers or subscribed members, there needs to be a way for it to actively engage with them. Contact forms and comments systems can be particularly troublesome when they’re not protected against spam. However, there are also design elements that can come from external users that cause issues with security.
Specifically, if your website accepts file uploads from users–for instance, if users upload visuals to guest-submitted content or submit images for a contest–you could be putting your site at risk. That doesn’t mean you shouldn’t accept media from other users; it just means having your developer implement ways to better vet those files and ensure it’s not a way to inject malicious code.
There are a number of ways to monetize a website. But if you want to do so with an element that more seamlessly integrates with your design, you would probably use a system like AdSense that places ad content on your site. Again, though, you have to trust that the third party behind the ad content doesn’t mean your site or its visitors any harm.
In 2015, AdSense made the news when malvertising campaigns were discovered on users’ websites. These ads seemed harmless in nature until visitors started being redirected to scam sites.
6. Phishing Pages
When you design a site, you’re very careful about including pages that are necessary for the user’s experience. Every now and again, you may build a landing page that exists outside of the navigation, but is there for the purposes of promoting something special. This is a commonly used marketing tactic.
However, hackers are well-aware of this, too, which is why some of them are able to get away with planting fake pages on legit websites. This is what’s known as a phishing page and it’s built with the purposes of installing malware on a visitor’s computer or directing them to a scam site.
7. Infected Images
Did you know that malware can be hidden inside of images, too? In 2011, this very problem was discovered within Google Images. In 2015, Saumil Shah gave a presentation at the HITB Security Conference where he discussed the Stegosploit hack.
Both of these examples demonstrate how hackers have learned to get around users’ growing awareness of malicious links and attachments. Now, they’ve found a way to compromise images.
8. Mixed Content
As the web moves towards a more secure place with the adoption of SSL certificates and HTTPS, some web designers run into trouble when media files aren’t properly shifted over to a secure address. This is what’s known as “mixed content”.
Basically, this is what happens when a website resides on a secure HTTP domain (HTTPS). However, when images remain sitting on the unsecured server (HTTP), they open the rest of the website up to the possibility of a breach.
Protect Your Design Elements
You’ve built a stunning design for your client, but worry now that your choice of design elements or third-party integrations may compromise the security of the site. While the probability of something like that happening might not be high, you don’t want to leave your design assets unprotected.
If you and your web developer haven’t done so yet, focus on setting up the following on your web server:
- SSL certificate
- Malware and DDoS protection
- Brute force protection
- Scheduled software updates
And if you’re nervous about being able to secure these elements–as well as the rest of the site–on your own, then it’s time you considered moving to secure WordPress hosting. A managed WordPress hosting provider will take care of security, so you can focus strictly on the design piece of your clients’ websites.