Articles, Information, Resources

Even if your web site does not hold any national security document you should take the security of your web site seriously. This is especially important if you are selling products on your web site.

A typical setup is that you have one or more sales pages for your product and when a prospect clicks on an order link they are redirected to PayPal, 2CheckOut or some other payment processing service. This setup is good for several reasons, the most important being the fact that you avoid having to deal with credit card numbers and other sensitive customer information. So far in 2007 there have been published reports of more than 89 million identity records exposed from data breaches. See the Identity Theft Resource Center for some really scary reading. Leaving data theft worries to companies who specialize in handling financial information is a great strategy for most small businesses.

But you are not quite out of the woods yet. As a vendor of a digital "soft product" that can be bought and downloaded straight away, you have to guard against digital shoplifting. There's lots of ways that people in your position leave their website goods on display, unattended - leaving people to make off with them without paying, if they know how.

We present the three most frequently occurring mistakes:

1. Easy to guess filenames.

If you have named your electronic book 'AdWords Secrets', do not include either 'Adwords' or 'Secrets' in the name. The location www.example.com/AdWordsSecrets.pdf is the first thing a user might try to access your work.

At least add a version number or a date into the filename, e.g. AdWordsSecrets_v42.pdf or AdWordsSecrets_20070707.pdf. This will make it much more difficult to guess the filename and the URL.

2. Indexing the product itself or the download page is the function of search engines.

Today's search engines are extremely efficient in spidering content on the web and keeping your web pages secret from search engines is becoming increasingly difficult. Even if you don't have any public links to your secret product download page there are several ways that a search engine can find out about the page and index it. Once it's indexed anyone who uses that search engine may see your product download page in the search results, and they can download your product for free.

You should regularly check what each search engine knows about your web site. In most major search engines you can use the site: operator, e.g. site:example.com, to get a listing of all the pages on your web site that have been indexed.

3. Improperly configured robots.txt

On your web server, you will probably include a robots.txt file. This text file is used by most search engines and tells them what to index and what not to index. Typically, you will want to prevent search engines from looking at certain directories that you use for statistics reporting or downloads. Theoretically, this should mean that search engines won't index any hidden, non-public, or secret pages on your website. Unfortunately though, some hackers may try to view the robots.txt file. This could make you vulnerable to someone possibly downloading your product without paying.

A balance needs to be determined between securing some files and file directories in a robots.txt file and at the same time not telling too much detail about the set up of your overall web site.

Selling digital products online is a great business. Make sure that you get paid for the products that you have painstakingly created by following the guidelines above and applying common sense.