The following points are written from my experience and observations as a webmaster since becoming the server administrator of various web servers:
Directory Browsing Enabled
Depending on your web host's server configuration, you should check that this feature is DISABLED. If it is enabled, it gives public users unnecessary access to other files in the directory. It also lets others learn how your site's directories are laid out, which is not good.
Bear in mind that directory listings are indexed by search engine crawlers. This increases the chance that others find and target your website simply because the content is viewable.
Allow Hotlinking To Static Content
Bandwidth is expensive. Do not let others embed your content in theirs and consume your bandwidth. To prevent bandwidth theft, do not forget to disallow hotlinking of your static content, including images (.jpg, .png, .gif, .bmp), presentation material (.pdf, .swf, .flv) and scripts and assets (.js, .css, .xml).
Depending on your web host, there is usually a built-in function to disable hotlinking to your static content. Contact them for more information.
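The decision behind hotlink protection, as an added example that is not part of the original post: the same check a web server rewrite rule performs before serving a static file, written out as plain Python. The extension list is the one given above; the hostnames in OWN_HOSTS are placeholders.

```python
# Added example (not from the original post): the decision a server makes
# before serving a static file when hotlink protection is enabled.
from typing import Dict, Optional
from urllib.parse import urlparse

# The static extensions the post lists as worth protecting.
PROTECTED_EXTENSIONS = {
    ".jpg", ".png", ".gif", ".bmp",   # images
    ".pdf", ".swf", ".flv",           # presentation material
    ".js", ".css", ".xml",            # scripts and assets
}
# Hostnames allowed to embed the files; example.com is a placeholder.
OWN_HOSTS = {"example.com", "www.example.com"}


def is_protected(path: str) -> bool:
    """True if the request path (query string ignored) has a protected extension."""
    lower = path.lower().split("?", 1)[0]
    return any(lower.endswith(ext) for ext in PROTECTED_EXTENSIONS)


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Lowercase hostname from a Referer header, or None if absent/unparseable."""
    if not referer:
        return None
    host = urlparse(referer).hostname
    return host.lower() if host else None


def allow_request(path: str, referer: Optional[str]) -> bool:
    """Decide whether to serve the file.

    - Non-static paths are never blocked by hotlink protection.
    - No (or unparseable) Referer is allowed: direct visits, bookmarks and
      privacy settings that strip the header would otherwise break your own site.
    - A Referer from OWN_HOSTS or one of their subdomains is allowed.
    - Any other Referer is a foreign page embedding the file: deny.
    """
    if not is_protected(path):
        return True
    host = referer_host(referer)
    if host is None:
        return True
    return any(host == own or host.endswith("." + own) for own in OWN_HOSTS)


def serve(path: str, headers: Dict[str, str]) -> int:
    """HTTP status a server would send for the request: 200 to serve, 403 to deny."""
    return 200 if allow_request(path, headers.get("Referer")) else 403
```

Because an empty Referer must be allowed, this saves bandwidth but is not access control: a client that omits the header is still served.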
Always assume that others might steal your images, so do not forget to add a watermark to every image on your website.
Users will notice the watermark when they see the stolen image on another website. Indirectly, you get advertised, and people will start looking for the real content rather than the duplicate. More traffic will come in.
PHPinfo Page is Accessible
During development, a PHPinfo page is one of the things a developer needs in order to understand the web server environment. Even though the PHPinfo page is not retrievable via search engines, this file MUST NOT exist on your web server, or must not be publicly accessible, once your site has gone live.
Most webmasters forget to delete this page after development is complete, which means they are exposing the web server environment to the world.
Ignore Website Appearance on Linux and Mobile Devices
Most webmasters test their website in all browsers that run on Windows or Mac. Assuming that Linux and mobile devices use the same browser engines, they usually forget that the appearance might differ on other systems. Even though Linux and mobile users currently make up less than 7% of the total operating system market share (statistic by W3Schools), you should not ignore them entirely.
The site's font might look standard on Windows, but on Ubuntu it will look slightly bigger because the default system font size is different. The same goes for mobile devices, where the font looks smaller.
Open Hyperlinks in the Same Window
Make sure the hyperlinks inside your content open in a new tab/window by using the target="_blank" attribute on the <a> tag.
Do not interrupt the user's experience while they are reading your content. Many webmasters forget this, resulting in a bad experience for users who get navigated away from the information they actually want.
Display Email Address on the Website
Email addresses are easily harvested by address-harvesting bots. They just need a search engine to build a list of victim sites, then read the HTML for "mailto:" links or look for anything in the complete email address format. You will usually start getting spam from 3 to 6 months after the email address is publicly displayed, unless your site blocks search engine crawlers.
There are alternative ways to display your email address on the website, such as using the CloudFlare service, which protects the email addresses on your website, or following the example at http://csarven.ca/hiding-email-addresses on how to hide an email address in HTML.
The best solution is to never reveal your email address and use a contact form instead.
No CAPTCHA for Forms
Never assume that all your website visitors are human. There are many bad bots (comment spam bots, forum spam bots) out there trying to do nasty things to your website, mostly to generate backlinks for Search Engine Optimization (SEO).
Use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) for every form you have, such as comment, contact or registration forms, even though some CAPTCHAs are breakable (see here). The most popular CAPTCHA provider nowadays is reCAPTCHA, which was acquired by Google. It is a free service that keeps spambots from messing up your site.
Backup in the Same Server
Your website backups should NOT be stored on the same server as your web server, especially if the backup directory is publicly accessible. Usually, a webmaster creates the backup from inside the web server; they should then download it and remove the backup file from the web server. Some webmakers forget to remove the backup files, which then fill up the disk space and unintentionally become downloadable by others.
The best backup practice is to have a remote backup repository server, with backups scheduled to run daily during non-peak hours.
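A check for three of the forgetfulness mistakes above (directory browsing left enabled in .htaccess, a PHPinfo page left behind, backup archives left inside the web root), as an added example that is not part of the original post. It walks a document root and reports findings; demo() builds a constructed root containing each mistake so it runs offline.

```python
# Added example (not from the original post): audit a document root for
# forgotten phpinfo pages, backup archives and .htaccess directory listing.
import os
import re
import tempfile
# Filenames and contents typical of a forgotten phpinfo page.
PHPINFO_NAME = re.compile(r"^(phpinfo|info|test)\.php$", re.IGNORECASE)
PHPINFO_CALL = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)
# Archive and dump extensions a backup job typically produces.
BACKUP_EXT = re.compile(r"\.(zip|tar|tar\.gz|tgz|gz|bz2|sql|sql\.gz|bak)$", re.IGNORECASE)
# "Options ... Indexes" without a leading "-" turns directory listing on.
INDEXES_ON = re.compile(r"^\s*Options\b(?!.*-Indexes).*\bIndexes\b", re.IGNORECASE | re.MULTILINE)


def audit_docroot(root):
    """Walk root and return findings keyed by category (paths relative to root)."""
    findings = {"phpinfo": [], "backup": [], "indexes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower().endswith(".php"):
                with open(full, "r", errors="ignore") as fh:
                    body = fh.read()
                if PHPINFO_NAME.match(name) or PHPINFO_CALL.search(body):
                    findings["phpinfo"].append(rel)
            elif BACKUP_EXT.search(name):
                findings["backup"].append(rel)
            elif name == ".htaccess":
                with open(full, "r", errors="ignore") as fh:
                    if INDEXES_ON.search(fh.read()):
                        findings["indexes"].append(rel)
    return findings


def demo():
    """Build a constructed document root containing each mistake and audit it."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "old"))
    constructed = {  # constructed sample files, not a real site
        "phpinfo.php": "<?php phpinfo(); ?>",                # forgotten phpinfo page
        "index.php": "<?php echo 'hello'; ?>",               # legitimate page
        "old/site-backup.tar.gz": "constructed archive",     # backup inside web root
        ".htaccess": "Options +Indexes +FollowSymLinks\n",   # listing enabled
        "old/.htaccess": "Options -Indexes\n",               # listing disabled
    }
    for rel, text in constructed.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return audit_docroot(root)
```

The .htaccess check only reports what the file asks for; whether Apache honors it depends on AllowOverride in the main configuration, so confirm by requesting a directory URL after the change.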
Simple Password Usage
Do not use simple passwords for any credentials on your website or web hosting service. Hackers and bots can gain access through any point of authentication, such as an email account, database user, protected directory user, back-end system user, web hosting service user or FTP user, if they succeed in guessing your password, usually by brute force.
The best password practice is to combine letters, numbers and symbols in a password of more than 10 characters, and to change your password at least every 3 months.
Simple mistakes can lead to bigger problems if we are not careful and do not realize the consequences we might face. Standard operating procedures, checklists and reminders are some methods to overcome the common human failing of forgetfulness.