Let’s be honest – security’s not the most exciting part of a new website build. You’re (rightly) more focused on how things look, what the user journey feels like, and whether the CMS does what you need it to.
But while you’re focused on what you can see, there’s a whole world behind the scenes that hackers are very interested in – and it’s our job to make sure they can’t get in.
This post isn’t about scaring you. It’s about lifting the curtain a little on what we, as your technical partner, are doing to keep your website secure. You don’t need to know how to fix a SQL injection attack. But you do need to know that your website is being built by people who do.
Because security isn’t optional anymore. It’s expected. And if it goes wrong, it’s your brand that takes the hit.
Why Clients Should Care About Website Security
Let’s break it down. Here’s why security isn’t just a ‘tech thing’ – it’s a business-critical thing.
1. You’re the one who’ll be blamed – not the platform
If something goes wrong – your customer data leaks, your checkout stops working, your homepage starts flashing weird pop-ups – your clients aren’t going to blame Umbraco, or .NET, or OWASP. They’ll blame you. Fair or not, it’s your name on the site. Your reputation on the line.
2. Security builds trust – and trust drives conversion
A secure website feels different. It behaves reliably. It doesn’t throw up strange warnings. It gives your users confidence to sign up, log in, buy, and come back again. And those feelings are no accident – they’re the result of conscious, technical choices happening behind the scenes.
3. A breach costs more than you think
The average cost of a data breach for a UK SME? Somewhere in the ballpark of £15,000–£20,000. That’s before you factor in things like:
- Lost sales
- Damage to your brand
- GDPR reporting obligations
- Development time to fix the issue
- Time spent telling clients “we’re really sorry…”
Security isn’t just a technical safeguard. It’s business insurance.
4. Not every agency builds with security in mind
Here’s the uncomfortable truth: not all agencies take security seriously. Some might be brilliant at creative, but not great at secure coding. Others might just not be up to date on best practices.
At Gecko, we work with Umbraco – a secure and flexible platform, yes – but it’s what we do with it that matters most. We follow best practice frameworks like the OWASP Top 10, which is essentially a regularly updated checklist of the most critical security risks found across real-world web applications.
What We’re Doing to Protect You
We won’t go into full developer-mode (unless you really want us to), but here’s a quick look at some of the risks we’re protecting against – and what that means for you.
1. Cross-Site Scripting (XSS)
The risk: Attackers inject scripts into your site, tricking it into showing malicious content to your users.
Why it matters: This could mean fake login forms, spammy pop-ups, or malware – all served from your domain.
Our approach: We encode user-supplied content on output by default and never trust raw data. We validate and sanitise input wherever needed. No untrusted scripts, ever.
2. Broken Access Control
The risk: Users can access admin-only pages or data just by fiddling with URLs or hidden fields.
Why it matters: That ‘download backups’ button? If not protected, anyone could find it. Including your competitors.
Our approach: Roles and permissions are enforced on the server, not the interface. Even if someone tries to trick the system, they hit a brick wall.
3. Security Misconfiguration
The risk: Debug info, stack traces or error messages accidentally shown in live environments.
Why it matters: Hackers love a roadmap. Seeing what broke gives them a head start.
Our approach: Our live environments never show system-level detail to end users. Errors are logged securely and silently. Users just see a friendly “something went wrong” – not a blueprint to your infrastructure.
4. Cryptographic Failures
The risk: Sensitive data (think payment info or passwords) is stored or sent in plain text.
Why it matters: If the data leaks, it’s readable. GDPR fines incoming.
Our approach: We use industry-standard encryption (AES) for sensitive data. Passwords are never stored in readable format. We also help clients understand what data they shouldn’t collect in the first place.
5. SQL Injection
The risk: Attackers slip their own SQL commands into the queries your site sends to its database, via forms or search bars.
Why it matters: It can lead to stolen data – or worse, entire tables being deleted.
Our approach: All database queries use parameterised inputs. No raw SQL. No shortcuts.
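To show why “parameterised, no raw SQL” matters, here is a small added example (not Gecko’s code, and in Python with an in-memory SQLite table rather than .NET, so it runs stand-alone): the same lookup written both ways, queried with a constructed hostile input.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "users" table standing in for a
# site's database. Example code added for illustration, not the agency's own.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)", [
        ("alice@example.com", "admin"),
        ("bob@example.com", "editor"),
    ])
    return conn

def find_user_concat(conn, email):
    # The "raw SQL" pattern: the input is pasted into the query text, so a
    # crafted value can change the query's structure instead of being compared.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_param(conn, email):
    # Parameterised query: the database receives the query shape and the value
    # separately, so whatever the user typed is only ever compared as a string.
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"          # constructed search-box input
    print(find_user_concat(conn, hostile))  # every row comes back
    print(find_user_param(conn, hostile))   # [] : treated as a literal email
    print(find_user_param(conn, "bob@example.com"))  # ['bob@example.com']
```

The concatenated version returns every user for the hostile input; the parameterised version returns nothing, because the input never becomes part of the query’s grammar.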
6. Outdated Components
The risk: Using old, vulnerable packages or libraries in your solution.
Why it matters: Hackers specifically target known vulnerabilities in outdated software.
Our approach: We monitor and maintain your codebase with regular audits and updates. Vulnerabilities are flagged and fixed before they become a problem.
7. Lack of Logging and Monitoring
The risk: You don’t see when something suspicious is happening.
Why it matters: A breach you don’t notice is even worse than one you do.
Our approach: We build in structured logging from day one. So if something’s off – we see it. Fast.
What You Can Do (And What You Don’t Have To)
We don’t expect you to become a cybersecurity expert. That’s our job. But there are a few smart habits that help keep everything watertight:
- Use strong, unique admin passwords
- Don’t store sensitive data unless you need it
- Review your user roles regularly
- Let us know if anything feels weird
If you're on a support plan with us, we’ll also be keeping your site, Umbraco CMS, and plugins updated on a regular schedule.
Final Word: You Shouldn't See Security – But You Should Expect It
Like plumbing or insurance, the best security is invisible. You don’t notice it day to day – because it’s doing its job quietly. But when it’s not there? That’s when things get ugly.
At Gecko, we don’t just build beautiful Umbraco websites. We build them to last. And that means thinking about the things most people ignore – like security. It’s part of the craft. Part of the care. Part of the reason our clients stick with us.
Want to know how secure your current site is?
We’re happy to take a look. Just drop us a line and we’ll run a quick security sanity check – no strings attached.
