The 10 website & app security mistakes we have seen most often over the last 17+ years
At Green17, security isn’t an afterthought — it’s built into everything we do. Every login system we deliver supports two-factor authentication as standard, because strong access controls are the simplest and most effective way to keep sensitive data safe.
We use best-in-class software, hosting, and practices to secure every project. Many of our clients also choose to have their systems independently penetration tested by accredited third-party security experts, so the results are objective: we are not just "marking our own homework."
We also align our work with the UK Government's 14 Cyber Security Principles, which guide departments and public bodies in protecting digital services. They cover access control, secure configuration, monitoring, incident response, and more.
With 17 years of experience supporting councils, charities, and large organisations, we understand that real security is a combination of technology and habits.
1. Check if your credentials have been leaked
Most people are surprised to discover that their details have already been exposed in a breach. When large companies like LinkedIn, X (Twitter), or Adobe are hacked, millions of usernames and passwords are compromised and made available in databases that attackers can freely use.
From there, cybercriminals attempt credential stuffing: trying those leaked passwords across different services, hoping that the same combination unlocks more than one account.
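The pattern above has a recognisable signature in authentication logs: one source address trying many different usernames once or twice each, as opposed to a brute-force attack that hammers a single account. The following is an added example (not Green17's tooling) that separates the two over a handful of constructed log lines; the log format, the addresses and the thresholds are assumptions for the illustration.

```python
"""Spotting credential stuffing versus single-account brute force in auth logs.

Added example, not Green17's code. The log format is an assumption made for
this example: one line per login attempt, space separated, fields
timestamp source_ip username result. The lines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (documentation-range IPs, invented users).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice FAIL
2024-05-01T09:00:02Z 203.0.113.7 bob FAIL
2024-05-01T09:00:02Z 203.0.113.7 carol FAIL
2024-05-01T09:00:03Z 203.0.113.7 dave FAIL
2024-05-01T09:00:03Z 203.0.113.7 erin FAIL
2024-05-01T09:00:04Z 203.0.113.7 frank OK
2024-05-01T09:01:10Z 198.51.100.2 alice FAIL
2024-05-01T09:01:11Z 198.51.100.2 alice FAIL
2024-05-01T09:01:12Z 198.51.100.2 alice FAIL
2024-05-01T09:01:13Z 198.51.100.2 alice FAIL
2024-05-01T09:01:14Z 198.51.100.2 alice FAIL
2024-05-01T09:01:15Z 198.51.100.2 alice FAIL
2024-05-01T09:05:00Z 192.0.2.9 grace FAIL
2024-05-01T09:05:05Z 192.0.2.9 grace OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters gathered from the log."""
    failures: int = 0
    successes: int = 0
    users_tried: set = field(default_factory=set)


def parse_line(line: str):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result


def summarise(log_text: str) -> dict:
    """Aggregate attempts per source IP: failures, successes, distinct users."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        s = stats[ip]
        s.users_tried.add(user)
        if result == "OK":
            s.successes += 1
        else:
            s.failures += 1
    return stats


def classify(stats: dict, min_failures: int = 5, stuffing_min_users: int = 4) -> dict:
    """Label noisy sources. Thresholds are assumptions; tune them to your traffic.

    - many failures spread across many usernames -> credential stuffing
      (a leaked user:password list being replayed against this site)
    - many failures against one or two usernames -> password brute force
    A success after a stuffing run is the case that needs a human immediately.
    """
    findings = {}
    for ip, s in stats.items():
        if s.failures < min_failures:
            continue  # ordinary typos, not worth an alert
        if len(s.users_tried) >= stuffing_min_users:
            label = "credential_stuffing"
            if s.successes:
                label += "_with_success"
        else:
            label = "password_brute_force"
        findings[ip] = label
    return findings


if __name__ == "__main__":
    for ip, label in classify(summarise(SAMPLE_LOG)).items():
        print(f"{ip}: {label}")
```

In the sample, 203.0.113.7 fails against five different users and then logs in as a sixth (the stuffing-with-success case that warrants forcing a password reset and checking that account's activity), while 198.51.100.2 is a plain brute force against one user, which per-account lockout or rate limiting handles on its own.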
You can check your own details with Have I Been Pwned. If your email address shows up, immediately change the password on any account that used the same one. Even if your address does not appear, rotate the passwords on critical systems whenever there is any sign of exposure, and sign up for breach notifications so you learn of new leaks quickly, because breaches happen regularly.
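Have I Been Pwned also publishes the Pwned Passwords range API, which lets a site check a password against the breach corpus without ever sending the password itself: only the first five hex characters of its SHA-1 hash leave the machine, and the client matches the rest locally. The block below is an added example (not Green17's code and not HIBP's own client) showing that k-anonymity check; the API response embedded in it is constructed so the example runs offline, and the breach count in it is made up.

```python
"""Checking a password against Pwned Passwords with the k-anonymity range API.

Added example, not Green17's code or Have I Been Pwned's client. The API at
https://api.pwnedpasswords.com/range/<prefix> is real: it takes the first
five hex characters of the SHA-1 hash and returns "SUFFIX:COUNT" lines for
every breached hash sharing that prefix. The response used below is
constructed so the code runs offline; its count is invented.
"""
import hashlib

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, rest)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blanks."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password appears in breaches (0 = not found).

    fetch_range(prefix) -> response body. Only the prefix is ever sent.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


def is_acceptable(password: str, fetch_range) -> bool:
    """Policy used at registration or password change: reject anything breached."""
    return breach_count(password, fetch_range) == 0


# Constructed stand-in for the live API. The real service returns hundreds of
# suffixes per prefix; entries with count 0 are padding the API can add when
# asked (see live_fetch) and simply never match a real breach.
CONSTRUCTED_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0\r\n"
             "0000000000000000000000000000000000A:2\r\n",
}


def offline_fetch(prefix: str) -> str:
    """Offline fetcher backed by the constructed responses above."""
    return CONSTRUCTED_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real lookup over the network (standard library only).

    Add-Padding asks the API to pad the response so its size does not reveal
    which prefix was queried; padded entries come back with count 0.
    """
    import urllib.request
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # "password" hashes to 5BAA61E4..., so the constructed response matches it.
    print("password:", breach_count("password", offline_fetch))
    print("acceptable:", is_acceptable("password", offline_fetch))
```

Wire `is_acceptable` into registration and password-change forms with `live_fetch`, and treat a non-zero count as a hard reject rather than a warning; the lookup reveals nothing about the password beyond a prefix shared by hundreds of hashes.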
2. Use strong, unique passwords everywhere
Using the same password across multiple systems is like using one key for your office, car, and house. If it’s stolen, everything is suddenly vulnerable.
A strong password should be at least 12–16 characters long, unique to that account, and not based on dictionary words. Common substitutions like "Pa$$word1" won't fool attackers: cracking tools apply those substitutions automatically.
Services like 1Password’s generator or Bitwarden’s generator create long, random strings that are far harder to crack. Combined with a password manager, you don’t need to remember them — you just need one strong master password to access the vault.
3. Never send passwords by email
Email was never designed for sending sensitive information. Most email is encrypted hop by hop at best rather than end-to-end, and messages sit in inboxes and sent folders for years, so if either mailbox is ever compromised, every password shared in the past is exposed at once.
Instead, use secure sharing methods. 1Password Secure Sharing or Cancom OTP Share let you share logins without exposing them. If those tools aren’t available, at the very least, split the information: send the username by email and the password via a phone call or SMS. It’s a simple step that makes attackers’ jobs much harder.
4. Use a trusted password manager
Remembering dozens of unique, strong passwords is impossible without help. That’s where password managers come in — secure digital vaults that store and auto-fill your logins.
For SMEs, government bodies, and charities, we recommend 1Password for ease of use or Bitwarden for its open-source transparency. Both allow secure password sharing across teams and enforce policies to prevent the use of weak credentials.
When choosing a manager, look for independent audits, strong encryption, and the ability to manage organisational accounts and groups.
5. Enable biometrics and two-step verification (2FA/MFA)
Passwords alone are no longer enough. Two-factor authentication (2FA), the most common form of multi-factor authentication (MFA), adds a second step such as entering a code from your phone or approving a push notification.
This simple measure stops the vast majority of credential-based attacks. Even if an attacker has your password, they can't get in without the second factor. Codes and push approvals can still be phished or approved by a tired user, so 2FA should sit alongside the least-privilege and awareness measures below rather than replace them.
We recommend authenticator apps like Authy, Google Authenticator, or Microsoft Authenticator, which are safer than SMS codes (SIM swapping and message interception are real attacks). Where a service supports hardware security keys or passkeys, prefer them: they are resistant to phishing. Biometrics such as fingerprints or facial recognition usually unlock the device or authenticator rather than acting as a separate factor, but they add convenience without weakening the second factor.
At Green17, every login system we build now supports 2FA by default.
6. Remove unused accounts and limit access
Every forgotten account is a potential way in. We’ve seen breaches where old volunteer or contractor accounts — never closed after a project — became the entry point for attackers.
Set a schedule to review your user list every quarter. Remove accounts that are no longer needed, and reduce permissions where possible. The principle of least privilege is key: give people only the access they need for their role, not a blanket “admin” status.
This approach not only reduces risk but also simplifies system management.
7. Keep software, plugins, and dependencies up to date
Out-of-date code is one of the most common ways into websites. Once a vulnerability is published, attackers build automated scanners that sweep the internet for unpatched sites, so the window between disclosure and exploitation is short.
Content management systems, plugins, and third-party libraries all need regular updating. If you’re hosting with us, we handle these updates proactively — patching before flaws can be exploited.
If you self-manage, check weekly for updates and don’t just update — also remove plugins or modules you no longer use. Old, forgotten code is often the weakest link.
8. Secure development and test environments equally
Attackers don’t care whether a system is “just a test site.” If it’s online, it can be exploited. In fact, development and staging systems are often softer targets — weak passwords like “password123” or accounts without 2FA are still surprisingly common.
We secure all environments equally: strong, unique passwords, 2FA, restricted access, and no real customer data in test systems. That way, even if a staging server is compromised, there’s no sensitive information to steal — and no easy path into production.
9. Address human risk (phishing, scams, and social engineering)
The single biggest risk factor isn’t code — it’s people. Many of the largest breaches in recent years, including incidents at well-known brands like Marks & Spencer and McDonald’s, began with social engineering: tricking staff into handing over access.
This could be a phishing email that looks like a genuine login request, or a phone call from someone pretending to be IT support. Once attackers get into one system, they often pivot into others.
Training and awareness make a huge difference. Encourage staff to slow down and verify before clicking links or sharing credentials. Create a clear policy for reporting suspicious emails or calls. And design your systems to minimise the damage if someone slips — for example, requiring 2FA, or limiting admin privileges.
10. AI-driven attacks and quantum speed risks
Attack methods evolve as technology advances. Today, attackers are using AI to automate and scale their work — from scanning code for vulnerabilities to generating realistic phishing messages. Unlike humans, AI systems can probe for weaknesses 24/7 without pause.
Looking further ahead, a large enough quantum computer would break the public-key algorithms (RSA and elliptic-curve cryptography) that protect most internet traffic today. This isn't an immediate threat, but governments and industry are already preparing: NIST published its first post-quantum cryptography standards in 2024, and because encrypted traffic captured now can be decrypted later, data that must stay confidential for many years should be the first to migrate.
At Green17, we stay ahead of these changes, adopting stronger standards as they emerge, so your site is not only secure today, but also ready for tomorrow.
What Green17 Does to Keep Websites & Apps Secure
Security is not something we add at the end of a project. It’s built into every stage of how we design, develop, and maintain your website or app. Over 17 years, we’ve created practices that protect against both technical flaws and human error.
- Two-factor authentication as standard: every login system we deliver supports 2FA. Even if a password is stolen, attackers cannot get in without the second factor.
- Principle of least privilege: we never give blanket admin access. Each user has only the permissions needed for their role, which limits the damage if an account is compromised.
- Secure development practices: our developers follow secure coding standards, peer review, and automated security checks. We avoid shortcuts such as shared logins or hard-coded credentials, which often lead to breaches.
- Environment separation: we keep development, staging, and live systems separate, all secured to the same standard. No sensitive data is ever stored in test environments.
- Continuous updates and patching: we monitor the frameworks and plugins that power your site. When a vulnerability is disclosed, we apply updates quickly to close the gap before it can be exploited.
- Regular security audits: we don't just assume systems are safe. We run structured audits covering access, data storage, integrations, and configuration. Many of our clients also bring in independent penetration testers for extra assurance.
- Monitoring and alerts: where possible, we set up monitoring to detect unusual activity, such as repeated failed logins from unexpected locations, so that we can respond faster if something goes wrong.
- Encrypted data and secure hosting: we partner with trusted hosting providers offering strong firewalls, TLS certificates, encrypted storage, and intrusion detection. HTTPS is included as standard in every project.
- Backups that are tested, not just stored: we make sure backups are not only in place but are also restored regularly as a test, so they can be relied on when needed.
- Evolving with new threats: we track the rise of AI-driven attacks and prepare for future challenges such as quantum computing. Our goal is to keep your systems safe today and future-ready tomorrow.
Security is more than a technical checkbox exercise
It protects your organisation’s reputation, the trust of your users, and the stability of your services. Small changes in habits and processes can prevent major problems down the line.
If you’d like us to review your current website or app security, we offer practical, actionable audits that highlight both strengths and gaps.