Securing your website protects not only brand and reputation, but it also safeguards your customers’ sensitive information from prying eyes.
Website security is the set of measures taken to protect a website from being hacked. It is not only an essential process but an ongoing part of managing a website.
As known vulnerabilities are identified and patched, hackers find alternative methods to exploit web applications.
Why is website security important?
Nobody wants a hacked website. It creates a multitude of issues, from data loss to a loss of traffic and possibly being blacklisted by search engines. From a ruined reputation to a loss of business, there is no upside to not securing your website as well as possible.
Why do websites get hacked?
Often, there is a misconception about why websites get targeted. Whilst it is true that big brands get targeted for different reasons, small business owners are equally at risk.
The majority of exploits are carried out using automation: malicious bots, brute-force tools and other software. The size of the business or website is therefore irrelevant to the level of risk.
Automation is the primary reason websites have their security compromised. Why? Because automated exploits look for known vulnerabilities in popular CMSs (Content Management Systems) and then target websites that use those CMSs.
The pros and cons of CMSs
The upsides far outweigh the downsides when it comes to using a content management system to develop your website.
Platforms such as WordPress, Magento, Joomla and Drupal allow users to develop a platform to promote their online brand far more easily and cheaply than with a proprietary CMS.
And whilst these CMSs are regularly updated with security patches as well as feature and performance improvements, they are targeted more by hackers.
It’s the same as Windows vs Linux. Most of your software likely supports the Microsoft OS, whilst few support Linux. Therefore, as there are more users of Windows, it’s going to be targeted more.
Types of common cyber attacks
There are various forms of cyberattack that website owners are under threat from. Some of the more common ones include:
SQL Injection
One of the more common forms of attack is SQL injection. As most websites are backed by a SQL database, it is one of the most frequently encountered attacks. By injecting malicious SQL through input the application fails to sanitise, hackers can modify, dump, or delete data in a database that is supposed to be inaccessible to the end user.
This could range from ‘dumping’ a database containing user information such as emails, passwords and credit card details, to modifying a database so that content is displayed without your permission.
Worse still, this method is often used to inject a hidden admin user, enabling a back-door login to your website.
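To show concretely what the text describes, here is an added example (not from the original post) of a user lookup written two ways: one that pastes input into the SQL text and one that binds it as a parameter. The table and its rows are constructed sample data held in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample rows standing in for a CMS user table (not real accounts).
SAMPLE_USERS = [
    ("alice@example.com", "hash-of-alice-pw", 1),
    ("bob@example.com", "hash-of-bob-pw", 0),
    ("carol@example.com", "hash-of-carol-pw", 0),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash, is_admin) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def find_user_vulnerable(conn, email):
    """Vulnerable lookup: the untrusted value is pasted straight into the SQL text.

    Whatever the caller passes becomes part of the query, so a value containing
    a quote rewrites the WHERE clause instead of being compared against it.
    """
    sql = "SELECT id, email, is_admin FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    """Hardened lookup: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT id, email, is_admin FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"  # not an email address at all
    print("vulnerable:", find_user_vulnerable(db, tampered))  # every row is dumped
    print("safe:      ", find_user_safe(db, tampered))        # no such email: []
```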
Cross-Site Scripting (XSS)
A more difficult technique, but one that has successfully been used against some big names, including Microsoft and Google.
Distributed Denial of Service (DDoS)
Often targeted at bigger sites, this technique is used primarily to take websites offline. By flooding a web server with huge amounts of traffic at the same time, it causes the server to become overloaded and go offline. Microsoft and Sony have both been victims of DDoS attacks in the past.
How to make a website secure
So how do you protect your website efficiently in a world where threats and exploits are forever evolving and changing?
The good news is that there are steps you can take to reduce your risk level, though which CMS, plugins and modules you use will determine parts of the route you take.
1. Keep your local machine protected and up to date
It may seem obvious, but make sure that when you establish a connection from your local PC to your web server, you have an up-to-date antivirus application running on your machine.
You should also ensure that your local machine is kept up to date with security patches for your operating system.
2. Keep your online software up to date
First and foremost, you should ensure you keep your software up to date. This applies to both your server where you host your website, as well as your CMS.
The reason this is so important is that when exploits are discovered they are patched, though it is up to you to make sure you apply those patches. For most users, their hosting provider will offer a managed hosting solution, so this part is likely done for you.
However, when it comes to your website, this is a step you will need to take yourself.
Note: We always advise, before applying updates that you take a full backup first and read the patch notes supplied.
3. Keep 3rd party online applications up to date
Most website owners will be using a CMS that has 3rd party add-ons in the form of themes and plugins. You must regularly check and update these 3rd party add-ons.
Note: As above, you should always take a full backup before applying these updates. The reason is that sometimes updates break cross-compatibility with other 3rd party applications. Unfortunately, this is a downside of having 3rd party modules, and whilst updates may cause compatibility issues, security should be the focal point.
4. Hide the fact you use a well-known CMS
Automated hacking attempts look for traces in your site’s code that reveal it is developed on a widely recognised platform. Once these processes know which CMS is used, they try known exploits against it. It’s a constant back-and-forth battle between developers and hackers.
When you consider that the largest of these platforms, WordPress, powers just over 35% of all websites in the world and has a 62% market share, it’s no surprise that malicious attempts are made to hijack websites using this platform.
One of the things you could do is hide your login page. On WordPress the default login page is www.yourdomain.com/wp-admin.
We use WordPress, but you will notice that our login page as above does not exist.
Furthermore, nor does any reference to default directories such as the content folder, themes or plugins.
By limiting information like this, we also limit our risk exposure: automated systems are far less likely to discover what platform we’re using, so automated targeting becomes less effective.
5. Only use encrypted connections (HTTPS)
As we have mentioned previously on the blog, ensuring your site is protected with an SSL certificate is important.
We won’t run over it all again (here’s the link to the importance of having an SSL on your website) but to summarise:
Having an SSL certificate on your website is crucial as it encrypts data sent between the browser and the server. This means that if your website address starts with https, any data you enter in the browser is encrypted as it is sent to the server. If your website address starts with http (notice no ‘s’), then your data is not encrypted and can be intercepted.
When entering sensitive data such as usernames and passwords, on your website or others, you should always make sure that the website address starts with https. Otherwise, your login details or personal details (on a 3rd party website) could be stolen.
Note: Some website hosting companies offer free SSL certificates to their clients. One such hosting provider and one that we recommend is SiteGround.
6. Confirm your folder permissions
Often, web developers will develop a website on a localhost or another server before transferring the website to your own server.
If so, the chances are that some of your file and folder permissions are set incorrectly, as these permissions do not transfer over.
You should make sure that your files are set to 644 and your folders are set to 755.
644 file permission – The file is readable by the owner, group and world, and writeable only by the owner.
755 folder permission – Everyone can read and enter (execute) the folder, but only the owner can write to it.
Having the correct permissions set means that malicious code can’t be injected and files can’t be added by external sources or other websites hosted on the same server.
Note: Most businesses will have a shared server. This is how hosting companies make their money by having more than one user on the same server environment. It’s therefore very important that your file and folder permissions are set correctly.
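As an added example (not part of the original post), the following script audits a webroot for anything that is not 644/755 and can set the expected modes. It builds its own throwaway sample site in a temporary directory, with a deliberately world-writable config file and uploads folder, so it runs without touching a real server; the file names are constructed placeholders.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644  # rw-r--r--
DIR_MODE = 0o755   # rwxr-xr-x


def audit_permissions(root):
    """Return (relative_path, actual_mode, expected_mode) for every file or
    folder under root whose mode is not 644 / 755. Symlinks are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, expected in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            if actual != expected:
                findings.append((os.path.relpath(full, root), actual, expected))
    return sorted(findings)


def fix_permissions(root):
    """chmod every entry reported by audit_permissions; return how many were changed."""
    findings = audit_permissions(root)
    for rel, _actual, expected in findings:
        os.chmod(os.path.join(root, rel), expected)
    return len(findings)


def build_sample_webroot():
    """Constructed sample webroot (not a real site) with two deliberate mistakes:
    a world-writable config file (666) and a world-writable uploads folder (777)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel, mode in [("index.php", 0o644), ("wp-config.php", 0o666)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)
    return root


if __name__ == "__main__":
    site = build_sample_webroot()
    for rel, actual, expected in audit_permissions(site):
        print("%-25s is %s, should be %s" % (rel, oct(actual), oct(expected)))
    print("fixed %d entries" % fix_permissions(site))
```

Point it at a real webroot by replacing the constructed directory with your site’s path; review the findings before running the fix, since some applications legitimately need a few exceptions.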
7. Backup, Backup, Backup
Most web hosting providers have a form of backup and restore functionality. However, you should not rely on this solely as a form of protecting your data.
Why? Because a web hosting provider’s restore function works differently to other platforms.
When you take a backup through a web server, it creates a copy of your files and databases. When you restore, it simply ‘restores’ those files and databases to their previous state. However, what it will not do is remove files. Let us take this scenario as an example to explain the problem more clearly:
A. You take backups of your website daily.
B. One day, for some reason or another, your website becomes infected.
C. You log in to your web server and initiate a restore from a date previous to the infection.
In this scenario, your files will indeed be restored to the state they were in before the infection. However, any malicious files added since will remain. This is because web servers do not (in general) take disk-image backups.
Therefore, you should implement an off-server backup system. This is good practice regardless of the above, as it means your data is protected in more than one location at any one time.
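The scenario in steps A to C, as an added example that is not part of the original post: it records a manifest of the files a backup would contain, then compares the current tree against it so that files a restore would leave behind are listed separately from files a restore would repair. The sample site and the “injected” content are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256.
    This is everything a file-level backup taken on day A knows about."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare_with_backup(backup_manifest, root):
    """Return (added, modified): files the backup has no copy of, and files whose
    content differs from the backup. A file-level restore repairs 'modified' but
    leaves 'added' in place, so 'added' is the list to review by hand."""
    current = build_manifest(root)
    added = sorted(set(current) - set(backup_manifest))
    modified = sorted(p for p in current
                      if p in backup_manifest and current[p] != backup_manifest[p])
    return added, modified


def write_file(root, rel, text, append=False):
    """Small helper to create or append to a file below root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a" if append else "w") as fh:
        fh.write(text)


def run_scenario():
    """Constructed walk-through of steps A to C from the text (sample site, not real)."""
    root = tempfile.mkdtemp(prefix="site-")
    write_file(root, "index.php", "<?php echo 'hello'; // constructed\n")
    write_file(root, "wp-content/uploads/photo.jpg", "not-really-a-jpeg")
    backup = build_manifest(root)  # A: the daily backup is taken
    write_file(root, "index.php", "<?php // injected line (constructed)\n", append=True)  # B: a file is altered
    write_file(root, "wp-content/uploads/.cache.php", "<?php // dropped file (constructed)\n")  # B: a file is added
    return compare_with_backup(backup, root)  # C: what a restore would and would not undo


if __name__ == "__main__":
    added, modified = run_scenario()
    print("restore would repair:", modified, "| restore would leave behind:", added)
```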
8. Website management
Whilst there is a lot to think about, having the time to do so may not be realistic. After all, you are no doubt too busy running your business to worry about website maintenance, content updates and now security implementations as well.
That’s why we offer website management services. It’s a stress-free solution to making sure your content is kept up to date as well as your security. From eCommerce management to new features, functionality, and security – we provide flexible website management solutions for businesses and tailor a unique service solution to each business. Why not contact us for a free consultation to find out how we can help your business?
9. Complete Website Security
If you want to step it up a notch, then you should consider looking at a platform that offers complete website security, protecting your website from hacks and attacks.
Sucuri is a complete website security, protection and monitoring platform that offers businesses peace of mind from online threats, as well as malware removal should they require it.
Their comprehensive platform is split into the following:
Monitoring & detection
Their monitoring and detection features are all about looking for threats, from weekly scans of your website to scans of all files and folders located on your web server. They also look for DNS changes and spam injections, so you can be made aware of these and have them removed before they are picked up by search engines and damage your online visibility.
Protection
Their active protection comes in the form of a Web Application Firewall (WAF), which filters, monitors and blocks traffic from malicious sources.
This layer of protection also prevents brute force attacks as well as DDoS attacks that we talked about earlier.
Whilst Sucuri offers other features, its core is split into three sections, with the last being incident response.
Incident response
If your website is unfortunately compromised, then they offer a malware removal service. Carried out by security specialists, they’ll remove any malicious code from your files and databases.
Normally this is how people find out about the service: because they’ve been targeted and their website is displaying some form of spam that the website owner is trying to resolve.
It is normally at this stage where people look at protecting their website from future hacks and that is often how these security companies are found and utilised.
However, if you want to protect yourself now, before such incidents take place, we recommend that you check them out. They offer complete website security, monitoring and protection for a single yearly subscription.