Protecting your website needs to be your priority from the very first day that it’s online. In essence, website security is something you should build right into the foundations of your web pages and hosting servers.
Why? Because your website, whether it’s loaded with financially valuable information or not, is extremely valuable to hackers for all sorts of reasons. For many malicious online players, simply having access to your hosting server, or to your site’s part of a shared server, is prize enough to make hacking you worthwhile.
For example, a recent case, called Fort Disco by investigators, involved hackers using a 25,000 node botnet to scan the web for vulnerable websites and trying to crack their basic hosting control panel admin passwords. It was a simple hack attempt, but it resulted in a breach of the hosting servers behind some 6000 websites that the hackers could then take control of.
What’s the lesson here? Simply that no matter how simple and ordinary or seemingly valueless your website may be, it can still be the victim of a hacker, possibly even in an automated attack. You have to protect your site servers under all circumstances. Yes, even after something happens you can retrieve data and possibly find the culprits by using digital forensics experts like LWG Consulting, but why go through the hassle?
So how do you go about doing this in a way that actually works at keeping hackers and data thieves at bay? Well, it’s a complex, multifaceted process that involves several basic and slightly more complex steps.
Let’s cover these now.
The Most Common Threats to Websites
First, let’s look over some of the more common threats that websites frequently face on the net so you can have an idea of what we’re talking about. These areas are documented by the annual Top 10 Vulnerabilities study conducted every year by the Open Web Application Security Project (OWASP).
Injection: Occurs when untrusted data is sent to an interpreter as part of a command or query, resulting in the execution of malicious SQL commands or illegal access to databases.
Broken Authentication and Session Management: Application functions that handle authentication and session management aren’t implemented correctly, resulting in broken, compromised sessions in which valuable login data and passwords get stolen and later used for digital identity hijacking.
Security Misconfiguration: Basically, the misconfiguration of applications, systems, security protocols, application servers, database servers and site platforms so that they don’t deliver optimal security. Often this happens because they were left at their default settings when installed and configured.
Cross Site Scripting (XSS): One of the most common site security flaws is cross-site scripting. This is a security bug that occurs when a web application takes unknown, untrusted data and sends it to a web browser without first validating or escaping it. With XSS, hackers can hijack a user’s browser and redirect them to a malicious or phishing website without their knowledge.
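The two list items above (Injection and XSS) come down to the same mistake: untrusted text is handed to an interpreter (the database engine, the browser) in a way that lets it be read as syntax instead of data. The following Python script, added here as an illustration and not part of the original article, builds a small in-memory SQLite table (constructed sample data) and contrasts a query built by string concatenation with one that binds the value as a parameter, then shows HTML escaping for output sent to a browser. The probe string `x' OR '1'='1` is the classic textbook input used to demonstrate why the concatenated form is broken.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: three users, nothing from a real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "editor"), ("carol", "subscriber")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE (OWASP "Injection"): the untrusted value is pasted into the
    # SQL text, so a quote character in it changes the statement's structure.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # HARDENED: the value travels as a bound parameter; the driver never lets
    # it become part of the statement's syntax, whatever characters it holds.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting(name: str) -> str:
    # XSS mitigation: escape untrusted data before embedding it in HTML so the
    # browser renders it as text rather than as markup or script.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print(find_user_unsafe(db, probe))  # every user: the quote escaped the literal
    print(find_user_safe(db, probe))    # []: looked up literally, nothing matches
    print(render_greeting("<script>alert(1)</script>"))
```

The point to take away is that the safe version needs no blacklist of "bad" characters; separating data from code is what removes the bug.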
These are just some of the most common threats that could nail your website; there are many more if you take a look at the somewhat technical but very informative OWASP documentation.
Okay, now let’s get down to the nitty-gritty of securing your site from Square One.
Use Open Source Scripts and Platforms
Open source scripts are your most basic first step in keeping a secure, strong website right from day one. Why? Because open source scripts are made by large teams of highly talented developers who use clean code that’s highly resistant to the above-mentioned attack schemes.
Basically, unless you have a well-trained team of developers or your own personal experience to help you build a rock-solid website from scratch, using open source scripts like WordPress (the most famous), Drupal, Joomla and others is the ideal solution for a totally robust website framework from square one.
Constantly update the scripts your site runs on. The latest versions of your CMS platform, third-party software applications and other software are the most secure versions you have; they should be used at all times because they will provide you with the most robust protection from intrusions via the above-listed attack vectors and others.
Use Strong Passwords and Change them Frequently
All of your access passwords should be strong, well randomized and extremely difficult to guess by accident. This includes the main admin password you use to access your website server cPanel and also the internal passwords for SQL databases. Furthermore, secure your FTP access with a strong password as well.
If you let yourself use default or weak passwords, you could easily fall victim to a server-directed attack like the one described above in our intro.
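"Strong and well randomized" is easy to state and easy to get wrong by hand. The Python snippet below is an added example (not code from the original article) of how to generate such passwords with the operating system’s cryptographic random source and how to check a candidate against a simple policy that rejects short or default-style passwords. The alphabet, the minimum length of 14, the three-character-class rule and the small list of rejected defaults are my own assumptions, chosen to reflect the Fort Disco case described in the intro, where default control-panel passwords were the target.

```python
import math
import secrets
import string

# Assumed character set for generated passwords (84 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"

# Assumed short denylist of default/common choices; a real deployment would
# load a much larger breached-password list.
COMMON = {"password", "admin", "123456", "letmein", "qwerty", "welcome"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def is_acceptable(password: str, min_length: int = 14, min_classes: int = 3) -> bool:
    """Policy check: long enough, mixes character classes, not a known default."""
    if password.lower() in COMMON:
        return False
    present = sum(any(c in cls for c in password) for cls in CLASSES)
    return len(password) >= min_length and present >= min_classes


def generate_password(length: int = 20) -> str:
    """Draw from ALPHABET with secrets (CSPRNG), retrying until the policy holds."""
    if length < 14:
        raise ValueError("refusing to generate a password shorter than 14 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_acceptable(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20, len(ALPHABET)):.1f} bits")
    print(is_acceptable("admin"), is_acceptable(pw))
```

Using `secrets` rather than `random` matters: the `random` module is a deterministic generator seeded for simulations, not a source of secrets.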
Use Secure Password Storage
If you’re storing login data for numerous consumers, clients or users of your site, make sure that you utilize secure password storage. This is crucial because it guarantees that even if attackers manage to access your server database, the information contained within it will be largely useless to them.
How to secure your passwords? Simple: For starters, never store them in plain text in your database. Instead, hash them with a strong one-way algorithm, salt them (combine random data with the password text before hashing) and finally use a deliberately slow hashing algorithm to store them, making cracking that much harder.
Add Custom Database Table Prefixes
This is a simple little step you can take to make your CMS, forum or blog script database tables much more secure: change the database table prefixes from their default lettering to a custom setting. For example, the standard database table prefix in WordPress is wp; you can change it to something like “wp7_q”.
Audit your Website
At least once a year, and especially right after any time you’ve beefed up its security, you should give your website a robust security audit that includes a penetration testing procedure, vulnerability scanning software and a manual test of how easy your systems are to hack open. A common black box scanner like the Acunetix Web Vulnerability Scanner will give you an enormously rich listing of vulnerability data on your website.
Use Security Boosting Plugins
If you’re using a CMS such as WordPress, there are all sorts of plugins available for it that can dramatically boost your overall website security with a simple installation and configuration.
Downloading these is as simple as visiting the WordPress.org website and looking through their plugin selection. Some examples of excellent security plugins: All In One WP Security & Firewall, Better WP Security and WP DB backup. These are just a few and there are many, many more excellent plugins to choose from, at least for WordPress.
FTP, or File Transfer Protocol, is a means of transferring files and data to your website servers from your machine and vice versa. However, ordinary FTP simply isn’t secure enough to be reliable and thieves can theoretically sniff out the data being sent over it as it travels to your site servers.
To avoid this, use a secure FTP program such as CuteFTP, which uses HTTPS to transfer data far more securely and in encrypted form.
Use VPS Hosting
Forget shared hosting for your site. If you’re really serious about maintaining good site security right from day one, then sign up for virtual private server hosting from the start.
VPS hosting gives you access to your own dedicated server that you have full control over.
Shared server hosting, which is truly quite a bit cheaper, leaves you open to the security mistakes of others sharing your servers with you. With VPS far more control is in your hands. It also allows you to install custom firewalls and security barriers that aren’t usually possible with shared hosting.
Use Only the Most Security Conscious Hosting
Go with a web host that allows you the maximum number of website and server security options right from square one. This means choosing a host that offers multifactor authentication, VPS hosting and robust 24-hour technical and security support in case you do suffer a breach.
Choosing a reliable, security-minded host is crucial for keeping a secure website.