Are You Concerned About Website Security?

What can be done to secure your website

Website security can be a constant form of stress for those responsible for ensuring a website stays online and operational. Security vulnerabilities, hackers, computer viruses, spyware and spam all conspire to bring down your hard earned efforts. Well, perhaps I am getting a little paranoid here (though just a little).

There is virtually nothing on the internet that is totally secure. Just look at recent reports of security threats to military systems or cyber attacks on banks. If these organisations are not secure, what hope is there for smaller businesses?

Where most of us can relax a little is that large organisations like the above are simply larger targets. Cyber-criminals are looking for some sort of payoff for their efforts. Hacking into a bank can provide this. Breaking into a small business rarely does.

The truth is that there are many levels of security that can be enacted. Some, in fact, are easier for a small business to put in place than a corporation. Additionally, there is a big difference between not “totally secure” and leaving a wide-open invitation for attack. Make it difficult for the attackers and they will look for easier targets.

So to finally answer the question posed in the title; should you be concerned about your website security? The answer is a definitive, Yes!

To pose a second question; is there anything that can be done? The answer is also a definitive, Yes of course!

Protecting Your Website

When it comes to the security of your website, there are a number of layers that can be reviewed. Most of the layers will be directly accessible however some may require changes by your Internet Service Provider (ISP).

The vital first step in your security setup is to determine your website vulnerabilities. How could potential hackers gain access to your system or data? There are a number of attack vectors to consider;

1. Website software vulnerabilities.
2. Server vulnerabilities.
3. Human error/apathy.

The best time to consider all these security factors is when you are planning or building a new website. Having said this, implementing security measures at any time is better than none.

Website Software Security

The following elements of website security are typically manageable from within the administrator section of your website.

Core Content Management Systems

Most modern websites are built using a Content Management System (CMS). We most often use WordPress CMS to build websites, however, there are plenty of options out there.

One of the most important steps you can take to secure your website is ensuring that your CMS is up-to-date. From time-to-time security flaws are found in the CMS that may allow an attacker entry into your system. Patching those flaws quickly is important in maintaining a secure website.

This is one of the reasons we like open source software so much. There are many strange and talented individuals out there who spend a large amount of their time looking for programming flaws such as these. Once found, especially if they are critical security vulnerabilities, they are generally fixed quickly.

Plugins

A number of CMSs allow additional functionality to be added to the core system through the installation of plugins. These plugins can add features or fill gaps in the core components of the CMS.

Just as it is important to maintain a watch over security vulnerabilities in the CMS, so it is with plugins. The software code of plugins needs updating as bugs and flaws are discovered. Doing this promptly, especially with security issues will minimise the risk to your website.

An additional threat that has arisen more recently is fake plugins. These are plugins that have been intentionally written to provide illegal access to your website, but marketed as something else. Always be certain of the providence of the software installed on your system.

Even more of a worry are plugins that were originally legitimate (and reasonably popular), the rights to which are then purchased by cybercriminals. They modify the code to make the plugin vulnerable and next update, that vulnerability gets added to your website. The original authors of these plugins do not usually knowingly sell to these criminals. Once discovered alerts are put out to notify users of the situation.

Security Software

An additional layer of site security can be added through the installation of a security plugin or software. These can help close down known attacks or close gaps in the core CMS.

A number of security software development firms even have teams of their own researchers. They are constantly investigating programs for potential vulnerabilities so that their software can close the holes.

Form validations

When entering and submitting data in a web form, there are two types of form validation that can occur.

Client-side validation happens locally in your browser. It is good for ensuring that email addresses are the correct format, phone number the right length, etc… Client-side validations, however, are easily avoided if someone has malicious intent.

Server-side validation is much more secure. It prevents a range of attacks such as malicious SQL code being injected into the database.

Server Security

Your web server is controlled by a website hosting company. The software and setup used by the web host is very important to the security of your website.

Unfortunately, much of the setup of your web server is not normally under your control. Because of this, it is important that you properly research the web hosting company. Make sure they have a good reputation and there is no evidence of them experiencing security issues.

PHP Version

PHP is an important underlying technology or many web servers. As of writing this article PHP 7.2 is the most recent version. Some web servers allow direct access to the PHP version selection.

Many websites are still running on outdated and no longer supported versions of PHP. This means that security holes are not fixed, and in fact, your site is taking a huge performance hit. Versions PHP 7.0 onwards are almost twice as fast as PHP 5.6 (hint: great for SEO).

HTTPS

HTTPS is the protocol that dictates how information is transferred between server and browser, and how it should be treated. Obtaining a security certificate leads the way for the setup of HTTPS on your website. As all data sent via HTTPS is encrypted, this prevents some types of attach, provides data integrity, and prevents eavesdropping.

Human Aspects

Back to security risks that can be more directly controlled. Unlike the above, however, these are more based on human behaviour than technical aspects.

Secure password procedures

Ensuring that all website users have strong passwords, especially those with administrative access, is vital in keeping your site secure. Simple or insecure passwords are a major portion of data breaches.

Education and awareness of password management are important in dealing with this form of vulnerability. Using available tools or plugins to ensure strong passwords can also be helpful.

User management

This shouldn’t really need to be stated, but don’t give access to your system to anyone you don’t fully trust. Alternatively, limit access to users who don’t need it. Ensure processes are put in place to manage website users and admins so that appropriate access is provided.

Another important element here is to be aware of current scams and educate yourself and staff members about them. Scams are typically used to either discover a users personal information or to trick them into clicking on something which could compromise the security.

Additional Thoughts on Security

These last couple of items are not specifically focused on securing a website however they are important enough to mention.

Emails! Clicking on insecure links or opening malicious attachments are both still major paths for breaching computer security. Never open an attachment unless you know and trust the person who sent it. Even then double check, as their email may have been compromised. If you are uncertain, simply give them a call and ask if they sent you something.

Another simple method to alert a colleague that an attachment is secure is to write confirming information in the body of the email. If the person knows you, they can recognise your style of writing which will then confirm an attachment is legitimate.

The last but not least important item is backups. Whilst they are not specifically a security measure, they do allow for recovery from any breach. The important thing to remember here is that if someone is able to access your server, they can also access your backups. Keep a copy of your website backups in an alternative location.

Comments

I am certain there is a vast range of issues, risks and technique that I have not touched upon. What I have tried to achieve is a broad-brush overview of the risks and possible solutions. I therefore welcome any comments or questions about this article.