I want to clear this up right from the start. No matter how security conscious you are, your website can always be hacked.
In fact, if security isn’t really on your radar and you’re not already taking steps to keep your website (and the underlying application stack) patched and up to date, then it is almost certain that your site will get hacked—and soon.
The thing is, it’s not just your data at risk if your site is hacked. You also run the risk of Google dropping it like a hot potato (meaning you’ll be removed from Google’s search index) if the hackers use it to distribute malware, a common tactic the bad guys use to harvest credit card and personal data from people. In today’s digital world, getting de-listed from Google would almost certainly seriously damage your business.
Unfortunately, the reality is that keeping your site secure is a pretty big task. There are so many ways that the bad guys can find and compromise your website, that you should assume you will get hacked and have a plan in place to minimise the damage.
In addition to having a solid restoration plan (that you’ve tested), I’d recommend paying a lot of attention to the following areas. Doing so will by no means guarantee you’ll be safe, but it will ensure that your site will represent one of the more challenging targets out there, increasing the chances that the bad guys will simply move on to an easier target.
It’s important to understand that no-one needs to specifically target your website for you to be hacked; there are millions of automated tools that continually scan the internet looking for easy targets. Don’t make your site one of them.
1. Understand the risks and eliminate the biggest ones
There are multiple ways in which these automated hacking tools can compromise your site. The most common method is to look for known, documented vulnerabilities found in your site’s content management system (aka the CMS), which typically happens because you’ve not kept your codebase up to date. Similarly, these tools will exploit file and folder permissions that aren’t sufficiently locked down, and make light work of short, simple passwords which you mistakenly believe are protecting your database, FTP account or administration login. Short passwords are quickly and simply “brute forced”, so that they provide little to no protection.
If you’re worried about security then you really shouldn’t be using shared web hosting either. A VPS or cloud server is more secure because it is separated from other websites and you have much greater control over software versions and firewalls. You’ll have the option to make use of additional security measures too.
So here’s the rub. Don’t use shared hosting and don’t use FTP. If you really must transfer files that way, use SFTP instead. Do use long, complex passwords, and keep your CMS patched and bang up to date, which brings me to point number two:
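The file and folder permissions mentioned above are easy to check from a shell. The script below is an added example, not part of the original article: it builds a small constructed web root in a temporary directory with two deliberately over-permissive entries, finds everything under it that is world-writable (the mode bit automated scanners look for), and then applies the conventional baseline of 755 for directories and 644 for files. The file names are constructed for the demo, and the baseline assumes the web server runs as its own unprivileged user rather than as the owner of the files.

```shell
#!/bin/sh
# Audit and lock down permissions under a web root (added example).
set -eu

# Print every file or directory under $1 whose mode grants write access to
# "other" (the 0002 bit), one path per line.
find_world_writable() {
  find "$1" -perm -0002 \( -type f -o -type d \) -print | sort
}

# Number of world-writable entries under $1.
count_world_writable() {
  find_world_writable "$1" | wc -l | tr -d ' '
}

# Apply the conventional baseline: directories 755, regular files 644.
# Assumes the web server does not need write access to the code tree.
lock_down() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample tree so the audit can be demonstrated offline.
# Two entries are deliberately left open to mimic a careless deployment.
make_sample_webroot() {
  root="$(mktemp -d)"
  mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/demo"
  printf '<?php\n' > "$root/index.php"
  printf 'db password lives here\n' > "$root/wp-config.php"
  printf 'jpeg bytes\n' > "$root/wp-content/uploads/photo.jpg"
  chmod 755 "$root" "$root/wp-content" "$root/wp-content/plugins" \
            "$root/wp-content/plugins/demo"
  chmod 644 "$root/index.php" "$root/wp-content/uploads/photo.jpg"
  chmod 777 "$root/wp-content/uploads"   # constructed: world-writable directory
  chmod 666 "$root/wp-config.php"        # constructed: world-writable config file
  printf '%s\n' "$root"
}

# Demo run: audit, remediate, audit again, clean up.
demo_root="$(make_sample_webroot)"
echo "World-writable before lock-down:"
find_world_writable "$demo_root"
lock_down "$demo_root"
echo "World-writable after lock-down: $(count_world_writable "$demo_root")"
rm -rf "$demo_root"
```

On a real server, run find_world_writable against the actual document root first and review the list before applying lock_down, since some CMS upload or cache directories legitimately need to be writable by the web server user (grant that with ownership or group permissions, not with world-writable modes).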
2. Patch everything
Other than using long and complex passwords, staying on top of patching is the most important thing you can do to protect your website. Vulnerabilities are constantly being found, published and exploited, and unless you keep the various layers of software up to date you are asking for trouble. The primary risk is at the application layer; whether you’re using WordPress, Drupal, Joomla, Magento, Kentico, Sitecore or one of the hundreds of other possibilities, your developers absolutely must keep your code updated. Not only does your CMS need to be kept up to date, any plugins that it relies on also represent a significant risk to your site if they’re not maintained and patched on a regular basis.
The application layer might be the greatest risk but it’s not the only area that needs attention; you should also keep the underlying language frameworks and server operating system up to date. Many vulnerabilities target the technologies that support your CMS such as MySQL, PHP, Rails, Apache or Nginx. Work with your developer and hosting company to ensure a maintenance plan is in place to keep everything current.
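A maintenance plan only works if someone actually notices when a component has fallen behind. The script below is an added example, not from the original article: it compares installed versions against the latest available versions for each layer of the stack (CMS, plugins, language runtime, database) using a proper dotted-version comparison rather than a string comparison, which would wrongly rank 6.10 below 6.9. The inventory is a constructed sample, and in practice the "latest" column would be filled from your vendor's release feed or package manager.

```shell
#!/bin/sh
# Flag outdated components in a stack inventory (added example).
set -eu

# Return 0 (true) if dotted version $1 is older than dotted version $2.
# Missing trailing components are treated as 0, so 6.3 equals 6.3.0.
version_older() {
  a="$1"
  b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ap="${a%%.*}"
    bp="${b%%.*}"
    if [ "$a" = "$ap" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bp" ]; then b=""; else b="${b#*.}"; fi
    ap="${ap:-0}"
    bp="${bp:-0}"
    if [ "$ap" -lt "$bp" ]; then return 0; fi
    if [ "$ap" -gt "$bp" ]; then return 1; fi
  done
  return 1
}

# Constructed inventory: component, installed version, latest version.
INVENTORY='wordpress 6.3.1 6.4.2
plugin:contact-form 5.8 5.8
plugin:seo-pack 4.1.9 4.2
php 8.1.2 8.1.2
mysql 8.0.33 8.0.35'

# Print one line per component whose installed version is behind latest.
report_outdated() {
  printf '%s\n' "$INVENTORY" | while read -r name installed latest; do
    if version_older "$installed" "$latest"; then
      printf '%s %s -> %s\n' "$name" "$installed" "$latest"
    fi
  done
}

# Number of outdated components, handy as an exit code for a cron job.
count_outdated() {
  report_outdated | wc -l | tr -d ' '
}

echo "Outdated components:"
report_outdated
echo "Total: $(count_outdated)"
```

Wired into cron, a non-zero count_outdated result can open a ticket for your developers or hosting company, which turns "keep everything current" into something measurable.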
3. SSL everywhere
Using an SSL certificate ensures that any data transmitted to and from your website is encrypted, helping to keep your (and your customers’) data secure. SSL protects the data from being spied upon, which is surprisingly simple to do, especially if you’re still using FTP! SSL is so important nowadays that you’ll be penalised in Google’s natural search listings if you aren’t using it, which will negatively impact your SEO efforts. Get it done!
4. Use a firewall—or two
Make sure your server only allows access to traffic that is absolutely necessary. This is most commonly achieved by first ‘hardening’ your server by removing any unused services, and secondly using a host-based firewall such as iptables, the industry standard for web servers running Linux. A network-based firewall can provide further protection if you’ve got the cash, and if you layer on a ‘web application firewall’ (WAF) then you’ll have covered most of your bases. A WAF protects your website from a variety of common attacks such as SQL injection, cross-site scripting and application-specific (e.g. WordPress, Magento) attacks. If you’re an online retailer then you really should be using a WAF; they’re an essential building block as part of your PCI compliance strategy.
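Here is what "only allow traffic that is absolutely necessary" looks like as a host-based iptables policy. This is an added example, not configuration from the original article or from Anchor: the function emits a ruleset in iptables-restore format with a default DROP policy on INPUT, allowing only loopback, replies to established connections, ping, and the TCP ports you list. The admin network 203.0.113.0/24 is a constructed placeholder from the documentation address range; substitute the address your administrators actually connect from.

```shell
#!/bin/sh
# Generate a default-deny iptables ruleset for a web server (added example).
set -eu

# Print an iptables-restore ruleset allowing inbound TCP on the ports in $1
# (space-separated). If $2 is given, port 22 is restricted to that CIDR.
generate_ruleset() {
  ports="$1"
  admin_net="${2:-}"
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  # Loopback traffic is required by most local services.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # Allow replies to connections the server itself initiated.
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # Ping is useful for monitoring; drop this line if you prefer silence.
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
  for p in $ports; do
    if [ "$p" = 22 ] && [ -n "$admin_net" ]; then
      printf '%s\n' "-A INPUT -p tcp -s $admin_net --dport 22 -j ACCEPT"
    else
      printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    fi
  done
  printf '%s\n' 'COMMIT'
}

# Return 0 if the ruleset on stdin contains an ACCEPT rule for TCP port $1.
ruleset_allows_port() {
  grep -q -e "-A INPUT -p tcp.*--dport $1 -j ACCEPT"
}

# Demo: web ports open to the world, SSH only from the admin network.
generate_ruleset "22 80 443" "203.0.113.0/24"
```

Save the output to a file and load it with iptables-restore; do so from a console session or with a scheduled rollback the first time, because a mistake in the SSH rule locks you out. Note that the database port (3306 for MySQL) is deliberately absent: the database should listen only on localhost or a private network, never on the public interface.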
5. Ensure you have pro-active server management & quality support.
Fully managed hosting means your hosting company should have your back, providing round-the-clock active server monitoring and pro-actively patching your server’s operating system and application stack. And should the worst happen, you’ll need to speak with a knowledgeable team to get your site clean and back online. Here at Anchor, we can take care of just about everything, so that you (or your developers) can focus on your application and custom code while we handle all the server configuration and maintenance shenanigans.
Bonus Tip – Bug Bounties.
One of my favourite security services is https://bugcrowd.com/. They run “bug bounties” that focus on finding security vulnerabilities in your website or application. Essentially, you put up a prize (say, $5000) and invite a bunch of white-hat hackers (the good guys) to try to break into your site and steal some data. Those who succeed win some money and you get any problems or vulnerabilities identified so you can fix them before the bad guys give you a bad day.
Once you’ve run through the above list, and if you’re serious about securing your site, a bug bounty might just be one of the very best ways to spend your leftover cash.