Website security is sometimes neglected, or treated as an afterthought. Focusing on securing only one layer of your website leaves you vulnerable. Let's prevent that, shall we? A public website is a fixed, always-reachable target for both targeted and blanket attacks. To put it bluntly, if you have a website, you need to keep security first and foremost in mind, and that means accounting for every layer the site runs on, not just the one you can see.
Before sharing key things to keep in mind when addressing security issues for your website, I am going to continue my theme of sharing my experiences so you can learn from my mistakes. I have had websites hacked before. If you have not experienced that stomach-dropping moment, let me tell you, it’s enough to turn your blood into ice, and cause your hands to start shaking. But it is not the end of the world.
If you take nothing else from this post, take the knowledge that it is not a matter of if, but when your website will be compromised. We live in a world where the “bad peeps” are ahead of us technologically and the “good peeps” are playing catch-up. There is no such thing as 100% safe. Simply being online is a risk. Having that domain URL makes your target static and increases your risk of compromise.
Back before I really understood all the different layers of security that needed to be implemented, I thought I was safe. I was one blog in a world of millions of other blogs. I didn’t write about anything political. There was nothing being posted that could be considered controversial. Still, I woke up one day to an email from a university's admin informing me that my website was attempting to attack one of their systems. Cue the cold sweat.
I was using WordPress, and my first thought was that the vulnerability was in my site. I sat down with my host, and through a sleepless and stressful 26 hours we discovered the issue was not my site at all. It was a previously undisclosed vulnerability that targeted the hosting server. We were able to patch it and put rules in place to prevent it from happening again. In a way, I thank the bot that attacked the server, because it inspired me to focus on internet security for my Master's degree and really dig into what is going on behind the scenes in all the click-bait news.
You didn’t read that header wrong. Your website does not exist in a vacuum. The website itself is a collection of code that produces content for people to see. To serve that content, a web server such as Internet Information Services (IIS) or Apache has to be running. Depending on the site, a database stores the content. All of these applications need an environment to run in, usually a hosted server, physical or virtual, with its own operating system.
Each of those pieces, the operating system, the web server, the database and the site code, is a separate attack surface, and they exist only so that your site can exist. For a visitor to reach the site, they use a domain name. DNS resolves that name to the IP address of your server, so the browser knows where to send its requests. The domain registration and the DNS records are yet another attack vector: whoever can change them can send your visitors wherever they choose.
One thing I rarely see mentioned when it comes to website security is the users. Who has access to your site? Who can login to your site? Are they using a secure password? Are they using 2-factor authentication? When they login are they treated as an admin? Can they see and update everything? Does the person who is responsible for creating new job listings need to have access to editing the blog post that was written by someone in a different department? Now imagine if that user account was given carte blanche and its password was compromised.
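As an added example (not part of the original post), here is a small Python audit that applies the questions above to a user list: is every account that can administer the site on 2-factor authentication, does each account's role match what its owner actually needs to do, and has anyone stopped logging in. The users, the role names and the role-to-capability table are constructed sample data, loosely modelled on WordPress-style roles; a real audit would pull them from the site's user database.

```python
# Added example, not code from the original post. The users below, the role
# names and the role -> capability table are constructed sample data.
from datetime import date

# Assumed, simplified capability table (roughly WordPress-like role names).
ROLE_CAPS = {
    "administrator": {"manage_users", "install_plugins", "edit_posts", "edit_jobs"},
    "editor": {"edit_posts", "edit_jobs"},
    "job_poster": {"edit_jobs"},
    "author": {"edit_own_posts"},
}

# Constructed user list: the role each account was given versus what the
# person actually needs to do their job today.
USERS = [
    {"name": "alice", "role": "administrator", "mfa": True,
     "needs": {"manage_users", "install_plugins", "edit_posts", "edit_jobs"},
     "last_login": date(2024, 5, 1)},
    {"name": "bob", "role": "administrator", "mfa": False,       # only posts job listings
     "needs": {"edit_jobs"}, "last_login": date(2024, 4, 28)},
    {"name": "jim", "role": "editor", "mfa": True,               # no longer writes for the site
     "needs": set(), "last_login": date(2023, 9, 2)},
    {"name": "dana", "role": "author", "mfa": True,
     "needs": {"edit_own_posts"}, "last_login": date(2024, 5, 2)},
]
AUDIT_DATE = date(2024, 5, 3)   # assumed "today" so the example is reproducible


def least_role(needs, role_caps):
    """Smallest role (fewest capabilities) that still covers every needed capability.
    Returns None when nothing is needed (disable the account) or no role fits."""
    if not needs:
        return None
    fits = [r for r, caps in role_caps.items() if needs <= caps]
    return min(fits, key=lambda r: len(role_caps[r])) if fits else None


def audit(users, role_caps, today, stale_days=90):
    """Return (username, finding) pairs for every account that violates the policy."""
    findings = []
    for u in users:
        caps = role_caps[u["role"]]
        # Anyone who can manage users or install code must have a second factor.
        if {"manage_users", "install_plugins"} & caps and not u["mfa"]:
            findings.append((u["name"], "admin without 2FA"))
        # The role should be the smallest one that covers the job, nothing more.
        target = least_role(u["needs"], role_caps)
        if target != u["role"]:
            findings.append((u["name"], "over-privileged: %s -> %s"
                             % (u["role"], target or "disable")))
        # Dormant accounts are a standing risk; downgrade or remove them.
        idle = (today - u["last_login"]).days
        if idle > stale_days:
            findings.append((u["name"], "stale: no login for %d days" % idle))
    return findings


def run_audit():
    return audit(USERS, ROLE_CAPS, AUDIT_DATE)


if __name__ == "__main__":
    for name, finding in run_audit():
        print("%-6s %s" % (name, finding))
```

On the sample data this flags bob twice (an administrator with no second factor who only needs to post job listings) and jim twice (an editor role with no remaining duties and no login in months), while alice and dana pass. The useful part is `least_role`: it turns "what does this person need" into the narrowest role that covers it, which is the question to ask every time someone's responsibilities change.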
As you can see, your website is actually a layered cake. Each layer works together to create that sugary goodness that presents your brand, content, and marketing to visitors. With all these layers to watch, it can seem daunting and instil a sense of impending doom. Do not fret though fellow website owner. Every single layer can be protected.
Every day new vulnerabilities are discovered which threaten to poison your brand or service, and new attacks are written to exploit them. In most cases those attacks do not target your company directly. They are blanket attacks that probe every domain and IP address they can reach, looking for any known weakness. True website security requires each layer to be addressed. There are four key steps you should keep in mind:
Update - When the platform your site runs on, or any plugin, component, extension, database or operating system underneath it, has a security update, you must apply it. If the site is mission critical to your brand, you need to decide whether to push the update straight out or run it through a test copy first, but either way do not let it sit. The number of websites still being defaced because the core code was never updated is staggering. Don’t become the victim of a situation you could have prevented.
Backup - Don’t just back up your website files. Back up the database too. Hosting providers should be doing the same for their servers, but do not rely on that alone. And test the backups by actually restoring them! I cannot tell you how many times I, and many other security professionals, have been called in to help fix a compromised site only to discover that the last working backup was from six months ago, or in one extreme case that the backups had never worked in the first place.
Protect - There are many security tools out there for websites. Use them. Typical offerings include a web application firewall, malware and rootkit scanning, and file integrity monitoring. Apply the same thinking to the database and the hosting operating system: a host firewall, antivirus or anti-rootkit scanning, and logging you actually review.
Access Lists - Know what each user can do, what they have access to, and how they log in. Add 2-step verification to the login process. If Jim is no longer responsible for creating blog posts, lower his access level, and remove accounts that are no longer needed at all. Keep the list current.
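To make the "test the backups" step concrete, here is an added Python example (not from the original post) that backs up a small SQLite database, records a hash and a row count in a manifest, and then proves the backup is restorable by restoring it into a scratch database and checking it. SQLite stands in for whatever database the site uses; the sample `posts` table, the manifest format and the two failure cases are constructed for illustration. The same pattern applies to a MySQL dump: restore it into a scratch instance and query it, rather than trusting that a file with the right name exists.

```python
# Added example, not code from the original post. The sample table, the
# manifest layout and the failure cases below are constructed for illustration.
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_site_db(path):
    """Constructed stand-in for a site's content database."""
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO posts(title, body) VALUES ('Hello', 'first post'), "
        "('Layers', 'defence in depth');"
    )
    con.commit()
    con.close()


def backup_db(src_path, dest_path):
    """Take a consistent online snapshot with SQLite's backup API and record
    what a good restore must look like: the file hash and the row count."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dest_path)
    src.backup(dst)                      # sqlite3.Connection.backup, Python 3.7+
    rows = src.execute("SELECT COUNT(*) FROM posts").fetchone()[0]
    dst.close()
    src.close()
    return {"path": str(dest_path), "sha256": sha256_file(dest_path), "posts": rows}


def verify_backup(manifest, scratch_dir):
    """Prove the backup is usable: the file is unchanged since it was written,
    a restored copy passes SQLite's integrity check, and the data is all there."""
    path = manifest["path"]
    if sha256_file(path) != manifest["sha256"]:
        return False                     # damaged or replaced after the backup ran
    restored = Path(scratch_dir) / "restore-test.db"
    shutil.copyfile(path, restored)      # "restore" = bring it up somewhere harmless
    con = sqlite3.connect(restored)
    try:
        if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            return False
        return con.execute("SELECT COUNT(*) FROM posts").fetchone()[0] == manifest["posts"]
    except sqlite3.DatabaseError:        # e.g. "file is not a database"
        return False
    finally:
        con.close()


def run_demo():
    """Returns (good_ok, damaged_ok, junk_ok); only the first should be True."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        make_sample_site_db(d / "site.db")
        manifest = backup_db(d / "site.db", d / "site-backup.db")
        good = verify_backup(manifest, d)

        # Case 1: the file was fine when written but got truncated later
        # (partial copy to off-site storage, disk trouble). The hash catches it.
        with open(manifest["path"], "r+b") as f:
            f.truncate(512)
        damaged = verify_backup(manifest, d)

        # Case 2: the backup job "succeeded" but saved junk (think an error page
        # instead of a dump) and the manifest faithfully recorded that junk.
        # Only an actual restore attempt catches this one.
        junk_path = d / "junk-backup.db"
        junk_path.write_bytes(b"<html>502 Bad Gateway</html>" * 40)
        junk_manifest = {"path": str(junk_path), "sha256": sha256_file(junk_path), "posts": 2}
        junk = verify_backup(junk_manifest, d)
        return good, damaged, junk


if __name__ == "__main__":
    print("good=%s damaged=%s junk=%s" % run_demo())
```

The second failure case is the one the post warns about: a backup that was never usable, yet every status report said it ran. A hash only tells you the file has not changed since you wrote it; a restore into a scratch database tells you it is worth having.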
As I said before, there is no such thing as 100% safe. Instead, what you can do is work to ensure each layer of your website is protected. This is one of the biggest reasons I advocate having someone whose sole job is to protect your website. This allows you to stay focused on making your company and brand shine.