Website security is the measures taken to secure a website from cyberattacks. In this sense, website security is an ongoing process and an essential part of managing a website.
Website security can be a complex (or even confusing) topic in an ever-evolving landscape. This guide is meant to provide a clear framework for website owners seeking to mitigate risk and apply security principles to their web properties.
Before we get started, it’s important to keep in mind that security is never a set-it-and-forget-it solution. Instead, we encourage you to think of it as a continuous process that requires a constant assessment to reduce the overall risk.
By applying a systematic approach to website security, we can think of it as an onion, with many layers of defense all coming together to form one piece. We need to view website security holistically and approach it with a defense in depth strategy.
Why is Website Security Important?
Website security is important because nobody wants to have a hacked website. Having a secure website is as vital to someone’s online presence as having a website host. If a website is hacked and blacklisted, for example, it loses up to 98% of its traffic. Not having a secure website can be as bad as not having a website at all or even worse. For example, a client data breach can result in lawsuits, heavy fines, and a ruined reputation.
Why Websites Get Hacked
There are over 1.94 billion websites online in 2019. This provides an extensive playground for bad actors.
There is often a misconception about why websites get hacked. Owners and administrators often believe they won’t get hacked because their sites are smaller, and therefore make less attractive targets. Hackers may choose bigger sites if they want to steal information or sabotage. For their other goals (which are more common), any small site is valuable enough.
Tips For Better Website Security
You need to stay up to date with hacking threats. If you have at least a basic knowledge of what is possible then you can protect your website against it. Follow updates at a tech site. Use the information you gain to put fresh precautions in place when necessary.
Toughen up access control.
The admin level of your website is an easy way into everything you do not want a hacker to see. Enforce user names and passwords that cannot be guessed. Change the default database prefix from “wp6_” to something random and harder to guess. Limit the number of login attempts within a certain time, even with password resets, because email accounts can be hacked as well. Never send login details by email, in case an unauthorized user has gained access to the account.
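One way to implement the login-attempt limit described above, as an added example that is not part of the original article: a sliding-window throttle that counts failed logins and password-reset requests against the same account and locks it once the limit is hit. The attempt, window and lockout values are assumptions chosen for the example.

```python
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example, not figures from the article.
MAX_ATTEMPTS = 5           # failures allowed inside one window
WINDOW_SECONDS = 15 * 60   # sliding window over which failures are counted
LOCKOUT_SECONDS = 30 * 60  # how long the account stays locked after the limit is hit


class LoginThrottle:
    """Per-account failure counter with a lockout.

    Password logins and password-reset requests share the same counter, so a
    hijacked mailbox cannot be used to bypass the limit through the reset flow.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                   # injectable for tests
        self._failures = defaultdict(deque)   # account -> recent failure timestamps
        self._locked_until = {}               # account -> time the lock expires

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:            # lock expired: start with a clean slate
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Call on a failed login or a reset request; True if the account is now locked."""
        now = self._clock()
        if self.is_locked(account):
            return True
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= MAX_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account):
        """A successful login clears the failure history for that account."""
        self._failures[account].clear()
```

Check `is_locked()` before verifying the password so a locked account fails without doing the password comparison, and apply the same check to the reset endpoint.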
Updates cost software companies money. They only do it when necessary, yet many people who use the software do not install updates immediately. If the reason behind the update is a security vulnerability, delaying an update exposes you to attack in the interim period. Hackers can scan thousands of websites an hour looking for vulnerabilities that will allow them to break in. They network like crazy, so if one hacker knows how to get into a program then hundreds of hackers will know as well.
Tighten network security.
Computer users in your office may be inadvertently providing an easy access route to your website servers. Ensure that:
- Logins expire after a short period of inactivity.
- Passwords are changed frequently.
- Passwords are strong and NEVER written down.
- All devices plugged into the network are scanned for malware each time they are attached.
Install a web application firewall.
A web application firewall (WAF) can be software or hardware-based. It sits between your website server and the data connection and reads every bit of data passing through it.
Most modern WAFs are cloud-based and provided as a plug-and-play service, for a modest monthly subscription fee. The cloud service is deployed in front of your server, where it serves as a gateway for all incoming traffic. Once installed, the web application firewall provides complete peace of mind, by blocking all hacking attempts and also filtering out other types of unwanted traffic, like spammers and malicious bots. This is a great way to avoid getting hacked like Craigslist.
Install security applications.
While not as effective as a full-blown WAF, there are some free and paid-for security applications that you can install that will make life a bit more difficult for hackers. Even some free plugins such as Acunetix WP Security can provide an additional level of protection by hiding the identity of your website’s CMS. By doing so, this tool makes you more resilient against automated hacking tools that scout the web looking for WordPress sites with a specific build and version that has one or more known vulnerabilities.
Hide admin pages.
You do not want your admin pages to be indexed by search engines, so you should use the robots.txt file to discourage search engines from listing them. If they are not indexed then they are harder for hackers to find. This tutorial from SEObook.com is all the help you will need.
Limit file uploads.
File uploads are a major concern. No matter how thoroughly the system checks them out, bugs can still get through and allow a hacker unlimited access to your site’s data. The best solution is to prevent direct access to any uploaded files. Store them outside the root directory and use a script to access them when necessary. Your web host will probably help you to set this up.
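The "store outside the root directory and access through a script" pattern above, as an added example that is not part of the original article: the download script maps a requested file name onto a directory the web server never serves directly and refuses anything that would resolve outside it. The directory layout and sample files are constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Assumed layout: uploads live outside the web root (e.g. beside, not under, /var/www/html).
UPLOAD_DIR = Path("/var/www/uploads")


def resolve_upload(name, upload_dir=UPLOAD_DIR):
    """Map a user-supplied name to a file inside upload_dir, or return None.

    Rejects path separators, traversal, hidden files and anything that resolves
    (symlinks followed) outside the upload directory.
    """
    if not name or name.startswith(".") or "/" in name or "\\" in name:
        return None
    if name != os.path.basename(name):
        return None
    base = upload_dir.resolve()
    target = (base / name).resolve()
    if target.parent != base:          # escaped via symlink or similar
        return None
    return target


def serve_upload(name, upload_dir=UPLOAD_DIR):
    """Return (status, body) for the download script; body is the file's bytes."""
    target = resolve_upload(name, upload_dir)
    if target is None or not target.is_file():
        return 404, b""
    return 200, target.read_bytes()


def demo():
    """Build a throwaway upload directory and exercise the script with good and bad names."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "report.pdf").write_bytes(b"%PDF-constructed-sample")
    (root / "secret.txt").write_bytes(b"outside the upload directory")
    os.symlink(root / "secret.txt", uploads / "link.txt")   # symlink pointing outside
    names = ["report.pdf", "../secret.txt", "link.txt", ".htaccess", "missing.pdf"]
    results = {n: serve_upload(n, uploads)[0] for n in names}
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```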
Use an encrypted SSL protocol to transfer users’ personal information between the website and your database. This will prevent the information from being read in transit and accessed without the proper authority.
Remove from auto-fill.
When you leave auto-fill enabled for forms on your website, you leave it vulnerable to attack from any user’s computer or phone that has been stolen. You should never expose your website to attacks that utilize the laziness of a legitimate user.
Just in case the worst happens anyway, keep everything backed up. Back up on-site, back up off-site, back up everything multiple times a day. Every time a user saves a file it should automatically back up in multiple locations. Backing up once a day means that you lose that day’s data when your hard drive fails. Remember every hard drive will fail.
You can’t hide your code.
You can buy software that says it will hide the code on your webpages. It doesn’t work. Browsers need access to your code to render your website pages, so there are simple ways to get around web-page “encryption.”
Disabling “right-click” as a way to view your website code is annoying to users because it also disables every other “right-click” function, and there are simple workarounds that every hacker knows anyway. If you have been told that it is possible then read this article on HTMLgoodies.com to get in-depth explanations of why you can never hide your code.
Your Experience: Has your website been hacked? How did the criminals get in? Please use the comments facility below to share your story including the changes you made after the attack.
Contact TheWebOrion.com to secure your website by an expert.