Your company's website is a vital part of your business, and it is often the first impression a potential customer has of you or your company. At a minimum, it is a major avenue of providing information and attracting customers. If you're involved in e-commerce it is a direct source of revenue. Just as you need to protect your physical property, you need to protect your website and data.
Every day, new threats emerge and new ways are discovered to access your information, insert malicious code into your site to threaten your customers or deface your content. You may not think your site will ever be the target of a malicious attack, but you simply can't afford to make that assumption.
In this article, we offer 10 things you can do to help protect your website. Some of these can be very technical to implement, so if you have any questions don't hesitate to contact us and ask for help.
1. Choose your site software carefully and keep it up to date
I'm going to start off with this one because it's a biggie, and is arguably one of the easiest steps you can take to protect your website. Many sites today are managed using software written by someone else, specifically content management systems (CMS). According to WebsiteSetup, as of December 2017 WordPress holds a 60% market share of CMS software and hosts nearly 30% of all websites on the Internet (source). That amounts to roughly 540 million of the approximately 1.8 billion sites on the Internet running on a single CMS platform. That concentration makes for a huge target as vulnerabilities are discovered and hackers find new ways to compromise your security.
I'm singling out one platform, but the same applies to any software you decide to use on your site. Aside from the main CMS, there are also the plugins and mods you have added to your site. Each of those may have been created by a different developer and are therefore maintained separately.
As new vulnerabilities are discovered (and it happens all the time), this software is updated to correct the flaw or prevent the vulnerability. These updates don't do you any good if you don't install them, though. Make sure you check your site frequently to make sure you are using the latest releases of your main CMS platform as well as all plugins, themes and mods installed.
In addition to keeping everything updated, make sure you are installing software from reputable sources. There have been cases recently where popular WordPress plugins have been acquired by a new developer for the sole purpose of adding malicious code to the plugin. As you update the plugin, you may be unknowingly allowing malicious code into your site that threatens your data, your reputation, or your customers.
2. Prevent malicious code
This tip encompasses a lot of different things and can get very technical, so I'm just going to touch on it briefly. A large amount of content on the Internet today is contributed by users: articles added to a site, comments shared on your content, or data the user submits to your site through the browser. If you don't take steps to protect yourself, some of this content can contain harmful code that compromises your site. Most of this is handled internally within the platform you run, but it's good to be aware of it. Here are a couple of the ways this can happen:
- SQL Injection
SQL injection is a way for users to execute their own SQL in your database by submitting it through a form on your website or through a URL parameter. This could allow the user to read or alter the data in your database. The best way to prevent this is to make sure all queries used in your site are parameterized. This ensures that any data passed to a query is treated strictly as a value of the type you expect, never as part of the SQL statement itself, so unwanted commands cannot be executed.
- Cross-Site Scripting (XSS)
Cross-site scripting is another common method used to compromise your website. Basically, this happens when a user finds a way to add their own code to a page on your site. That code is then executed in the browser of every visitor who views the page, either altering your content or compromising your users' systems. There are a number of ways to prevent this from happening, starting with validating all information submitted by users through a form or URL parameter and escaping it whenever it is written into a page. Similar to using parameters in a SQL query, this ensures that the information being submitted is the type of data you expect and that any markup it contains is displayed as plain text rather than executed. Another method is to implement a Content Security Policy (CSP) on your site. Mozilla has provided a great resource with more information about setting up a CSP on your site.
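The two problems just described, each shown in a vulnerable and a safe form, as an added example that is not code from the original article. It uses only the Python standard library; the table, its rows, the search terms and the comment text are constructed for the demonstration, and the CSP directive set is an assumed starting point rather than a policy that suits every site.

```python
"""Added example (not code from the original article): user input reaching a
SQL query and an HTML page, unsafely and safely. Standard library only; the
table, rows and inputs are constructed for the demo."""
import html
import sqlite3


def build_demo_db():
    """In-memory table with constructed rows; one row is not meant to be public."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO posts (title, published) VALUES (?, ?)",
        [("Welcome", 1), ("Spring sale", 1), ("Unpublished draft", 0)],
    )
    return conn


def search_unsafe(conn, term):
    """Vulnerable: the search term is spliced into the statement text, so any
    quote or SQL syntax it contains changes what the query does."""
    sql = "SELECT title FROM posts WHERE published = 1 AND title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Safe: the term is bound as a parameter, so it is only ever compared as
    text and can never become part of the SQL statement."""
    sql = "SELECT title FROM posts WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def render_comment(author, body):
    """Escape user-controlled text before placing it in HTML so that markup in a
    comment is displayed literally instead of being run by the visitor's browser."""
    return '<p class="comment"><b>%s</b>: %s</p>' % (html.escape(author), html.escape(body))


def csp_header():
    """A restrictive Content-Security-Policy response header. The directive set
    is an assumed starting point, not a policy that fits every site."""
    policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
    return ("Content-Security-Policy", policy)


if __name__ == "__main__":
    db = build_demo_db()
    # A search term carrying SQL syntax: the unsafe query also returns the draft
    # that was never published; the parameterized one simply finds nothing.
    crafted = "' OR 1=1 --"
    print("unsafe:", search_unsafe(db, crafted))
    print("parameterized:", search_parameterized(db, crafted))
    print(render_comment("visitor", "<script>alert(1)</script>"))
    print("%s: %s" % csp_header())
```

Note that `search_parameterized` still builds the `%...%` wildcard pattern in Python; what matters is that the finished pattern is passed as a bound value, so the database never parses it as SQL. The same division of labour applies to output: escape at the moment text is written into the page, because that is the point where the browser would otherwise interpret it.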
3. Make sure your passwords are secure
You've probably heard this over and over again, but I'm going to repeat it anyway. A simple way to protect your website is to make sure any passwords you use are strong, and change them periodically. I know it's very tempting to use a password that you can remember (that's why the most common password is still "123456"). It can be more difficult to keep track of, but make sure you are using a strong password to protect your site. This applies to every login used on your site: your FTP account, database login information and any user passwords on the site. While I'm mentioning it, don't use the same password for every account. Use a different password for every account and stick to the following guidelines:
- make it as long as possible
- use a mix of special characters, numbers and letters (upper and lower case)
- don't use information that is easy to guess from your business information (such as phone numbers or other personal information)
Yes, I know it's hard to remember all those different passwords. If you really struggle to remember the different passwords, there are tools you can use to help you store and look up passwords (but make sure you protect that with a strong password as well). Some CMS systems allow you to enforce a password policy and can generate passwords for your users so those accounts are protected as well. There are also a number of tools available to help you create strong passwords, such as the password generator from LastPass.
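The guidelines above turned into a small policy checker and generator, as an added example that is not part of the original article or of any CMS or password manager. The 12-character minimum and the symbol set are assumptions (the article only says "as long as possible"), and the business details used for the guessability check are constructed.

```python
"""Added example, not from the article: a checker for the password guidelines
above and a generator that produces passwords meeting them. MIN_LENGTH and
SYMBOLS are assumptions; the article only says 'as long as possible'."""
import secrets
import string

MIN_LENGTH = 12
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def _alnum_lower(text):
    """Keep only letters and digits, lower-cased, so 'Acme-Widgets' and
    'acme widgets' compare the same way."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def check_password(password, known_info=()):
    """Return the list of guideline violations (empty when the password passes).
    known_info holds strings anyone could look up about the business, such as
    its name or phone number; any word of four or more characters from them
    that appears in the password is flagged."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no special character")
    haystack = _alnum_lower(password)
    for item in known_info:
        for word in item.split():
            token = _alnum_lower(word)
            if len(token) >= 4 and token in haystack:
                problems.append("contains guessable business information: %r" % word)
    return problems


def generate_password(length=20):
    """Draw characters from a cryptographically secure source and keep drawing
    until the result satisfies check_password (a few tries at most)."""
    length = max(length, MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    business = ("Acme Widgets", "555-0100")   # constructed example values
    for pw in ("123456", "Acme5550100!!", generate_password()):
        print(pw, "->", check_password(pw, business) or "OK")
```

The generator uses `secrets` rather than `random` because the latter is predictable by design; the checker is deliberately strict about business information so that a password built from the company name and phone number fails even when it satisfies the character-class rules.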
4. Use HTTPS
Set up your site to enforce a connection over HTTPS rather than regular HTTP. Using this protocol ensures that any information sent to and from your site is encrypted and that you are communicating with the website you expect. Implementing HTTPS for a site used to be more complicated and expensive than it is now. Services such as Let's Encrypt provide free and automated certificates, and many hosting companies allow you to manage HTTPS certificates through a control panel. You may need to make some configuration changes to your site to ensure that all communication is done over HTTPS once a certificate is installed.
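One way to make the "configuration changes" mentioned above in application code, as an added example that is not from the article: a small WSGI middleware that redirects plain-HTTP requests to the HTTPS version of the site and adds a Strict-Transport-Security (HSTS) header to HTTPS responses. It is framework-independent; the wrapped application and the request environments are constructed stubs, and the canonical host name and HSTS lifetime are assumptions.

```python
"""Added example, not from the article: enforce HTTPS at the application layer.
The wrapped app and requests are constructed; the host name and HSTS value are
assumptions to adjust for a real site."""

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year; assumption


class EnforceHTTPS:
    def __init__(self, app, canonical_host):
        self.app = app
        # Redirect to a host name we configure rather than one the client sent,
        # so a forged Host header cannot steer visitors elsewhere.
        self.canonical_host = canonical_host

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Behind a TLS-terminating proxy, have the proxy-facing layer set
            # wsgi.url_scheme from the proxy's own header; never trust a
            # scheme header that a client could have supplied.
            location = "https://%s%s" % (self.canonical_host, environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Type", "text/plain")])
            return [b"Redirecting to HTTPS\n"]

        def start_with_hsts(status, headers, exc_info=None):
            # Tell browsers to use HTTPS for this host from now on.
            headers = list(headers) + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def hello_app(environ, start_response):
    """Stand-in for the real site (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def run_request(app, scheme, path, query=""):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    site = EnforceHTTPS(hello_app, "www.example.com")
    print(run_request(site, "http", "/shop", "item=3"))
    print(run_request(site, "https", "/shop", "item=3"))
```

Most hosting control panels and web servers can do the same redirect in configuration, which is preferable when available; the value of seeing it in code is that both halves are visible: the redirect that moves visitors onto HTTPS, and the HSTS header that keeps them there on later visits.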
As an added bonus, using HTTPS will improve your search engine rankings. Some search engines give a ranking boost to sites that utilize HTTPS security, and an announcement in 2017 from Google called HTTPS "a requirement".
5. Use security tools
If this all seems really daunting so far, there's hope. There is software available for some CMS platforms that can provide an extra layer of security for your site. This software can automate a number of security tasks such as keeping track of available updates for software, scanning traffic to your site for suspicious behavior and even actively blocking users. In the case of WordPress, there are modules you can install such as WordFence and iThemes Security to help protect your site.
There are also free tools available you can use to scan your site for vulnerabilities such as Gravityscan that can analyze your site without installing a plugin. If you want even more robust protection, you can look into using a Web Application Firewall to protect your site. These range from dedicated hardware appliances to rented cloud-based services.
6. Obscure admin areas
This applies particularly to sites using a CMS. One way a potential hacker can try to gain access to your site is to go directly to a known admin folder address and try to gain entry to your content management system. For example, the default admin folder for Wordpress is "/wp-admin". If you change this to a different, innocuous folder name it can help reduce the possibility of a security breach. It's a basic and easily avoidable scenario.
7. Hide error message details
By default many platforms provide very detailed information in the error messages displayed on a site. While this is helpful for troubleshooting and fixing issues on the site, these error messages could inadvertently reveal details about your site such as database credentials or software keys. Make sure you are logging detailed error information in your server logs, but hide this information from site users. Not only will this protect potentially sensitive information, but cleaner error messages look better to your users and won't distract from the design and functionality of your site.
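The split described above, full detail in the server log and a generic message for the visitor, as an added example that is not from the article or any particular platform. The failing request handler, the connection string it leaks and the in-memory log sink are constructed; a real site would log to a file or syslog.

```python
"""Added example, not from the article: log the full exception server-side but
return only a generic message plus a reference id to the visitor. The failing
handler, the secret it exposes and the in-memory log sink are constructed."""
import logging
import traceback
import uuid

log = logging.getLogger("site.errors")
log.setLevel(logging.ERROR)


class ListHandler(logging.Handler):
    """Keeps formatted log records in memory so the demo can inspect them;
    a real site would use a file or syslog handler instead."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


log_sink = ListHandler()
log.addHandler(log_sink)


def handle_request(handler, show_details=False):
    """Run a request handler. On failure, log everything and tell the visitor
    only that an error occurred. show_details exists for local development
    and must stay off on a public site."""
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex[:8]   # lets support find the log entry later
        log.error("request failed [ref %s]\n%s", ref, traceback.format_exc())
        if show_details:
            return 500, traceback.format_exc()
        return 500, "Something went wrong. Please try again later (ref %s)." % ref


def connect_database():
    """Constructed failing handler: the driver puts the connection string,
    password included, into the exception message."""
    raise RuntimeError("connection refused for mysql://webapp:S3cretPw@db.internal/shop")


if __name__ == "__main__":
    status, body = handle_request(connect_database)
    print(status, body)
    print("logged:", log_sink.records[-1])
```

The reference id is the piece that makes the generic message workable in practice: a visitor who reports "ref 3f9a1c2b" gives you a string to search for in the log, so hiding the details costs nothing in troubleshooting.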
8. Back it up
This seems obvious, but it's a step that I see neglected frequently in security-related advice. If the worst happens and your site is compromised, you need to be able to recover from this disaster as quickly and with as little loss as possible. In order to do this, you need current back-ups of your site files and database. Your hosting provider may provide this as part of your hosting package, but this isn't always the case. If they are backing your database and site files up, you will need to contact them for support in restoring files and data that have been erased or damaged.
There are also plugins available for popular CMS platforms that can automate this process. Plugins such as UpdraftPlus for WordPress give you the ability to schedule periodic backups of your site files and database. The backup files can be stored on the server itself, emailed out or uploaded to cloud-based storage. If disaster strikes, you can use the plugin to restore these files with reduced loss of data.
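The backup-and-restore cycle described in this section, as an added example that is not from the article or from any plugin: site files go into a timestamped tar archive and the database is copied with SQLite's online backup API, then both are restored after a simulated compromise. The site layout, its files and the database are constructed inside a temporary directory; a real site would point the paths at its document root and database.

```python
"""Added example, not from the article or any plugin: back up site files and a
SQLite database into timestamped copies, and restore them. Everything below is
constructed inside a temporary directory."""
import datetime
import os
import shutil
import sqlite3
import tarfile
import tempfile


def backup_site(site_dir, db_path, dest_dir):
    """Write site-files-<stamp>.tar.gz and database-<stamp>.sqlite into dest_dir."""
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    os.makedirs(dest_dir, exist_ok=True)
    files_archive = os.path.join(dest_dir, "site-files-%s.tar.gz" % stamp)
    with tarfile.open(files_archive, "w:gz") as tar:
        tar.add(site_dir, arcname=".")
    db_copy = os.path.join(dest_dir, "database-%s.sqlite" % stamp)
    src, dst = sqlite3.connect(db_path), sqlite3.connect(db_copy)
    src.backup(dst)   # the online backup API gives a consistent snapshot
    src.close()
    dst.close()
    return files_archive, db_copy


def restore_site(files_archive, db_copy, site_dir, db_path):
    """Replace the current files and database with the backed-up copies."""
    shutil.rmtree(site_dir, ignore_errors=True)
    os.makedirs(site_dir)
    with tarfile.open(files_archive, "r:gz") as tar:
        # The 'data' filter (where this Python has it) refuses archive entries
        # that would write outside site_dir.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(site_dir, filter="data")
        else:
            tar.extractall(site_dir)
    shutil.copyfile(db_copy, db_path)


def demo_roundtrip():
    """Build a constructed site, back it up, damage it, restore it, and report."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    site_dir = os.path.join(root, "htdocs")
    db_path = os.path.join(root, "site.sqlite")
    os.makedirs(os.path.join(site_dir, "uploads"))
    with open(os.path.join(site_dir, "index.html"), "w") as fh:
        fh.write("<h1>Welcome</h1>")
    with open(os.path.join(site_dir, "uploads", "logo.txt"), "w") as fh:
        fh.write("logo placeholder")
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL)")
    conn.executemany("INSERT INTO orders (total) VALUES (?)", [(19.99,), (42.50,)])
    conn.commit()
    conn.close()

    files_archive, db_copy = backup_site(site_dir, db_path, os.path.join(root, "backups"))

    # Simulate a compromise: defaced page, deleted upload, wiped orders.
    with open(os.path.join(site_dir, "index.html"), "w") as fh:
        fh.write("defaced")
    os.remove(os.path.join(site_dir, "uploads", "logo.txt"))
    conn = sqlite3.connect(db_path)
    conn.execute("DELETE FROM orders")
    conn.commit()
    conn.close()

    restore_site(files_archive, db_copy, site_dir, db_path)

    with open(os.path.join(site_dir, "index.html")) as fh:
        page = fh.read()
    upload_back = os.path.exists(os.path.join(site_dir, "uploads", "logo.txt"))
    conn = sqlite3.connect(db_path)
    order_count = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    conn.close()
    shutil.rmtree(root)
    return {"page": page, "upload_restored": upload_back, "orders": order_count}


if __name__ == "__main__":
    print(demo_roundtrip())
```

Two points carry over to any real setup: copy the database through its own backup mechanism (here `Connection.backup`, for MySQL a dump tool) rather than copying the live file, and keep the archives somewhere other than the server they protect, since a compromise that wipes the site will wipe backups stored beside it.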
The Bottom Line
Your website and data are an important part of doing business, and you need to protect them just like you would any other vital part of your business. There is a lot involved in doing this, and the tips above are just a handful of the things you can do to protect your site and your business. Most modern content management systems have built-in features to protect your site, but these are some additional things you can do to help prevent a compromise. Hopefully this information can help you keep your site safe. As always, if you have any questions please contact us.