Is your website secure?
With increasingly regular reports of some of the worlds biggest corporation’s websites being hacked, the importance of keeping your website, and the data within it secure, is critical to give customers confidence to use your site.
While it’s true that the likes of Ashley Maddison (http://www.bbc.co.uk/news/technology-33986228) and Sony (http://www.bbc.co.uk/news/technology-30189029) can become a sitting duck for large scale attacks, they also (in theory at least) have the resources and expertise to adequately secure their online properties. In light of recent high profile attacks, it would appear that perhaps they don’t.
So if data is vulnerable on the largest of websites, is any website vulnerable to these kinds of attacks or data breaches? Well, yes, I’m afraid, they are.
So without a ‘world class’ security team, what can you do to minimise the risk of your site being compromised? The irony about website security is that many of the steps you can take to adequately protect yourself are really simple. Here are some points that you should be thinking about and discussing with your website developers.
This list is intended to provide a few quick suggestions for consideration. These relatively simple precautions will likely be sufficient to guard against intrusion on typical websites – but would be unlikely to stop a committed hacker intent on causing maximum disruption.
Keep your website codebase up to date
Many website vulnerabilities are exploited through weaknesses in the way its been coded. This means it can be possible for someone to hack into your website simply by submitting some carefully concocted characters into a contact or comment form.
Your website might be built on a content management system or framework. These are all updated from time to time, and you should consider keeping your site up to date with the latest stable releases. This doesn’t necessarily mean that you should rush out to install the latest updates (unless the vendor recommends this) but it's likely to be one of the best ways to keep intruders at bay.
Use an established content management system or code framework
Many CMS’s (such as ExpressionEngine) include a raft of security features – many of which can be turned on or off depending on the needs of your site. Features such as throttling (manage the frequency that any given IP address can access your site), secure form processing (only allowing a single submission per page load) and user lockouts make the task of securing your site far easier.
In-house or agency proprietary content management systems will rarely match up to this standard, and with the availability of such good commercial CMSs these days, I struggle to think of good reason to be using a proprietary agency CMS for any website.
Security by obscurity
With so many websites built using off the shelf platforms such as Joomla or WordPress (which we’ve found both to be particularly vulnerable to attacks), these become easy targets for hackers. They wouldn’t have to look far to find the standard installation instructions and therefore have an understanding of your site’s file system. Similarly, with such huge numbers of these sites that don’t get updated, a simple security bulletin might identify the vulnerability for all to see, leaving hackers free to try and exploit sites en-masse until they get a result – and they almost certainly will – but hopefully on someone else’s site.
Simply ensuring your site doesn’t use all the defaults set during the installation can be enough to make a would be hacker give up and move on to another target.
Ensure your server is secure
Once beyond the gates of your website, a hacker potentially has access to your hosting server. Some basic precautions you should be taking here is to use complex passwords, ensure the server operating system is kept up to date and possibly limiting some of the functions it can perform. Being able to protect certain ‘ports’ on the server through a firewall can add an extra layer of security by preventing access from unauthorised locations.
The difficulty here is that we’ve come to expect many basic functions to be available to our users. Take uploading images or files for example – preventing this would improve security, but may be completely impractical, so its about finding a balance between providing a secure server without being overly restrictive.
Never store payment information
Avoid storing payment details at all costs! There are strict rules around storing cardholder data (called PCI compliance), but its far better to have the peace of mind knowing that wherever you’re processing card payments, someone else is taking responsibility for keeping these details secure. Payment gateways such as Stripe, SagePay or Realex all process payments on your behalf without you even having access to view the card number.
Use Encryption
Anywhere you’re collecting a username or password, this should be encrypted to protect against the risk of it’s true identity being exposed. Ideally, these pages will also be secured over SSL with a security certificate as well. If you’re using SSL, you might as well use it across the whole site as you may find there will be additional search optimisation benefits.
Use secure passwords
One of the simplest of all, choose a strong password that isn’t based on a dictionary word. I know what you’re thinking, this means you have to look up the password which is an inconvenience, but better to be safe than sorry.
Archive older data
Archiving old data to a secure location away from your website isn’t a security measure as such, but more a way to mitigate against any possible data breach. While its true a hacker would prefer recent data, any data could be motivation for someone to attempt to attack your website. If your website holds data going back several years, then a breach will obviously affect a greater number of users. Periodic housekeeping to clean up any redundant user accounts will potentially minimise the fall out should your data fall into the wrong hands.
We provide a variety of website and hosting options for websites large and small. We work with commercial content management systems, which you may not have heard of, but are usually more capable (and secure) than the familiar names out there.
If you’re concerned about your website’s security, why not contact us for a chat? While we can’t claim to be impenetrable, security matters to us and we always take every reasonable step to ensure your site is built and hosted securely.
Andrew Armitage
Andrew is the founder of multi-award winning A Digital and believes that technology should be an enabler, making a positive impact on the way people live and work.