Our top ten tips for securing your website
Website security is all too often overlooked, yet it is one of the most important aspects of running a website. A string of significant breaches at very large corporations in recent years shows how seriously it needs to be taken.
With a small amount of effort it is possible to greatly reduce the risk of being hacked, and it is far better to put that effort in up front than to have to recover from the smoking ruins of a website. Here are our top ten tips:
1. Regularly check for security releases and bulletins for the platform your website runs on.
The vast majority of attackers go for the lowest-hanging fruit: websites running software with known vulnerabilities. New flaws are found regularly, so keep watch on the security announcements for every component that makes up your website. That includes the application (e.g. WordPress, Joomla, Drupal) and any plugins or themes it uses, the webserver (e.g. Apache, IIS), the database (e.g. MS SQL Server, MySQL) and the operating system (e.g. Linux, Windows).
Always upgrade as soon as a security release is made; from the moment a flaw is published the clock is ticking. Many attackers use automated tools that can scan thousands of servers an hour looking for vulnerable websites, so it is essential to remain fully up to date. If you cannot upgrade immediately, check whether the vendor has published a workaround and apply that in the meantime.
Where possible, sign up to the mailing lists or feeds that carry security alerts for each component; where that is not possible, check the software's website for security bulletins and updates regularly, at least once a month. On Linux, the distribution's package manager can usually be configured to apply operating-system security updates automatically.
2. Keep good backups that you know you can restore from and store them away from your webserver.
All too often backups are just an afterthought, but get them wrong and you will be up a creek. Be absolutely certain that you are backing up, that the backups themselves are secure, and that they include everything the site needs: the files, the database and the server configuration. A backup you have never restored is not a backup; test the restore. If disaster does strike you need to be certain you can recover quickly without significant loss of data.
Many website owners rely on their hosting provider to take care of backups and simply trust that everything is being backed up properly. Do the due diligence yourself: find out what is backed up, how often, where it is kept and how long a restore takes, so that you know you can recover all your information if your website is compromised. Keep at least one copy off the webserver (and off the same hosting account), because an attacker who controls the server can delete or corrupt anything stored on it.
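The following script is an added example, not code from the original article, showing the two halves of this tip in working form: take a file backup of a site directory, copy it somewhere the webserver cannot reach, and then prove the archive restores correctly before relying on it. The BACKUP_REMOTE destination is an assumption (an scp-style target such as user@backuphost:/backups); leave it unset to skip the off-server copy. A database dump (for example from mysqldump) would be written into the site directory before archiving and is not shown.

```shell
#!/bin/sh
# Added example, not from the article: back up a site's files, copy the archive
# off the server, and prove the archive restores before trusting it.
# Assumptions (placeholders, not from the article): BACKUP_REMOTE is an
# scp-style destination such as user@backuphost:/backups; leave it unset to
# skip the off-server copy. Database dumps would be added to the site
# directory before archiving and are not shown here.

# backup_site SITE_DIR DEST_DIR : write DEST_DIR/site-<timestamp>.tar.gz and
# print the archive's path
backup_site() {
    site="$1"; dest="$2"
    mkdir -p "$dest"
    archive="$dest/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C so the archive holds paths relative to the site's parent directory and
    # can be restored anywhere, not only at its original absolute path
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
    # the copy that matters is the one the webserver account cannot reach
    if [ -n "${BACKUP_REMOTE:-}" ]; then
        scp -q "$archive" "$BACKUP_REMOTE/"
    fi
    echo "$archive"
}

# verify_backup ARCHIVE SITE_DIR : restore into a scratch directory and compare
# with the live tree; returns 0 only if every file matches byte for byte
verify_backup() {
    archive="$1"; site="$2"
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    diff -r "$site" "$scratch/$(basename "$site")" >/dev/null
    rc=$?
    rm -rf "$scratch"
    return $rc
}
```

Run `verify_backup` against a copy fetched back from the remote location, not the archive still sitting on the server; that is the only way to know the off-site copy is intact. Schedule both functions from cron and make the job fail loudly (an email or alert) when verification returns non-zero, since a silently failing backup is the one you discover during an incident.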
3. Remove anything that is not necessary from your webserver. The more you run, the more likely it is that something will let evildoers in.
Many people never harden the servers on which they run their websites. Unnecessary features and software are left running, and any one of them could provide the backdoor into your site.
A well set-up server should be stripped to the bone and then only the software necessary for the website installed. Make sure your web developers follow this approach, and check periodically (for example by listing the installed packages and the services listening on the network) that nothing has crept back in.
4. Make sure that files can only be written to by the webserver when they need to be.
A common way that attackers compromise a website is by changing files on the webserver that have been left writable. This allows all kinds of mischief: defacing pages, capturing information your customers enter into your website, or adding malicious code to the pages (such as viruses and trojan horses) that then attacks your visitors.
When building your website, have your web developers ensure that all files except the ones that genuinely need to be written to (such as an upload directory) are permissioned so that the webserver account cannot write to them or change their permissions. Ideally the application files are owned by a separate deployment account and the webserver has read access only.
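As an added example (not from the article), the script below applies that rule to a web root and then audits the tree for anything still writable by the webserver. It assumes the application files are owned by a deployment account and the webserver runs as a different account in the group www-data; both names are placeholders. The group change needs root and is skipped when the script is run unprivileged.

```shell
#!/bin/sh
# Added example, not from the article: make application files read-only to the
# webserver and confirm nothing outside the upload directory is writable.
# Assumptions (placeholders): files belong to a deploy account; the webserver
# runs as a different account in group "$WEB_GROUP". chgrp needs root, so it is
# skipped when not run as root.

WEB_GROUP="${WEB_GROUP:-www-data}"

# harden_webroot ROOT UPLOAD_DIR
harden_webroot() {
    root="$1"; upload="$2"
    # directories: owner rwx, everyone else r-x; files: owner rw, everyone else r
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # only the upload directory may be written by the webserver's group; the
    # setgid bit keeps files created there in that group
    chmod 2775 "$upload"
    if [ "$(id -u)" -eq 0 ]; then
        chgrp -R "$WEB_GROUP" "$root"
    fi
}

# audit_webroot ROOT UPLOAD_DIR : print every path writable by group or other
# outside UPLOAD_DIR; empty output means the tree is clean
audit_webroot() {
    find "$1" -path "$2" -prune -o \( -perm -020 -o -perm -002 \) -print
}
```

Run `audit_webroot` from cron and treat any output as an alert; a file that has become writable again is either a developer's shortcut or an attacker's foothold. Because the upload directory is the one place the webserver can write, configure the server not to execute scripts from it, otherwise an uploaded .php file becomes a shell.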
5. Use an encrypted webserver when needed
Often websites need to collect or display sensitive information such as a customer's username and password or confidential data. A plain HTTP webserver does not encrypt this traffic, so anyone who sits between your website and your users (on a public Wi-Fi network, say, or at an intermediate network provider) can intercept and read what is being passed. For this reason you should use encryption on your webserver whenever you deal with sensitive information.
If your website needs to display or receive sensitive information, use HTTPS (HTTP over TLS, still commonly called SSL) to encrypt it, and never allow users to sign in or register over a plain HTTP session. The simplest way to get this right is to serve the whole site over HTTPS and redirect every plain HTTP request to the HTTPS version; encrypting only the login page can leave the session cookie exposed on every other page.
6. If you use tools like phpMyAdmin, don't install them in the standard directories
Often web developers install off-the-shelf tools such as phpMyAdmin to help them develop and maintain a website. Whilst useful, these tools also pose a security risk: they expose the inner workings of the website, and vulnerabilities have been found in them that have let attackers in.
In an ideal world these applications are removed from websites when they go live. If that isn't possible, install them in non-standard locations so that automated tools hunting for insecure installations have a much reduced chance of finding them, and also restrict who can reach them (by IP address, through a VPN, or behind an extra layer of authentication), since a non-standard path on its own is obscurity rather than security.
7. Use secure passwords for all accounts and avoid obvious usernames
Another common technique used to compromise a website is the brute-force attack, in which the attacker automatically tries to break in by guessing usernames and passwords. For this reason you should always use passwords made up of upper- and lower-case letters, numbers and punctuation symbols, and treat 8 characters as the bare minimum; longer is better, and a long passphrase is easier to remember than a short jumble. Never use a dictionary word, a name or a date of birth: if someone is determined they will guess it eventually.
If possible, replace standard usernames such as 'admin' or 'Administrator' with less obvious alternatives; if that is not possible, pay special attention to giving those accounts a robust, non-guessable password. Limit the number of failed login attempts (account lockout or rate limiting) so that guessing stays slow even when the attacker knows the username, and use a different password for every account: the same password on the CMS, the database and FTP means one leak compromises all of them.
8. Use a firewall to protect your server
Use a firewall to ensure that only the services your users actually need (normally just the HTTP and HTTPS ports) are reachable from the Internet. Services such as databases and administrative interfaces should not be exposed to the Internet at all, as they provide an easy way in; bind them to localhost or restrict them to the addresses you administer from, and apply the same rule to SSH, FTP and any remote desktop service.
9. Review your server regularly to check for suspicious activity
Compromises can go unnoticed for a long time. Attackers often want control of your machine without you knowing, so that they can use it to send spam or attack other people's computers. To help detect when your machine has been hacked, regularly inspect the log files on your firewall and webserver: look for floods of failed logins, requests for admin tools you don't use, and connections from the server to places it has no reason to talk to. Attackers will often delete the logs to cover their tracks, but a gap in the logs is itself a clue that something is amiss; forwarding logs to a separate machine as they are written makes them much harder to erase. You can also install intrusion detection software that detects when files are altered; this can be a very useful tool for picking up a compromise, provided its baseline is stored somewhere the attacker cannot also modify.
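The script below is an added example, not part of the original article, showing both checks from this tip as they might be run from cron: a file-integrity baseline that records a checksum for every file under the web root and later reports anything added, removed or changed, and an access-log scan that flags login brute-forcing and probes for admin tools such as phpMyAdmin. It assumes the webserver writes logs in the Apache/nginx "combined" format; the sample log it builds is constructed for the example and is not captured traffic, and the IP addresses and paths in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: two lightweight checks for tip 9.
#  1. file-integrity baseline: record checksums of the web root once, then
#     report anything added, removed or changed.
#  2. access-log scan: flag login brute-forcing and probes for admin tools.
# Assumptions: logs are in Apache/nginx "combined" format; the sample log
# below is constructed for the example, not real traffic.

_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# baseline_create ROOT MANIFEST : write "checksum  ./path" for every file under
# ROOT to MANIFEST (give MANIFEST as an absolute path, outside ROOT)
baseline_create() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do _sha256 "$f"; done ) > "$2"
}

# baseline_check ROOT MANIFEST : return 0 if nothing changed, non-zero otherwise;
# diff output shows "<" for the recorded state and ">" for the current one
baseline_check() {
    current=$(mktemp)
    baseline_create "$1" "$current"
    diff "$2" "$current"
    rc=$?
    rm -f "$current"
    return $rc
}

# scan_login_bruteforce LOG THRESHOLD : print "ip count" for every client that
# POSTed to a login URL at least THRESHOLD times
scan_login_bruteforce() {
    awk -v thr="$2" '
        $6 == "\"POST" && $7 ~ /wp-login\.php|\/administrator\/|\/user\/login/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }' "$1" | sort
}

# scan_admin_probes LOG : print "ip path status" for requests to admin-tool
# paths, whatever the status code (a 404 today may be a 200 tomorrow)
scan_admin_probes() {
    awk '{ p = tolower($7) }
         p ~ /phpmyadmin|\/pma\/|\/myadmin\/|\/adminer/ { print $1, $7, $9 }' "$1"
}

# make_sample_log FILE : constructed sample in combined format, for the example
make_sample_log() {
    {
        i=0
        while [ $i -lt 5 ]; do
            echo '198.51.100.7 - - [10/Oct/2023:03:14:0'"$i"' +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"'
            i=$((i+1))
        done
        echo '203.0.113.9 - - [10/Oct/2023:03:20:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"'
        echo '203.0.113.9 - - [10/Oct/2023:03:20:02 +0000] "GET /pma/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"'
        echo '192.0.2.44 - - [10/Oct/2023:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"'
        echo '192.0.2.44 - - [10/Oct/2023:08:00:05 +0000] "GET /about/ HTTP/1.1" 200 3042 "-" "Mozilla/5.0"'
    } > "$1"
}
```

Keep the manifest, and ideally the script itself, somewhere the webserver account cannot write, otherwise an attacker who has altered the files can simply regenerate the baseline. A legitimate deployment will also trip `baseline_check`; re-run `baseline_create` as the last step of every deploy so that an alert always means an unexpected change.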
10. If your website is compromised, don’t panic!
If you are compromised, the most important thing is not to panic; hasty action often makes the situation worse, not better. Here are some sensible steps for getting yourself out of the mire:
- If possible, take the whole server your website runs on offline and quarantine it. Preserve it (a disk image and the logs) rather than wiping it, because you will need the evidence. If you are on shared hosting and this isn't possible, take your website down and inform your hosting provider of the issue.
- Put up a simple 'Out of service' page in a new location whilst you diagnose and fix the issue.
- It is essential to understand how your site was compromised and the extent of the damage. It is no good simply cleaning up and putting the site back online, as it will be compromised again very quickly. This, alas, is not easy and requires a fair degree of technical expertise. Auditing the log files on the server may help, and if you have intrusion detection software installed it may give you a clue as to what happened and which files were altered. Assume that every password and key stored on the server (database, FTP, admin accounts, any API keys) is known to the attacker and change them all.
- Rebuild the site, if possible on a fresh, clean server, applying all of the principles discussed in this article. Restore from a backup taken before the compromise and compare the restored application files against a clean copy of the software rather than trusting them blindly.
I hope you've found this article useful. If you'd like further advice please don't hesitate to get in contact. We can be reached on 01483 894158 or by email at email@example.com