Website Safety Check – 10 things you can do to keep your site secure
“Most companies may not even know that they’ve been hacked. We have a joke in the industry that most companies manage cyber-security using “DLPI” – denial, luck, prayer and ignorance.”
Andy Norton, Security Expert at FireEye
Attackers can be invisible and very fast in searching a website for details of customers' accounts. In the past most breaches could be traced to a mistake the company or organisation had made that let the attacker in; as technology has become more sophisticated, the techniques for getting around even well-secured online environments often evolve faster than the measures meant to stop them. No one can guarantee that an attack will never succeed, but there are measures a website can take to make a successful attack as difficult as possible.
- Keeping software up to date
Security updates and patches are essential to keeping your website secure and to stopping attackers reaching the databases behind it. At Nimbus we automatically apply security and bug-fix updates to your server, but it is your responsibility to keep the CMS platform your site runs on, together with its plugins and themes, up to date, and to install any patches as soon as they are released.
- Using vague Error Messages
Keep error messages deliberately vague. A message that reveals which part of a request was right and which was wrong hands the attacker clues. For example, after a failed log-in attempt the message should not say whether it was the username or the password that was wrong: "Unknown username" confirms which accounts do not exist, so the attacker can enumerate the ones that do and concentrate on guessing their passwords. The same applies to database and application errors: a stack trace or SQL error shown to the visitor reveals table names, file paths and software versions that should stay internal, so log the detail on the server and show the user a generic message.
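As an added illustration of the log-in case (example code written for this page, not code from the article or from any CMS), here is a leaky log-in check next to a hardened one. The user store, the username "alice" and her password are constructed for the demonstration; a real site keeps a per-user salt and hash in its database. The hardened version returns one message for every failure and does the same hashing work whether or not the account exists, so neither the wording nor the response time tells the attacker which usernames are real.

```python
import hashlib
import hmac
import os

# Added example, not code from the article. USERS is a constructed store:
# username -> (salt, PBKDF2-SHA256 hash). A real CMS keeps this in its database.
ITERATIONS = 100_000


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _pbkdf2("correct horse battery staple", _ALICE_SALT))}

# Dummy record used when the username does not exist, so the hashing work
# (and therefore the response time) is the same as for a real account.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(os.urandom(16).hex(), _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password."


def login_leaky(username, password):
    """The 'before': each failure tells the attacker which half was right."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username."          # confirms the account does not exist
    salt, stored = record
    if _pbkdf2(password, salt) != stored:           # confirms the account does exist
        return False, "Incorrect password."
    return True, "OK"


def login_hardened(username, password):
    """Same message, same work, same timing whether the user exists or not."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _pbkdf2(password, salt)
    # compare_digest avoids early-exit timing differences on the hash bytes;
    # the second check stops the dummy record from ever counting as a login.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (True, "OK") if ok else (False, GENERIC_ERROR)


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        print(fn.__name__, fn("mallory", "guess"), fn("alice", "guess"))
```

Run it and compare the two lines: the leaky version answers "Unknown username." for mallory and "Incorrect password." for alice, the hardened one answers identically for both. Rate limiting on the log-in URL belongs alongside this, since the generic message slows an attacker down but does not stop guessing by itself.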
- Using complex Passwords
SplashData publishes an annual list of the most used passwords; explaining why the 2015 list is significant, the firm said that using any of them "will expose anybody to being hacked or having their identities stolen." As annoying as the rules on what a password must contain are, they do help to protect sensitive information. An attacker who finds no shortcut is left with guessing: first a dictionary of common passwords and their simple variants, then, as a brute force attack, every combination of characters until one matches. The website linked HERE gives a handy guide to how long a brute force attack would take; the longer and more complex the password, the larger the search space and the less likely the attack is to succeed. Note that a password which appears on a leaked-password list is found on the first pass however complex it looks, so checking new passwords against such a list matters as much as the complexity rules.
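To show both halves of that point in working code (an added example, not the article's or SplashData's tooling), the block below rejects a password that is on a common-password list or a trivial variant of one, and separately estimates the brute force search space from its length and character classes. The denylist is a constructed excerpt standing in for a full list such as SplashData's, the 12-character minimum and the 1e10 guesses-per-second rate are assumptions, and the estimate goes a little beyond the text by also handling the "P@ssw0rd123!" style of mangling that attackers try before any brute force.

```python
import math
import re

# Added example. COMMON_PASSWORDS is a constructed excerpt; a real deployment
# loads a list of hundreds of thousands of leaked passwords.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "football",
    "baseball", "welcome", "abc123", "letmein", "monkey", "login", "admin",
}
MIN_LENGTH = 12          # assumed policy value

# The substitutions cracking tools try first (P@ssw0rd -> password).
_LEET = str.maketrans("@013$", "aoies")


def _variants(pw):
    """Forms an attacker's mangling rules would reach from pw."""
    lower = pw.lower()
    stripped = re.sub(r"[\d!@#$%^&*._-]+$", "", lower) or lower   # drop trailing '123', '!'
    return {lower, stripped, stripped.translate(_LEET)}


def check_password(pw):
    """Return the reasons to reject pw; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _variants(pw) & COMMON_PASSWORDS:
        problems.append("a commonly used password or a trivial variant of one")
    return problems


def guess_space_bits(pw):
    """log2 of the keyspace a brute force attacker must search knowing only the
    length and which character classes are present (an upper bound on the work)."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33           # printable ASCII punctuation and space
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def brute_force_years(pw, guesses_per_second=1e10):
    """Years to exhaust the keyspace at the given rate. 1e10/s is an assumed
    figure for an offline attack on a fast unsalted hash, not a measurement."""
    return 2 ** guess_space_bits(pw) / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123!", "qwerty", "correct horse battery staple"):
        print(f"{candidate!r}: {guess_space_bits(candidate):.1f} bits, "
              f"{brute_force_years(candidate):.3g} years, problems={check_password(candidate)}")
```

The instructive case is "P@ssw0rd123!": it satisfies a typical complexity rule and its keyspace works out at roughly 79 bits, which the calculator would report as millions of years, yet the denylist check rejects it immediately because stripping the trailing "123!" and undoing the @ and 0 substitutions gives "password".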
- Limiting File Uploads
If users can upload files through a form, treat every file with suspicion. The risk is that an uploaded file, however innocent it looks, may contain a script that the server could be tricked into executing, giving the attacker a foothold on your site. Check the file type against a short allowlist rather than a blocklist, verify that the content actually matches the claimed type, give the file a name of the server's choosing, and store it where the web server will never execute it.
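The checks above, as an added example (not code from the article or any CMS): an allowlist of extensions tied to the magic bytes a genuine file of that type starts with, rejection of double extensions, a scan for embedded PHP, and a random server-chosen filename. The allowed types, the 5 MB limit and the upload directory are assumptions for the demonstration.

```python
import os
import secrets

# Added example. Allowlist: extension -> byte prefixes a genuine file must start with.
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024      # assumed limit


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Return the canonical extension if the upload passes, else raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    # Drop any directory the client sent ("../../etc/x.pdf" -> "x.pdf").
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Exactly one extension: "shell.php.png" is refused outright, because Apache's
    # mod_mime treats every suffix as an extension and some AddHandler setups
    # would run it as PHP even though it "ends in .png".
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED:
        raise UploadRejected("extension not allowed")
    ext = parts[1]
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # A valid image header followed by PHP is still a script to a misconfigured server.
    if b"<?php" in data.lower() or b"<?=" in data:
        raise UploadRejected("embedded script")
    return ext


def is_accepted(filename, data):
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename, data, upload_dir):
    """Validate, then write under a random name the client never chose."""
    ext = validate_upload(filename, data)
    name = secrets.token_hex(16) + "." + ext
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)        # readable, never executable
    return name
```

Point `upload_dir` at a directory outside the document root, served through a script that sets the content type from the stored extension, or at a directory where the web server has script execution switched off; the random name then also stops an attacker from requesting their payload by the name they uploaded it under.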
- Using an SSL certificate
SSL (Secure Sockets Layer) is the protocol that allows sensitive information such as credit card numbers and log-in details to travel over an encrypted link between server and client. The SSL protocol itself has been superseded by TLS (Transport Layer Security), but the certificates are still commonly called SSL certificates. Google, in its efforts to promote a safer online world, has been clamping down on sites that do not offer this encryption to their visitors: Chrome now flags every page served over plain HTTP as "Not secure" (it has done so for all HTTP pages since version 68), which can affect not only trust but sales. You can check your website's SSL status HERE.
- Switch to HTTPS
HTTPS is HTTP carried over TLS: everything sent between your visitor's browser and your website is encrypted, protecting the confidentiality and integrity of your users' data against anyone on the network path. Because the browser also verifies the server's certificate, HTTPS lets your users authenticate that they are talking to the intended website, which is what defeats man-in-the-middle attacks. The protection only holds if the certificate is valid and every page, including its scripts and images, is served over HTTPS, with plain HTTP requests redirected to the HTTPS version. We have a nifty infographic of the things you need to do to move over to HTTPS HERE.
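For the two sections above on SSL certificates and the move to HTTPS, here is an added example (not Nimbus's checker) of the checks a practitioner runs after the switch: TLS version, days left on the certificate, whether plain HTTP redirects to HTTPS, and whether the site sends an HSTS header, which tells returning browsers never to use HTTP again. `check_site()` needs network access to the host being tested and is an assumption about how you would call it; the two helpers it uses are pure functions.

```python
import http.client
import socket
import ssl
import time

# Added example, not Nimbus's tooling. Assumes Python 3.8+ and, for
# check_site() only, network access to the host under test.


def cert_time(s):
    """Parse the 'notAfter' string that getpeercert() returns,
    e.g. 'May  9 00:00:00 2007 GMT', to a UNIX timestamp."""
    return ssl.cert_time_to_seconds(s)


def days_until_expiry(not_after, now=None):
    """Days left before the certificate expires (negative once it has)."""
    now = time.time() if now is None else now
    return (cert_time(not_after) - now) / 86400


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains) from a Strict-Transport-Security
    header, or None if the header is missing or carries no valid max-age."""
    if not header_value:
        return None
    max_age, subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name.lower() == "includesubdomains":
            subdomains = True
    return None if max_age is None else (max_age, subdomains)


def check_site(host, timeout=5.0):
    """Report TLS version, certificate lifetime, HSTS and the HTTP->HTTPS redirect."""
    ctx = ssl.create_default_context()       # verifies the chain and the hostname
    report = {}
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            report["tls_version"] = tls.version()
            report["cert_days_left"] = days_until_expiry(tls.getpeercert()["notAfter"])
    https = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    https.request("GET", "/")
    report["hsts"] = parse_hsts(https.getresponse().getheader("Strict-Transport-Security"))
    https.close()
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("GET", "/")
    resp = plain.getresponse()
    location = resp.getheader("Location") or ""
    report["http_redirects_to_https"] = (
        resp.status in (301, 302, 307, 308) and location.startswith("https://")
    )
    plain.close()
    return report


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A site that has finished the move reports TLSv1.2 or TLSv1.3, comfortably more than 30 days left on the certificate, `http_redirects_to_https` true and an HSTS max-age of at least a year; a certificate that is about to lapse produces exactly the browser warning the section above describes, so the expiry figure is worth putting on a schedule.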
- Make Admin Directories Tough to Spot
Attackers run scripts that scan a web server for directories with names like 'admin' or 'login' and then concentrate on breaking into them. Most CMS platforms let you rename these admin folders to a name of your choosing, which keeps your site out of the automated sweeps. Treat this as noise reduction rather than a defence in itself: the new name is still discoverable through links, error pages or guesswork, so the admin area should also be protected with strong credentials, rate limiting on log-in attempts and, where possible, restriction to known IP addresses.
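As an added example of layering those protections on top of the rename (configuration written for this page, not Nimbus or Plesk configuration), the nginx fragment below restricts a renamed admin path by source address, adds a second password prompt independent of the CMS accounts, and rate-limits log-in attempts. The path `/site-console/`, the 203.0.113.0/24 "office" range (a documentation prefix), the htpasswd file and the `php-handler.conf` include are all placeholders, and it assumes nginx fronts the site.

```nginx
# In the http {} context: a rate-limit bucket keyed by client address.
limit_req_zone $binary_remote_addr zone=adminlogin:10m rate=10r/m;

server {
    # the site's usual listen, server_name and root directives go here

    # ^~ is a prefix match that wins over regex locations such as a generic ~ \.php$ one,
    # so these rules cannot be bypassed by requesting a .php file inside the console.
    location ^~ /site-console/ {
        allow 203.0.113.0/24;          # placeholder office range; everyone else is refused
        deny  all;                     # 403 before any CMS code runs

        auth_basic           "Administration";
        auth_basic_user_file /etc/nginx/site-console.htpasswd;   # independent of CMS logins

        limit_req zone=adminlogin burst=5 nodelay;   # slows scripted password guessing

        # Hand off to PHP-FPM or the upstream exactly as the rest of the site does;
        # otherwise the restriction hides a 404 rather than the console.
        include snippets/php-handler.conf;           # placeholder for the site's PHP handler
    }
}
```

If staff connect from changing addresses, drop the `allow`/`deny` pair and keep the other two layers; the basic-auth prompt alone already means a leaked CMS password is not enough to get in.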
- Use a firewall to shield your network
A firewall can be hardware or software based. A network firewall controls which ports and addresses can reach your server, while a web application firewall (WAF) inspects the HTTP requests themselves and blocks the most common attack patterns, such as SQL injection and cross-site scripting, before they reach your code. With our Plesk Linux packages we include a WAF (the Plesk Web Application Firewall, which is built on ModSecurity) that sits in front of the web server, enabled by default for you. A WAF recognises known patterns rather than every possible attack, so it complements patching rather than replacing it.
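To make the "enabled" part concrete, here is an added ModSecurity 2.x fragment (example configuration, not the rule set Nimbus ships) showing the weak setting beside the corrected one, one custom rule, and how to tune a false positive without switching the engine off. The rule id 10001 and the `comment` parameter name are chosen for this example.

```apache
# Weak: requests are inspected but only logged, nothing is ever blocked.
# SecRuleEngine DetectionOnly

# Corrected: block on match, and inspect request bodies (POST forms, uploads),
# not just the URL and headers.
SecRuleEngine On
SecRequestBodyAccess On

# Custom rule alongside the vendor rules: refuse a classic SQL injection token
# appearing in any request argument or in the User-Agent header.
SecRule ARGS|REQUEST_HEADERS:User-Agent "@rx (?i)\bunion\b[\s/*]+\bselect\b" \
    "id:10001,phase:2,deny,status:403,log,msg:'SQL injection attempt'"

# Tune rather than disable: a blog's comment field may legitimately contain
# SQL, so exempt only that parameter from rule 10001.
SecRuleUpdateTargetById 10001 "!ARGS:comment"
```

After changing the engine mode, watch the audit log for a few days: every blocked request is either an attack or a false positive, and each false positive should become a targeted exclusion like the last line rather than a reason to go back to DetectionOnly.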
- Check your system and Web logs for suspicious activity
Unusual log activity is often the first warning that someone is probing or trying to break into your system: bursts of failed log-ins from a single address, requests for admin paths or files that do not exist, or errors at odd hours. Tripwire for Unix systems watches for unexpected changes to files rather than to logs, which is how a planted web shell or a modified CMS file shows up; Internet Security Scanner for Windows NT scans for known weaknesses before an attacker finds them. Log monitors such as fail2ban or OSSEC, or the alerting built into most hosting control panels, watch the logs themselves and alert you when they see unusual behaviour.
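The two log patterns named above, run over a constructed sample of web server "combined" log lines (an added example, not Nimbus's monitoring): one address hammering the log-in form, another sweeping for admin consoles and leftover files. The sample lines, the thresholds and the list of log-in URLs are assumptions, as is the WordPress behaviour that a failed log-in re-renders the form with status 200 while a success redirects with 302.

```python
import re
from collections import Counter, defaultdict

# Added example. Apache/nginx combined log format, only the fields used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample, not a real server log. 198.51.100.7 hammers the login
# form; 198.51.100.9 probes for admin consoles and leftover files.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2016:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 3210
198.51.100.7 - - [10/Mar/2016:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
198.51.100.7 - - [10/Mar/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1200
198.51.100.9 - - [10/Mar/2016:10:01:00 +0000] "GET /admin/ HTTP/1.1" 404 210
198.51.100.9 - - [10/Mar/2016:10:01:00 +0000] "GET /administrator/ HTTP/1.1" 404 210
198.51.100.9 - - [10/Mar/2016:10:01:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.9 - - [10/Mar/2016:10:01:01 +0000] "GET /backup.zip HTTP/1.1" 404 210
198.51.100.9 - - [10/Mar/2016:10:01:02 +0000] "GET /.env HTTP/1.1" 404 210
198.51.100.9 - - [10/Mar/2016:10:01:02 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 404 210
203.0.113.5 - - [10/Mar/2016:10:02:00 +0000] "GET /missing-page HTTP/1.1" 404 210
"""

LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/login")   # assumed


def parse(log_text):
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:                      # lines in another format are skipped
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def login_bruteforce(entries, threshold=5):
    """IPs with >= threshold failed POSTs to a login URL (WordPress answers a
    failed login with 200 and a successful one with a 302 redirect)."""
    hits = Counter(
        e["ip"] for e in entries
        if e["method"] == "POST" and e["path"].split("?")[0] in LOGIN_PATHS and e["status"] == 200
    )
    return {ip: n for ip, n in hits.items() if n >= threshold}


def path_scanners(entries, threshold=4):
    """IPs that hit 404 on >= threshold distinct paths: a guessing script,
    not a visitor following one dead link."""
    misses = defaultdict(set)
    for e in entries:
        if e["status"] == 404:
            misses[e["ip"]].add(e["path"])
    return {ip: sorted(paths) for ip, paths in misses.items() if len(paths) >= threshold}


def report(log_text):
    entries = parse(log_text)
    return {"login_bruteforce": login_bruteforce(entries), "path_scanners": path_scanners(entries)}


if __name__ == "__main__":
    for kind, findings in report(SAMPLE_LOG).items():
        for ip, detail in findings.items():
            print(f"{kind}: {ip} -> {detail}")
```

Point `report()` at a real access log and the hits are what you would feed to a blocklist or to fail2ban; the single 404 from 203.0.113.5 stays below the threshold, which is the difference between a scanner and a user with a stale bookmark.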
- Back-up, Back-up, Back-up!
Even a website that takes every security measure possible can be hacked, especially if it is deliberately targeted. Regular backups ensure that if your site is compromised you can restore it quickly and cleanly. Keep copies somewhere the web server cannot overwrite them, so an attacker who controls the site cannot destroy the backups too, and test a restore now and then, because an untested backup is only a hope. Backups also cover the case where an update breaks your site's design or functionality, or is itself buggy, in which case you restore the previous version.
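An added example of the "test a restore" part (a script written for this page, not Nimbus's backup tooling): a file-level backup with a checksum sidecar, a verification step that extracts the archive into a scratch directory and compares it with the live tree, and a retention rule. It assumes GNU tar and sha256sum as found on Linux; the database dump shown in a comment is where a mysqldump would slot in for a database-backed CMS.

```sh
#!/bin/sh
# Added example, not Nimbus's backup tooling. Assumes GNU tar, sha256sum, diff.
set -eu

# backup_site SRC_DIR DEST_DIR
# Writes DEST_DIR/site-<UTC stamp>.tar.gz plus a .sha256 sidecar; prints the archive path.
backup_site() {
    src=$1
    dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name="site-$stamp.tar.gz"
    mkdir -p "$dest"
    # A database-backed CMS also needs its data, e.g.:
    #   mysqldump --single-transaction "$DB_NAME" | gzip > "$dest/db-$stamp.sql.gz"
    # -C keeps paths relative so the archive restores into any directory.
    tar -czf "$dest/$name" -C "$src" .
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" )
    printf '%s\n' "$dest/$name"
}

# verify_backup ARCHIVE ORIGINAL_DIR
# Checks the sidecar checksum, then does a trial restore into a scratch
# directory and compares it with the live tree. Non-zero on any mismatch.
verify_backup() {
    archive=$1
    orig=$2
    ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" )
    tmp=$(mktemp -d)
    tar -xzf "$archive" -C "$tmp"
    if diff -r "$orig" "$tmp" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# prune_backups DEST_DIR KEEP
# Deletes all but the newest KEEP archives together with their sidecars.
prune_backups() {
    dest=$1
    keep=$2
    ls -1t "$dest"/site-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# Run directly: backup.sh /var/www/vhosts/example.com/httpdocs /var/backups/example.com
if [ "$#" -eq 2 ]; then
    archive=$(backup_site "$1" "$2")
    verify_backup "$archive" "$1" && echo "backup verified: $archive"
    prune_backups "$2" 7
fi
```

Schedule it from cron and copy the archives off the server afterwards (rsync or an object store); the verification step is deliberately run before the copy so that a corrupt archive is never the one you keep.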
An attack on your site not only compromises your users' data and your own information; it can also get your site blacklisted by Google and other search providers, since an infected site risks spreading malicious content, not to mention the often irreparable loss of trust among your customers or clients. As the owner of an online business, it is your responsibility to ensure that every reasonable measure is taken to protect your site from security threats.