As a business owner, you probably own and manage a website; it’s central to your online presence, and a crucial platform for making sales and growing a business. But have you thought about the security implications of your website? Just like any other system, emails, CRM, cloud services etc., your website is vulnerable to cyber attacks and must have the appropriate safeguards in place. In our latest article, we will list the ways in which you can protect your website from the most common threats.
Why Do You Need a Website Security Strategy?
Research suggests that around 30,000 websites are hacked daily. Imagine waking up one day to find that your entire website has been deleted, and all you’re left with is a ransom note demanding a large sum of money in order for it to be restored. The consequences are be severe – financial impact, loss of customer data, reputational damage, fines, and even loss of your business. It’s a scary thought, but fortunately, it’s a scenario that can be avoided. Develop a website security strategy that incorporates the measures we have listed below.
1. Use Strong, Unique Passwords for All Website Users’ Accounts
One of the first things you’ll want to do is to ensure that all users’ accounts are secured with a strong password. Here are a few guidelines:
- A strong password consists of at least 12 characters. If the account is also protected by multi-factor authentication (MFA), the password needs to be at least 8 characters long.
- Passwords must be unique, i.e. you must not reuse passwords across multiple accounts, and passwords must not be easily guessable.
- Do not write down passwords on paper, or store them within emails, spreadsheets, instant messaging platforms etc. Instead, use a password manager and train all staff members on how to use it correctly. Password managers can also be used to generate random passwords for your accounts.
- Never share your password with other users.
If you believe that a password has been compromised, you must change it immediately.
2. Implement Multi-Factor Authentication (MFA), Where Supported
Multi-factor authentication provides an additional layer of security by requiring the user to prove their identity in two or more ways. Here is an example):
- A user signs into a website with their username/password credentials
- A one-time passcode (OTP) is sent to an authenticator app on their mobile phone
MFA is very effective at preventing brute force attacks. A brute force attack occurs when a malicious actor repeatedly tries different username/password combinations until they find the one which gains them access to the system. When MFA is in place, a malicious actor would be unable to access a system even if they knew the correct username/password combination as they wouldn’t know the one-time passcode.
Ensure that MFA is implemented on all websites that support it.
3. Observe the Principle of Least Privilege
The principle of least privilege is a concept that requires users to be given the minimal level of access needed to perform their tasks.
Look at the list of users who have access to your website and determine the appropriate permissions required for each one. Staff members change over time, so it’s important that you audit users on a regular basis to ensure that all users are assigned the appropriate permissions for their role.
Any users who have left your organisation should have their access removed.
4. Ensure That an SSL Certificate is Installed on Your Website
Secure Sockets Layer (SSL) is a technology that encrypts data flowing to and from your website, so that it cannot easily be read by those who are not authorised to do so. When your website has an SSL certificate installed, a padlock symbol is usually displayed in the address bar of the browser. The website URL will also begin with https:// instead of http://. If no SSL is present, then a security warning may be displayed in the browser, or the browser may block access to the site entirely, causing a poor experience for users.
Your website should have an SSL certificate in place, particularly if users submit personal data on it (e.g. contact information, or payment information). Speak to your hosting provider about getting one set up. For optimum performance, purchase an SSL certificate that automatically renews.
Installing an SSL certificate on your website also helps to comply with data protection regulations.
5. Set Up a Web Application Firewall (WAF)
A web application firewall, or WAF, is a firewall which specifically protects web applications and APIs. A WAF is essentially a filter which is placed between the web application and the Internet, monitoring requests and blocking harmful traffic from passing through to the web application.
A WAF can protect your website from common threats, including distributed denial of service (DDoS) attacks, SQL injection, cross-site scripting (XSS) attacks and cross-site forgery.
Consider using a service like Cloudflare, which can easily be set up on your website to protect it against the most common threats. The free plan of Cloudflare provides a basic level of protection; as well as the WAF, you also have access to analytics, hotlink protection and more.
6. Keep Your Website Updated
Hackers are always finding new ways to break into websites; fortunately, developers regularly release new versions of software that contain fixes for these security vulnerabilities as well as new features. These new versions are delivered in the form of updates.
If your website is self-hosted on a platform such as WordPress, you will need to ensure that all plugins, themes and WordPress core files are kept updated, and that you are running the latest supported version of PHP.
It is possible to automate the updating of plugins, themes and WordPress core files, however, we do not recommend this. Updating your website automatically affords more control and allows you to better diagnose issues if your website breaks after a particular update is made.
Ensure to create a backup of your website before making any major updates. Delete any plugins or apps that are no longer needed.
We will be delving into WordPress security in a future blog post.
7. Beware of Phishing Scams
Phishing emails trick unsuspecting users into revealing personal information or login credentials, or installing malware on a system. Malicious actors can determine your website hosting platform, and will send you an email pretending to be from said platform.
See the below example, which appears to be from Shopify. The email prompts the user to click the link which opens a login page on a spoofed website.
Here are a few things to remember when dealing with phishing emails:
- Beware of emails that convey a sense of urgency or use threats
- Never respond to a phishing email
- Do not click on the links, and do not download any attachments
- Report phishing emails via your email program before deleting them.
Ensure that your staff are aware of the latest phishing threats with regular training. This is the best way to protect your organisation against such attacks.
8. Remove Unnecessary Data From Your Website
Over time, data can accumulate on your website, which can increase risk as well as use of storage space. This data can come from sources including enquiry forms, newsletter signup forms or an online store, if you have one. You may be unaware of the amount of data that your website is storing.
Conduct an audit of the data that has been collected, and delete any which you no longer need. If you must keep some data, consider moving it to a more secure or offline location. When conducting your audit, be mindful of relevant data protection legislation and your legal obligations. These will determine which data you will keep and which data you will delete.
9. Monitor Website Login and Other Activity
Monitoring login activity helps you to keep track of who is accessing your website, when they are accessing it, from which location, IP address, and from which ISP.
Here is an example of login session history:
If you notice many failed login attempts originating from the same location, this could be a potential brute force attack.
In particular, watch out for successful logins from unknown ISPs, locations, or IP addresses. If you see any in your login history, this may indicate that an account has been compromised. If this is the case, the password for that account must be changed immediately. Where supported, enable multi-factor authentication (MFA) on all accounts.
Depending on your website’s platform, you may be able to track other activity including:
- Changes to products
- Changes to blog posts
- App or plugin changes
- User management
Keeping an eye on the above activity will help you to maintain your website’s security by being able to respond appropriately, should any unauthorised changes be made.
10. Backup Your Website
We cannot stress enough the importance of backing up your website. Keeping backups is necessary for several reasons. Consider the following scenarios:
- Your website develops an error because a plugin failed to update correctly.
- You decide to move your website to a different hosting provider.
- Your website was compromised and suffered loss of data.
The frequency of backups will depend on how often you update your website. If possible, automate the backup process.
The location where you are storing backups must have ample storage space. Backups must be tested regularly to ensure that they are working. You wouldn’t want your backups to fail when you need them the most!
Conclusion
By implementing the measures outlined in this article, you will have developed a robust strategy for protecting your website. However, website security is not a ‘set and forget’ process. Business needs evolve over time, staff members change, data accumulates, and new cyber threats are constantly emerging. For optimum protection and to minimise risk, you must conduct regular audits to review the areas we mentioned within this article.
If you need help with any aspect of your website security, please contact us.
0 Comments