At Burnthebook we highly value web security as a vital part of any reputable business’ online presence, and we want to help create a safer and higher quality online community. To help you make sure your website is secure, we’ve assembled a list of 10 important steps you can take to make sure that this is the case.
1. Stay Up to Date
Keeping your software up to date is one of the easiest ways to keep your website secure. Hackers are often quick to find any holes in software and even quicker to abuse them. Luckily most software developers are also quick to fix these holes, and any other bugs, when they’re discovered…but if you don’t keep your software up to date, you won’t be able to enjoy the benefits of these fixes.
2. Use Strong Encrypted Passwords
Using strong and encrypted passwords is something you should apply to both yourself and any end users with accounts linked to your website. While some people might not like being forced to create a password with a minimum character count, or at least one number or one uppercase character, such a step keeps both their accounts and your website secure.
Passwords should also only ever be stored as encrypted values; this means that when you authenticate users you only ever compare encrypted values. While there are a number of ways to do this, one of the best is to use a one-way algorithm such as SHA. Another extra layer of security for passwords is to salt them; this is an additional input that will ‘hash’ a password and means the password hacking process is far slower and computationally more expensive, as each password has to be hashed separately for every salt and every password.
3. SSL Certificates
SSL certificates secure a website by creating an encrypted connection between the web server and the visitor’s web browser so private information can be transmitted without problems of eavesdropping, data tampering or message forgery. While once only common on websites that handled private information such as payment details, they are now far more prominent with Google even including SSL certificates among its ranking factors as a part of their aim to create “HTTPS everywhere”. SSL secure websites will have HTTPS in the URL bar, as well as a padlock icon; Google Chrome users will now even be warned against non-SSL websites as they might be unsafe.
The SSL certificate doesn’t just protect your website, but protects those who use your website too, and so helps build trust with the end user. If a hacker intercepts information, for example payment details, while they are encrypted by SSL, then the information can only be read as gibberish. Just make sure you don’t forget to renew your certificate before it expires!
4. Content Delivery Network (CDN)
A CDN is a globally distributed network of proxy servers in multiple data centers, intended to serve content to end users with high availability and performance by storing cached versions of a website on different proxy servers around the world. Whenever the CDN detects a change in the website, it updates automatically. This means that information has less distance to travel and therefore your website has faster speeds with good usability and end user experience, and it even uses less bandwidth on your server to save on hosting costs. Yet it also adds an extra layer of security, protecting against a variety of brute force attacks, including DDoS attacks. In a non-CDN setup, the hacker can “talk” directly to the host server, but in a CDN, the CDN server acts as a middle-man and verifies any requests before they are directed to the host server. The IP address of the host server will always remain hidden. If, for example in the case of a brute force attack, robots throw millions of passwords for a user login at the website, the CDN will prevent access by highlighting that it’s clearly a wrong user.
5. Install Firewall or Security Application
Firewalls and security applications are both extremely useful in securing your website against hackers. A web application firewall is software or hardware that sits between your web server and the data connection and reads all of the data that passes through, filtering unwanted traffic such as spammers, malicious bots and hackers. While security applications aren’t as effective as a full firewall, they can still make life a lot more difficult for hackers. Both of these will be totally ineffective, however, if anyone can gain physical access to your server, so make sure this isn’t possible either.
6. Error Messages
Be careful how much information you give away to end users via error messages. While you might want to hide all error messages completely, for example hiding a PHP error is very important, this isn’t always possible. User errors, such as wrong usernames and passwords are important to show, but if you do have such a login form on your website, make sure to use generic messages such as “incorrect username or password”. If you specify which field is correct and which is wrong, then a hacker knows they have one field correct and can concentrate on the other which can easily enable them to make a brute force attack.
7. Input Sanitization
Input sanitization helps protect against two particular forms of attack: SQL injection and cross site scripting (XSS). SQL is a programming language for communicating with a database, and if inserted into an input field, or even a file upload, a hacker can inject SQL code into the website and make mass database changes, from deleting to reading the entire database. To prevent this, the website must have some kind of data-cleansing ability for any user-input data to ensure injected code cannot be run.
XSS occurs when malicious JavaScript code is inserted into an input field on a website, file upload or is directly injected. This code hijacks the website script by being read as programing language. To prevent this, you need to again make sure all inputs are sanitized and injected code is removed from the inputs. JavaScript code cannot simply be prevented from running like SQL – it needs to be completely removed. Twitter actually had a huge problem with XSS; a user inserted JavaScript into a Tweet via TweetDeck which led to it being automatically retweeted by anyone who viewed it. The overall result was thousands of retweets in a matter of minutes
Input sanitization can also apply to file uploads. You can’t rely on the file extension alone to verify a document as these can easily be faked. By installing an extension or package you can ensure not only that the file type is what it says it is, but also that it doesn’t contain any viruses or other harmful code.
8. Setting the Correct File & Folder Permissions
This is important to ensure that only the correct people can access certain information about your website. Directory access is a huge issue, and even one we’ve discovered as we completed an audit of a new client’s website. If a hacker or developer knows a particular piece of software, for example WordPress, they can bypass your website and go straight to your files by exploiting their knowledge of weaknesses in the software and file structure. This means that any sensitive information intentionally stored away from public view can be easily accessed and made publically available. By setting the correct file and directory permissions, however, this is no longer a problem. Good .htaccess rules can also help prevent this.
File permissions are also important in any file uploads. Make sure you change file permissions to limit access on certain folders and files that have been uploaded by a user, for example a profile picture.
9. Hide Admin Panel URL
Most CMS admin panels sit on a URL that can be easily guessed by hackers, typically involving phrases such as “/system”, “/manage”, “/login”. As a result, hackers can easily use brute force attacks to try and guess the login credentials for the CMS. The easiest way to prevent this and deter some hacking attacks is to change the admin URL to something more complex, such as “/our-admin-panel-1712”.
10. Set Up Multi-level CMS Permissions
Many website owners will have a single username and password combination to manage their website that will then be shared between colleagues. This can, however, pose a huge security issue. A single login means that it is almost impossible to know who made what change to the website and when. It also means that everyone will have full access to add and remove elements across the entire site. Besides this, it also means that if one user isn’t careful with how they maintain their login details then resetting passwords affects everyone else who uses the login. The same is true if an employee leaves the business.
There is an easy solution to this, however. By setting up member groups in the CMS, such as ‘Systems Admin’, ‘Blog Management’ etc., each group can then be assigned certain permissions that restrict what they can do and what they can access. If each group then has their own username and password, each member assigned to that group is then also limited in the functions they can perform.
While these are all good things to ensure you are protected by and from, the best way to check whether your website is secure is to undergo a full site audit by a reputable digital or web development agency. This can reveal even the tiniest weakness in your website, as well as instruct you on the right solution to fix it.