When you leave the office for the evening you make sure your doors and windows are locked but if your website isn’t secure your business is still vulnerable. Whether your site is static or dynamic it may be vulnerable to cyber attacks.
To help keep your website secure, and your data safe, here are nine things you can do to help keep intruders out.
3 Tips for Securing A Static Site
Ensure You Have an SSL Certificate
Have you ever noticed the little lock and the word “Secure” next to a website’s address in the address bar? That is there because of SSL. SSL establishes a secure, two-way tunnel that allows data to move between your server and the user’s computer, keeping private information hidden from prying eyes. It also helps us ensure that we are connecting to the websites we actually want to visit. SSL helps ensure that when you try to visit your bank’s website (where you are likely going to enter sensitive financial information such as your credit card number) you can verify that you are actually visiting the real website and not a fake set up to steal data.
Even though your static website doesn’t have any user data or credentials that need to be protected you still need to protect your website’s content from being deleted, hacked, or defaced. You also want to ensure that your user’s privacy is maintained since cybercriminals can still target users who visit unprotected websites. Having an SSL certificate also puts users more at ease, and makes it more likely that they will visit your website again.
Keep Your Software Up to Date
One way that cybercriminals can gain unauthorized access to websites is by exploiting vulnerabilities that they find in out-of-date software. Once they gain entry they can deface your website’s content, knock your website offline, or even gain access to things like your server in order to host illegal files or send spam. To counteract this always make sure that your web server’s software is always up to date. As programmers discover flaws in their software they create patches to fix them, but the patch only works if you have it installed.
Stay In the Loop
You may not visit your website every day, but you should still know what is going on. By using programs that provide uptime monitoring you can set up alerts that will let you know if your site has undergone any unexpected content changes. This will alert you if a breach has happened, and let you mitigate or prevent damage as quickly as possible. A defaced or damaged website is bad for business and could send a bad message to legitimate website visitors.
3 Tips for Securing a WordPress (or Other Database) Website
Implement a Rigorous Username and Password Policy and add Multifactor Authentication (MFA)
It is important for you to educate all of your users about the importance of having strong passwords. To help users select strong passwords the National Institute of Standards and Technology (NIST) released updated guidelines in 2017. Suggestions for making user passwords stronger can be found in section 18.104.22.168 (Memorized Secret Identifiers).
One thing you should always do is make sure that are choosing usernames are not easy to guess. One way to do this is to have users use email addresses instead of usernames. If you need to store user passwords on your site for any reason you should make sure they are always stored in an encrypted form. To do this you may want to consider using OAuth or another third party identity management site.
You should also ensure that all users are employing multifactor authentication when logging into your website. Multifactor authentication adds another layer of security and alerts users when someone else is trying to log in using their account.
Limit User Logins Based on the Number of Failed Attempts or Implement Rate Limiting
If a user can’t enter their correct credentials three or four times in a row, but don’t click on the “forgot password” button it isn’t a usually a good sign. Some cybercriminals will attempt to “brute force” a website in order to gain access. They do this by trying common usernames like “admin” and pairing them with common passwords in the hopes that they will guess the correct combination. Restricting access after a number of failed attempts is a great way to keep unauthorized users out and discourage them from trying to gain access again.
Many unauthorized users use bots to try and brute force their way into websites. One way to dissuade bots from attacking your site is to implement rate limiting. Rate limiting allows users virtually unlimited login attempts but causes a delay between each attempt. Even a delay of one second, which doesn’s seem like a lot, can hinder a bot’s brute force attempt by making the process impossibly slow by computer standards. This can also delay a bot from accessing your site, and increase the likelihood of someone noticing that the site is being attacked and have time to implement countermeasures before a potential breach occurs.
Rename Your Admin Account
One of the first rules of website security is to not use Admin as your administrator username or your WordPress username. By ensuring that your admin account’s username is less easy to guess it can slow down and even prevent unauthorized users from gaining access to your website. When you keep the default Admin username you are solving half of the login puzzle for any potential cybercriminals and reducing your website’s security.
Change the Login Path to a Non-Default URL
WordPress is the most popular CMS on the planet, and /wp-admin/ is the typical login path. Bad actors exploit this by quickly accessing your login page and attempting to brute force their way in. A simple act of changing the login path is surprisingly effective.
3 Tips For Making Sure Your Hosting Provider Is Secure
Make sure you vet your hosting provider carefully and select one that offers a secure hosting environment.
Ask if Your Hosting Provider Monitors Their Network
In order to prevent malware from spreading it needs to be detected first. If malware manages to get onto the server system your hosting provider is better able to keep it from infecting the server that hosts your site if they are monitoring their internal traffic diligently. When choosing a hosting provider you should ask for some details about how the support team monitors the network, which staff conducts the monitoring, and what sort of traffic raises their suspicions.
Look For Antivirus and Malware Scanning and Removal Capabilities
Before you choose a hosting provider make sure you understand what sort of protection from malware they offer and what you will need to do to ensure your website is fully secure. You should also be sure to ask if their support team scans files in your account and if you can access those reports. You should also be clear on what will happen if your account becomes infected and if your hosting provider will help you identify and remove malware.
Ask About SSL, Firewalls, and DDoS Prevention
Ask your provider about what sort of protocols they have in place to prevent cyber attacks. A good firewall can help prevent DDoS (Denial of Service) attacks from occurring in the first place. DDoS attacks flood your website with traffic, rendering it useless to legitimate visitors.
You should also check to see if your hosting provider makes SSL certificates available. You will likely be responsible for implementing the certificate, but your host needs to be able to provide them in order for you to do that.
There are a number of things you can do to help keep your website secure from cybercriminals. By having robust security practices (such as strong passwords) in place and keeping your software up to date you can dissuade cybercriminals from attacking your site. You also don’t have to handle all of your cybersecurity alone. By selecting a web hosting provider that has their own robust security protocols in place you can add another layer of security to your digital assets.
Lock Down Folders and Subdirectories
Preventing people from accessing subdirectories in the site helps ensure that they are unable to access exploits or vulnerabilities associated with back-end software, upload folders, etc. Setting these permissions to 755 is a simple way to keep people out.
Add Bot Filters & Maintain an Active Blacklist
Many bad actors utilize bot networks with known IP addresses and points of origin. Several blacklists exist that you can use to filter out these bots. Work with your web host to ensure your IP filtering and firewall is appropriately configured.
This a Great Start… But It Is Only a Start
Implementing the above precautions will go a long way in preventing intrusion. However, the above is very much “the basics”. Once you’ve got them completed, look into more advanced methods to keep your website and data secure.