Security on the Internet – a password that blazes our ears in subsequent information campaigns, in notifications from our banks, or when reading an article about another data leak. A slogan that – as our parents used to say – falls with one ear and the other one … and we do nothing with all this “security”. Time to change that and not cry… after the damage! How to ensure the security of the website?
Website security – hacking, hacking uneven
Can my website be hacked? Is my website worth a hack? The truth is, there’s no place on the web that isn’t worth breaking into. Each domain and each page is a place that can be used – put links to various types of potency specifics, redirect to your – sham – domain or silently use our server for mailing and serve innocent internet users content intended definitely for adult recipients. The number of ways to use a hijacked website is limited only by the hackers’ creativity.
Taking over the website has various consequences, including problems with the proper functioning of the website and falling out of the Google index as a result of removing optimization. Hacking also increases the risk of your site being cut from the SERPs as a result of penalties for illegal content attacking. In addition, with each subsequent hack, the website loses its credibility in the eyes of the recipients, and they are more cautious about using the products and services offered. Lack of trust stems primarily from fear of your own data – it is user information that attracts hackers. In some cases, the acquisition of the site is also associated with considerable costs, which include, for example, income that could be achieved at the time when the site was closed. The costs of server cleanup and site restoration can also significantly affect your company’s budget. There are also legal consequences.
Who is most at risk?
Every website and every person using the Internet may fall victim to one of
the many types of cyber attacks. Break-ins happen to large
and well-secured companies:
– Adobe lost data in 2013 – username and password, full names, credit and debit card details – from 153 million accounts,
– LinkedIn lost email addresses and passwords of users in 2012 and 2016,
– Garmin lost access to a large part of its systems in 2020 and was forced to disable access to all services. In order to gain access to the data decryption key, the company decided to pay a ransom.
The scale of these break-ins is much greater than what the owners of small websites usually experience. However, this does not mean that you should ignore safety issues and not take appropriate steps in the name of the principle “prevention is better than cure”.
Among the systems that are exposed to hacking attacks, the popular CMSs are usually mentioned – WordPress and Joomla. The frequency of burglaries is influenced, among others, by the universality of installation of these solutions and … quite a frivolous approach to software updates and notifications related to security. In the case of WordPress, the source of attacks are also plugins that allow you to add new functionalities to your website. Some of the plugins are manufactured by third parties. Joomla’s vulnerability manifests itself during system configuration, which tends to generate errors when installing external extensions.
How to ensure the security of the website?
Below are 6 basic elements that allow you to increase the security of the website and reduce light-hearted behavior that may cause risk.
A. Password123, guess you!
Professional tools and the most complex security programs can fail with a lack of common sense and a lack of awareness of threats. I do not wish to imply that modern solutions should not be used – quite the contrary! My only suggestion is that we take a moment to reflect on our slogans. They are the ones that most often fall prey to internet thieves and cause havoc on our virtual estates. The most popular sins related to slogans include:
– their simplicity – i.e. qwerty, 12345, abc123 or passwords associated
with the name of the website where we have an account This
type of security breaks quickly – once they are quite intuitive, and two – they
are one of those most often found on lists of data stolen from various websites,
– their universality – one password for everything? Simple solutions of this type work well … for a short while. Data leakage from one site may result in the loss of accounts also in other spaces.
This infamous group also includes the ugly habit of saving all passwords in one place – be it in a notebook or in an ordinary text file located in one of the folders on the disk. While the traditional notebook can be an attractive prey for a less IT-agile thief, the file can be of interest to anyone who knows how to use the trust of public network users (e.g. wifi in a restaurant) – hence the path to taking over all our Internet incarnations is short.
So how do you keep your passwords secure? One of the solutions that work both in private and in enterprises are applications that allow you to store passwords in a safe way, eg LastPass, 1Password, or their free equivalents – KeePass and BitWarden. These types of solutions work similarly to the above-criticized book – they allow you to store passwords in one place, but they are much more secure. These programs allow you to generate extremely complex passwords, which are then encrypted in various ways and stored in this form. The user only needs one password that allows him to access the application. Programs of this type run not only on computers but also on mobile devices.
An effective way to limit the possibility of account takeover is also multi-stage verification. The introduction of this solution requires verification of logging in in several ways, e.g. using the application installed on the phone. The need to confirm the willingness to access the account allows for additional control and catching unauthorized login attempts.
Passwords should also be changed from time to time, especially in the case of rotation among company employees. After changing the people responsible for various areas of the Internet activity, it is good to refresh the accesses and ensure that only designated employees have access to the password-protected places.
Updating systems is another element of the set of basic activities that allow you to reduce the risk associated with unwanted activity on the website. This applies to all elements related to it – CMS, software on the server, as well as plugins and extensions. The task of the update – apart from developing the application and adding its new functionalities – is also to eliminate bugs and potential threats existing in the earlier code. The lack of updates to programs running within the site makes it much easier to take over from external users.
You can find out how often security patches are implemented by analyzing the information provided with subsequent software updates. Most updates go hand in hand with a blog post or note detailing each subsequent patch.
Additionally, information about the need to update your CMS usually appears on the main page of the administration panel. Note – updating older CMS versions (e.g. those that have not been updated for several months) may result in problems with the basic functionalities of the website. Before starting the update, it is worth taking care of backing up your website files. Archaic versions of CMS are good to update with the help of specialists – e.g. a software house which was responsible for the original appearance of the website. You should remember about the necessity to update the system on which the website is located when designing the website and include help with updating in the contract.
C. Plugins and Extensions
When discussing updates of popular CMSs, it is also worth paying attention to the elements that allow you to extend the capabilities of these programs, i.e. plug-ins, extensions and add-ons. Each of these programs offers a new function for our CMS, unfortunately – not always only the ones we care about. So how do you recognize plugins that will be safe? What to look for?
Before installing an add-on to our CMS, it is worth taking a look at its popularity and opinions, check the credibility of the company that issued it and make sure how often they are and what the updates are about.
It is a mistake to leave plugins without updating – it is thanks to them that bugs and security holes are removed that can be used to take over your Internet ownership.
The implementation of SSL is not only the whim of your SEO positioner or your ad specialist, but one of the ways to improve the security of data flowing through your website. SSL, or in fact TSL, guarantees the confidentiality of data transmission and server authentication. It is based on asymmetric encryption with a public key, the knowledge of which cannot decrypt the data. For this purpose, it is necessary to have a private key that is not shared externally. The length of the keys in the current versions of TSL is at least 128 bits.
E. Take care of a backup
Caution may result in another item on the list of monthly website maintenance costs, but in times of crisis it becomes priceless. Website security is not an area where you should save in the first place. In this case, forethought manifests itself by taking care of the backup. Backups stored in a safe place reduce the risk of data loss. Securing databases and placing them in a different space than the original files will enable business continuity, even in the event of a failure or losses caused by a break-in.
The backups will also be stored by the hosting on which the website is located, which is very useful in the event of technical problems with the website – restoring the state from two or three days ago is usually a matter of one phone. Unfortunately, leaving the security of your websites in the hands of third parties does not always work, as customers of one of the world’s hosting companies could already see in 2016.
F. Educate yourself and your colleagues
The security of a website depends on many factors. The impact of some of them can be reduced by educating everyone who works within them. Sometimes it is enough to refresh the basics related to online security – the rules of creating passwords, the need to use secure internet connections and log out after work is done, or suspicion of unusual-looking emails. A website is a sensitive place, the most sensitive of which is our ignorance. Caring for the security of the website and all resources necessary for our company does not require specialist knowledge or technical skills – in many cases it is enough to implement good practices.