Website Security & Protection: How to Secure a Website

Website security can be a complex (or even confusing) topic in an ever-evolving landscape. This guide is meant to provide a clear framework for website owners seeking to mitigate risk and apply security principles to their web properties.

Before we get started, it’s important to keep in mind that security is never a set-it-and-forget-it solution. Instead, we encourage you to think of it as a continuous process that requires constant assessment to reduce the overall risk.

By applying a systematic approach to website security, we can think of it as an onion, with many layers of defense all coming together to form one piece. We need to view website security holistically and approach it with a defense in depth strategy.

What is Website Security?

Website security is the measures taken to secure a website from cyberattacks. In this sense, website security is an ongoing process and an essential part of managing a website.

Why is Website Security Important?

Website security can be challenging, especially when dealing with a large network of sites. Having a secure website is as vital to someone’s online presence as having a website host. If a website is hacked and blocklisted, for example, it can lose up to 98% of its traffic. Not having a secure website can be as bad as not having a website at all, or even worse. For example, a client data breach can result in lawsuits, heavy fines, and a ruined reputation.

Defense in Depth Strategy

A defense in depth strategy for website security looks at the depth of the defense and at the breadth of the attack surface to analyze the tools used across the stack. This approach provides a more accurate picture of today’s website security threat landscape.

How Web Pros See Website Security

We can’t forget about the statistics, which make website security a compelling topic for any online business—regardless of their size.

Why Websites Get Hacked

There are over 1.94 billion websites online in 2019. This provides an extensive playground for bad actors.

There is often a misconception about why websites get hacked. Owners and administrators often believe they won’t get hacked because their sites are smaller, and therefore make less attractive targets. Hackers may single out bigger sites when they want to steal information or sabotage them. For their other goals (which are more common), any small site is valuable enough.

There are various goals when hacking websites, but the main ones are:

  • Exploiting site visitors.
  • Stealing information stored on the server.
  • Tricking bots and crawlers (black-hat SEO).
  • Abusing server resources.
  • Pure hooliganism (defacement).

Automated Website Attacks

Unfortunately, automation reduces overhead, allows for mass exposure, and increases the odds for a successful compromise—regardless of the amount of traffic or popularity of the website.

In fact, automation is king in the world of hacking. Automated attacks often involve leveraging known vulnerabilities to impact a large subset of sites, sometimes without the site owner even knowing.

Automated attacks are based on opportunity. Contrary to popular belief, automated attacks are much more common than handpicked targeted attacks due to their reach and ease of access.

CMS Security Considerations

It has become easier for the average site owner to get online quickly with the use of an open source content management system (CMS) such as WordPress, Magento, Joomla or Drupal.

While these platforms often provide frequent security updates, the use of third-party extensible components – such as plugins or themes – leads to vulnerabilities that attacks of opportunity can easily exploit.

We have developed detailed website security guides for each popular CMS to help website owners protect their environments and mitigate threats.

Information Security CIA Triad

A benchmark in information security is the CIA triad – Confidentiality, Integrity and Availability. This model is used to develop policies for securing organizations.

Confidentiality

Confidentiality refers to access control of information to ensure that those who should not have access are kept out. This can be done with passwords, usernames, and other access control components.

Integrity

Integrity ensures that the information end-users receive is accurate and unaltered by anyone other than the site owner. This is often done with encryption, such as Secure Sockets Layer (SSL)/TLS certificates, which ensure that data in transit is encrypted and cannot be altered without detection.

Availability

Availability rounds out the triad and ensures information can be accessed when needed. The most common threat to website availability is a Distributed Denial of Service attack or DDoS attack.

Now that we have some background on automated and targeted attacks, we can dive into some of the most common website security threats.

Website Vulnerabilities & Threats

Here are the most common website security vulnerabilities and threats:

SQL Injections

SQL injection attacks insert malicious input into a vulnerable SQL query. They rely on an attacker placing specially crafted input in a request that the website then incorporates, unsanitized, into the query it sends to the database.

A successful attack will alter the database query in such a way that it will return the information desired by the attacker, instead of the information the website expected. SQL injections can even modify or add malicious information to the database.
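The following is an added example, not code from the original guide: the same user lookup written once with string concatenation (the vulnerable form) and once as a parameterized query, run against an in-memory SQLite table with constructed sample rows. The textbook tautology input shows how the first form changes the query's structure while the second treats it as plain data.

```python
# Added example (not from the original guide): the same lookup written two
# ways against an in-memory SQLite table with constructed sample users.
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed sample rows; the hashes are placeholders, not real values.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn

def find_user_vulnerable(conn, username):
    # BUG: user input is spliced into the SQL text, so it becomes part of the
    # statement's structure instead of staying a value.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, username):
    # Parameterized query: the driver passes the value separately, so quotes
    # or keywords inside it can never change what the statement does.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Constructed input using the textbook tautology: in the vulnerable function
# the WHERE clause becomes  username = '' OR '1'='1'  and matches every row.
CRAFTED = "' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, CRAFTED),  # every user leaks
        "safe": find_user_safe(conn, CRAFTED),              # no match
        "normal": find_user_safe(conn, "alice"),            # expected lookup
    }

if __name__ == "__main__":
    print(demo())
```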

Cross-site Scripting (XSS)

Cross-site scripting attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method.

The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker when loading the page. If a logged-in site administrator loads the code, the script will be executed with their level of privilege, which could potentially lead to site takeover.
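As an added example (not from the original guide), here is a stored comment rendered without and with output encoding, plus a Content-Security-Policy header as a second layer; the comment text and the page fragments are constructed for illustration.

```python
# Added example (not from the original guide): the same comment rendered
# without and with output encoding, plus a CSP header as a second layer.
import html

# Constructed stored comment: echoed raw, a browser would run the script tag.
STORED_COMMENT = "Nice post! <script>alert('injected')</script>"

def render_vulnerable(comment):
    # BUG: untrusted text is concatenated straight into the HTML body, so any
    # markup in it becomes part of the page and runs in the visitor's browser
    # with that visitor's session (the site-takeover scenario described above).
    return f'<p class="comment">{comment}</p>'

def render_safe(comment):
    # Encode <, >, &, " and ' so the browser displays the text literally.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def render_title_attribute(title):
    # Attribute context: quote=True also encodes quotes, so the value cannot
    # close the attribute and start a new one such as an event handler.
    return f'<a href="/search" title="{html.escape(title, quote=True)}">search</a>'

def security_headers():
    # Defense in depth: forbid inline script entirely, so a missed encoding in
    # one template still cannot run attacker-supplied JavaScript.
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}

def contains_script_tag(markup):
    return "<script" in markup.lower()
```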

Credential Brute Force Attacks

Gaining access to a website’s admin area, control panel or even to the SFTP server is one of the most common vectors used to compromise websites. The process is very simple: the attackers program a script that tries multiple combinations of usernames and passwords until it finds one that works.

Once access is granted, attackers can launch a variety of malicious activities, from spam campaigns to coin-miners and credit card stealers.
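The following detection logic is an added example, not code from the original guide. It runs over constructed login-failure log lines in an assumed "timestamp ip user result" format and flags any source IP that accumulates a threshold of failures inside a sliding time window, which is the pattern the scripted guessing described above produces.

```python
# Added example (not from the original guide): sliding-window detection of
# credential brute forcing over constructed auth-log lines.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines. The "timestamp ip user result" layout is an
# assumption; adapt LINE_RE to your application's real authentication log.
SAMPLE_LOG = """\
2024-01-10T10:00:01 203.0.113.7 admin FAIL
2024-01-10T10:00:02 203.0.113.7 admin FAIL
2024-01-10T10:00:03 203.0.113.7 administrator FAIL
2024-01-10T10:00:04 203.0.113.7 root FAIL
2024-01-10T10:00:05 203.0.113.7 editor FAIL
2024-01-10T10:00:06 203.0.113.7 admin FAIL
2024-01-10T10:00:30 198.51.100.4 alice FAIL
2024-01-10T10:05:00 198.51.100.4 alice OK
2024-01-10T10:09:00 192.0.2.9 bob FAIL
2024-01-10T10:19:00 192.0.2.9 bob FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the monitor
        ts, ip, user, result = m.groups()
        yield datetime.fromisoformat(ts), ip, user, result

def detect_brute_force(log_text, threshold=5, window_minutes=5):
    """Return {ip: set(usernames)} for every IP that reaches `threshold`
    failed logins within any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> deque of (time, user) failures
    flagged = {}
    for ts, ip, user, result in parse(log_text):
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, set()).update(u for _, u in q)
    return flagged
```

Because usernames are recorded per flagged IP, the output also exposes spraying across several account names, not just repeated guesses at one.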

Website Malware Infections & Attacks

Using some of the previous security issues as a means to gain unauthorized access to a website, attackers can then:

  • Inject SEO spam on the page
  • Drop a backdoor to maintain access
  • Collect visitor information or credit card data
  • Run exploits on the server to escalate access level
  • Use visitors’ computers to mine cryptocurrencies
  • Store botnet command & control scripts
  • Show unwanted ads, redirect visitors to scam sites
  • Host malicious downloads
  • Launch attacks against other sites

DoS/DDoS Attacks

A Distributed Denial of Service (DDoS) attack is a non-intrusive internet attack. It is made to take down the targeted website or slow it down by flooding the network, server or application with fake traffic.

DDoS attacks are threats that website owners must familiarize themselves with as they are a critical piece of the security landscape. When a DDoS attack targets a vulnerable resource-intensive endpoint, even a tiny amount of traffic is enough for the attack to be successful.

Ecommerce Website Security & PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) outlines requirements for website owners with online stores. These requirements help ensure that you are properly securing the cardholder data you collect as an online store.

Under PCI DSS, cardholder data that must be secured refers to the full primary account number (PAN), but may also appear in the form of one of the following:

  • Full magnetic stripe data (or chip equivalent)
  • Expiration date
  • Service code
  • PIN code
  • CVV digits

PCI compliance regulations apply regardless of whether you share data digitally, in written form, or speak to another individual with access to the data.

For ecommerce websites, it’s critical to do everything in your power to ensure that cardholder data is properly encrypted via HTTPS as it passes from the browser to the web server. It should also be stored on the server securely and similarly encrypted when transmitted to any third-party payment processing services.

Hackers may try to steal or intercept cardholder data at any time, whether the data is at rest or in transit. Our PCI Compliance Guide and Checklist can help you walk through how to meet these requirements.

Website Security Framework

Regardless of the size of your business, developing a security framework can help reduce your overall risk.

The US National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework, which forms the basis of the website security principles framework in this guide.

Because security is a continuous process, it starts with the foundation of a website security framework. This framework involves creating a “culture of security” where scheduled audits help keep things simple and timely.

The five functions: Identify, Protect, Detect, Respond and Recover will be broken out in more detail along with actions to be applied.

Identify

During this stage all asset inventory and management is documented and reviewed.

Asset inventory and management can be taken one step further into the following subcategories:

  • web properties,
  • web servers and infrastructure,
  • plugins, extensions, themes, and modules,
  • third-party integrations and services,
  • access points/nodes.

Once you have a list of your website assets, you can take steps to audit and defend each of them from attacks.

Protect

There are many reasons why having preventative web security measures in place is crucial, but where do you begin? These measures are known as protective technologies and layers of defense.

Sometimes these measures satisfy compliance requirements such as PCI, or make it easy to virtually patch and harden environments that are vulnerable to attack. Protection can also include employee training and access control policies.

One of the best ways to secure your website is by activating a web application firewall. Taking the time to think through security processes, tools, and configurations will impact your website security posture.

Detect

Continuous monitoring is a concept that refers to implementing tools to monitor your website (assets) and alert you to any issues.

Monitoring should be in place to verify the security state of:

  • DNS records,
  • SSL certificates,
  • web server configuration,
  • application updates,
  • user access,
  • file integrity.

You can also use security scanners and tools (such as SiteCheck) to scan for indicators of compromise or vulnerability.

Respond

Analysis and mitigation help to build out the response category. When there is an incident, there needs to be a response plan in place. Having a response plan prior to an incident of compromise will do wonders for the psyche.

A proper incident response plan includes:

  • Selecting an incident response team or person
  • Reporting the incident and reviewing the findings
  • Mitigating the event

During the remediation process, we never know beforehand what malware we are going to find. Some issues can spread quickly and infect other websites in shared server environments (cross-contamination).

The incident response process, as defined by NIST, is broken down into four broad phases:

  • Preparation & planning
  • Detection & analysis
  • Containment, eradication & recovery
  • Post incident activities

Having a comprehensive preparation phase and a website security team you can count on is critical to the success of the mission.

Here’s what that should look like:

Preparation & Planning

In this phase, we make sure that we have all the necessary tools and resources before an incident occurs.

This goes hand in hand with the previous sections in the security framework.

Hosting companies play a crucial role in this phase by ensuring that systems, servers, and networks are sufficiently secure. It is also important to ensure your web developer or technical team is prepared to handle a security incident.

Detection & Analysis

Although there are several methods of attack, we should be prepared to handle any incident. After hundreds of thousands of responses, we narrow down most of the infections to vulnerable components installed on the website (mostly plugins), password compromises (weak password, brute force) and others.

Depending on the issue and intent, the detection phase can be tricky. Some attackers are looking for fame, others may want to use resources or intercept sensitive information (credit card).

In some cases, there is no sign that a backdoor has been installed, waiting to be accessed by the attacker for malicious activities. Therefore, it’s highly recommended to implement mechanisms to ensure the integrity of your file system.
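A minimal file-integrity mechanism of the kind recommended here (and listed under "file integrity" in the Detect section), as an added example that is not code from the original guide: it hashes every file under a web root into a baseline and, on the next run, reports files that were added, changed or removed. The directory layout and file contents are constructed in a temporary folder so the example runs offline.

```python
# Added example (not from the original guide): baseline hashing of a web root
# and a drift report on the next run, using a constructed temporary tree.
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):  # stream big files
                    h.update(chunk)
            result[p.relative_to(root).as_posix()] = h.hexdigest()
    return result

def compare(baseline, current):
    """Report the three kinds of drift a dropped backdoor or edited core
    file produces: new files, deleted files, and files whose hash changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        plugins = root / "wp-content" / "plugins"
        plugins.mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'site'; ?>\n")
        (plugins / "hello.php").write_text("<?php // constructed plugin\n")
        baseline = snapshot(root)  # in practice: store this off-host
        # Simulate drift: a core file edited, an unexpected file dropped into
        # wp-content, and a plugin file deleted.
        (root / "index.php").write_text("<?php echo 'site'; /* edited */ ?>\n")
        (root / "wp-content" / "unknown.php").write_text("<?php // unexpected\n")
        (plugins / "hello.php").unlink()
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the web server cannot write to, otherwise an attacker who gains write access can simply regenerate it.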

Containment, Eradication & Recovery

As for the “Containment, Eradication & Recovery” phase, the process has to adapt to the type of issue found on the website and predefined strategies based on the attack.

For instance, cryptominer infections usually consume lots of resources from the server (leecher), and before starting the remediation process the incident response team has to contain the threat. The containment of this attack is a critical step to prevent the depletion of additional resources and further damage.

This decision-making system and strategies are a crucial part of this phase. For instance, if we identify a particular file as being 100% malicious, there should be an action to wipe it out. If the file contains partially malicious code, only that piece should be removed. Each scenario should have a specific process.

Post Incident Activities

Last but not least, the “Post Incident Activities” could also be called the “Lessons Learned” phase.

In this phase, the Incident Response Team should present a report detailing what occurred, what actions were taken, and how well intervention worked. We should reflect on the incident, learn from it, and take action to prevent similar issues in the future. These actions could be as simple as updating a component, changing passwords, or adding a website firewall to prevent attacks at the edge.

Conduct a review of the actions your department needs to take to continue fortifying your security posture. Next, ensure you take those actions as quickly as possible.

You can base all further actions on the following tips:

  • Restrict global access to your site (or certain areas) via GET or POST methods to minimize exposure.
  • Update directory and file permissions to ensure the read/write access is properly set.
  • Update or remove outdated software/themes/plugins.
  • Reset your passwords immediately with a strong password policy.
  • Activate 2FA/MFA wherever possible to add an extra layer of authentication.

In addition, if you’re actively using a web application firewall (WAF), review your existing configuration to identify potential adjustments to be made.

Remember that even though WAFs help in meeting several Payment Card Industry Data Security Standard (PCI DSS) requirements, they are not a silver bullet solution. There are other factors that can impact your business, especially the human factor.

Recover

Recovery planning takes place once a complete review of all phases of an incident has been carried out. Recovery also means having a backup plan for situations in which all prior phases failed, for example in the event of a ransomware attack.

This process should also include arranging time to speak with your security vendor on how to improve areas of weakness. They are better equipped to offer insight into what can be done.

Have a Communication Strategy

If any data is at risk, notify your customers. This is particularly important if you’re a business operating in the EU where an organization must report a data breach within 72 hours, according to Article 33 of the General Data Protection Regulation (GDPR).

Use Automatic Backups

No matter what you do to secure your website, the risk will never be zero. If your website functionality is damaged, you need a way to recover the data quickly – not only one way, but at least two. It’s essential to have a local backup of the entire application and an external backup not directly connected to the application in case of a hardware failure or an attack.

How to Protect Your Website & Maintain Security

The importance of website security cannot be overlooked. In this section, we will review how to secure and protect your website. This is not a step-by-step guide, but it will provide you with website security guidelines to find the right services for your needs.

Update Everything

Countless websites are compromised every day due to outdated and insecure software.

It is important to update your site as soon as a new plugin or CMS version is available. Those updates might just contain security enhancements or patch a vulnerability.

Most website attacks are automated. Bots are constantly scanning every site they can for any exploitation opportunities. It is no longer good enough to update once a month or even once a week because bots are very likely to find a vulnerability before you patch it.

This is why you should use a website firewall, which will virtually patch the security hole as soon as updates are released.

If you have a WordPress website, one plugin you should consider is WP Updates Notifier. It emails you to let you know when a plugin or WordPress core update is available.

Have Strong Passwords

Having a secure website depends a lot on your security posture. Have you ever thought of how the passwords you use can threaten your website security?

In order to clean up infected websites, remediators need to log into a client’s site or server using their admin user details. They might be surprised to see how insecure root passwords can be. With logins like admin/admin you might as well not have any password at all.

There are many lists of breached passwords online. Hackers will combine these with dictionary word lists to generate even larger lists of potential passwords. If the passwords you use are on one of those lists, it is just a matter of time before your site is compromised.

Strong Passwords Best Practices

The best practices for you to have a strong password are:

  • Do not reuse your passwords: Every single password you have should be unique. A password manager can make this easier.
  • Have long passwords: Try longer than 12 characters. The longer the password is, the longer it will take a computer program to crack it.
  • Use random passwords: Password-cracking programs can guess millions of passwords in minutes if they contain words found online or in dictionaries. If you have real words in your password, it isn’t random. If you can easily speak your password, it means that it is not strong enough. Even using character replacement (e.g. replacing the letter O with the number 0) is not enough. There are several helpful password managers out there, such as LastPass (online) and KeePass 2 (offline). These tools store all your passwords in an encrypted format and can easily generate random passwords at the click of a button. Password managers make it possible to use strong passwords by taking away the work of memorizing weaker ones or jotting them down.
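A policy check that applies the three rules above, as an added example that is not code from the original guide: it rejects passwords shorter than 12 characters, passwords found in a breached list, and passwords that still contain a dictionary word once common character substitutions (0 for O, @ for a, and so on) are undone. The breached list and dictionary here are tiny constructed stand-ins for the real lists the text refers to.

```python
# Added example (not from the original guide): password policy check with
# breached-list lookup and substitution-aware dictionary matching.
import secrets
import string

# Constructed, tiny stand-ins for a breached-password list and a dictionary.
BREACHED = {"password", "123456", "admin", "qwerty", "letmein"}
DICTIONARY = {"password", "admin", "welcome", "dragon", "monkey", "summer"}

# Undo the substitutions people use to disguise words; crackers do the same.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(pw):
    return pw.lower().translate(LEET)

def contains_dictionary_word(pw, min_len=5):
    # Short words (e.g. "a", "it") would match almost anything, so only
    # words of min_len or more count.
    n = normalize(pw)
    return any(w in n for w in DICTIONARY if len(w) >= min_len)

def check_password(pw):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if pw.lower() in BREACHED or normalize(pw) in BREACHED:
        problems.append("appears in a breached-password list")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word (even with substitutions)")
    return problems

def generate_password(length=20):
    # What a password manager does: CSPRNG over a wide alphabet.
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Summer2024!!", generate_password()):
        print(candidate, check_password(candidate) or "OK")
```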