Cyber security represents and will continue to be a risk factor for technology and for humanity. As machines become more powerful, do more things through code, there will be more opportunities than ever for cyber attacks. Security is not a destination or a place with zero risk. It is a journey, a cat and mouse game. Sites become more secure. Hackers find new opportunities. This post gives you some basic guidance on securing your website.
Use strong, unique passwords
The first line of defense to your site is your password, and generally all the passwords you use to authenticate and load code. This includes your sFTP or SSH login mechanism, your database credentials, and your WordPress, CMS or app user credentials that allow you to login as a user. Malware and hacking bots routinely come to websites randomly and try to inject many passwords sequentially, attempting to successfully authenticate through brute force. Using a password manager greatly simplifies the creation of unique and strong passwords for each site and database, as well as the overall password storage and management.
Enable two-factor authentication when available
Using a second factor for authentication is now available on many apps and web services. When possible this steps up the password strength, such that even if a bot or thief was to guess or discover your passwords they still could not authenticate, as they would not have the second factor. Alas this method is not available for all cases, and be mindful to create backup and secondary mechanisms for your second factor, in the event you lose your phone or the app you use for 2FA fails or crashes.
Use SSL if you can
SSL and TLS allow the transit of passwords over the internet in an encrypted format. This is especially important if you’re accessing password protected resources over public networks like WIFI in a coffee shop, in an airport, at a hotel. Other users on the network may intercept traffic from your machine and be able to read your passwords, traveling over the internet in plain text. In some cases SSL is still not an option as of 2017, but the top players like Google are pushing hard to get everyone in the industry to use encryption. Over time this will become the norm.
Add a web application firewall, configure it and use analytics to tune it
What’s a WAF? A Web Application Firewall is like a bouncer at the entrance of a bar. It checks some signs of your identity to detect if you’re the kind of person who should get in or not. In the digital world it checks that you’re human through many ways, like CAPTCHA or the type of browser you’re using, or your IP address and its history. Web application firewalls filter traffic to your site, and you can adjust settings in many ways from low, medium or high, to more granular rules. WAF consoles often provide you with analytics, where you can see the type of traffic being blocks, if it’s a hard block or a CAPTCHA, where the threats come from, etc. Seeing this allows you to tune the settings to blocks more bad guys and keep the legitimate visitors coming to your site. You’ve done all this work creating content and optimizing for SEO. Last thing you want is to block a real user.
Restrict access permission of files that contain credentials
Config files stored on your server contain credentials. It’s critical that this file is not made publicly readable. Of things that bots and malware scanners look for, it’s the URL path to those files. It only takes a site with an open read permission, typically set at 644, to expose all your passwords in that file publicly on the internet. Often times, a 640 permission will block external access while keeping the programs on your server able to access that information. Check with your host on the right setting for this, as some hosts want file and folder settings with different permissions than other hosts.
Add plugins carefully
Plugins add functionality to your server. This is wonderful, as long as they do not become a source for hackers to enter or contaminate your site. Inevitably, the more plugins you run the more codebase your site or app contains, the more vulnerable you become. Plugins that write to the file system tend to have a higher risk profile because the plugin has superior permissions to add code on your server and to execute it. In addition to security, plugins also slow down your site, even marginally. When adding a plugin ask yourself “Is there no other way that would be simpler and do the job? Do I really need this?”
Use file change detection service or software
There are several web services that monitor your site, scan it for malware, and detect file changes or uploads, injections, that you haven’t made. This is good practice to use one of these services. You won’t be the only one looking at your code and checking that all doors are closed. Security experts will look at it for you and inform you of ways to protect it further. A second set of eyes when it comes to security can be worth it if your site earns revenue.
Keep your software stack up to date
Many vulnerabilities are fixed by the vendor when they are discovered. If you update your stack fast enough you will be protected, compared to keeping old versions running. Just like simple passwords it allows brute force malware scanners to apply known vulnerabilities and get in, where you would otherwise stop them with up-to-date software.
Always be learning
There are several blogs from security companies and experts that report new risks and ways to improve security on your site. The methods employed this year will morph into newer methods in the coming years. Always be learning about securing your site. Keep your knowledge and your code base up to date.