How to protect your website

12 Jul 2021 Author: Andrew Buldyzhov

Top 7 security tips on how to protect your website from hackers

We are receiving many requests from small business owners regarding website security. Despite the fact that we are mainly involved in relatively large security projects, we try not to ignore our small clients. We provide them with guidance and free automated security services. In this article, we decided to summarize our recommendations and answer frequently asked questions about website protection.


Most website owners mistakenly think that their site is of no value to hackers and that there is no point in hacking it. Despite the fact that the most attractive targets for cybercriminals are still Internet banking and online stores, in the era of digitalization, the number of hacked websites in other areas of business is increasing.

Even if website disruption or data theft does not directly benefit the attackers, they can use the compromised website to attack other businesses, send spam, or distribute illegal files. The website owner can be held responsible for this. It is similar to a body infected with microbes or parasites: the carrier of the infection can also spread it. That is why it is critically important to prepare the protection of all your public resources in advance.

Below are several ways to protect against hackers. These methods will be useful for owners of small websites, who quite often become victims of massive hacks by automated tools.

When the websites of large companies are subjected to targeted attacks, the protection measures listed here will not be sufficient. Such attacks are carried out by hackers with clear objectives and a high level of training. To protect such websites and companies, systematic hardening and formal security standards have to be applied.

SSL Certificate

Due to the advancement of web security and the spread of mobile devices, an SSL certificate has become a must for any website. Some browsers already have modes in which sites without SSL are not displayed at all, and the trend is that such websites will soon not be shown at all.

An SSL certificate ensures the confidentiality of information and allows you to verify the website's authenticity. This is especially important when using open wireless networks. Bank card details, logins, passwords and other sensitive data that are protected with an SSL certificate are hidden from prying eyes. It is easy to check whether a website has a certificate by clicking the lock icon next to the website address in the browser's address bar.

In addition, an SSL certificate matters for SEO (search engine optimization). For example, websites with such a certificate have an advantage in Google search ranking.

Interestingly, the name “SSL” persists out of inertia. The SSL protocols themselves are deprecated and insecure; the more secure family of protocols that replaced SSL is called TLS, even though the certificates are still commonly called SSL certificates.

To stay protected, pay attention to the versions of these protocols and their implementations. From time to time, protocol versions and implementations become obsolete and insecure.
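As an added illustration of that last point (this is example code written for this article, not a tool of the author's), the script below connects to a site the way a browser would, refuses anything older than TLS 1.2, and reports the negotiated protocol version and how many days the certificate has left. It uses only the Python standard library; the hostname in `main` is a placeholder, and the "TLS 1.2 or newer" policy is an assumption that matches what current browsers accept.

```python
"""Added example (not from the original article): check a site's TLS version
and certificate expiry from a client's point of view.

Standard library only. The hostname in main() is a placeholder (assumption).
"""
import socket
import ssl
import time
from typing import Optional

# Policy assumption: anything older than TLS 1.2 counts as obsolete, which
# matches what current browsers still accept.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")


def make_context() -> ssl.SSLContext:
    """Client context that verifies the chain/hostname and refuses old protocols."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    return ctx


def parse_cert_time(value: str) -> int:
    """Convert a 'notAfter'/'notBefore' string from getpeercert() to epoch seconds."""
    return ssl.cert_time_to_seconds(value)


def days_until_expiry(not_after: str, now_ts: Optional[float] = None) -> int:
    """Whole days left before the certificate expires (negative once it has expired)."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((parse_cert_time(not_after) - now_ts) // 86400)


def classify_version(version: Optional[str]) -> str:
    """'ok' for TLS 1.2/1.3, 'obsolete' for anything else (including no TLS at all)."""
    return "ok" if version in ACCEPTED_VERSIONS else "obsolete"


def check_site(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, let the default context verify the certificate, and report findings."""
    ctx = make_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
            return {
                "protocol": version,
                "protocol_status": classify_version(version),
                "days_until_expiry": days_until_expiry(cert["notAfter"]),
                "subject": dict(item[0] for item in cert["subject"]),
            }


if __name__ == "__main__":
    # Placeholder hostname; replace with your own site.
    print(check_site("example.com"))
```

If the connection fails with an `ssl.SSLError`, the server offers nothing newer than TLS 1.1 (or its certificate does not verify), which is exactly the condition worth fixing; a small "days until expiry" value is the other thing to watch, since an expired certificate makes browsers block the site just as an absent one does.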

Password Policy

It is important to ensure that users and website administrators use complex, unique passwords. This is one of the best and easiest ways to protect your accounts from hacking and confidential information from theft.

This short manual from Google provides basic guidelines for password security. Having uppercase letters and numbers in a password that is at least 12 characters long will definitely make it harder to steal information. At the same time, you are advised not to use personal information when creating a password, since it is often publicly available. It is also crucial that you do not use the same password for different accounts.

On the website side, it is extremely important not to store passwords in the database in clear text, but to use reliable libraries and functions for hashing passwords with the addition of a “salt”.

In addition to the password, it is worth using two-factor authentication (2FA) or two-step verification (2SV) as an additional line of defence in case of a password leak. If you implement 2FA/2SV, then to log into the account the user will also need to enter a one-time code from a mobile application (preferred) or SMS (acceptable, although less secure). This significantly improves security by making it much harder to take over an account with a stolen password alone.
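The "one-time code from a mobile application" is normally TOTP (RFC 6238), which is small enough to show in full. Below is an added example (written for this article, not code from the author) of the server side: generating a shared secret, computing the code for a time step, and verifying a submitted code with a one-step drift window and replay protection. The step size, digit count and drift window are the usual defaults but are assumptions here; the 8-digit test values used in the usage check are the public RFC 6238 Appendix B vectors.

```python
"""Added example (not from the original article): server-side TOTP (RFC 6238)
verification with the standard library, including replay protection.

The shared secret is base32, as authenticator apps expect. Step size,
digits and window are the common defaults (assumptions).
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def generate_secret(nbytes: int = 20) -> str:
    """Random base32 secret, shown to the user once (QR code or text)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code for the time step that contains `at` (defaults to now)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32: str, code: str, last_used_counter: int = -1,
                at: Optional[float] = None, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Return the matching counter, or None if the code is wrong.

    `window` tolerates one step of clock drift either way. Any counter at or
    below `last_used_counter` is rejected, so a code that was intercepted and
    already used cannot be replayed; the caller stores the returned counter
    per user after each successful login.
    """
    at = time.time() if at is None else at
    current = int(at // step)
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    secret = generate_secret()
    print("secret for the authenticator app:", secret)
    print("current code:", totp(secret))
```

Two details matter in practice: the comparison is constant-time, and the `last_used_counter` check turns a six-digit code into a true one-time code. Rate-limit the verification endpoint as well, since six digits is a small space against an attacker who already has the password.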

Vulnerability testing

Testing is an effective way to assess the security of a website. It can be implemented in several ways:

  • Scanning – an automated search for various vulnerabilities and security issues, which also checks the security of your website infrastructure.
  • Checking – allows you to find out the level of protection of your resource against threats, and to make sure that there are no malicious programs, which hackers often insert into the content posted on the website.
  • Penetration testing – an effective method for finding vulnerabilities, performed by security experts to assess the protection of the website and the likelihood of information leakage, service failures, and unauthorized access.

Checking uploaded files

The ability to upload files to the website is a big security risk. Be careful with all such files, even the most seemingly harmless ones, since they may contain malicious scripts that open access to your website through the server. You also need to specify precisely which file types can be uploaded to your website and the allowed file size. Don't forget to check the files for viruses before downloading and opening them. Executable files downloaded from suspicious sources, including files that were uploaded to your website, must be opened only in an isolated environment, e.g. a virtual machine.
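The checks described above (allowed types, allowed size, not trusting the client's file name) look like this in code. This is an added example written for this article, not code from the author: the allowed types, the 5 MB limit and the random storage name are assumptions for a typical small site, and `PNG_SAMPLE` is a constructed input.

```python
"""Added example (not from the original article): server-side checks for a file
upload endpoint. The allowed types, size limit and storage naming are
assumptions for a typical small site; PNG_SAMPLE is a constructed input.
"""
import os
import secrets

# Allowed extensions and the magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024

# Constructed sample: a PNG signature followed by filler bytes.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


class UploadRejected(ValueError):
    """Raised with a reason the server can log."""


def validate_upload(original_name: str, data: bytes, max_bytes: int = MAX_BYTES) -> str:
    """Validate an upload and return a random server-side file name to store it under.

    The client-supplied name is used only to read the extension and is never
    written to disk, so directory parts and double extensions (shell.php.png)
    never reach the file system.
    """
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Drop any directory part the client may have sent, with either separator.
    base = os.path.basename(original_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Conservative: exactly one extension, and a non-empty stem.
        raise UploadRejected("file name must have exactly one extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("file type not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # Random name: no user-controlled characters, no collisions, no guessable URLs.
    return f"{secrets.token_hex(16)}.{ext}"


def is_acceptable(original_name: str, data: bytes, max_bytes: int = MAX_BYTES) -> bool:
    """Boolean wrapper for callers that only need a yes/no."""
    try:
        validate_upload(original_name, data, max_bytes)
        return True
    except UploadRejected:
        return False
```

A magic-byte check stops mislabelled files but not a valid image with extra content appended, so the second half of the defence is where the file lands: a directory outside the web root, or one where the web server has script execution disabled, served back with the content type you determined rather than the one the client claimed. The virus check the article recommends then applies to what is stored there.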

Use file integrity checking systems on the server and view their reports daily.
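A file integrity check is a baseline of hashes compared against the current state. The following added example (written for this article, not a tool of the author's) builds a SHA-256 baseline of a web root, stores it as JSON, and reports added, removed and modified files; on a mostly static site, any non-empty list in the daily report is the thing to look at. The baseline path is an assumption, and `demo_roundtrip` creates its own constructed directory so the logic can be exercised without a real site.

```python
"""Added example (not from the original article): a minimal file integrity
baseline for a web root. The baseline file location is an assumption;
demo_roundtrip() builds its own temporary directory as constructed input.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file's path relative to `root` (with '/' separators) to its hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """What changed since the stored baseline, sorted for a stable daily report."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    """Store the baseline somewhere the web server cannot write (assumption: off the web root)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo_roundtrip() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny site, then change it the way a
    compromise typically shows up (a new script, an edited page, a deleted file)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>Hello</h1>")
        with open(os.path.join(root, "css", "site.css"), "w") as fh:
            fh.write("h1 { color: black; }")
        baseline_path = os.path.join(root, "..", "baseline.json")
        save_baseline(build_baseline(root), baseline_path)
        with open(os.path.join(root, "index.html"), "a") as fh:
            fh.write("<!-- changed -->")
        with open(os.path.join(root, "uploads.php"), "w") as fh:
            fh.write("<?php // unexpected new file ?>")
        os.remove(os.path.join(root, "css", "site.css"))
        report = diff_baselines(load_baseline(baseline_path), build_baseline(root))
        os.remove(baseline_path)
        return report
```

Run `build_baseline` once after a clean deployment, `save_baseline` the result, and have a daily job compare a fresh scan with `diff_baselines`; after each legitimate update, regenerate the baseline so the report stays meaningful. Keep the baseline file itself out of the web root and owned by a different user than the web server, otherwise whoever modifies the site can also rewrite the baseline.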

Update

Regularly updating your software makes a significant contribution to the security of your website. This is a trivial rule, but many neglect it, which gives hackers an additional loophole. Therefore, make sure to update all your software, including security plugins.

Many software vendors notify their users about security issues, usually in the form of newsletters, push notifications, or RSS feeds. If your website is built on a CMS, most likely you can also receive notifications from the CMS itself about available updates.

Backup

It is important to have a streamlined process for creating backups at a set frequency. This insures you against data loss in the following cases:

  • site hacking
  • virus infection
  • accidental deletion of the website files
  • mechanical damage to the storage media
  • server malfunction
  • hosting provider crash.

Backups are a truly universal security measure. The only security issue that backups do not protect against is information leakage.

Usually, website backups are made automatically using special plugins, modules or scripts. The frequency and type of backups, as a rule, are defined in the CMS, but manual backups are possible too.
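For a site without a CMS backup module, a scripted backup is short. The added example below (written for this article, not a tool of the author's) creates a timestamped `tar.gz` of the site directory with a SHA-256 sidecar, verifies an archive before relying on it, and keeps only the newest N copies. The `site-` prefix, the UTC stamp format and the retention count are assumptions; `demo` runs the whole cycle on constructed data in a temporary directory.

```python
"""Added example (not from the original article): timestamped site backups with
a checksum file and a simple retention policy. The 'site-' prefix, the UTC
stamp format and keep=7 are assumptions; demo() uses constructed data.
"""
import hashlib
import os
import re
import tarfile
import tempfile
import time
from typing import List, Optional, Tuple

NAME_RE = re.compile(r"^site-(\d{8}T\d{6}Z)\.tar\.gz$")


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src_dir: str, dest_dir: str, stamp: Optional[str] = None) -> str:
    """Write site-<stamp>.tar.gz plus a .sha256 sidecar; return the archive path."""
    stamp = stamp or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = os.path.join(dest_dir, f"site-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname="site")
    with open(archive + ".sha256", "w") as fh:
        fh.write(sha256_file(archive) + "\n")
    return archive


def verify_backup(archive: str) -> bool:
    """The checksum must match the sidecar and the archive must list cleanly.
    A backup that is never verified (or restored) is a hope, not a backup."""
    try:
        with open(archive + ".sha256") as fh:
            expected = fh.read().strip()
        if sha256_file(archive) != expected:
            return False
        with tarfile.open(archive, "r:gz") as tar:
            return len(tar.getmembers()) > 0
    except (OSError, tarfile.TarError):
        return False


def list_backups(dest_dir: str) -> List[str]:
    """Archive names, oldest first (the stamp format sorts lexically)."""
    return sorted(n for n in os.listdir(dest_dir) if NAME_RE.match(n))


def prune_backups(dest_dir: str, keep: int = 7) -> List[str]:
    """Delete all but the newest `keep` archives and their sidecars; return what was removed."""
    names = list_backups(dest_dir)
    doomed = names[:-keep] if keep > 0 else names
    for name in doomed:
        os.remove(os.path.join(dest_dir, name))
        sidecar = os.path.join(dest_dir, name + ".sha256")
        if os.path.exists(sidecar):
            os.remove(sidecar)
    return doomed


def demo() -> Tuple[bool, List[str]]:
    """Constructed scenario: three backups of a tiny site, then keep the newest two."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dest:
        with open(os.path.join(src, "index.html"), "w") as fh:
            fh.write("<h1>Hello</h1>")
        archives = [create_backup(src, dest, stamp=f"20210712T00000{i}Z") for i in (1, 2, 3)]
        all_ok = all(verify_backup(a) for a in archives)
        prune_backups(dest, keep=2)
        return all_ok, list_backups(dest)
```

Two points the list above implies: the backup destination must not be the same server (a server malfunction or a hacker wiping the disk takes local backups with it), and the database needs its own dump alongside the files. Run a test restore of a recent archive from time to time; `verify_backup` only proves the file is intact, not that you can rebuild the site from it.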

Choosing a reliable hosting provider

The operation of your website directly depends on the hosting provider, so you should choose one carefully.

A large number of hosting providers offer their clients regular backup services, network monitoring, support for web scripts and PHP, as well as built-in server control panels, protection against viruses and other attacks.

An important point is prompt and easy technical support in case of any problems.

Make sure that your hosting provider keeps its systems up to date and is able to respond to unforeseen problems in a timely manner. Do not hesitate to request from your hosting provider all the information you need to be sure that your website is secure.

If you use shared hosting, check (by looking up which other websites are served from your website's IP address) that there are no websites with a bad reputation on the same server; otherwise, their reputation will negatively affect your website.

Conclusion

If, despite the above measures, you are still exposed to hacker attacks and regularly become a victim of cybercrime, you need a deeper analysis to identify the root causes of the security problems. In this case, write to us about your situation and we will provide additional advice, help eliminate the consequences of the hack, and prevent future attacks through hardening and penetration testing.
