Once the mist has cleared over New Year celebrations this is probably the best time to review your website security. Many of us will enter 2019 with a skip in our step, confidence high, new ideas for SEO and plans to make great progress over the next 12 months. Grab this enthusiasm, make the most of it and carry out an annual checklist of your website security.
Some of the subjects we will be discussing may seem extremely basic, very simple but they are all part of your overall website security. The slightest chink in your armor or missed software update can in some circumstances be catastrophic.
1. Password Management
It is very easy to become complacent about password management. We tend to ignore advice to change them on a regular basis. But most importantly, we ignore advice to not use the same passwords and usernames across different accounts. The reality is that password management is one of the simplest entry points available to hackers and cyber thieves. This is not rocket science, it does not require extensive software protection but it is simple management of login details.
There are many common elements of our everyday lives which we use as a basis for creating passwords. Do you recognize any of these:
- Name of your pet dog
- Your partner’s birthday
- Place of birth
- Your favorite football team
- Website name
- Your children’s name
We could go on and on but the chances are that many people will use one or more of the above as the basis for their passwords. In times gone by it may well have been easy to keep the name of your pet dog or your favorite football team private. However, the introduction of social media means that many people, both business and non-business people, live their lives online.
Be honest, if somebody was to visit your Facebook page (marked not private) how many of the above pieces of information would they be able to find relatively quickly?
There are many simple software programs out there which will create random passwords that have no relevance to people, places or events. Alternatively, simply press a number of random keys on your keyboard, save the results and use them as your password. You should change your password at least once a year if not more regularly. Do not make it simple for the hackers to gain access to your account, your websites and your life!
2. Whois Privacy
The very nature of the Internet means that a lot of information about domain names and websites is publicly available. The Whois service holds the most basic of information about active domain names. Though recent changes have led to the suppression of owner contact details. If your website got hijacked or a domain name compromised in some way then the change of server/last update details will reflect on the Whois service. So what can you do?
It is vitally important that you review Whois information for each individual website at least once a year. Make this one of your New Year’s resolutions or to the top of your self improvement list. If you see any anomalies, strange changes to the server details or indications that the record may recently have been changed, take action. The security and trust factor associated with domain names and websites continues to grow. So, if your Whois data is inaccurate in any way, and not updated, in some circumstances it may lead to its suspension. Not a good start to a new website!
In the vast majority of cases there will be nothing to do, simply a quick review of your website Whois information and then tick the box on your checklist as done and dusted. However, that time you spot something different, a change you have not authorized could be a lifesaver. In the event of unforeseen changes to your Whois records, contact your domain name registrar as soon as possible. Inquire about the change and conduct further investigation. Do not automatically assume it is a simple administration error. Your website could have been hacked. Leaving your business potentially on the verge of ruin. Domain hijacking is more common than you think!
3. SSL Certificates
Those who are actively involved in any form of e-commerce will be well aware that SSL certificates and the accompanying HTTPS protocol are now recognized best practice. It is amazing to learn of the number of people who take a relaxed approach to SSL certificates and conversion to HTTPS protocol assuming this is “something they can do tomorrow”. Security is more important today to the online community and those who neglect their obligations will pay the price.
Aside from the fact that an SSL certificate confirms authenticity of your domain name and additional security for visitors, used in tandem with the HTTPS it ensures safe transfer of data. Historically it was possible for “third man” data theft with hackers placing themselves between a website visitor and the website server. They could easily gather private and confidential information and using these for illegal purposes. The use of encryption, a secure path between visitors and website servers, not only protects the data visitors are sending to you but can also shield you from prosecution under new data protection laws.
Like so many forms of online security, the implementation of SSL certificates and conversion to HTTPS protocol is relatively straightforward. You will find that browsers and search engines are regularly issuing warnings and alerts. For instance if SSL certificates are missing or HTTPS protocol has an error then there will be a message in the browser. We know that even the slightest concern among online users can see them dismissing your site, placing you on a blacklist and looking elsewhere. Do not give visitors a reason to leave you!
4. Two-Factor Authentication
Those who have a Google email account, or various other online services, will no doubt have come across two-factor authentication in recent years. This is something which is being used more and more whether integrated with backup code, mobile phone SMS messages or even automated phone calls with passcodes. There are also various forum/blog software packages which incorporate two-factor authentication procedures which are predominantly aimed at administration accounts. The idea is that admin accounts tend to hold the widest range of rights with regards to backend access therefore need the greatest level of protection.
It is also possible to add two-factor authentication to control panel access or regular client account access. There will be occasions where it will seem cumbersome and time-consuming. However, we live in a world where hackers are becoming ever more ingenious. The reality is that once your site has been hacked the access details and route will likely be made public on the “dark web” and you will come under serious attack. Like so many different forms of website security, two-factor authentication is very simple in principle and extremely useful in practice. There is a balance between integrating too many levels of security and allowing customers to access their accounts with limited information. Maybe ask your customers how they would view two-factor authentication for their client account with your business? At worst it will show you care and at best offer them the opportunity to lock-down and secure their accounts.
5. Check file changes
One of the simplest ways to secure and monitor your website is to check activity logs and file edit dates on a regular basis. Next time you log into your Control Panel, check out any files in your website directory. You will see an entry which shows the last time they were edited. There are files which are automatically edited and updated on a regular basis. However, the vast majority of your software files will not need updated on a regular basis. Therefore, a rogue update or edit of a particular file should be investigated further. You might find that hackers have gained access to your server. They could have possibly injected harmful code into your files. This is definitely an warning that you should not take lightly. It often opens a backdoor to unhindered access.
The checking of file changes also goes hand-in-hand with website backups because in the event that you are unable to remove all harmful code you can simply revert to a recent backup prior to the hack. You may lose some data, some client files may need updated but the code will have been removed therefore allowing you to change passwords and add any relevant additional security measures. The assumption that shared web hosting services are perhaps more susceptible to hacks than VPS hosting packages is a common misconception.
There are many effective website monitoring packages available such as Wordfence or Monitoring.me. These tools will monitor changes to your website files, unauthorized entry, failed-logins and even alert you to DDOS attacks. Many security/monitoring packages have free versions. Afterwards you can update to premium membership. You should certainly consider these in the modern era.
6. Delete old software/files
It is a shame that many online entrepreneurs do not clean up old software or website files that they no longer require. The world of e-commerce is littered with hacks. Most of which originated from old software packages and files which had been obsolete for many years. As a rule of thumb, if you no longer use a particular software package or files, delete them. Even though they are not necessarily active they can sometimes offer backdoor entry routes for hackers. Some of whom are very keen and able to exploit ancient security vulnerabilities.
You should also review any plug-ins or additional coding which you integrate into your website and ensure you have the latest version.
WordPress is a very popular content management system which is described as “open source”. This simply means the base code is available to anybody. This has created a market which produces thousands upon thousands of plug-ins each and every year. Due to the “open source” nature of the package, plug-ins and coding is tested and tested again by many different users. As a consequence, security issues will be raised fairly quickly. So as a means of protecting websites and coder reputations, plug-in and software updates are released on a regular basis. Ensure you upgrade as soon as possible to maintain maximum security going forward.
The above list of actions should ensure you maintain website security going forward. If you have the time it may be sensible to do your own specific tests for website vulnerabilities. You can run scans like a simple data entry in contact forms, etc. This particular method is often used to inject rogue code into the SQL databases. This can then be used to open back doors and allow hackers access to your website and server. As a means of avoiding the injection of rogue code via this method it is very easy to carry out checks and basically reject specific types of code and specific characters.
Try to put yourself in the shoes of a hacker. Run tests on your site, try to bring it down and gain potential entry. Only then will begin to understand how they think and how you can stop them.