Securing Your Website Isn’t that Difficult
By Andrew Rufener
Your new and wonderful website is finally ready and good to go - congratulations! But have you also secured it effectively? Security is often an afterthought, considered “difficult” and a “thing” that IT needs to take care of, but is it really so? We think security deserves your attention, to make sure that your website will continue to make an impression for years to come.
Security doesn’t have to be difficult, and to get you started we have compiled a simple list of the most common and important things you should consider. While this is not a complete list, ticking off the items on this checklist is a good start.
1. Understand your exposure
The first step is to ensure you understand the exposure. Risks that are well understood can be managed, so start by making an inventory. Some points to consider are the following:
- Data Privacy Regulation: Are you bound by any data privacy regulations such as the EU General Data Protection Regulation (GDPR), the Singapore Personal Data Protection Act (PDPA), the California Consumer Privacy Act (CCPA) or other relevant regulations? Do you hold personally identifiable information (PII) on your site? If so, make sure that you understand your obligations under the relevant act and take appropriate measures, which may include site terms and conditions, security measures and other controls. Note also that regulation such as the GDPR may apply to you even if you are not based in the EU!
- What service level do you require? In other words, if your site is down for a few hours, would that be a problem for you? For e-commerce sites this may mean lost revenue; for other organizations it may mean reputational damage. What is the maximum downtime that you can accept? If your site crashes, how long can you wait until a backup is restored and the site is functional again?
- Are you concerned about your site being defaced or misused? What would the damage be if someone posted undesirable content on your site or used it to deliver malware to your visitors? Try to quantify the possible reputational damage; that will help you decide which protective measures to take.
- Do you host an e-commerce site? If so, review where critical information such as credit card data and personal information is held, and try to understand the risk and potential exposure in the event of a breach.
2. Secure data in transit
The first order of business is to secure the information passing back and forth between your site and the user viewing it. To do that, your site should be configured to allow only https and should have a TLS certificate installed, which provides the “lock” next to the site name in the browser. An added benefit of https is that search engines rank https sites higher than http-only ones, so you will be found more easily. If you don’t know how to install a certificate or how to configure your site for https, your website provider should be able to assist.
3. Secure your site
The second order of business is to secure the site itself. There are a number of ways to do this and again, if you are non-technical, your provider should be able to assist. If you are using WordPress, plugins such as Wordfence and Sucuri can help you achieve this goal. The key points you should consider as a minimum are:
- Firstly, restrict network access to only the ports the site needs (usually https) to limit its exposure.
- You or your development or operations team should ensure that all key files in the filesystem have only the access rights they require, and that executables run with no more privileges than they need.
- Users should only have the level of access they need to do their job. So don’t make everyone a full administrator; that is usually not required.
- Ensure that strong passwords are enforced and changed on a regular basis, and wherever possible use multi-factor authentication (MFA or 2FA).
- Finally, protecting your system against viruses and malware is advisable and helps make sure your site doesn’t end up being used to infect your visitors’ PCs.
- You may want to block certain IP addresses and geographical regions if you don’t do business there. For example, if you don’t do any business in Africa, you may wish to geo-block that region to limit exposure. Additionally, you may want to block known bad IPs to help reduce your attack surface.
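As an added example, not from the article, here is a small audit script for the file-permission point above: it walks a web root and flags anything world-writable, plus executables outside the places they belong. The directory rules (`bin/` may hold executables, `uploads/` never may) and the sample tree are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Rules assumed for this added example (not from the article): nothing may be
# world-writable, only bin/ may hold executables, and uploads never execute.
EXEC_ALLOWED_DIRS = {"bin"}
UPLOAD_DIRS = {"uploads"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_permissions(root: str) -> list[tuple[str, str]]:
    """Walk `root` and return (relative path, finding) pairs for risky modes."""
    root_path = Path(root)
    findings = []
    for path in sorted(root_path.rglob("*")):
        mode = path.lstat().st_mode                  # lstat: don't follow symlinks
        rel = path.relative_to(root_path).as_posix()
        top = rel.split("/", 1)[0]                   # first path component
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if stat.S_ISREG(mode) and mode & EXEC_BITS:
            if top in UPLOAD_DIRS:
                findings.append((rel, "executable inside upload directory"))
            elif top not in EXEC_ALLOWED_DIRS:
                findings.append((rel, "executable outside allowed directories"))
    return findings


def build_sample_webroot() -> str:
    """Constructed sample tree (not a real site) mixing safe and risky modes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {                          # relative path -> mode
        "index.html": 0o644,            # fine
        "config.php": 0o666,            # world-writable: anyone on the host can edit it
        "bin/deploy.sh": 0o755,         # executable where executables belong
        "uploads/photo.php": 0o755,     # executable inside the upload directory
        "cache/": 0o777,                # world-writable directory
    }
    for rel, mode in layout.items():
        target = Path(root, rel)
        if rel.endswith("/"):
            target.mkdir(parents=True, exist_ok=True)
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            os.chmod(target.parent, 0o755)  # keep parents sane whatever the umask
            target.write_text("sample\n")
        os.chmod(target, mode)
    return root
```

`audit_permissions(build_sample_webroot())` reports three findings (the `cache` directory and `config.php` as world-writable, `uploads/photo.php` as an executable in the upload directory) and passes `index.html` and `bin/deploy.sh`; point it at a real document root to get the same report for your site.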
4. Review your site architecture
This usually only applies to larger and more complex websites or e-commerce sites, but it is good practice to review the architecture in light of the risk profile you have identified. For example, if you are running an e-commerce site you may choose to decouple payment handling from your shop by using a professional payment provider who keeps customer details, credit card information, etc. in their secured environment. The possible options will depend on the type of site you host, but these are worthwhile considerations. If you are using an established, skilled and professional provider, they should be able to advise you.
5. Ensure you have a backup and possible fail-over site
A backup is a must! If you don’t back up, nobody will feel sorry for you if you lose your data. But that is not all: you also need to ensure that your backup meets your business needs. For example, if you can lose at most 1 hour of data on your site and you need to be back up 30 minutes after an incident, then you must look carefully at your backup approach, and you should also regularly test your restore procedures, all of which should be documented. If you have high availability requirements you should probably also consider a fail-over site that can serve your customers’ requests if your primary site is down. Finally, if you have a global customer base you may also consider location-based load-balancing and caching, which supports high availability in addition to improving performance.
6. DNS and contact details
Your DNS is the system that translates a name such as www.mysite into an IP address that your PC can use to connect to the site. Depending on your availability requirements, this system needs to be set up accordingly. Your domain registration also comes with contact details, and it is common to use an address such as firstname.lastname@example.org for these. Ensure the details are up to date and that the address points to the right person in your organization, so that if there are any issues and third parties are trying to contact you, they can reach you.
7. Keep your system up to date
As with your PC, keeping your system up to date is generally advisable. If you are using WordPress there are a range of plugins that can help you update your site automatically, an example being “Easy Updates Manager”. This plugin helps you keep your site and plugins up to date, but naturally the mechanisms for your site may be different.
8. Monitor your site
Monitoring your site 24/7 is good practice if you have specific availability requirements. Good monitoring tools help you understand the availability of your site and its global performance metrics, and warn you if your certificates are about to expire.
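The two checks such a monitoring job would run for sections 2 and 8 (is plain http redirected to https, and how many days are left on the certificate), written as an added example rather than code from the article. The 14-day warning threshold, the `www.example.org` host and the certificate field in the usage are assumptions constructed for the demonstration; only `fetch_peer_cert` touches the network.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # assumption for this example: warn two weeks before expiry


def days_until_expiry(cert: dict, now: datetime) -> int:
    """`cert` is the dict ssl.SSLSocket.getpeercert() returns; its notAfter field is
    in OpenSSL's "Jun 10 12:00:00 2025 GMT" form, which the stdlib parses for us."""
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires_at - now).days


def certificate_status(cert: dict, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """Classify the certificate as OK, WARN (about to expire) or EXPIRED."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return f"WARN: expires in {days} days"
    return "OK"


def https_only(status: int, headers: dict) -> bool:
    """Given the status and headers a plain-http request to the site received,
    report whether visitors are sent to https (a 3xx with an https:// Location)."""
    lowered = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    location = lowered.get("location", "")
    return 300 <= status < 400 and location.lower().startswith("https://")


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): fetch the certificate the site really serves.
    create_default_context() also verifies the chain and hostname for us."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed certificate field and clock so that this runs offline; for a real
    # site use fetch_peer_cert("www.example.org") and datetime.now(timezone.utc).
    sample_cert = {"notAfter": "Jun 10 12:00:00 2025 GMT"}
    print(certificate_status(sample_cert, datetime(2025, 5, 30, tzinfo=timezone.utc)))
    print(https_only(301, {"Location": "https://www.example.org/"}))
```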
9. You have been hacked - what now?
So you have been hacked? The good news is that if you have followed the steps above and have backups, you should be able to recover within the required time. But recovering is one thing; understanding how the attacker managed to penetrate your system and ensuring it can’t happen again is just as important. Here your provider or specialized security service providers can help, but you should at least know whom to approach if you have an issue.