Main Website Security Vulnerabilities
Keeping your website safe from attack is an ongoing task. Security systems and countermeasures are continually improved, and attackers are always looking for new ways to get past them.
Most attacks don’t take the form of an evil computer genius with the latest supercomputer. They exploit well-known weaknesses that have been left unprotected, generally through ignorance but sometimes through plain laziness. Let us have a look at the main website security vulnerabilities and how you can prevent them being exploited.
- Hosting breach
- Out of date code
- Unsafe code
- Brute force attacks
- Password capture
We will look at each in turn, explaining what it is and how you can protect yourself from exposure.
Hosting breach
Web hosting is often marketed and purchased on the basis of cost. Cost is an easy comparison point, especially when most hosts offer pseudo ‘unlimited’ packages. The problem with comparing on cost alone is that it assumes all other things are equal, and that is a bad assumption to make.
When something is sold on price, two things tend to happen: costs have to be reduced and sales volumes have to increase. It is natural then to question how much is being invested in architecture, security monitoring, support staff, servers and so on.
To make sure your choice of host is sound from a security perspective, ask for details of their security processes and procedures. Some questions might be:
- Do they monitor logs around the clock for suspicious activity, and proactively investigate what they find?
- What measures are in place against known malicious requests? Are they blocked before they reach your site, or allowed through?
- Are customers’ file systems segregated, so that another user on the same shared server cannot read or write your files if their account is compromised?
- Do they commission independent, third-party security and penetration testing?
- What is the backup schedule, if there is one?
- Where are backups stored? Don’t take it for granted that backups are safe. We have had a client whose host stored backups on the same server as the website. When it went, so did the backup.
- What are the recovery procedures in the event of a successful attack, and how quickly can a clean copy of your site be restored?
This list is not exhaustive, but your host should be able to give you satisfactory answers to these questions. Where security has been traded for cost in selecting your host, make sure you are protecting yourself with other appropriate measures, such as keeping your own off-site backups.
Out of date code
Most websites use some form of content management system (CMS). WordPress alone powers nearly 20% of the world’s top 10 million websites.
Open-source CMSs like WordPress bring a fantastic array of benefits, too many to go through here. However, open-source code is readily available to anyone (that is the whole point), which means attackers know at least some of the code used to build your site.
Each update is announced on the strength of its new features, but the code that actually changed also reveals the security patches. Anyone who compares the new release with the old one can see exactly what was fixed, and therefore exactly what is still broken on every site that has not updated.
That means each new release, in effect, publishes where the vulnerabilities are in the previous versions. If your site is out of date, attackers know where to look, and you are asking for trouble.
That isn’t to say that popular CMSs are not secure; they are. As I said at the top of the article, technology moves forward quickly, so what is safe today may not be tomorrow. Check the versions of your CMS, themes and plugins regularly and keep them up to date.
If you use your own custom code, or have had a developer build a fully custom site for you, there is no vendor publishing patches on your behalf, so a programme of audits and security checks should be maintained.
Unsafe code
If you use anyone else’s code on your website, then you are trusting your site and your business to their code. Do your homework before using any code, whether it is a theme or plugin for your CMS, or custom development done for you.
- Research the author of the code, or the development company you are using.
- Check the version, release history and latest release date of any plugins or other third-party code you use. If it hasn’t been updated for a long time, it should either be very simple or be treated with caution.
- Remove code that you don’t need or use. It can’t be attacked if it isn’t there. This applies to plugins on CMS-powered sites too: deactivating a plugin leaves its files on the server, where they may still be reachable directly, so delete the plugins and themes you are not using rather than just switching them off.
- Don’t expect premium support or security from free plugins or code. They are almost always distributed without warranty, which means it is your responsibility to make sure the code is secure in your environment. Expect to pay the author for support if you need it.
If you are not a software developer, or do not keep up to date with security best practice, this process will always involve a degree of trust. But that doesn’t mean security is out of your control: taking appropriate precautions, such as using experienced, established developers, will reduce the risk.
Brute Force Attacks
A brute force attack is an attempt to gain access to your system by ‘guessing’ your username and password. With today’s computing power, trying many thousands of combinations in a short space of time is very easy, and the guessing is done by scripts, not by hand.
This type of attack is relatively simple to counter, using two methods that you will already be aware of. First, limit the number of attempts that can be made before an account is locked out or further attempts are slowed down. Second, use a strong, hard-to-guess password.
Just as your bank card is retained after a few wrong PINs, you should lock your website down once a certain number of incorrect guesses at your password have been made. A four-digit PIN has only 10,000 possible values, so without that limit it could be found in under a second. There is no reason to leave your website exposed in the same way. One caveat: a lock keyed only on the username lets an attacker lock legitimate users out on purpose by failing deliberately, so pair it with limits per source address and with increasing delays rather than relying on a hard lock alone.
Brute force attacks are increasingly intelligent and better at ‘guessing’ passwords. The attacker’s word lists already include the trick of swapping an ‘s’ for a ‘$’ or an ‘i’ for a ‘!’, and common suffixes such as a year or an exclamation mark. They will guess your password quickly if it is built from regular words or phrases, even if you obfuscated them slightly.
Strong passwords are not as difficult to come up with as you may think, and what you have been told in the past about strong passwords may not be true. Length and unpredictability matter far more than symbol substitutions: a long passphrase of unrelated words, or a random password generated and stored by a password manager, resists guessing far better than a short mangled word.
Test the strength of your password, or use the password strength meter on the profile page of your WordPress site.
With a strong password and a limited number of attempts to get it right, the probability of an attacker guessing your password is reduced to near zero.
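To make the two countermeasures concrete, here is an added example in Python (not code from the original article, and not WordPress code) of a login handler that does both: passwords are stored as salted PBKDF2 hashes, five failed guesses lock the account for fifteen minutes, and the registration step rejects passwords that are short or that reduce to a dictionary word once the usual symbol substitutions are undone. The tiny word list, the iteration count, the lockout thresholds and the in-memory store are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

MAX_FAILURES = 5             # failed guesses before the account locks (assumed policy)
LOCKOUT_SECONDS = 15 * 60    # lock duration (assumed policy)
PBKDF2_ITERATIONS = 100_000  # kept low for the demo; use a much higher work factor in production
MIN_LENGTH = 12              # assumed minimum password length

# Constructed, deliberately tiny word list. A real check uses a large
# dictionary or a list of passwords seen in breaches.
WORDLIST = {"password", "welcome", "letmein", "admin", "qwerty", "monkey"}

# Substitutions that attackers' mangling rules already undo ("p@$$w0rd" -> "password").
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "!": "i",
                      "1": "i", "0": "o", "3": "e", "7": "t"})


def is_weak(password: str) -> bool:
    """True if the password is too short or is a word-list entry in disguise."""
    if len(password) < MIN_LENGTH:
        return True
    # Strip the trailing digits/symbols people append ("...2023!"), then undo
    # the symbol swaps, so "P@$$w0rd2023!" is compared as "password".
    core = re.sub(r"[^a-z]+$", "", password.lower()).translate(LEET)
    return core in WORDLIST


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginGuard:
    """In-memory account store with per-account attempt limiting (assumed design)."""

    def __init__(self):
        self.users = {}          # username -> (salt, digest)
        self.failures = {}       # username -> consecutive failed attempts
        self.locked_until = {}   # username -> Unix time at which the lock expires

    def register(self, username: str, password: str) -> None:
        if is_weak(password):
            raise ValueError("password is too short or a dictionary word in disguise")
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is a Unix timestamp."""
        if self.locked_until.get(username, 0) > now:
            return "locked"      # even the right password is refused until the lock expires
        salt, digest = self.users.get(username, (b"\x00" * 16, b""))
        # Always run the hash, so an unknown username takes as long as a wrong password.
        _, candidate = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(candidate, digest):
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        count = self.failures.get(username, 0) + 1
        if count >= MAX_FAILURES:
            self.failures.pop(username, None)
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        self.failures[username] = count
        return "denied"
```

The response is the same ("denied") whether the username is unknown or the password is wrong, so the login form does not tell an attacker which usernames exist. Because the lock here is keyed on the username alone, it is the kind that a determined attacker can turn into a denial of service against a known user; in a real deployment combine it with per-address rate limiting and progressive delays.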
Password capture
The above points all fall into insignificance if an attacker already has your password. Leaving aside the spoof sites that try to trick you into entering your credentials (watch out for them), the big risk here is using the same password on multiple services.
Secure websites don’t tend to get hacked directly; they are exposed because the same password was used on them and on an insecure site that has just been breached. It could be a little online shop, or a forum long since forgotten, perfect prey for an attacker.
As soon as your password is compromised on that site, the attacker will most likely have your email address too, and can try the combination on every popular service on the web: Google, Hotmail, Amazon, Apple and anyone else. This automated replay of leaked credentials against other sites is known as credential stuffing.
It is easy to protect against this. Just use a different password for each online service you use, and let a password manager remember them for you. That way any successful hack is restricted to one service.
A more elaborate and increasingly common way to mitigate this risk is two-factor authentication. To access a system protected with two-factor authentication you need two things:
- Something you know, i.e. your password
- Something you have, e.g. your mobile phone or a hardware token
By only allowing access when you can enter the correct code from your phone as well as your password, the damage done by your password being captured is further restricted: an attacker who has bought your password from a breached forum still cannot log in. Codes generated by an authenticator app or a hardware token are preferable to codes sent by SMS, which can be intercepted or redirected.
Keeping your website safe and secure is not a one-off task; it requires continued vigilance, testing and updates. Don’t assume that your site is safe and, as a minimum, make sure you have a quality hosting partner, up-to-date code, strong, unique passwords and two-factor authentication wherever it is offered.