What is website security – how to protect your website from hacking

You protect any office computer with antivirus. You install firewalls to prevent unwanted access to your network. But what do you do to secure your site? And what can happen if it is not secure?

This article is for publishers who are not experts in website security or web application security – especially for small businesses. We will explain what steps you can take to build a good security policy for your site and how to avoid security threats. We will also talk about common misconceptions.

Let’s start with the definition.

What is website security?

Website security is any security measure that protects your site from cyber attacks committed by cyber criminals.

What does website security include?

Website security includes the right procedures, the right people, and the right tools and applications. It often goes beyond the site itself and includes the security of the web server software (for example, Apache, IIS or Nginx) and of the hosting provider as well.

What can happen if the security of your site is not good enough?

If you do not have a secure site, cybercriminals may gain access to your site and, for example:

  • Cause a data breach and theft of sensitive information (for example, passwords or credit card numbers from e-commerce sites)
  • Escalate to attack your other systems (for example, to install a backdoor or ransomware)
  • Use your existing site functionality to attack others (for example, send phishing messages that include your URL)
  • Destroy your site, causing you to lose reputation.

Is an SSL certificate sufficient?

Many businesses think that installing an SSL certificate for your domain name is sufficient to ensure cyber security. Although it’s important, it’s definitely not enough:

  • An SSL / TLS certificate will protect your site from man-in-the-middle attacks. No one will be able to eavesdrop on the communication between the web browser and your web server if the connection is secure.
  • An SSL / TLS certificate will not prevent cybercriminals from exploiting vulnerabilities in your site code or your web server configuration.

Most site hacks are caused by security weaknesses in the site code and web server configuration.

Are strong passwords enough?

Strong passwords help you protect your sensitive areas – those that require you to log in to access functionality or information that should not be available to the public. A strong password helps you resist both brute-force and dictionary attacks. However, most computer users have many misconceptions about what a strong password is – in short, length and uniqueness (no reuse across different sites) matter more than special characters or regular forced changes.

While strong passwords are an important component in security, not just website security, we know of very few major internet attacks caused by a weak password.

What are web vulnerabilities and where do they come from?

Web vulnerabilities are errors in the code of a website or web application. Such security issues are introduced by software developers.

These common weaknesses allow an attacker to access information they should not have access to, or to inject their own malicious code. That malicious code is then executed either by the web server or by the browsers of visitors to your site.

What kind of software can help secure your site?

To avoid security risks, you must be sure that there are no vulnerabilities on the site that cybercriminals can exploit.

The most effective way to check for possible vulnerabilities is to use a web security scanner. Such security solutions:

  • Analyze your site structure very carefully to find every possible entry point for data (in the case of Acunetix, this even works on very complex applications with a lot of HTML5 and JavaScript)
  • Submit special data to your site to see how the site code responds to such data
  • If they find a vulnerability, they report it (in the case of Acunetix, including proof that the vulnerability is real and information on how to fix the error)

However, automated software will never find every possible vulnerability. It is therefore advisable to perform periodic penetration tests. If you do not employ security experts, you can hire an outside security contractor to do it.

What about Web application firewalls (WAF)?

Web application firewalls are useful for protecting your site until you can fix a vulnerability. A web application firewall inspects the data sent by users and looks for patterns that may be a sign of an attack. If such a pattern is on the WAF's blacklist, the data never reaches the server.

The problem with using WAFs is that it's like fixing your car with duct tape. It keeps the parts together but does not solve the problem. If an attacker is clever enough to send data that the web application firewall does not recognize but that still contains malicious code, they can still attack your site.

What are SQL and XSS injections and are they a big problem?

SQL injection and cross-site scripting (XSS) are the two best-known types of website vulnerabilities. They have been around for a long time, more than 20 years. However, they still exist in the code of many websites and web applications. The Acunetix Web Application Vulnerability Report for 2021 shows that SQL injections still exist on 7% of sites and cross-site scripting still exists on 25% of sites. Chances are your site has one of these weaknesses.

Such vulnerabilities are common even at very large internet companies like Google. For example, independent researchers used Acunetix to find an XSS vulnerability in Google, and a large IT security provider, Sophos, was found to have an SQL injection.

SQL injection and XSS vulnerabilities are very serious and can have severe consequences. SQL injection attacks may allow an attacker to gain access to your database, and even to the web hosting operating system. Cross-site scripting allows cybercriminals to attack and impersonate your users.

Does Malware Affect Websites?

Malware attacks desktops more often, but an attacker who compromises a site may place malicious scripts on it. Such scripts may help cybercriminals attack the users of your site.

Professional web security scanners like Acunetix also protect you from this threat. Acunetix downloads all the scripts from the websites it analyzes and checks them for malware. However, no software can help you remove malware from your server – you will have to deal with it manually.

How can I protect against DDoS attacks?

You cannot buy any software that will fully protect you from most DDoS (Distributed Denial of Service) attacks.

Some DDoS attacks are possible because of vulnerabilities (for example, the Slowloris vulnerability). Vulnerability scanners often help protect you from such attacks.

However, most DDoS attacks, performed with tools such as Low-Orbit Ion Cannon (LOIC) or High-Orbit Ion Cannon (HOIC), are indistinguishable from standard user requests. The easiest way to protect against them is to have a very powerful server with dedicated anti-DoS solutions.

Fortunately, most business sites today are hosted on such servers. Large hosting companies like Akamai can handle so many requests that DDoS attacks are much less threatening. They also have special mechanisms that protect websites.

How do I keep WordPress secure?

WordPress is the most common content management system and is also the one known to have the most security issues. However, most problems with WordPress are not caused by the core software but by plugins and themes.

The first steps for maintaining WordPress security are, therefore:

  • Always use the latest version of WordPress. Install software updates (especially security patches) immediately.
  • Use only the plugins and themes you need. The fewer you have, the safer you are. Use only well-known plugins and themes and avoid the less popular ones.
  • Regularly scan your WordPress site with a vulnerability scanner. For example, Acunetix has a lot of WordPress-specific tests but it can also detect other generic vulnerabilities.

Note that all of the above suggestions apply even if you are not using WordPress but Joomla!, Drupal or another CMS.

The author
Tomasz Andrzej Nidecki
Writes technical content

Tomasz Andrzej Nidecki (also known as tonid) is a technical content writer who works for Acunetix. Journalist, translator and technical writer with 25 years of experience in IT, Tomasz was the editor-in-chief of hakin9 IT Security magazine in its early years and used to run a large technical blog dedicated to email security.
