Website Security: The road from vulnerability to solution
Website security is a delicate topic that requires both a technical implementation and a day-to-day discipline. The rapid growth of the internet means that you can find whatever you want online. It also means that you can easily create a digital identity and start marketing your products and services. But what happens when a malicious user starts putting spokes in your wheels?
Who wants to compromise your website security?
It is very easy to think that this cannot happen to us. After all, who am I? A small seller from Romania or any other country, with a modest number of daily visitors. Surely not a target worth an attacker's time, right? WRONG. Attackers do not discriminate by brand, region or popularity: most compromises start from automated scanners that probe every reachable host for known vulnerabilities and weak passwords, without ever looking at who owns the site.
Who wishes you harm? Start from the assumption that everyone wants to sabotage you online, especially if you have a good amount of traffic. Your success is a thorn in the side of the competition, and you can be attacked from a large number of sources that are hard to identify. The main suspects that may threaten the security of your website are competitors and the hackers-for-hire they contract. During a promotion such as Black Friday your offers may be too good, and someone may want your website to disappear for the day. Or you may have the misfortune to stumble upon a hobbyist hacker who plays with you for fun. There are also attackers who simply want to use your website and its traffic: they insert advertisements, malware or redirects to their own sites, with the aim of extracting money from your visitors.
Regardless of the source and the reason, your image is affected. In the case of an online store, add to that the money you lose for every hour the website is down. It is a very unpleasant situation, and one that can be avoided with relatively little effort.
What is Website Security
Let's talk very briefly about what security means for your website. According to the DEX (the Romanian explanatory dictionary), security means being safe from any danger, the feeling of confidence and calm that comes from the absence of danger; it also means protection and defence. What security means in practice depends on the context. For a website it involves the following elements:
- Confidentiality: preventing the unauthorized disclosure of private data to third parties. Such data may be platform or database administration passwords, visitor information, usage statistics, unpublished articles and pages, personal data collected through the forms on the website, etc.
- Integrity: preventing unauthorized modification of the files, database or content of the website, so that the veracity of the published content cannot be called into question.
- Data encryption: a technique for protecting the confidentiality of information against interception. For a website this means encrypting the data exchanged between the server and administrators or visitors (HTTPS in transit) and, where sensitive data is stored, encrypting it at rest.
- Authentication: correctly identifying the users who are authorized to log in to the platform and make changes to the content, and rejecting everyone else.
- Availability: the website remains reachable by all legitimate users regardless of region or time of day, including while it is under attack.
Vulnerabilities of the platform and of the languages used
Even if you use a CMS such as WordPress, Drupal or Joomla, whose core, themes and modules ship with a number of security measures and are protected against most known vulnerabilities, there are several types of attack that can succeed if additional protection is not put in place. The security of a website is endangered in the following ways:
- Cross-site Scripting (XSS): an attacker injects script into a page that the website later serves to other visitors, so the script runs in their browsers with the site's origin and can steal sessions or deface content. It usually targets contact forms, comment fields, the login page or the search box: any input that is echoed back into a page without proper output encoding is vulnerable.
- Cross-Site Request Forgery (CSRF): the attacker makes a logged-in user's browser send a request to your website (for example via a hidden form or image on another site), and the website executes it with the victim's session because it cannot tell a forged request from a genuine one. The defence is a per-session anti-CSRF token checked on every state-changing request, together with SameSite cookies.
- Brute Force: repeated attempts to guess the password of a platform account by trying candidates until the correct one is found.
- Denial of Service (DoS): an attempt to exhaust server resources with a constant stream of requests from a single source. With a very high number of requests per second, the website becomes unusable for everyone else.
- Distributed Denial of Service (DDoS): similar to DoS, except that the traffic comes from many sources at once, such as infected computers, servers or routers in a botnet. Because every request arrives from a different IP address, blocking by address alone is very difficult.
- Open Redirect: a redirect feature of the website accepts an attacker-controlled destination, so a link that starts with your trusted domain sends users to a site chosen by the attacker, typically a phishing page or one that serves malicious code.
- Phishing: a website created by an attacker looks and behaves like the original, but is used to steal data from visitors or to trick authorized users into entering their login credentials into the fake site.
- Malware: a malicious program or code that aims to infect the website or its host server.
- Local File Inclusion (LFI): the attacker controls which local file the platform includes or executes, for example through a page=... parameter, and can thus read configuration files or run code they previously uploaded.
- Authentication bypass: a flaw in the website's security that lets an unauthorized person reach the platform's control panel without first authenticating.
- Full Path Disclosure (FPD): an error message reveals the absolute filesystem path of the website's root directory, exposing the directory layout and making attacks such as LFI easier to aim.
- User enumeration: an attacker can determine a valid username and then use it in a Brute Force attack to find the password. On WordPress this typically works by appending a parameter such as ?author=1 to the site address; the site redirects to the author archive, whose URL contains the username.
- XML External Entity (XXE): an XML document supplied by the attacker declares external entities, and a poorly configured XML processor resolves them, allowing the attacker to read server files or make the server contact other systems.
- Authorization bypass: similar to authentication bypass, except that the attacker already has an account and jumps over an existing access check to reach parts of the website reserved for other roles.
- Remote Code Execution (RCE): an unauthorized person is able to execute code of their choice on the host server, typically by exploiting a flaw in the platform or in an unpatched component.
- Remote File Inclusion (RFI): the platform includes a file from an attacker-supplied URL, so code hosted on an entirely different server is executed on your website.
- Server Side Request Forgery (SSRF): the attacker makes your server issue HTTP requests to destinations of the attacker's choice, such as internal services or cloud metadata endpoints that are not reachable from the internet.
- Directory Traversal: path parameters are exploited with sequences such as ../ to read or write files outside the directory the website should be confined to, up to and including files outside the web root.
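As an added illustration (not code from the original article), the following Python snippet shows the two checks that defeat the Local File Inclusion, Directory Traversal and Open Redirect entries above: confining a user-supplied file name to a fixed template directory, and accepting a redirect target only when it stays on the site. The directory path and the hostnames are assumptions chosen for the example; the functions use only the standard library and touch no real files.

```python
import posixpath
from typing import Optional
from urllib.parse import urlsplit

# Assumed layout for the example: the directory that page templates live in,
# and the hostnames this site legitimately answers on. Both are constructed
# values, not taken from the article.
TEMPLATE_ROOT = "/var/www/example/templates"
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def resolve_template(user_value: str) -> Optional[str]:
    """Map an untrusted 'page' parameter to a file inside TEMPLATE_ROOT.

    Returns the absolute path, or None when the request would escape the
    directory. This is the containment check that LFI and directory
    traversal payloads such as '../../etc/passwd' try to get around.
    """
    # A NUL byte truncates the path in C-based file APIs and older PHP,
    # turning 'about.php\x00.txt' into 'about.php'. Refuse it outright.
    if "\x00" in user_value:
        return None
    # Join under the root, then collapse '.' and '..'. posixpath.join discards
    # the root when the user value is absolute ('/etc/passwd') and normpath
    # folds '../' upward, so both shapes fail the prefix check below.
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, user_value))
    if not candidate.startswith(TEMPLATE_ROOT + "/"):
        return None
    # Only template files may be included, never arbitrary extensions.
    # On a real filesystem also apply os.path.realpath() so a symlink inside
    # the directory cannot point outside it.
    if not candidate.endswith(".php"):
        return None
    return candidate


def safe_redirect_target(user_value: str, default: str = "/") -> str:
    """Return a redirect target that stays on this site, else `default`.

    Accepts a site-relative path ('/account?tab=orders') or an absolute
    http(s) URL whose host is in ALLOWED_HOSTS. Everything else, including
    the classic bypass shapes, falls back to `default`.
    """
    # Browsers treat '\' as '/' in http(s) URLs while RFC 3986 parsers do not,
    # so 'https://evil.example\@example.com' parses differently in Python and
    # in the browser. Refuse backslashes and whitespace before parsing.
    if "\\" in user_value or any(c in user_value for c in "\r\n\t "):
        return default
    parts = urlsplit(user_value)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. Exactly one leading '/' keeps it on this origin;
        # '///evil.example' parses as a path here but browsers ignore the extra
        # slashes and treat it as a host, so '//' prefixes are refused.
        if user_value.startswith("/") and not user_value.startswith("//"):
            return user_value
        return default
    # Absolute URL: only http(s) to one of our own hosts, and no userinfo
    # ('https://example.com@evil.example/' really goes to evil.example).
    if (parts.scheme in ("http", "https")
            and "@" not in parts.netloc
            and parts.hostname in ALLOWED_HOSTS):
        return user_value
    return default
```

Both functions follow the same rule: decide what a legitimate value looks like and accept only that, rather than trying to blacklist the attack strings, because new encodings of `../` and new redirect tricks keep appearing.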
How to Strengthen Website Security
The list of vulnerabilities is very long and changes frequently. No website is 100% secure. Securing a website is an ongoing battle that takes place within the Monthly Maintenance process. Having listed the problems, we should also list the solutions. We will not string together lines of code and technical details, only concepts that are easy to understand and apply by anyone.
Make backups as often as possible. Backups are copies of your website that you restore after a security breach or a simple malfunction. Store the copies off the server, in a secure location such as a cloud system (Dropbox, for example), and test a restore from time to time: a backup that has never been restored is not a backup. Copy the website files weekly and the database every evening, or more often if the content changes frequently.
Update platforms and technologies. Whether you use a CMS or a custom platform, the core, themes, modules and underlying technologies (PHP, the web server, the database) need to be kept up to date. Updates carry fixes for newly discovered vulnerabilities and close known security holes.
Use a firewall. It can be implemented at application level (a web application firewall in front of the site) or at server or network level. It helps identify compromised sections and block Brute Force and DoS/DDoS traffic, and an advanced system can strengthen website security even against malicious code execution by filtering suspicious requests.
Hide the platform version. This applies mainly to CMS solutions such as WordPress. Because there is a short window between the discovery of a vulnerability and the release of a security update, attackers first try to learn the platform version so that they can launch targeted attacks. Hiding version strings (the generator meta tag, and the web server banner via ServerTokens Prod in Apache or server_tokens off in nginx) makes that reconnaissance harder, but it is no substitute for installing updates quickly: scanners also fingerprint versions from file hashes and behaviour.
Do not allow directory listing. When a directory has no index.html or index.php file, a default server configuration lets the browser display the file structure of the website. Turn it off (Options -Indexes in Apache, autoindex off in nginx).
Configure the server correctly. Some of the most dangerous vulnerabilities can only be closed at server level: block access to important files such as configuration files and backups, and forbid code execution in directories that should hold only data, such as image and upload directories.
Use a TLS certificate (commonly still called an SSL certificate). It is both an SEO requirement and a security requirement. HTTPS prevents anyone on the network path from intercepting or tampering with the data sent between visitors and your website, and that data can be very sensitive: bank card details, passwords, the CNP (the Romanian personal identification number) and so on. Major browsers now label every plain HTTP page as "Not secure", and a site with an invalid or expired certificate is met with a full-page warning.
Use a strong username and password. Do not use the admin username: it is obvious and halves the attacker's work, since only the password remains to be guessed. Passwords must be long and unique: a passphrase of several words or a random string from a password manager, combining letters, numbers and symbols. Forced periodic changes (the old 90-day rule) are no longer recommended by NIST; change a password when you suspect it has been compromised, and enable two-factor authentication wherever the platform supports it.
Use a captcha system for forms. It stops simple bots from the start, and pairs well with rate limiting on the login and contact endpoints.
Choose good hosting. The big danger with a shared hosting subscription is that if one of the websites hosted on the same server gets infected, yours can be infected too, unless the provider isolates accounts properly. Over 40% of recent attacks occurred because of a security breach at the hosting provider.
These are only some of the solutions for website security; the rest require advanced programming and development knowledge.
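As an added example (not code from the original article), here is the kind of check a firewall or log monitor performs to spot the Brute Force attacks that the firewall and strong-password points above defend against: it parses web server access log lines, counts failed logins per source address in a sliding time window and flags addresses that cross a threshold. The log lines are constructed for the example, and the rule "POST /wp-login.php answered with 200 means a failed login" is an assumption about WordPress behaviour that you should tune to your own platform.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format:
#   ip - user [day/Mon/year:HH:MM:SS +zone] "METHOD /path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log for the example (not real traffic).
# 203.0.113.5  : a legitimate user, one typo then a successful login (302).
# 198.51.100.7 : a scripted attacker, five failures within five seconds.
# 192.0.2.9    : a slow attacker, one failure every ten minutes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:09:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:09:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:09:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:09:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:09:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:09:02:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "curl/8.4.0"
192.0.2.9 - - [10/Mar/2024:09:20:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "curl/8.4.0"
192.0.2.9 - - [10/Mar/2024:09:30:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "curl/8.4.0"
192.0.2.9 - - [10/Mar/2024:09:40:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1602 "-" "curl/8.4.0"
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def is_failed_login(event):
    """Assumed WordPress rule: a bad password re-renders the form (200),
    a successful login redirects to wp-admin (302). Adjust for other platforms."""
    return (event["method"] == "POST"
            and event["path"] == "/wp-login.php"
            and event["status"] == 200)


def detect_bruteforce(lines, threshold=5, window_minutes=5):
    """Flag source IPs with at least `threshold` failed logins inside any
    `window_minutes` span. Returns {ip: time the threshold was first crossed}.
    Lines must be in chronological order, as a live log is."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        event = parse_line(line)
        if event is None or not is_failed_login(event):
            continue
        attempts = recent[event["ip"]]
        attempts.append(event["time"])
        # Slide the window: forget failures older than window_minutes.
        while event["time"] - attempts[0] > window:
            attempts.popleft()
        if len(attempts) >= threshold and event["ip"] not in flagged:
            flagged[event["ip"]] = event["time"]
    return flagged


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: threshold crossed at {when:%H:%M:%S}")
```

With the defaults only the scripted attacker is flagged; the slow attacker never has five failures inside one five-minute window, which is exactly why tools of this kind also keep a longer window with a lower threshold (for example two failures in an hour) and why the legitimate user with a single typo must stay below both.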
How do I know if the website has been compromised
A compromised website is usually easy to recognize. It shows one or more of the following signs:
- Content has been changed.
- It redirects to other websites.
- It has many spam comments with links.
- It triggers file downloads when accessed.
- It loads very slowly.
- It shows ads you did not add.
- It shows dubious popups.
- It no longer works.
- You can no longer log in or edit it.
If you have read this article and do not feel safe, we invite you to a discussion. We identify and solve all your website security issues, even if the site has already been compromised.