PRACTICES:

Website security nearly always comes down to two things: (1) Someone gains login access that they shouldn’t; (2) The code has loopholes allowing people to access things they shouldn’t. 

Login Access

Every website is hosted somewhere (a web server), and someone has access to that server for behind-the-scenes management. If you are using a CMS, you will also have a login for the site software itself, and depending on the system, other users with different levels of permissions may be added.

{Example: This site has admins and users, and there is also a login for the server account where the site is hosted, which controls installing the software, email boxes, etc.}

There are two main ways to prevent unwanted access: don’t use default master user names (like “admin”); and have complex passwords.

Passwords

Passwords that are short or made up only of English words can be cracked almost instantly if there is no limit on login attempts. Combinations built from birthdays or names from your personal life are easier for people who know you to guess, though almost all attempts will come from nameless hackers on the other side of the planet. The important thing is this: if the login will give someone a lot of access (to install or modify code), the password should have at least one special character (such as an underscore or exclamation mark), numbers, and both upper- and lower-case characters.

Some systems demand you have a password that is rated “hard”. Don’t turn off this feature if you allow other users to manage their own passwords.
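The policy described above (a special character, a digit, both letter cases, and nothing that is just a dictionary word dressed up) is easy to state and easy to get wrong when enforced by hand. The checker below is an added example, not code from the original post; the 12-character minimum and the tiny common-word list are assumptions of this example, and a real deployment would use a much larger word list.

```python
import re
import string

# Policy from the article: for any login that grants a lot of access, require
# at least one special character, a digit, and both upper- and lower-case letters.
# The minimum length and the small word list below are assumptions of this example.
MIN_LENGTH = 12
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Strip everything but letters and see whether what is left is a single
    # common word: "Password1!" satisfies every character-class rule above but
    # is still a dictionary word with decoration, which crackers try first.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in COMMON_WORDS:
        problems.append("based on a common word")
    return problems


def is_strong(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    for pw in ("admin", "Password1!", "Tr0ub4dor&3x_plane"):
        print(f"{pw!r} -> {check_password(pw) or 'OK'}")
```

The word-list check is the part most home-grown validators skip: a password that passes the character-class rules can still fall to a dictionary attack in seconds, which is why the limit on attempts discussed later matters as much as the password itself.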

Firewalls and Other Software

A firewall is simply a program (sometimes tied to particular hardware) that controls traffic between computers, letting in the good and keeping out the bad. A web server (where a site is hosted) naturally has its own firewall, and you can configure it if you have that level of access to your hosting account. Keep in mind that if you are hosted on a server shared with a hosting company’s other clients, the host can only configure certain things specific to your account and will not make changes that would affect their other clients’ sites.

Attacks generally aim either to gain access or to clog the pipes with too much traffic (a DDoS attack). Either way, the main way this is thwarted is by limiting the number of times another computer (automated, or acting on behalf of someone surfing the web) can request pages or try to log in. For example, if a computer with a certain IP address tries to log in unsuccessfully ten times in ten seconds, it can be blocked.

Changing the address of the login page (usually for a CMS) from the default may help, but smart bad-guy software can often find it anyway. You won’t need to do this if you follow the strategy of not using the default usernames, having good passwords, and limiting the number of attempts.
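The "ten failures in ten seconds" rule above is a sliding-window counter keyed by the client's IP address. The throttle below is an added example written for this post, not code from the original or from any particular CMS or firewall product; the 15-minute block duration and the injectable clock are assumptions of this example (the clock is there so the behaviour can be checked without waiting real seconds).

```python
import time
from collections import defaultdict, deque

# Thresholds from the article's example: ten failed logins in ten seconds.
# The block duration is an assumption of this example.
MAX_FAILURES = 10
WINDOW_SECONDS = 10.0
BLOCK_SECONDS = 15 * 60


class LoginThrottle:
    """Sliding-window failed-login counter keyed by client IP address."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable so tests can fake time
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time at which the block expires

    def is_blocked(self, ip: str) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:
            del self._blocked_until[ip]      # block has expired; forget it
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Record one failed attempt; return True if it pushes the IP over the limit."""
        now = self._clock()
        window = self._failures[ip]
        window.append(now)
        # Drop failures older than the window so only a burst counts; ten slow
        # failures spread over a minute do not trigger the block.
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A successful login clears the failure history for that address."""
        self._failures.pop(ip, None)


if __name__ == "__main__":
    # Constructed demonstration: a burst of bad logins from one documentation-range IP.
    throttle = LoginThrottle()
    for attempt in range(1, 11):
        if throttle.record_failure("203.0.113.7"):
            print(f"blocked 203.0.113.7 after attempt {attempt}")
    print("still blocked:", throttle.is_blocked("203.0.113.7"))
```

In practice the login handler calls `is_blocked` before checking credentials and `record_failure` after a bad one; the successful-login reset keeps a legitimate user who mistypes a password a few times from being locked out by their own earlier mistakes.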

Patching Holes / Updating Software

If your site is custom, it’s up to you and you alone to:

  • Be ready for every new threat;
  • Not leave holes in code where visitors can insert executable script into form fields;
  • Lock down file permissions on files and directories where necessary and possible.
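The second bullet, not letting visitors insert executable script through form fields, is in practice two habits: validate what comes in against a strict allow-list, and escape everything user-controlled when it goes back out into the page. The snippet below is an added example, not code from the original post; it shows a rendering function with the loophole beside its hardened form, plus a small checker that detects stray tags in the rendered output. The field names, the allow-list pattern and the sample submission are constructed for this example.

```python
import html
import re

# Constructed sample submission: a "name" field carrying markup rather than a name.
SAMPLE_INPUT = "<script>x()</script>"


def render_unsafe(name: str) -> str:
    """The 'before': user text is dropped straight into the page markup, so any
    tags the visitor typed become part of the page and run in other visitors'
    browsers."""
    return f"<p>Thanks, {name}!</p>"


def render_safe(name: str) -> str:
    """The 'after': every user-controlled value is HTML-escaped on output, so
    the browser displays the characters instead of interpreting them."""
    return f"<p>Thanks, {html.escape(name, quote=True)}!</p>"


def validate_username(value: str) -> bool:
    """Input-side defence: accept only letters, digits and underscores, 3 to 32
    characters (allow-list pattern is an assumption of this example)."""
    return re.fullmatch(r"[A-Za-z0-9_]{3,32}", value) is not None


def has_unexpected_tags(rendered: str, allowed=("p",)) -> bool:
    """Output check: True if the fragment contains any tag other than the ones
    the template itself emits. Escaped text (&lt;script&gt;) has no '<', so it
    is not counted as a tag."""
    tags = re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered)
    return any(tag.lower() not in allowed for tag in tags)


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_INPUT),
          "-> stray tags:", has_unexpected_tags(render_unsafe(SAMPLE_INPUT)))
    print("safe   :", render_safe(SAMPLE_INPUT),
          "-> stray tags:", has_unexpected_tags(render_safe(SAMPLE_INPUT)))
    print("valid username:", validate_username("jane_doe"),
          validate_username(SAMPLE_INPUT))
```

Validation alone is not enough (a legitimate free-text field such as a comment cannot be restricted to letters and digits), and escaping alone is not enough (a value that is only ever escaped for HTML can still be dangerous if later reused in a URL or a database query), which is why both habits are listed rather than one.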

You should also make sure your server is up to date with software patches. You either have to trust your hosting provider, or do it yourself with some diligence.

If you are using a CMS, core files, themes / templates, and plugins / modules / add-ons should always be updated as soon as updates are available. Many updates address specific exploits that have recently been found. Remember, threats evolve and adjust along with the good guys. Don’t put off protecting your site.

Additional Software + Hardware

There is an almost infinite number of wares that you may employ in your security portfolio; way too many to even attempt to review – especially since servers, CMSs, and even hand-coded sites all have nuances that add to the “flavor” of what would work for a given site’s specific scenario. Suffice to say – you should be able to easily find a comfortable mix of hardware and software security products and services, and PRACTICES, that work for your specific circumstances.
