'Secure' Website - by Patrick Taylor
We live in a brave new world of online opportunities and threats: hackers, phishers and DDoS attacks. Here are some tips to help you protect your website and improve business continuity.
They say that the best security is ‘by design’, but what does that mean? The internet seems to be an overwhelming labyrinth of technology, stolen identity, riches, opportunity, billions of people, and evil people.
How can we enjoy the benefits of having a great website without suffering the consequences of some stupid mistake?
What this article is not
This article is not an exhaustive review of security plugins, providers, best antivirus software, or platform comparison. Here at Netistrar, our team has provided mission-critical Corporate Hosting solutions for over 15 years. We’ve dealt with big websites, tiny websites, and we now manage tens of thousands of domain names and related services.
We’ve encountered the lot, spambots, Russian attacks, DDoS, human error, poor plugin updates - any of which could potentially destroy a client’s website. We tried umpteen security fixes, and different approaches to security. This article focuses on the easy fixes based upon things we have learnt, and the common causes of error.
What do we mean by Website Security?
Dictionary definitions of ‘security’ include ‘freedom from danger’ and ‘risk’ as expected, but also ‘freedom from care, anxiety, or doubt’. Website security is, basically, the set of things you need to do when you are hosting, managing or operating a website that will reduce both the anxiety and the threat of an attack.
Before we delve into our 10 Tips, I would like to share some of the things we’ve learned here at Netistrar in our efforts to maintain good website security. These are the big principles behind our Tips and advice, our overriding objectives, the things we bear in mind, the things we are trying to achieve.
Reduce the white noise
This comes back to security ‘by design’. We love sleep-easy systems. A website that needs lots of patching, hosted on a server that needs lots of attention, and administered by a crowd of editors with few IT skills, is noisy. The more we can reduce the white noise, the better.
It is important to separate the occurrence of a real ‘attack’ from administrative error (white noise). Administrative errors are easier to mitigate than external attacks.
Further, if we are attacked by a bunch of determined hackers, that’s bad luck, but our ability to recover comfortably from an attack increases our sense of safety and security; in other words, our worry about how we might recover from such an attack is more white noise.
Outsource what you can
What are your key skills? Writing? Programming? Editing? Security? Administration? If you can reasonably afford to outsource some of the numerous skills required to maintain a secure website, do so. You will increase the amount of time you can spend practising your key skills, and your website will be more secure.
Your client may be the biggest threat
This makes me groan writing it. We love clients. We’ll do their shopping for them, celebrate their child’s school results, walk their dog. And of course, I’m now talking about clients past, not clients present. Honestly.
Clients don’t give two hoots about security until things go wrong. They won’t pay for security or testing, or tolerate delaying a website launch to make it more secure.
They believe that security is your problem, is part of the service, or worse, may pressurise you into compromising their website security to give them more power or an easier life.
A mark of your professionalism is how well you can resist such pressure without compromising on security, or losing a client.
Our Top 10 Tips
Here are our 10 Tips to improve your Website Security, to reduce the white noise, and make your life freer from care and anxiety.
1. Renew your domain name
This is the Number 1 cause of website outages encountered by most of our customers, usually because of problems relating to Tip 2 and Tip 3, as follows.
Now, you may not think that this is a security threat, but when it happens it sure as hell feels like one. We argue that anything that increases the white noise or affects business continuity, is a security threat. The website goes white screen, your customers go somewhere else, and the panic starts to kick in.
The domain name is critical for brand recognition and traffic routing - without it you have no website. As companies become more dependent upon the income generated from e-commerce, they are recognising the critical importance of domain names in the supply chain and investing more in high quality domain name management and secure administration.
If a domain name doesn’t get renewed, it stops routing, you lose all the traffic.
Renew your domain name.
At Netistrar you have 3 options to help with domain name renewal:
- set a big alarm in your calendar to prompt you once a year and renew the domain name in advance (you don’t lose any unused days);
- pay for multiple years in advance; or
- click ‘auto-renew’ on your domain name dashboard.
2. Update your domain name contact information
What - I thought this was all about Website Security? It is. Under ICANN Rules, all Registrants are required to maintain accurate contact information, and that’s for a good reason. If something bad is happening to your website, we will need to contact you. If something evil is emanating from your website - spam, criminal activity, the cops may need to contact you. It is the domain name owner who is responsible for the use of a domain name, including website hosting.
In reality, the main reason we may need to contact you is to remind you about Tip 1 above, ie. your domain name needs renewing. If you don’t keep your contact email information up to date, you may miss that reminder, the domain stops routing, and the website goes down. You think you might have been hacked. More white noise.
3. Never let one guy manage your crown jewels
We get many support requests from clients who have lost control of their business website because the guy who used to manage the domain name has left the organisation and doesn’t want to talk to anybody anymore. Of course, we can help, but it takes time. We can’t just give anybody access to someone’s domain name account - we might be giving away an entire business! We have a process to help you if you end up in this situation, but better still is to not get into this in the first place.
Think of your domain name as one of your crown jewels. You might already have your website in your business continuity plan, with multiple managers, and multiple administrators, but make sure that your domain name is also included in that plan. A domain name is a more powerful weapon than a website. If somebody steals your website, bad luck. But in the worst case you can launch a temporary website (or an apology page) within a matter of hours if you have control of the domain name. If somebody takes away control of your domain name, it could take weeks.
Losing control of your domain name also means that you will lose control of other critical services, such as email.
4. Renew your certificate
The requirement to have a website certificate, ie. the ability to serve traffic on https is now pretty much mandatory. If you don’t have a certificate, Google will flag your website as potentially dangerous and will display a frightening message for your visitors. If your certificate is out of date, Google will show similar messages.
Netistrar’s FREE DNS includes a FREE certificate, currently provided by Cloudflare*.
If you manage your own certificate, take care to renew it each year (or other period) before it expires.
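The check behind this tip is simple to automate. The following is an added example, not Netistrar’s code or any vendor’s tooling: it takes a certificate in the dictionary shape that Python’s standard `ssl` module returns from `getpeercert()` and classifies it as fine, due for renewal, or expired. The `SAMPLE_CERT` host name and dates are constructed for the example; `fetch_cert` is the optional live-network path you would wire into a monitoring job.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the host name and dates are invented for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}


def _as_utc(now):
    """Accept None (use the real clock), an ISO 8601 string, or a datetime."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        now = datetime.fromisoformat(now.replace("Z", "+00:00"))
    return now if now.tzinfo else now.replace(tzinfo=timezone.utc)


def days_until_expiry(cert, now=None):
    """Whole days until the certificate's notAfter; negative once it has expired."""
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (expires_at - _as_utc(now)).days


def check_cert(cert, warn_days=14, now=None):
    """Classify a certificate as OK, RENEW_SOON (within warn_days) or EXPIRED."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return ("EXPIRED", days)
    if days <= warn_days:
        return ("RENEW_SOON", days)
    return ("OK", days)


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch a live server certificate (needs network); returns a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Evaluate the constructed sample as of a fixed date so the result is stable.
    print(check_cert(SAMPLE_CERT, now="2024-02-20T00:00:00Z"))
```

Run it daily (cron or a monitoring hook) against `fetch_cert(your_host)` and alert on anything other than `OK`; a 14-day warning leaves time to renew even when the renewal itself depends on a payment method that may also have lapsed (see Tip 5).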
5. Update your payment information
Again, probably the main cause of failed certificates, hosting provision and domain name routing is that a credit/debit card has expired and payments cannot be collected. Coupled with Tip 2 (out-of-date contact information), this leaves the vendor unable to contact you to tell you that a service has been suspended due to payment failure, and your website goes down.
The first that you get to hear about this outage, is when a customer reports they are not able to get to your website.
Your customer was hoping to buy something, but now they’re not sure, you don’t seem very professional. You panic, blame the vendor, think you’ve been hacked … you get the picture.
Take another source of white noise and anxiety out of the picture: maintain up-to-date payment information.
6. Reduce the threat landscape
This is the most technical part of our security advice, the most strategic, not really a ‘Tip’ as such, more of a long-term approach to website security management. However, my ‘tip’ is that you adopt this mindset, today.
If you run a complex website, perhaps hosted on a Content Management System such as Joomla, Drupal, Wordpress you are opening up a vast landscape of security threats:
- domain names
- payment information
- contact information
- user operations
- administration functions
- user permissions
- third party plugins
- content management system software
- server platform software
As we discussed, this article makes no attempt to dissect the various merits of competing systems and hardware - neither does it make recommendations for effective anti-virus or patching regimes to make your systems less vulnerable to threat.
It is your job as a website manager to recognise either that you have the skills to maintain and manage your own website security, or that you don’t and need to select a provider to assist you with that job.
Either way, if you make every effort to reduce the threat landscape, your system will be easier for you or your provider to manage, and therefore it will be more secure.
Our experience with Wordpress
Let’s illustrate this with an example. A client once asked us to maintain a secure website service ‘at all costs’. They paid a premium for us to manage a corporate website with enhanced security, huge server capacity, alarms and monitoring, and periodic patching and updates. We also created a staging system and a ‘devops’ workflow that prevented theme developers from directly accessing production services: new themes were pushed from staging to production with automated tests.
Needless to say, the client felt locked out of the system, won a battle to manage their own plugins and eventually took down the system with some bad plugin updates.
The threat landscape of Wordpress is vast. If you need a simple blog, can tolerate some outages, and are happy to fix and patch things frequently, you get a lot for your money (the software is free for self-hosters).
However, if you are building a corporate website, think about the value of such a complex system and balance that against your real requirements.
More secure Content Management
Wordpress is a very popular Content Management System, but in the wake of security threats and particularly those reported that were emanating from compromised Wordpress systems and plugins, people are looking at alternative solutions for Content Management.
It’s helpful to ask yourself some questions about your website requirements and balance those against your current practice.
Do you have more than one website editor who needs to edit website content in a live environment, or do you in fact only have one website editor / techie, who quite likes HTML?
Is your website a brochure, or an e-commerce store?
Could you split the website up into static parts (changing less frequently), and blog parts (changing more frequently)?
Do you need one uber-theme that looks the same throughout the site, or would you in fact prefer a different theme for different parts of your website, help section, terms, etc.?
Are you fairly relaxed about the features and functionality of a particular plugin, or would you prefer to have complete control of your customers’ experience of your website?
If you have found any of the latter parts of these questions to be true, then you may be interested in finding out more about alternative, more secure website solutions (such as static websites), with smaller threat landscapes, and less complexity - no live database, no server, no public facing software to hack.
7. Passwords and 2-Factor authentication
It goes without saying, if someone evil gets their hands on your password they can own your website, domain name and take down your business. If you’ve implemented 2-Factor Authentication, then they will also need to steal your mobile device to get into your account. Your mobile device should also be protected by some security - passcode or face recognition.
Keep your password stored in a safe place. We recommend Lastpass as a good password vault.
8. Put some heavies between yourself and the bad guys
Broadly speaking, a determined hacker is either:
- trying to compromise your backend security, server, or administration area of your website, to own your server or website and do bad things; or
- trying to overwhelm your server with traffic, to deny your customers service, ruin your business and possibly hold you to ransom; or
- grabbing your domain name through your own poor administration, to hijack your brand and also hold you to ransom.
They typically do this by bombarding your website with traffic or repeatedly attacking your login page to ‘guess’ your password or running ‘scripts’ against the site seeking to exploit known vulnerabilities. The resources they employ to do this require considerable strength to resist, more than any normal business can justify or afford. You need some big guys to stand between you and the bad guys.
One such provider is Cloudflare, which has specialist services in Distributed Denial of Service (DDoS) protection and also application firewall software to protect Wordpress and other platforms before the traffic hits your server. They offer free and paid plans with different levels of support.
Google has free ‘Captcha’ technology which developers can use to protect web forms from repeated attack.
Netistrar can provide specialist assistance with point 3. (follow the Tips so far!).
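Even with a provider in front of you, it pays to be able to see the ‘repeated attacks on your login page’ described above in your own logs. The following is an added example, not Netistrar’s or Cloudflare’s code: it reads web-server access log lines in the common combined format and flags any client address that POSTs to a login endpoint more than a threshold number of times within a sliding time window. The log lines, IP addresses and the set of login paths are constructed assumptions for the example; adjust `LOGIN_PATHS` to your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed login endpoints for this example; change to match your own site.
LOGIN_PATHS = {"/login", "/wp-login.php"}

# Constructed sample log: one address hammering the login form, one ordinary user
# logging in with one retry, unrelated traffic, and a malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:55:11 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
192.0.2.9 - - [10/Oct/2023:13:55:16 +0000] "GET /index.html HTTP/1.1" 200 4096
this line is not a valid log entry
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_attempts} for addresses whose login POSTs within any
    `window_seconds` span reach `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop attempts that have aged out of the window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} login POSTs within 60s")
```

The same logic, fed from `tail -f` on the live access log, is enough to drive an alert or a temporary block; the threshold and window are tuning knobs, and the legitimate user with one retry in the sample stays below them.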
9. Lock your domain name
A ‘lock’ is a status on the system that prevents the domain name from being transferred or deleted. Under ICANN rules, in certain circumstances domain names must be locked for a period of 60 days, for example following a transfer, or changes to ownership information.
This lock status is also passed up the chain, to the Top Level Domain Registry (eg. the manager of .COM, .UK etc.) preventing potential changes from outside the system.
We recommend that you maintain the locked status at all times, and we set this by default.
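Both this tip and Tip 1 can be verified from the outside, because a domain’s lock status and expiry date are published through RDAP, the registration data protocol that replaced WHOIS. The following is an added example, not Netistrar’s dashboard or code: it reads an RDAP domain record and reports missing registrar locks and approaching expiry. The two sample records, their domain names and dates are constructed; the lock names are the RFC 8056 spellings of the EPP statuses `clientTransferProhibited` and `clientDeleteProhibited` (the registry-level counterparts that the tip says are passed up the chain appear as `server ... prohibited`). The `rdap.org` fetcher is the optional live path and needs network access.

```python
import json
import urllib.request
from datetime import datetime

# Constructed RDAP-style responses (RFC 9083 shape) for fictitious domains; all values invented.
LOCKED_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.test",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2019-05-01T10:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2024-05-01T10:00:00Z"},
    ],
})
UNLOCKED_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "unlocked.test",
    "status": ["active"],
    "events": [{"eventAction": "expiration", "eventDate": "2026-01-15T00:00:00Z"}],
})

# Registrar-set locks, as RDAP reports them (RFC 8056 mapping of the EPP status codes).
REQUIRED_LOCKS = {"client transfer prohibited", "client delete prohibited"}


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_domain(rdap_json, now, warn_days=30):
    """Return lock and expiry findings for one RDAP domain record.
    `now` is an ISO 8601 string or aware datetime, passed in so results are reproducible."""
    data = json.loads(rdap_json)
    now = _parse_ts(now) if isinstance(now, str) else now
    missing = sorted(REQUIRED_LOCKS - set(data.get("status", [])))
    expiry = next(
        (_parse_ts(e["eventDate"]) for e in data.get("events", [])
         if e.get("eventAction") == "expiration"),
        None,
    )
    days_left = (expiry - now).days if expiry else None
    findings = []
    if missing:
        findings.append("missing lock(s): " + ", ".join(missing))
    if days_left is None:
        findings.append("no expiration event in RDAP record")
    elif days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left <= warn_days:
        findings.append(f"expires in {days_left} days")
    return {"domain": data.get("ldhName"), "days_left": days_left,
            "missing_locks": missing, "findings": findings}


def fetch_rdap(domain, timeout=10):
    """Fetch the live RDAP record via the rdap.org bootstrap redirector (needs network)."""
    req = urllib.request.Request(f"https://rdap.org/domain/{domain}",
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for record in (LOCKED_RDAP, UNLOCKED_RDAP):
        print(audit_domain(record, "2024-04-10T10:00:00Z"))
```

Run against `fetch_rdap("yourdomain.example")` on a schedule, this gives an independent check that the lock is still in place and that the renewal reminder from Tip 2 has not silently gone to a dead mailbox.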
Netistrar Dashboard Domain Name Security Settings
10. Work on resilience as much as prevention
Whatever your chosen technology, you should think about threats to website security as something inevitable. Even if you have carefully followed all the Tips above, the internet is a place full of opportunism, bounty and bounty hunters.
You don’t know how tomorrow’s ‘clever’ hack will emerge, but it will. Or, to take another example, you may have successfully built a virtual fortress around your website, and then someone in your office posts a short movie that includes a shot of your keyboard as you type in your password!
How you manage to recover from such an event is the acid test of your website security. If you build ‘resilience’ into your business continuity thinking and planning, the process is invaluable for website security.
Here are some sub-Tips to get you started:
- Ensure you have backups.
- Consider how would you build your service from scratch, from the latest backup.
- Store your software in an off-site version control system. There are some great cloud providers, for example, GitHub and Bitbucket who can store your software safely and offer great version control features.
- If a server is compromised, is there another to take over (hot standby), or will another take over automatically (cluster and load balancer)?
- Is there anything in your physical office that you might need to get your system up and running if you were to suffer a complete system outage, for example your server or your passwords? What if you can’t get into your office? Get things off-site.
Finally, don’t be overanxious about security. Admit what you don’t know and get help. Don’t take on too much, there are some great hosting packages available that are both cost-effective and secure. It’s a question of balance, if your website is simply a brochure then it shouldn’t take much to make it secure, protect the domain name, and keep some backups. If you are earning a fortune from online trading, then invest some of that back, into security.
*Subject to your domain being accepted by Cloudflare. FREE HTTPS is not always available under our FREE DNS plans.
Lucien is a Founder of Netistrar. Following a successful career as an actor, he then went on to work as a security expert, engineer and marketer in the domain name industry for over 20 years.
Published: , 2834 words.