Why Website Security Can Be Hacked?
The most important thing to remember with website security is that hackers don’t usually choose which websites to hack.
While certain people may target certain corporate brands or government websites for a challenge or for hacking issues (related to religion, nationalism, anti-globalism, human rights, etc. where publicly available content is tampered with), in most cases websites the web they choose to hack is done randomly.
In almost every case, hackers use scripts that extensively search websites for common vulnerabilities. And, unless they are specifically looking for a challenge, they are more likely to take on the least challenging vulnerabilities to gain quick access.
“Over the past three years, more than 3/4 of the websites scanned contained vulnerabilities that were not watched,” according to a Symantec study, “one in seven (15%) of which were considered critical in 2015.”
When they scan for vulnerabilities, they make no difference between the size or age of the business.
What makes so many small businesses tend to stand out and be targeted, is that small business owners don’t usually make security a priority. They also don’t have the budget to maintain an IT division capable of regularly monitoring or maintaining an updated and secure system, unlike the big corporate brands.
Most hackers look for three things when they attack websites:
- Hijack your SMTP server.
They upload scripts that use your relay server to send spam emails to hundreds of emails every day. Until your hosting provider shuts down the relay server.
- Hijack your website traffic.
They will direct traffic coming from search engines to their money making websites. These sites will be branded with your colors and logo, so visitors think they are in the right place.
- Malware Distribution.
Have you ever visited a website and a message popped up saying you needed to update your Flash player, and when you clicked on it, your computer was infected with a virus? That is one way the virus is transmitted, from a hacked site.
By understanding how security is compromised, and what hackers look for, you can better understand the website security technologies that hosting providers use and what you can do to improve the security of your own website.
How Security is Compromised
Security vulnerabilities are common among web applications, and if you find them obvious, you should check the applications you use to do business, especially those that integrate with your website. Examples of web applications that small business owners use include:
- Web analytics tool
- Writing/grammar apps and plugins
- SEO apps and plugins
- Email integration app
- Third-party social integration apps
- Productivity apps
- Communication applications such as instant messaging (chat) and contact forms
And many more options, each with potential vulnerabilities that could compromise the security of your website.
Here are some of the most common vulnerabilities on websites:
SQL injection – code injection that grants access to or destroys database content, allowing attackers to read, write, or modify data.
Cross Website Scripts – Also known as XSS, this method allows attackers to run scripts in your browser that can hijack browsing sessions, modify website content, and redirect users to selected destinations.
Broken Authentication – Poor session management and broken authentication make it easy for hijackers to take over active user sessions and assume user identities.
Unconfigured Security – When a security misconfiguration occurs, hackers or hijackers can gain access to all kinds of personal data or features up to and including completely compromised websites or networks.
While these are some of the more common vulnerabilities, there is a lot that can happen. Fortunately, there are also many ways leading website hosting companies are actively working to keep your website and hosting servers safe from piracy and intrusion.
Best Server for Website Security and Keeping Data Safe
Although the concept of hosting is simple, but if a company gives you space to store files and data that is publicly displayed as a website, it can get a bit more complicated when you start dealing with the security of your data.
It’s true, hosting companies put a lot of effort into ensuring the security of websites and servers is maintained. However, there is a fine line between where your responsibility for security ends and where the responsibility of the website hosting company begins.
It may change depending on the hosting environment you choose.
Website Security and Shared Hosting
Shared Hosting is the most commonly used hosting platform for many startup websites and small businesses. They are more cost effective and easy to prepare. One of the reasons for the cost savings, is that website hosting companies group a number of websites on a single server.
That’s why it’s called “shared”.
This shared arrangement continues to fuel the myth calling the platform an insecure hosting environment. To be honest, shared hosting is a solid and affordable option for many people who host anything from personal hobby websites to business websites. As long as you work with a reputable host who understands website security, you have nothing to worry about, at least on the host side.
Website Security and Virtual Private Servers (VPS)
VPS environments are often preferred when it comes to security, but if you look closely at those who support VPS, it’s usually the IT crowd, such as professional network administrators. A VPS can be more secure than a shared hosting plan or a self-hosted website… but only if you have the budget to invest in someone with the technical know-how.
Without a knowledgeable and reliable system administrator (or a well-informed one yourself), you can expose yourself to more vulnerabilities with a VPS.
The advantage of VPS is that they offer far more security options and configuration variations but that is only useful if you know what you are doing.
Shared Responsibilities – How Data Centers Strengthen Website Security
The data center is basically the technology backbone for a web hosting company. These locations exist all over the world, with many companies operating themselves or leasing space in multiple data centers.
Data centers range from small operations with minimal infrastructure and space due to small server requirements (think small companies with private data centers) to large warehouse structures with rows of servers (such as Google data centers and Amazon Web Services).
When you store large amounts of hardware, process and manage the flow of personal and proprietary data, there are certain steps required to keep everything safe and secure.
While the website owner is responsible for the space allotted on the server, the data center goes to great lengths to manage the physical security and security of the server itself. This includes:
- Environmental controls that keep equipment operating at a safe temperature. A room full of electronics will generate significant heat and can damage components.
- A backup power supply that keeps the server running, even when the power grid goes down for some unforeseen reason. This keeps the server running until power is restored.
- Surveillance system (CCTV) to monitor inside and outside the data center as well as the activities of everyone in the location.
- Metal detectors and weight sensors in server access rooms to ensure hardware does not enter or exit without approval.
- The Mantrap Room uses a combination of biometrics, security access, single entrance (one person at a time), guards and surveillance to ensure limited access to the data center. (Google uses similar security and less than 1% of employees have ever seen the inside of a data center)
- Server racks, used in data centers to protect specific servers or servers, separate sensitive data and equipment from non-sensitive data. These server racks are sometimes included in CCTV surveillance for additional monitoring.
- Architectural safety is often considered in construction to strengthen the facility itself which can often include bullet proof glass, resistance to inclement weather, high impact impact barriers and extensive fire suppression systems.
Data centers take physical security seriously to reduce the risk of physical attack, damage and possible on-premises threats. These still raise questions about the most common and obvious threats and vulnerabilities to website security, namely software-based hacks and attacks.
This is how website hosting companies and data centers work together to keep your website secure on the digital front.
Common Website Security Features and Security Issues
When choosing a hosting provider, keep in mind that no single security feature will make your hosting platform more secure than others. Rather, it is the cumulative protection provided by several features that contribute to the highest level of security for your website.
Following are the features that should be offered to you and some of the core security issues that the hosting provider should address.
A firewall is software designed to monitor and filter data activity before it reaches a web server. When configured, a set of rules is created and applied to all incoming and outgoing traffic to protect the system and data.
Firewalls work through one or more methods including filtering (analyzing all data that is passed through the firewall against a set of filters), inspection (checking data coming into the website against database information that is approved to be passed), and proxies (repelling or bad traffic before it goes through). your website).
It is common for a single firewall to be configured to apply to all servers on shared hosting, so that individual hosting accounts have no control over the firewall configuration. It is possible that some hosting plans offer a special firewall, which allows you to create custom rules that determine who can (and cannot) access your website.
Data Backup, Restore Points and Redundant Hardware Backup
Even with carefully managed site content, any kind of incident, including malicious attacks, can lead to data loss. It is ideal to look for a hosting company with a choice of data backup options.
Automatic and manual data backups are standard for almost every hosting company, providing rolling backups of data from the current version of the website. In addition to backups, multiple restore points make it easy for you to switch from one version to the previous one in the event of data corruption.
Redundant hardware backup is the existence of several additional servers which are clones of the current active server version and are integrated with each other, so that in the event of a disruption to the main server, traffic can be directly redirected to the redundant server to avoid downtime and minimal loss.
Performing any website updates or maintenance can leave your entire website vulnerable to attack, especially if you are installing and testing new applications or making adjustments to scripts. The sandbox or developer environment provides you with a secure way to test all changes to the system in real time but in a separate environment that is not publicly accessible. This is better than making direct changes to files that are publicly accessible and potentially attacked by hackers.
User Access Control and Password
It is common for hosting platforms to use software such as cPanel to offer different levels of user access control and password management. Since these user accounts provide different levels of access to your website’s core files, they should be reserved for members of your team.
Depending on the characteristics of your website, you may also have user access settings for subscribers, and guest authors each with their own personal password to gain access. Because user access can vary from simple content posting rights to unlimited file access. You can set the minimum required permissions for a specific role of each user.
It is a good rule of thumb to create a password policy depending on the type of account you are creating and the number of other users. For example, an account that can have a much greater impact on the operation and appearance of your website, must have much stricter rules and much more complex password requirements.
You might consider using a password manager application for all user accounts to increase website security, especially if you work with multiple employees or contractors with access to your website. Password managers eliminate manual password generation, which often causes employees to choose weak passwords or reuse the same password across platforms and accounts.
The main benefit of a password manager application is the ability to generate strong and complex passwords and also store them in an encrypted vault.
Your website hosting company can provide or recommend a password manager application. Otherwise, there are several trusted apps available that are secure and don’t store password data in the cloud.
User access and passwords are the responsibility of the client, so careful and regular monitoring of user accounts is as important as initial configuration.
SSL certificates are an essential part of eCommerce and, after the latest update to the Google Chrome browser, a much larger part of browsing will be secure overall.
These certificates are small data files that are registered and tied to domains and organizational details. When enabled and configured the website will enable the https protocol (as opposed to http) which allows a secure connection to be established between the server and the user’s browser.
Through that secure connection all data is encrypted, especially sensitive information such as consumer credit card data, personal contact information, proprietary files, and more. While an SSL certificate is not required for most websites, Google’s Chrome browser has started displaying a message that a site is not secure if a website displays a form to submit data without a valid SSL certificate.
For eCommerce sites, SSL is a necessary security component. It not only ensures the encryption of sensitive information, but is also required for PCI standards, a requirement for companies to process buying and selling transactions on the internet such as accepting credit card payments online.
Google has stated that a secure website with proper encryption (SSL certificate) is now a factor for ranking a website. That means part of Google’s core algorithm used to determine your website’s visibility in searches including whether your website has a valid certificate or not. Without these features, maybe your competitor’s website that is equipped with SSL features can outperform you on the Google search engine.
DDoS, or Distributed Denial of Service, is a method used to send large volumes of traffic/data to websites in the shortest possible time span. This data overload prevents the server from processing incoming traffic and can take an unprotected website or server offline.
A reputable and reliable hosting provider will provide documented DDoS protection. With this protection, the server can monitor and filter the DDoS traffic so that, all subsequent hits from the DDoS attack are caught and rejected from the server while other legitimate traffic is allowed to pass normally.
Content Delivery Networks
Content Delivery Networks (CDN) are the invisible backbone of the web and are used to deliver content at much faster speeds, particularly across long distances. For example, if you have a website that is hosted on a server located in the US, it will take more time for users in Indonesia to access your website because the data traffic crosses the ocean compared to users in the US, which is only a few cities or states away. .
Content Delivery Networks are regulated worldwide, cache website content and offer a number of benefits to website owners, including:
- Much better page load times especially for international traffic;
- Improved processing load as traffic is shared between CDNs instead of all traffic going to the main server;
- Localized coverage in other countries with no additional hosting fees;
Reduced bandwidth consumption thanks to improved load processing.
Further to website security, CDNs also provide an additional layer of protection against DDoS attacks. Your website hosting provider may provide CDN services in partnership with other providers and you also have the option to set up your own CDN access directly with a third party CDN.
Brute Force Detection
A brute force attack is a method that hackers use in an attempt to gain access to a server through an authentic login with legitimate access. Instead of trying to find vulnerabilities, attackers will use automated software that runs multiple guesses in succession (a combination of username and password) in an attempt to gain access.
Hosting providers usually offer brute force detection to monitor the fast delivery of this username/password combination. There are also steps you can take at the user level to help prevent brute force attacks, particularly through better password control.
A strong, long password with a high variety of letters and numbers can be very helpful.
There are also apps or plugins that can be installed into content management systems like WordPress that limit the number of login attempts allowed. Other precautions that may be available beyond detection include:
- Locked after several times entering the wrong password;
- Increase the amount of time the account is locked;
- Lock individual user accounts;
- Prevent your website from showing when username is valid in login error;
- Automatically blocks attempts to register or log in as a specific username if it doesn’t exist, such as ‘admin’ or ‘info’.
Multifactor authentication is the process of increasing the steps required for login, where those additional steps involve a tightly controlled application for verification. In an ideal setup, only the original account owner for a given username has access to second-level authentication.
For example, the website administrator has two-factor authentication configured on the site. Whenever they try to log in with their username and password, the system will generate a text message that is sent to the phone as a note for that user. That administrator then needs to provide the unique passcode generated for that session just to gain access to the administration dashboard.
A web server works similarly to a home PC; both take advantage of the operating system to run. And just like home PCs, web servers (sites/files on the server) are vulnerable to attacks from viruses and malware. Some viruses or malware are harmless, but most viruses and malware are developed for malicious purposes and are designed to spread far and fast.
Fortunately, antivirus and malware scans have become standard for most website hosting companies. Ideally, you should look for a hosting provider that performs daily/regular antivirus scans along with active monitoring. If possible, find out if the scan can be run manually and if infected files are found, what are the next steps to get rid of them. Your hosting provider may offer a support plan that involves removing malware, although cleaning infected files may be the responsibility of the site owner (you).
Maintaining Website Security
While your web hosting and data center provider goes to great lengths and costs to keep your data safe, it’s clear that some responsibility rests with you to ensure your data (and your customers’ personal data) is safe.
1. Software Updates – Whether you have a dedicated site or a content management system like WordPress, you need to update all scripts and software. Patches often address website security issues found in older versions and if you fail to update, you leave your website security vulnerable to attack. Ensure that plugins, extensions, apps, shopping carts and even templates are included in regular updates and site maintenance to reduce vulnerabilities.
2. Create a Password Policy – Configuring strong passwords is key to avoiding intrusion from brute force attacks. Your policy should address a number of factors including password length and complexity (10 characters, letters and numbers, special characters, uppercase letters), how often passwords are changed/updated (i.e. every 90 days), how passwords are stored (especially with mobile devices), etc. Ensure this password policy is strictly maintained throughout your system.
3. Use Domain Privacy – While domain privacy may not seem important for website security issues, the less information an attacker has, the better. Domain privacy masks a website’s whois data, including personal contact information and location data, all of which can be used for malicious purposes.
4. Install Anti-Virus Software – Your local computers should all be equipped with anti-virus software to protect your data and website. This software can prevent malicious programs such as keyloggers and trojans from giving hackers access to your system.
5. Audit Your Site For Vulnerabilities – Since websites often display special code in various forms, it’s a good idea to do regular audits of your website. This does not need to be done manually. There are many software and online tools that can be used to scan your website for vulnerabilities. Keep in mind that no tool is 100% reliable, the best approach to a security audit is to work with a professional who can provide a detailed review of your website and explain the steps you need to take to secure your website.
6. Perform Manual Backups – Leading hosting companies provide automatic backups, but never trust a system to keep your data safe. Create a schedule for regular manual backups of your site data including databases. Your hosting provider should offer an option in your hosting control panel to create backups manually. Once you’ve created a schedule, make sure to stick to it consistently.
7. Use AVS and CVV – For an eCommerce website, you’ll want to take every extra step to maximize security, especially when it comes to consumer data. Be sure to include the Address Verification System (AVS) and Credit Verification Value (CVV) fields on your checkout page. With AVS and CVV, fraudulent attempts are much less likely to succeed, as the buyer must have full address information as well as the code on the back of the credit card to complete the purchase.
Just because you operate a small website, doesn’t mean you don’t have to worry about hacking, piracy, or intrusion. The traffic to your website, customer data, and your connections to other users are all valuable to hackers and it is imperative that your website is secure so that it doesn’t become a potential target.
Choosing a hosting provider that offers a robust set of security features in combination with proactively securing your website and data is the best way to reduce risk, close vulnerabilities and protect your business website.
Do you keep your website secure? What precautions did you take?