You protect every office computer with an antivirus. You install firewalls to prevent unwanted access to your network. But what do you do to secure your website? And what can happen if it is not secured?
This article is aimed at website owners who are not experts in website security or web application security, especially at small businesses. We will explain what steps you can take to build a good security policy for your website and how to avoid security threats. We will also address common misconceptions.
Website security involves the right procedures, the right people, as well as the right tools and applications. It often goes beyond just the website and includes web host/web server (for example, Apache/IIS/Nginx) and hosting provider security as well.
If your website is not secured, an attacker can:
- Cause a data breach and steal sensitive data/sensitive information (for example, passwords or credit card numbers from e-commerce sites)
- Escalate to attack your other systems (for example, to install a backdoor or ransomware)
- Use your existing website functionality to attack others (for example, send phishing emails that include your website URL)
- Deface your website, damaging your reputation
An SSL/TLS certificate is necessary, but it is not sufficient on its own:
- An SSL/TLS certificate protects your website against man-in-the-middle attacks. As long as TLS is correctly configured, nobody can read or tamper with the communication between the web browser and your web server.
- An SSL/TLS certificate will not stop cybercriminals from exploiting a vulnerability in your website code or in your web server configuration.
Strong passwords help you protect your sensitive areas, those that require you to log in to access functionality or information that should not be publicly available. A strong password helps you resist both brute-force and dictionary attacks. However, most computer users have many misconceptions about what a strong password is. In short, length and uniqueness (no reuse across different sites) matter more than special characters or regular password changes.
Common web application vulnerabilities let an attacker either access information that they should not have access to or include their own malicious code. This malicious code is then run by the web server or by your website visitors' browsers.
Automated web vulnerability scanners such as Acunetix work as follows:
- They send specially crafted data to your website to see how the website code reacts to it
- If they find a vulnerability, they report it (in the case of Acunetix, including proof that the vulnerability is real and information on how to fix the error)
However, automated software will never be able to find every possible vulnerability. That is why it is a good idea to perform periodic penetration testing. If you do not have security experts on staff, you can hire an external security contractor to do it.
Web application firewalls (WAFs) are useful to protect your website until you can fix a vulnerability. A web application firewall inspects the data that users send and looks for patterns that may be a sign of an attack. If the data matches a pattern on the WAF's blacklist, it never reaches the server.
The problem with relying on a WAF is that it is like fixing your car with duct tape: it holds the parts together but does not fix the underlying problem. If an attacker manages to send data that the web application firewall does not recognize but that still contains malicious code, the attack still reaches your website.
SQL injections and cross-site scripting (XSS) are the two best-known types of vulnerabilities in websites. They have been around for a long time, more than 20 years. However, they are still present in the code of many websites and web applications. The 2021 Acunetix Web Application Vulnerability Report shows that SQL injections are still present in 7% of sites and cross-site scripting is still present in 25% of sites. There is a significant chance that your website has one of those vulnerabilities.
Such vulnerabilities are common even for very big web companies like Google. For example, independent researchers used Acunetix to find an XSS vulnerability in Google and a major IT security provider, Sophos, was found to have an SQL injection.
SQL injections and XSS vulnerabilities are very serious and may have severe consequences. SQL injection attacks may let the attacker access your database, and even your web hosting operating system. Cross-site scripting lets cybercriminals attack and impersonate your users.
Malware is more commonly associated with desktop computers, but an attacker who compromises a website may place malicious scripts on that website. Such malicious scripts may help the cybercriminals attack the users of your website.
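To make the two vulnerability classes concrete, here is an added example that is not from the article or from Acunetix: a minimal user lookup and a greeting page in Python, each shown in its injectable form beside the fixed form. The database contents and the inputs are constructed for the demonstration; the fixes are the standard ones (parameterized queries for SQL, output escaping for HTML).

```python
import html
import sqlite3

# Constructed in-memory table standing in for a site's user database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # User input is pasted into the SQL text, so a quote in the input
    # can change the meaning of the query itself (SQL injection).
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the driver sends the value separately from the
    # statement, so the input is only ever treated as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def render_greeting_vulnerable(name: str) -> str:
    # Reflects user input straight into HTML: any tags survive intact and
    # are executed by the visitor's browser (cross-site scripting).
    return f"<p>Welcome, {name}!</p>"

def render_greeting_safe(name: str) -> str:
    # Escapes <, >, &, and quotes so the browser renders them as text.
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"

if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"            # textbook injection string
    print(lookup_vulnerable(conn, tautology))   # every row is returned
    print(lookup_safe(conn, tautology))         # [] no such username exists
    markup = "<script>alert(1)</script>"   # textbook XSS probe
    print(render_greeting_vulnerable(markup))
    print(render_greeting_safe(markup))
```

A scanner of the kind described above finds these bugs by sending exactly such inputs and observing whether the response changes; the fix is always in the application code, not in front of it.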
Professional web security scanners like Acunetix protect you from this threat, too. Acunetix downloads all scripts from the websites that it analyzes and checks them for malware. However, no software can help you with malware removal from your server – you will have to handle that manually.
Some DDoS attacks are possible because of vulnerabilities (for example, the Slowloris vulnerability). Vulnerability scanners can often detect the weaknesses that make such attacks possible, so you can fix them before they are exploited.
However, most DDoS attacks, performed with tools such as Low-Orbit Ion Cannon (LOIC) or High-Orbit Ion Cannon (HOIC), are indistinguishable from regular user requests. The easiest way to protect against them is to have a very powerful server with dedicated anti-DoS solutions.
Luckily, most business websites today are hosted on such servers. Large hosting companies such as Akamai can handle so many requests that DDoS attacks are much less of a threat. They also have special mechanisms in place that protect websites.
WordPress is the most common content management system and it is also the one that is known to have the most security problems. However, most problems with WordPress are not caused by the core software but by plugins and themes.
To keep a WordPress site secure:
- Always use the latest version of WordPress. Install software updates (especially security patches) immediately.
- Use only the plugins and themes you need. The fewer of them you have, the smaller your attack surface. Prefer well-known, actively maintained plugins and themes and avoid obscure ones.
- Regularly scan your WordPress site with a vulnerability scanner for security validation. For example, Acunetix has many WordPress-specific checks but can also discover other generic vulnerabilities.