Hack prevention through hardened security!
"An ounce of prevention is worth a pound of cure!" used to be a common phrase but can you remember the last time you heard someone use it? Around here the spirit of this statement is ingrained in our every habit and action. Every line of code we write, every website we build, everything we do for our clients is done with an eye toward hack prevention.
The unfortunate truth is that website hacks happen every day. The exact number changes depending on where you get your information but all of the security sources we follow seem to agree that the number is well into the many thousands per day at minimum. This means that it's not a question of if someone has hacked, or tried to hack, your website. It's an inevitability that, like a thief in the night, at some point someone will attack your site.
Will you be ready?
Some General Observations
From what we've seen, the largest percentage of the websites that get hacked are found, and sometimes hacked, by automated bots that trawl the internet looking for websites with specific vulnerabilities. Essentially these automated programs crawl websites or use advanced Google-Fu techniques to "shake trees" and find the low-hanging fruit. The best defense to this is to make sure you and your website are not low-hanging fruit.
If you have already been breached, just removing hacked, corrupted, and malicious files from your website will not protect you from future attacks. In addition to cleaning up the mess, proactive measures to secure, mitigate, and remove all vulnerabilities are essential to help ensure your website is resistant to attack. This will, in most cases, make hackers move on. Most attackers want easy targets. To those attackers, if you're not easy prey you're not prey at all.
Your website is your company's digital face. It is the first thing your clients and potential clients see. It is something you have spent both your time and money building. Just like you take steps to protect your brick and mortar storefront to deter bad guys and protect your business, you must also take steps to protect your digital storefront to deter bad guys and protect your business and your reputation.
Would you leave your front door open when you are closed?
It's pretty likely that securing websites against intrusion is not what you do; why would you be reading this if it was? Even if you are tech savvy, in our experience most business owners simply don't have the time or desire to handle hardening their website against attack on their own.
The good news is, you don't have to. We will handle everything for you while you focus on building and managing your business.
If you want to protect your website, business, and reputation, we're here to help. You can reach us to schedule a complimentary 30 minute consultation to discuss your web security by filling out the contact information form below or by calling us at (657) 205-7377.
How to Harden Your Website Security
Start with hardening the hosting environment and server.
If the server and/or hosting environment your website is hosted on is not secure, then your website security will not matter. You must ensure, to the best of your ability, that the hardware your website is on is hardened against attack. If you cannot verify the security of your hosting environment personally, call your hosting company and ask questions.
Some questions you could ask:
- Is your server secure?
- Is your server kept up to date?
- What are your update policies?
- How do you test and verify the security of your hardware and network?
- How can I verify the security of the server/network my website is hosted on?
- ... anything else you can think to ask ...
In addition to verifying that the server hosting your website is secure, you need to harden your hosting environment where possible. This can usually be done through configuration files like .htaccess for Apache, and web.config on IIS. The parameters needed in these files are always different client to client due to differences between websites, servers, needs, and implementation.
If you are trying to do this on your own, clear your schedule and break out your Google-Fu. Depending on your knowledge and experience you may need to do some searching on your webserver and how it works before you start making it more secure. Whether you need in-depth info or just refreshed info, Google is your friend for this part. Your main search focus will be looking for ways to configure and harden your hosting environment based on your situation and specific needs and the requirements of your CMS (WordPress, Joomla, etc.).
If you want some help working through this on your own or would rather hand this off to someone who does this every day, we're here to help. To get some help fill out the contact information form below or call us at (657) 205-7377.
Configure the Interpreter's Settings.
There are several common scripting languages used to generate web pages. If your website is a static HTML website then this section is not relevant to you. If you are using a CMS like WordPress or Joomla!, or almost any other infrastructure that accesses a database to function, then you should keep reading.
While there are other languages used to build websites, the most widely used scripting language for creating websites is PHP so that is where we will focus. PHP, like other scripting languages, is written in human readable text or source code, as opposed to bytecode, hex, or binary, and is generally followable. You may not understand what the text is saying but you can read the words and follow along through the source code, at least for the most part.
Scripting languages like PHP are parsed (read and processed) by an interpreter that converts the human-readable text into bytecode to be run by the server. The interpreter can usually be configured in your local hosting account through config files. For PHP these could be php.ini, .user.ini, or the web server config file directly (like .htaccess for Apache), depending on how your server is configured by your host. Your host should be able to provide all the info you need to adjust these config files to your needs.
Just as before, if you are trying to do this on your own, clear your schedule and break out your Google-Fu. Depending on your knowledge and experience you may need to do some research on the language used to power your website and how it works before moving forward. In any case, whatever your situation or skill level, Google is your friend for this part. Your main search focus will be looking for ways to configure and secure PHP while still enabling the services you need for your website or CMS (WordPress, Joomla, etc.).
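As an added example (not the page's or any hosting provider's code), here is a small Python audit that reads php.ini or .user.ini text and reports the directives that fall short of a hardening baseline. The directive names are real PHP settings; the baseline choices, the open_basedir path and the two sample ini fragments are constructed assumptions.

```python
# Constructed audit script: parses php.ini / .user.ini text and reports
# directives that fall short of a small hardening baseline. The directive
# names are real PHP settings; the sample ini text at the bottom is made up.

# Boolean directives a hardened PHP site normally sets, with the wanted value.
BASELINE_BOOL = {
    "display_errors": False,     # never show stack traces or paths to visitors
    "expose_php": False,         # keep the PHP version out of response headers
    "allow_url_include": False,  # include() must not fetch remote files
    "log_errors": True,          # errors go to a log file instead
    "session.cookie_httponly": True,
}
DANGEROUS_FUNCS = {"exec", "shell_exec", "system", "passthru", "proc_open"}  # rarely needed by a CMS
TRUE_WORDS = {"1", "on", "true", "yes"}  # how PHP reads boolean ini values

def parse_ini(text):
    """Return {directive: value}, ignoring comments, blanks and [sections]."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return sorted findings; an empty list means the baseline is met."""
    cfg = parse_ini(text)
    findings = []
    for directive, wanted in BASELINE_BOOL.items():
        current = cfg.get(directive)
        if current is None or (current.lower() in TRUE_WORDS) != wanted:
            findings.append(f"{directive} should be {'On' if wanted else 'Off'} (is {current!r})")
    disabled = {f.strip() for f in cfg.get("disable_functions", "").split(",")}
    for fn in sorted(DANGEROUS_FUNCS - disabled):
        findings.append(f"{fn} not listed in disable_functions")
    if not cfg.get("open_basedir"):
        findings.append("open_basedir is unset (scripts may read the whole filesystem)")
    return sorted(findings)

WEAK_INI = """; constructed sample: common shared-hosting defaults
display_errors = On
expose_php = On
log_errors = Off
"""
HARDENED_INI = """display_errors = Off
expose_php = Off
allow_url_include = Off
log_errors = On
session.cookie_httponly = 1
disable_functions = exec,shell_exec,system,passthru,proc_open
open_basedir = "/var/www/example/:/tmp/"
"""
```

Running audit(WEAK_INI) lists eleven findings, while audit(HARDENED_INI) returns an empty list; point parse_ini at the real file your host gives you to check your own settings.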
Whether you want just a little help working through this on your own or would rather hand this off to a programmer who does this every day, we're here to help. Fill out the contact information form below or call us at (657) 205-7377 and we'll get you the help you need.
Harden your source code.
"Is it safe? Is it secure?" are two questions that should be asked and then verified regularly.
If you are using an open-source CMS like WordPress or Joomla! there really isn't much you can do to the source code that would be permanent. Every time you updated the CMS your changes would likely be lost, so your best option here is to make sure you update your CMS completely and often.
If you have a custom coded website then you should make sure your programmer employs proper coding practices to ensure security, and you should also employ a process that enables you to make sure that the code that is produced for your website is actually secure. This could be done by having another programmer periodically audit the source code of your website or by employing a third party to actively scan and test your website for vulnerabilities. Both options are good. We actually recommend that you use them both in an alternating and overlapping way.
If you would like some help in vetting your source code all you need to do is contact us using the contact form below or call us at (657) 205-7377. We'll help you put together a plan to secure your website.
Other ways to increase your website security.
There are lots of ways you can go beyond the items mentioned above. Here are some for you to consider:
- Software Firewall
- Restrict admin access by IP
- Ensure proper error handling
- Install appropriate security plug-ins
There are many ways to secure your website against attack. Not all will be right for you and your business. Remember, if you have questions or need help, we're here for you.
Hopefully the information above has helped you along the process of securing and hardening your website against attack from hackers. If you feel that you may benefit from a 30 minute consultation, please contact us using the contact form below or call us at (657) 205-7377. We'll help you review your website and go over what you can do to be prepared when a hacker comes calling.