Unfortunately, the internet is not always the safe haven we would like it to be. For whatever reason, there are people out there who write scripts to probe the internet in search of websites with security vulnerabilities. Once a site is compromised, the breach may be used to redirect your visitors to other websites, deploy malware, or in worse cases, steal information about your customers. While it is easy to simply hope that it never happens to us, as business owners it is always in our best interest to proactively prevent such breaches from occurring, rather than dealing with the consequences afterward. It’s not as difficult as you might think. Here are some of the areas that your IT administrator might want to look at.
Most shared hosting companies provide a web based control panel; common ones are cPanel and Plesk. While it is usually up to the hosting company to make sure that their host is up to date (and this is one thing I would be asking any potential hosting provider), as a customer you can still make sure that the password for the control panel is relatively hard to guess and certainly not left as a default such as ‘password’.
One trick that hackers use is to upload a new page onto your website. If you ask your web host to make the directories on your web site ‘read only’ then it is impossible for hackers to modify your web site or upload malicious code. You may even be able to do this from your control panel or FTP client. If you have a VPS, this can very easily be done from the command line.
Sites that use https:// rather than http:// encrypt all the data that is sent between the web browser and the web site. This is particularly useful for filling in forms where a customer has to log on. Your web browser will issue a security warning if you do not have your own SSL certificate, but they are relatively cheap these days, and this is an absolute must if you want to do any sort of online transaction.
Content Delivery Networks have come a long way. Not only do they keep a local copy of parts of your website to speed it up, the more sophisticated ones have value added features that also act like a firewall. This allows them to detect spambots and the like, preventing inappropriate posts to your blog and other malicious attacks. They can also restrict access to parts of your website, such as the administrator pages, to a whitelist of IP addresses.
If your website is built around a commonly used Content Management System like Joomla, Drupal or WordPress, it is really important to update the core application as well as its plugins. This is no different from deploying a security update on your PC. Fortunately most of these will self-update at the click of a button from the admin section, but don’t forget to set your file permissions back to read/write while you do this, and then re-secure the site again. While we can never guarantee that a website will never be compromised, taking some (or all) of the measures I have mentioned may deter potential hackers and send them off in search of easier targets. If you'd like a free assessment of your website security, feel free to get in touch.
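For the VPS case, here is an added example (not from the original post) of locking a web root read-only from the command line as described earlier, reopening it for a CMS update, and checking that nothing was left writable. The web root path and the constructed demo tree are placeholders; run it as the file owner, not as the web server user.

```shell
#!/bin/sh
# Added example: seal a document root against modification, reopen it for
# updates, and verify the result. The real path (e.g. /var/www/example) is a
# placeholder assumption; the demo below uses a throwaway directory instead.
set -eu

# Make every directory and file under $1 read-only. Directories keep the
# execute bit so the web server can still traverse them and serve pages.
lock_webroot() {
    find "$1" -type d -exec chmod 555 {} +
    find "$1" -type f -exec chmod 444 {} +
}

# Give the owner write access back so the CMS can update itself and its
# plugins; call lock_webroot again as soon as the update has finished.
unlock_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Count entries (files or directories) that still carry an owner write bit.
# After lock_webroot this should be 0; anything else was missed.
count_writable() {
    find "$1" -perm -u=w | wc -l | tr -d ' '
}

# Demonstration on a constructed throwaway tree shaped like a WordPress site
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads"
echo "<?php" > "$demo_root/index.php"
lock_webroot "$demo_root"
echo "writable entries after lock: $(count_writable "$demo_root")"
unlock_webroot "$demo_root"
echo "writable entries after unlock: $(count_writable "$demo_root")"
rm -rf "$demo_root"
```

Read-only permissions only help if the web server process does not own the files, so keep the site owned by your own deploy account and leave the server user with read access only.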