Website security settings are increasingly important today, and in this article we will look into why it is important for you, a website owner, to be informed about cyber security, and at some of the best practices (in fact, the must-have practices) for basic website security that you can implement on your website without breaking the bank.
In general, website security impacts the web development process in two main ways:
1) Data Privacy and Security
In Europe, you have GDPR - the General Data Protection Regulation. In Singapore, we call it PDPA - the Personal Data Protection Act 2012. Data privacy is no longer a luxury these days but a necessity: it is not only a basic user expectation when it comes to using your website, but also something that is regulated by law in most cities today.
Hacking and cyber attacks are prevalent today - the biggest known data breach incident locally occurred in 2018 and affected 1.5 million users - and is known as the SingHealth data breach. According to the inquiry report released, the breach was due to a combination of bad system management, the lack of an incident reporting protocol, and poor training and knowledge of staff, amongst other factors.
Now, your website may not be of SingHealth scale where you serve millions of users and hold a lot of sensitive data, and hence be targeted by high level sophisticated hackers. However, cybercrime statistics show that even your simple corporate or e-Commerce website is at risk.
How prevalent and common are cyber attacks - or in simpler terms - how common is it for a website to be hacked?
First - let us look at some real statistics taken from existing Oangle clients - we will use 3 actual websites (without naming them, of course) as case studies:
- Website 1 is a simple corporate website with not more than 10 pages, no contact form, no e-Commerce, no login system for users.
- Website 2 is a more complex e-Commerce user membership website, with quite a lot of different features, including payment gateways for various different types of products, and a lot of subscription-only content.
- Website 3 has a great deal of content, and a lot of admin / editor users, but no login system for frontend users, and no e-Commerce.
Let's take a look at their firewall blocking stats in the past month (Oct 2020):
Note: This chart is not a list of how many times these websites have been hacked - but a list of the number of attempts / attacks on their website. All these recorded attempts listed above have been discovered and blocked in advance by monitoring systems set up on the application side (we will discuss more about application vs server side later).
A few insights from this chart:
- Even a basic corporate site with not many views will be targeted by attackers
- The more features your site has, the more opportunities for attackers to attack your site
- The more security features you set up, the harder it is for attackers to even be able to attack your site - notice how, for Website C, even though it has a lot more content and a lot more traffic than Website B, the average attacks it receives is significantly lower than Website B. This can be attributed to two main reasons: (a) Website C has more stringent server side security settings than Website B; and (b) Website C does not have as many features to exploit as Website B.
Also, while these stats are real case studies from Oangle's clients, note that they do not represent all websites, and are only picked as case studies in this article as an illustration.
Let us first understand the difference between complex attacks (which range from a variety of higher level attacks), versus the plain old brute force attacks:
Brute force attacks are the simplest form of cyber attack - the easiest way to hack into a website. This is when an attacker or a malicious bot (sent by an attacker) repeatedly tries different combinations until they are able to enter your website. As can be seen from the chart above, even if you run just a simple corporate website, your website can still be attacked. Oangle has glass doors in our office. I've always used this analogy to explain this idea to clients - although we keep our main doors locked; however, if somebody takes a sledgehammer and swings at our glass door, perhaps they won't break the glass at the first try, perhaps they won't break the glass at the tenth try, but if they keep at it, it may not take them 100 swings, or even 20 swings, to be able to successfully break into our office (this is where our CCTV camera, office insurance, and a simple policy of not leaving anything precious - digital or physical - in the office come in handy). This is a brute force attack.
Complex attacks, however, are basically higher-level targeted attacks that specifically exploit a vulnerability in a site. There are many ways how this can be done, and we won't be going into the specifics in this article. Even though these are more complex and can vary greatly in the way they are done, there are still basic ways to be able to prevent and block them.
At this point, let us look at another case study - Website 4:
Website 4 is a website with forms and a lot of content, but no e-Commerce, and not as much content as website C, and a lot more traffic. What is notable is this - website 4 went through very expensive penetration testing, and as a result, a lot of application side and server side security settings were done up.
Notice the impact: in the last 7 days, there were almost zero attacks on the website. This is consistent in our statistics across the past 3 months, except for one day in the past 30 days where over 4000 complex attacks were made on the site. That was a targeted attack, which saw a series of responses from the host side and application side to block and prevent it, resulting in a series of patches to the website after that.
The underlying point is this:
- It is important to have security settings in place to prevent an attacker from being able to find and attack your site.
- However, when an attack does happen, it is important to have security settings in place to block the attack so that the website is not compromised.
- It is important to set up a monitoring system in order to be aware of the status of the site's security, and to know if attackers are trying to overwhelm the site.
- In the case where the website is compromised, there should be incident reporting frameworks in place to identify the compromise, patch and restore the site.
Who is responsible for what, and what are the ways an attacker can attack a site?
In summary, we need to understand the differences between server side, application side and client side. Without going into too much technical jargon, we just need to understand that attacks can come from multiple ways:
- Server side - this is when the host server gets compromised, and attackers overwhelm and crash the server or hack into the server, thus gaining entry into your website and databases. Most host servers have basic and decent security and monitoring system to circumvent this. If you are unsure, you can speak to your host to find out what are they doing for security.
- Application side - this is from web development, and includes all applications on the website, including the admin login panel to the CMS, all frontend forms, and the way the application connects to different databases or third-party scripts/sources. This is where usage of security plugins on application level is critical.
- Client side - around 80% of website attacks are caused by negligent password practices. At Oangle, an overwhelming majority of the hack cases that we have seen in our clients in the past few years can also be attributed to poor password practices. Refer to point 1 of the 'How can you protect your website?' section for tips on best practices for password protection.
In summary, everybody has a part to play in keeping your website secure, including you - the website owner. Do not think that you can leave the responsibility purely to your host or web developer - especially if your web developer is not on a maintenance contract to upkeep your website for you.
Why would attackers target your website?
Perhaps your website is a simple, corporate website, with only 5 static pages and not even a contact form - i.e. no personal data in the database. You may therefore feel entitled to think that your website will not be a target of malicious cyber attacks. This, however, is an illusion. Here at Oangle, we have seen numerous simple, corporate and branding websites being compromised (as shown in the case studies above).
We have seen websites being hacked by hobbyist hackers - who, after hacking a simple site, were 'kind' enough to send our clients an email to notify them that 'hey, I hacked into your website, do something about it!' It is also very common to see injection of malicious code, viruses and trojans into your website - e.g. instead of downloading your PDF when users click on 'download now', they may be downloading an extra trojan or virus onto their computers. Or, instead of going to your home page when users arrive at your domain, they get redirected to a pornography site, or a phishing/scam site.
Compromise of data is of course a huge reason as well - especially for e-Commerce sites - we have also seen cases of companies hiring hackers to hack into their competitors' websites in order to retrieve personal data of the customers in the industry, or hackers changing the payment gateway to their own account.
In short, there are many reasons why your website may be targeted - in fact, sometimes there simply isn't a reason - attackers do not need a reason in order to hack your website, especially when you do not have the basic security settings in place - it is tremendously easy even for novice hackers to break into a website without proper security settings.
What are the potential implications of your website being compromised?
This depends on the kind of website you have.
- Loss of Personal data of customers, which may result in a hefty fine
- Leaking of confidential company data
- Damage to the company's brand image - malicious code or content injected into a compromised website reflects directly on the brand behind it
- Crime - malicious codes may be injected into your website to cause it to be part of phishing or scam or fraud cases, and this may even cause you to be involved in police investigations
- Loss of legitimate ecommerce sales
- Drop in search engine rankings, or even being blacklisted by search engines, especially if your website becomes regarded as phishing websites
We have gone a bit off-tangent from data security and privacy, but today, it is one of the areas with the greatest impact when it comes to website security, and understanding how common attacks on websites are, and the implications of a security compromise will serve you well. Next up, we will look at another key area of impact to web development when it comes to website security.
2) Code base, using latest and updated codes or plugins to build the site
A lot of security practices are implemented by the web developer or web designer (if designing and building the website using a platform like WordPress). We will elaborate on some of these best practices later on in this article.
How can you protect your website?
You may be like most of the clients we meet at Oangle - you do not have your own dedicated IT / cyber security team; you do not have the budget to hire a VAPT team (who use enterprise-level cyber security software with enterprise-level pricing) to audit your website security; and you do not have the ability to spend extra money to implement higher-level security and systems. However, there are still plenty of things you can do to make it a lot harder for attackers to target your website - they are free and doable on most websites, so you have no excuse not to do them. Here is a non-exhaustive list:
1) Ensure that your admin password is secure
At Oangle, we handle tens of thousands of user credentials and passwords - in a single project, we can easily have more than 20 sets of credentials. To manage this and to ensure that our credentials are kept secure, we use a password manager called Keeper to store and protect our passwords. Keeper is a premium product; however, there are many free alternatives out there. Having a password manager is crucial as it frees you from the numerous bad habits of keeping passwords:
- creating an easy to remember password - understand that easy to remember = easy to hack
- using the same password for multiple purposes / accounts
- always clicking on 'remember me'
- never changing out of your default password
- using the same password for years without changing it
- writing your passwords down in a notepad or an insecure place in your phone or computer
- setting the password to your admin account as 'password' - believe it or not, for numerous instances of hack cases we've seen in the past few years, we eventually discovered that the password of the admin user account was set by client to 'password'. This is akin to leaving your key in the door knob and wondering how the thief got in.
2) Ensure that you have a valid SSL certificate
In the current day and age, where SSL certificates are freely available - cPanel, for example, gives you a one-click 'AutoSSL' button to set up a valid SSL certificate for your websites - you really have no excuse not to own an SSL certificate. If you are not sure what an SSL is - it refers to Secure Sockets Layer, and it establishes an encrypted connection between client and server, which also necessitates a form of authentication. To see whether your website has an SSL certificate, just try typing your URL with 'https://' instead of 'http://' and see if your website loads properly. In fact, if you type 'http://', your site should redirect to 'https://' as best practice. There are many benefits to having an SSL certificate - including SEO reasons - but we will not be diving into that in this article.
3) Ensure that you have a valid monitoring system for your site's security
Even banks and national public systems can be hacked, so even if you are very confident of your site's security, a monitoring system has to be in place, because the majority of the cyber attacks that occur can be prevented if they are stopped when they are discovered. If you use WordPress, install a security plugin like Wordfence to help you monitor your site's security. We recommend going through your Wordfence settings for rate limiting and login security to tighten your security as well - if you need help with this, feel free to contact us! It's just a 5 minute job!
4) Ensure your site is backed up regularly
Most hosting plans have some kind of scheduled backup available, and a back up will be very crucial in case your site was compromised. If your hosting plan does not provide a suitable backup system, you can do your own manual backups, or use a plugin like Updraft Plus to support you in this.
5) Ensure your site is updated and patched regularly
While your newly built site is usually up to date, web technology and browsers are improved and updated so regularly that your website gets outdated pretty quickly. Outdated code presents an inherent vulnerability, and hence websites should be maintained properly in a technical sense to close the loopholes that outdated code leaves open. If you are using WordPress, it is critical to ensure that your WordPress version and all your plugins and themes are updated.
6) Ensure that you have sufficient login security and rate limiting setup
A tool like Wordfence for WordPress websites can easily help you set this up, and this includes, but is not limited to:
- 2FA (two-factor authentication) for logins
- Not revealing information about whether the username exists in your login error notifications
- Block users who try to log in too many times (we typically limit this to 5 tries)
- Block users who try to reset passwords too many times
- Enforce complex passwords and disallow simple passwords from being used
- Hide the admin login page
- Do not use obvious admin usernames like 'administrator' or 'admin' or your own company name/shortname
- Block users who log in with invalid usernames
- Throttle or block users or bots who attempt too many views / hit too many error pages
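To make the login-security points above concrete, here is an added example (not Wordfence's code, nor anything from the article) of how a login handler can enforce them: a lockout after 5 failed tries counted per username and per source address, one generic error message so the response never reveals whether a username exists, rejection of obvious admin usernames and weak passwords at registration, and salted password hashing so a leaked database does not hand over plaintext passwords. The 15-minute lockout window, the forbidden-username list, and the password rules are assumptions chosen to mirror the article's advice, not values from the page.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict
from typing import Optional

MAX_FAILURES = 5            # the article's suggested limit of 5 tries
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window; not from the article
FORBIDDEN_USERNAMES = {"admin", "administrator", "root"}   # add your company name/shortname
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}
GENERIC_ERROR = "Invalid username or password."   # identical for unknown user and wrong password
LOCKED_ERROR = "Too many attempts. Try again later."


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-SHA256 hash; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Hashing against a dummy record when the user does not exist keeps the response
# time the same, so timing alone does not reveal which usernames are valid.
DUMMY_RECORD = hash_password("dummy-password-for-timing-equalisation")


def password_is_strong(password: str) -> bool:
    """Reject short or well-known passwords; require 3 of 4 character classes."""
    if len(password) < 12 or password.lower() in COMMON_PASSWORDS:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable so the lockout window can be tested
        self.users = {}                       # username -> (salt, digest)
        self.failures = defaultdict(list)     # "user:x" / "ip:y" -> timestamps of failures

    def register(self, username: str, password: str) -> None:
        if username.lower() in FORBIDDEN_USERNAMES:
            raise ValueError("choose a non-obvious admin username")
        if not password_is_strong(password):
            raise ValueError("password is too weak")
        self.users[username] = hash_password(password)

    def _recent_failures(self, key: str) -> int:
        # Drop failures older than the lockout window, then count what is left.
        now = self.clock()
        self.failures[key] = [t for t in self.failures[key] if now - t < LOCKOUT_SECONDS]
        return len(self.failures[key])

    def is_locked(self, key: str) -> bool:
        return self._recent_failures(key) >= MAX_FAILURES

    def login(self, username: str, password: str, client_ip: str):
        """Return (success, message). Failures count against both the username and
        the source IP, so a bot cannot spread guesses over many usernames from one
        address, or over many addresses against one user, without being throttled."""
        keys = (f"user:{username}", f"ip:{client_ip}")
        if any(self.is_locked(k) for k in keys):
            return False, LOCKED_ERROR
        salt, digest = self.users.get(username, DUMMY_RECORD)
        ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if username not in self.users:
            ok = False                        # the dummy record must never authenticate
        if not ok:
            now = self.clock()
            for k in keys:
                self.failures[k].append(now)
            return False, GENERIC_ERROR       # never say whether the username exists
        return True, "Welcome."
```

Two design points are worth noticing. The failure message and the work done are the same whether the username exists or not, which is what "not revealing information about whether the username exists" means in practice. And the lockout is keyed on both the username and the client address, because a brute-force bot that only gets throttled per username will simply rotate usernames, and one that only gets throttled per address will simply rotate addresses.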
7) Higher level actions:
Some of the points in this list are a lot more technical, and may not be easily implemented by a non-technical person. If you have the budget to do so, it is always good to ensure that you have a team to look into these for you.
- Set up proper HTTP Security headers
- Protect against DDoS and DoS attacks, e.g. using Cloudflare
- Ensure that information about the web application is not exposed
- Disable XML-RPC
- Remove permissions to edit any files from application side
- Have a team ready to consistently keep your website updated and backed up
- Schedule regular VAPT tests
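Two of the checks in this article can be verified from nothing more than the raw response headers your site sends: the http:// to https:// redirect from point 2, and, from the list above, the HTTP security headers and whether information about the web application (server and PHP version banners) is exposed. The following is an added example, not from the article or from any product it mentions. It parses raw HTTP response text, so it runs offline on the constructed sample responses below; in practice you would feed it what `curl -sI http://yourdomain` and `curl -sI https://yourdomain` print. The list of expected headers is a common baseline, chosen here as an assumption rather than taken from the page.

```python
# Security headers a hardened site is expected to send, with the reason for each.
EXPECTED_HEADERS = {
    "strict-transport-security": "keeps browsers on HTTPS after the first visit",
    "x-content-type-options": "stops MIME-type sniffing (value must be 'nosniff')",
    "x-frame-options": "blocks clickjacking by refusing to be framed",
    "content-security-policy": "limits where scripts and content may be loaded from",
    "referrer-policy": "limits URL leakage to third parties",
}
# Headers that commonly carry version banners revealing the software stack.
LEAKY_HEADERS = ("server", "x-powered-by")


def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_https_redirect(raw_http_response: str) -> bool:
    """True when a plain-http request is permanently redirected to an https:// URL."""
    status, headers = parse_response(raw_http_response)
    return status in (301, 308) and headers.get("location", "").startswith("https://")


def audit_security_headers(raw_https_response: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    _, headers = parse_response(raw_https_response)
    findings = []
    for name, purpose in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name}: {purpose}")
    if "x-content-type-options" in headers and headers["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options is set but not 'nosniff'")
    for name in LEAKY_HEADERS:
        value = headers.get(name, "")
        if any(ch.isdigit() for ch in value):     # e.g. "Apache/2.4.41" or "PHP/7.4.3"
            findings.append(f"{name} reveals version information: {value}")
    return findings


# Constructed sample responses for illustration; not captured from any real site.
SAMPLE_HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_HTTPS_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
    "<html>...</html>"
)
SAMPLE_HTTPS_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    print("http -> https redirect:", check_https_redirect(SAMPLE_HTTP_REDIRECT))
    for label, sample in (("weak", SAMPLE_HTTPS_WEAK), ("hardened", SAMPLE_HTTPS_HARDENED)):
        print(label, audit_security_headers(sample) or ["all checks passed"])
```

Run against the weak sample, the audit lists the five missing headers plus the two version banners; against the hardened sample it returns nothing. The version-banner check is deliberately crude (any digit in the `Server` or `X-Powered-By` value), which is enough to catch the defaults most hosting stacks ship with.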
No matter what kind of website you own, you can be attacked. No matter how good your security is today, your website can be attacked. It is important to never be too confident in your own website's security, so that you are always vigilant and have the necessary steps in place to react to attacks, when they happen. Your site will never be 100% secure - the attacks won't stop - the hackers and bots won't stop trying. Even as technology improves, hackers improve as well. Therefore, web security is a never ending process. But as long as you are conscientious about it and keep yourself updated with cyber security and know what to do when you face attacks, you do not need to fear attacks.
We understand that to the lay website owner, much of this website security knowledge is difficult to grasp, and not easy to keep up with. At Oangle, we will be able to advise you on the necessary steps to take for your website's security, so that the data of your customers and the confidential information about your own business are not compromised.