In recent years there has been a proliferation of great tools and services in the web development space. Content management systems (CMS) like WordPress, Joomla!, Drupal and so many others, allow business owners to quickly and efficiently build an online presence. Their highly extensible architectures, rich plugins, modules and extension ecosystems have made it easier than ever to get a website up and running without years of learning required.
This is undoubtedly a great thing; however, an unfortunate side effect is that now there are many webmasters who do not understand how to make sure their website is secure, or even understand the importance of securing their website. In this post, I want to share with you the top 10 steps all webmasters and website owners can (and should) take to keep their website secure.
1 – Update, Update, Update!
This is something we cannot stress enough here at Sucuri. Countless websites are compromised every day due to the outdated and insecure software used to run them. It is incredibly important to update your site as soon as a new plugin or CMS version is available. Most hacking these days is entirely automated. Bots are constantly scanning every site they can for exploitation opportunities. It is not good enough to update once a month or even once a week because bots are very likely to find a vulnerability before you patch it. Unless you are running a website firewall, you need to update as soon as updates are released. If running WordPress, I personally recommend the plugin ‘WP Updates Notifier‘. It emails you to let you know when a plugin or WordPress core update is available. You should also follow @sucuri_security on Twitter to get notified about important updates and security warnings.
2 – Passwords
Working on client sites, I often need to log into their site/server using their admin user details and am frequently disturbed by how insecure their root passwords are. It’s scary that I have to say this, but admin/admin is not a secure username and password combination. If your password appears in this list of most common passwords, it is guaranteed that your site will be hacked at some point.
Even if your password is not on that list, there are a lot of misconceptions about “strong” passwords. The lax requirements on most password strength meters are part of the problem. Our friends at WP Engine have put together some interesting research that debunks many of the myths surrounding passwords.
When it comes to choosing a password there are 3 key requirements that should always be followed (CLU – Complex, Long, Unique):
- COMPLEX: Passwords should be random. Do not let someone hack your account just because they could find out your birth date or favorite sports team. Password-cracking programs can guess millions of passwords in minutes. If you have real words in your password, it isn’t random. You might think you are clever for using leetspeak (letters replaced with characters L1K3 TH15) but even these are not as secure as a completely random string of characters. Hackers have compiled some seriously impressive word lists for cracking passwords.
- LONG: Passwords should be 12+ characters long. I know some in the security community would scoff at a 12 character password and insist that passwords should be longer. However, when it comes to online login systems, any system that is following simple security guidelines should limit the number of failed login attempts. If there is a limit on the number of failed login attempts, a 12 character password will easily stop anyone from guessing it in just a few attempts. Having said that, the longer the password, the better.
- UNIQUE: Do not reuse passwords! Every single password you have should be unique. This simple rule dramatically limits the impact of any password being compromised. Having someone find out your FTP password should not enable them to log in to your email or internet banking account. Contrary to popular belief, we are not as unique as we believe ourselves to be; if you can randomly generate the password, even better.
Now I can already hear you ask, “how am I supposed to remember 10 random passwords which are all 12 characters long?” The good news is you don’t need to remember them all, and in fact, you should not even try. The answer is to use a password manager such as “LastPass” (online) and “KeePass 2” (offline). These brilliant tools store all your passwords in an encrypted format and can easily generate random passwords at the click of a button. Password managers make it much easier to use strong passwords than it is to memorize a couple of decent passwords.
Yes, these password managers can present challenges and a possible weak point. Just this week LastPass announced a compromise. Not all compromises are the same though (more on this another time).
3 – One Site = One Container
I understand the temptation. You have an ‘unlimited’ web hosting plan and figure why not host your numerous sites on a single server. Unfortunately, this is one of the worst security practices I commonly see. Hosting many sites in the same location creates a very large attack surface.
For example, a server containing one site might have a single WordPress install with a theme and 10 plugins that can be potentially targeted by an attacker. If you host 5 sites on a single server now an attacker might have three WordPress installs, two Joomla installs, five themes and 50 plugins that can be potential targets. To make matters worse, once an attacker has found an exploit on one site, the infection can spread very easily.
Not only can this result in all your sites being hacked at the same time, it also makes the cleanup process much more time consuming and difficult; the infected sites can continue to reinfect one another in an endless loop.
After the cleanup is successful, you now have a much larger task when it comes to resetting your passwords. Instead of just one site, you have a number of them. Every single password associated with every website on the server must be changed after the infection is gone: all of your Content Management System (CMS), database, and File Transfer Protocol (FTP) users for all of those websites. If you skip this step, the websites could all be reinfected again and you are back to square one.
4 – Sensible User Access
This rule only applies to sites that have multiple logins. It’s important that every user has the appropriate permission they require to do their job. If they require escalated permissions momentarily, grant it, then reduce it once the job is complete. This is a concept known as Least Privileged.
For example, if you have a friend that wants to write a guest blog post for you, make sure their account does not have full administrator privileges. Your friend’s account should only be able to create new posts and edit their own posts because there is no need for them to be able to change website settings.
Having carefully defined access will limit any mistakes that can be made. It reduces the fallout of compromised accounts and can protect against the damage done by ‘rogue’ users. This is a frequently overlooked part of user management: accountability and monitoring. If people share a user account and an unwanted change is made by that user, how do you find out which person on your team was responsible?
Once you have separate user accounts for every user, you can keep an eye on user behavior by reviewing logs and knowing the usual behavior (when and where they normally access the website) so you can spot anomalies and confirm with the person that their account hasn’t been compromised.
5 – Change the Default CMS Settings!
Today’s CMS applications, although easy to use, are horrible from a security perspective for the end users. By far the most common attacks against websites are entirely automated, and many of these attacks rely on the default settings being used. This means that you can avoid a large number of attacks simply by changing the default settings when installing your CMS of choice.
For example, some CMS applications are writeable by the user – allowing a user to install whatever extensions they want. There are settings that you may want to adjust to control comments, users, and the visibility of your user information. The file permissions, which we discuss later, are another example of a default setting that can be hardened.
It is usually easiest to change these default details when installing your CMS, but they can be changed later.
6 – Extension Selection
One of the beautiful things about today’s CMS applications is its extensibility. What most don’t realize however is that that same extensibility is the biggest weakness. There are a massive number of plugins, add-ons, and extensions providing virtually any functionality you can imagine. However, the reality is that at times the massive number of extensions can be a double-edged sword. Often there are multiple extensions offering similar functionality, so how do you know which one to install? Here are the things I always look at when deciding which extensions to use.
The first thing I look for is when the extension was last updated. If the last update was more than a year ago, I get concerned that the author has stopped work on it. I much prefer to use extensions that are actively being developed because it indicates that the author would at least be willing to implement a fix if any security issues are discovered or reported. Furthermore, if an extension is not supported by the author, then it makes little sense to use it for your website as it may stop working at any time.
I also like to look at the age of the extension and the number of installs. An extension developed by an established author that has numerous installs is much more trustworthy than one that has 100 installs and has been released by a first-time developer. Not only is the experienced developer much more likely to have a good idea about best security practices, but they are far less likely to damage their reputation by inserting malicious code into their extension. More importantly, the larger the user base, the more incentive attackers have to invest in trying to break it.
It is incredibly important that you download all your extensions and themes from legitimate sources. There are many sites that offer ‘free’ versions that are normally premium and require payment to download. These ‘free’ versions are pirated and frequently infected with malware. The websites offering these ‘free’ versions are setup with only one goal: to infect as many websites as possible with their malware.
7 – Backups
Like anything in the digital world, it can all be lost in a catastrophic event. We often don’t back up enough, but you will thank yourself if you take some time to consider the best website backup solutions for your website.
Making backups of your website is very important, but storing these backups on your web server is a major security risk. These backups invariably contain unpatched versions of your CMS and extensions which are publicly available, giving hackers easy access to your server.
If you’re interested in learning how to make reliable and secure backups of your website, I recommend you read my website backup strategy guide.
8 – Server Configuration Files
You should really get to know your web server configuration files. Apache web servers use the .htaccess file, Nginx servers use nginx.conf, and Microsoft IIS servers use web.config. Most often found in the root web directory, these files are very powerful. These files allow you to execute server rules, including directives that improve your website security.
If you aren’t sure which web server you use, you can run your website through Sitecheck and click the Website Details tab.
Here are a few rules that I recommend you research and add for your particular web server:
- Prevent directory browsing: This prevents malicious users from viewing the contents of every directory on the website. Limiting the information available to attackers is always a useful security precaution.
- Prevent image hotlinking: While this isn’t strictly a security improvement, it does prevent other websites from displaying the images hosted on your web server. If people start hotlinking images from your server, the bandwidth allowance of your hosting plan might quickly get eaten up displaying images for someone else’s site.
- Protect sensitive files: You can set rules to protect certain files and folders. CMS configuration files are one of the most sensitive files stored on the web server as they contain the database login details in plain text. There may be other locations that can be locked down such as admin areas. You can also restrict PHP execution in directories that hold images or allow uploads.
There are many more rules and options that you can look into for your web server configuration file. You can search for the name of your CMS, your web server and “security” but make sure to confirm your findings are legitimate before implementing anything. Some people post bad information online with malicious intent.
9 – Install SSL
I’m actually of two minds as to whether or not to include this point because there have been so many articles incorrectly stating that installing SSL will solve all your security issues. SSL does nothing to protect your site against any malicious attacks, or stop it from distributing malware. SSL encrypts communications between Point A and Point B – the website server and browser. This encryption is important for one specific reason: it prevents anyone from being able to intercept that traffic, known as a Man in the Middle (MITM) attack.
SSL is especially important for E-Commerce website security and any website that accepts form submissions with sensitive user data or Personally Identifiable Information (PII). The SSL certificate protects your visitor’s information in transit, which in turn protects you from the fines that come along with being found noncompliant with PCI DSS.
10 – File Permissions
File permissions define who can do what to a file.
Each file has 3 permissions available and each permission is represented by a number:
- ‘Read‘ (4): View the file contents.
- ‘Write‘ (2): Change the file contents.
- ‘Execute‘ (1): Run the program file or script.
If you want to allow multiple permissions you just need to add the numbers together, e.g. to allow read (4) and write (2) you set the user permission to 6. If you want to allow a user to read (4), write (2) and execute (1) then you set the user permission to 7.
There are also 3 user types:
- Owner – Usually the creator of the file, but this can be changed. Only one user can be the owner.
- Group – Each file is assigned a group, and any user who is part of that group will get these permissions.
- Public – Everyone else.
So, if you want the owner to have read & write access, the group to have only-read access, and public to have no access, the file’s permissions settings should be:
When you view the file permissions this will be shown as 640.
Folders also have the same permissions structure; the only difference being that the ‘execute’ flag allows you to make the directory your working directory (so you usually want it on).
Most CMS installs have all the permissions correctly configured by default, so why did I just spend so much time explaining how permissions work? When searching for solutions to permissions errors, all over the web you will find people advising you to change file permissions to 666 or folder permissions to 777. This advice will usually fix any permissions errors, but it is terrible advice from a security perspective. If you set a file permission to 666 or folder permission to 777 you have just allowed *anyone* to insert malicious code or delete your files!
So there you have it! The top 10 relatively simple steps you can take to dramatically increase the security of your website. While these steps alone will not guarantee that your site is never hacked, following them will stop the vast majority of automated attacks, reducing your overall risk posture.
Being aware of these issues and understanding them will provide you with valuable insight into how the underlying technology works and help to make you a better webmaster/site operator.