In our previous post, we have discussed why marketers should have a proactive approach to website security. Today we are going to discuss some security tips marketers can put into practice. In the simplest terms, website security means three things here at Sucuri:
- Protecting your website from compromises.
- Monitoring for issues so you can react quickly.
- Having a documented emergency response plan.
Marketers should champion these initiatives so they can be prioritized by their business development team. When working with the IT counterparts within the company, marketers can greatly improve the security posture of the brand.
Monitor and Audit Your Web Properties
As a marketer, you know the importance of logs. You probably spend a lot of time reviewing reports, spreadsheets, and analytics. Google Alerts or social media mentions, in particular, demonstrate how important early detection can be. Now apply these same concepts to your website integrity.
A good first step would be to validate ownership of your domains in search engine tools like Google Search Console, Bing Webmaster Tools, and Yandex Webmaster. These awesome tools are completely free. They alert website owners when crawlers find security issues on your site. They also offer features like security reports and options to request reviews in the event that your site is blacklisted. Keep in mind, these properties are primarily meant to keep search engine users safe–not your website.
Our free tool SiteCheck can scan your website specifically looking for a variety of security issues, but like the search engine crawlers, they don’t have access to your web server and can miss deeply hidden malware. This is why it’s also wise to look into a professional website monitoring and alerting solution.
Another auditing consideration is user account access. All websites and online accounts, even small ones, are targeted by automated bots that scan the internet for accounts and will try various passwords. Do you have a way of knowing if one of your website administrators suddenly logs in from a strange location at 3AM?
Some examples of helpful monitoring tools include Microsoft’s Account Activity log and Google’s suspicious login attempt alerts. However, these tools are not a comprehensive monitoring system. Your website should also have a system to parse server logs and identify login attempts that could be malicious.
If you use WordPress, we offer a free auditing and monitoring plugin that scans your website, logs user behavior, and helps you recover if your site has been hacked.
Protect Your Website from Attacks
There are two ways websites get hacked—by exploiting a software vulnerability or by gaining unauthorized access.
Locking down access means being strict about strong passwords and privileges. Malicious bots can attempt thousands of passwords per second to access your website user accounts. Hackers have collected billions of possible passwords from historical data breaches, dictionaries, and internet content. These lists have been further expanded by creating permutations with character replacement.
For this reason, 2FA (Two-Factor Authentication) also known as MFA (Multi-Factor Authentication) is essential. These features require you to enter a code from your device after entering a password. In other words, an attacker needs to gain access to your mobile phone or tablet to get into your accounts.
The next consideration for account access is assigning the right privileges. Only grant the access required for the duration it is needed. Revoke it as soon as the actions are complete. Not everyone needs admin access, and if they do, it can often be granted temporarily. We have an article that goes into this in further depth.
There is not a lot to say about vulnerability exploitation prevention. Ultimately, applying software updates as soon as possible is the best way to make sure known flaws are patched. This doesn’t help if there are zero-day vulnerabilities. These kind are unknown to the developer or have yet to be patched.
The best way to block malicious bots and hack attempts is activating a website application firewall (WAF). This technology is designed to stay ahead of emerging threats, including zero-day attacks. These services have the added benefit of blocking DDoS attacks, which aim to take down your website by flooding it with traffic.
Modern WAFs also include a content delivery network (CDN) which have the added benefit of speeding up your website. With page speed affecting most marketing metrics, this makes yet another case for marketers getting involved with supporting the security and availability of their websites.
Create an Incident Response Plan
Do you know what you would do if your website was hacked?
If an incident occurs, it’s crucial to have a response plan for brand reputation and business continuity.
We’ve written a blog article on creating an incident response plan you can trust. One of the first things you should ensure is that you have a reliable system for website backups. Your backups should be stored in a secure location and scheduled to be performed automatically, with redundant copies and a proven recovery method.
It’s also important to note that if your website has been hacked, you’ll want to restore a backup from a period before the hack occurred. If you restore a copy that has already been hacked and try to close the original loophole that allowed an attacker in, don’t be surprised if the website gets reinfected. According to our annual report, 71% of hacked websites contain backdoors to allow re-entry.
Of course, you’ll also want to know who you’re going to call. Perhaps someone on your IT team knows how to identify PHP and JavaScript malware, but it takes a lot of time and research to stay up to date with the emerging threats. It’s best to have a professional website malware removal service you can call in the event of an emergency.
If you aren’t in a rush to clean your website, we offer free DIY guides on things like cleaning hacked sites and removing Google blacklist warnings. Depending on the complexity of the malware infection and number of backdoors, it’s usually worth it to partner up with security professionals. As always, Sucuri is here for you!
Conclusion
The application of web-based marketing and security is shaping our internet experience. Security awareness is in high demand and marketers are primed to understand the landscape.
By taking steps to prioritize website security within your organization, you can prevent a potentially catastrophic breach and prove to customers that your website is trustworthy.
I will be hosting a webinar on Website Security Primer for Digital Marketers today. Sign up and participate in the webinar for free.
As we close our contributions to the National Cyber Security Awareness Month, we have compiled a video of tips to improve your website security. Watch it and share with anyone who is interested in making the internet a safer place!