Website security, the fundamentals

Website security is a broad topic so there's lots to cover. However there are some basic fundamentals that can be ticked off quite easily which should be in place on every website and which will really help batten down the hatches to keep things a little more secure.

If these things sound obvious then it's mostly because they are. However I come across websites all the time that don't have these in place. The most basic things often get overlooked by website managers – but you can pretty much guarantee that malicious users will start with these basics when enumerating your site, so please take the time to note the main points in this article and use them as a quick checklist for your website.

If you have any questions on the below then please ask. I'll be more than happy to help.

Keep your software updated

When vulnerabilities are discovered in platforms such as WordPress, Magento, and their extensions, developers fix these vulnerabilities and release updates. Once these updates are released the vulnerabilities are often publicly disclosed. Malicious users can then read up on these vulnerabilities, scan the internet for sites that don't have the updates in place, and download proof-of-concepts (PoCs) and ready-made tools to quickly take advantage of them. If you haven't updated your website then it's vulnerable; it's really that simple. You might think that they won't know that your site is vulnerable, but they will, and why take that risk?

Create a custom admin path

Most platforms have known admin paths. For example, WordPress's is /wp-admin and Magento's is /admin. This knowledge is exploited by malicious users who use tools to try to "brute force" guess your username and password. As most people use weak usernames and passwords this is often successful. Once they have access to your website's admin area it's downhill from there. You might think that this isn't important, but if it's a business site and you collect PII from your customers then you could be fined up to 4% of your annual turnover or up to €20 million by the ICO. You might even think that you don't collect PII, but it might be as simple as allowing users to comment on your blog. If you allow that then you collect users' email addresses. So create a custom admin path, something like "/ux93u5nvkay3ntjg", and bookmark it. You can even go a step further and only allow access to this path from your own IP address if it's a fixed one. Hide it, lock it down, keep people out.

Usernames and passwords

As a developer I'm often shocked at how bad client usernames and passwords are (sorry, it's true). Not only for the website admin but for FTP, server access, the lot. It's pure madness. Don't use the same password across different sites and do not use your company name! Use complex passwords which include lower and uppercase characters, numbers and special characters, and make them really long. Save them in a password manager such as 1Password so that you don't have to remember them. You can also reset them periodically, such as every 90 days – set a reminder and keep to it. This goes for usernames as well. Remember the brute force tools mentioned above? Well, think of it this way: a malicious user knows that you have a WordPress site. They look at the footer of that website and see something like "Website design by John Smith". Chances are there is an admin panel at /wp-admin and an admin user called "john", so now it's just down to brute-force guessing the password which, if it's weak, will be a breeze and can often be cracked in less than 1 second. Obscure (and limit access to) the admin path, treat your username the same as a password, and make both that and the password really strong. Save them in a password manager.

If possible you should also enable multi-factor/2-factor authentication (MFA/2FA). There are plenty of plugins available for WordPress, Magento etc. which enable this. Do a search, and if you have to pay for it, it's money well spent. The way this works is that to log in, a user needs to know the username and password, as well as a one-time passcode such as one that's sent as an SMS to your phone or, better still, one that's generated using an authenticator app on your phone. There are also hardware keys (e.g. YubiKey) that can help with this, but we're getting a bit beyond the basics there and I want to keep this as easy for people as possible.
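The brute-force guessing described above leaves a clear trail in the web server's access log, and it is worth knowing what that trail looks like. The following Python script is an added example, not code from the original article: it reads Apache/nginx combined-format lines (the sample lines are constructed), flags any source IP that sends many POSTs to the login path within a short window, and separately notes when a successful login follows that run. It assumes WordPress's default behaviour of answering a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in "combined" log format (not real traffic). Five quick
# 200s then a 302 from one IP is the signature of a password-guessing run that worked.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.22 - - [10/Mar/2024:09:20:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Pull ip, timestamp, method, path (query string dropped) and status from one line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"].split("?")[0], "status": int(m["status"])}

def detect_bruteforce(lines, login_path="/wp-login.php", threshold=5, window_s=60):
    """Map each suspicious IP to its peak failed-login count in a window and whether a 302 followed."""
    events = defaultdict(list)  # ip -> [(timestamp, status)] for POSTs to the login path only
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] == login_path:
            events[e["ip"]].append((e["ts"], e["status"]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        window, peak, failed_total, success_after = [], 0, 0, False
        for ts, status in evs:
            window.append((ts, status))
            while (ts - window[0][0]).total_seconds() > window_s:  # slide the window forward
                window.pop(0)
            peak = max(peak, sum(1 for _, s in window if s == 200))  # failures in this window
            if status == 200:
                failed_total += 1
            elif status == 302 and failed_total >= threshold:  # success after a guessing run
                success_after = True
        if peak >= threshold:
            alerts[ip] = {"failed": peak, "success_after_failures": success_after}
    return alerts
```

To run it against a live server, pass the open access log file (for example `open("/var/log/apache2/access.log")`) in place of `SAMPLE_LOG.splitlines()`, and adjust `login_path` if you have moved the admin path as recommended above.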

Manage your users

Again, I sometimes speak to clients who don't know who all of the admin users are on their websites or, more often, have admin users enabled who've not worked on the site for many years. This may be past developers or an old office helper who's no longer working for the company. As a website owner you should know every one of your users, assign the appropriate permissions where possible (e.g. someone who just writes the odd blog post doesn't need to be able to install plugins), ensure that users don't share accounts (this helps with log monitoring and forensics if required), and monitor for unusual activity such as new plugins being installed, someone logging in from a different country etc. Finally, remove users who no longer require access. If you have a developer who works on the site every now and again then you can simply disable the account until you need them to have access.

Here's a post about some key identifiers to help discover if your website has been compromised.

Disable anything that you are not using, secure everything that you are using

This is kind of related to the above. It's quite common to enable plugins to add new features to a website. However, it's less common to disable those plugins when those features are no longer required or if the plugins no longer receive active updates. These can become a weak point in any website so a quick fix is to disable any plugins that you are no longer using. If you don't need it, switch it off.

Whilst we're on the topic of plugins, when you search for a plugin it's wise to do a quick audit on the quality of it before installing it. Be sceptical of anything that you install on your website because, and again this sounds obvious but... (!), you are installing code that will be executed on your web server. If that code has malicious intent then you are practically handing over the keys. Do a quick background check on the developer(s), read the reviews, check how many times it's been installed and whether it's actively maintained. None of these are guaranteed solutions, but just be mindful of what you install and opt for simple plugins where possible.

This also applies to web server services such as (S)FTP and remote MySQL access. If they aren't being used then disable them. If they are being used then, where possible, limit access to known IP addresses. Finally, always opt for secure services such as SFTP over FTP, because any network eavesdropper will be able to capture plaintext passwords over FTP, whereas SFTP traffic is encrypted. It's an easy fix, so why not?

Monitor website activity

This is mostly an ongoing process, and can be complex to configure, but it can really help you keep on top of things, catch intrusions quickly if they happen, and if the worst does happen it can help incident response and forensics teams remediate a hack. Store as many logs as you can (access logs, crash logs etc.) and feed them into a SIEM for ease of access (if possible). This can help detect vulnerabilities and help you defend your website. Monitor for logins, both successful and unsuccessful. Run regular scans for malware and credit card data. Monitor for file changes (if a malicious user gets access and uploads a backdoor then you should know about it right away). Hire a company to carry out penetration tests so that you can address any issues before they are found by malicious users. OK, I know this one is a little tricky to set up, but a developer can help you with this and it really is worth it.
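File-change monitoring is the one item above that is easy to do yourself: hash every file under the web root once, store the result, and compare later runs against it. The script below is an added example and not code from the original article or from any monitoring product named here; it builds such a SHA-256 baseline, skips directories that churn legitimately (the skipped paths assume a WordPress layout), and reports added, removed and modified files. The `demo()` function builds a small constructed web root in a temporary directory and simulates an unexpected new PHP file plus an edited core file.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Caches and media uploads change constantly, so they are skipped (WordPress layout assumed).
SKIP_DIRS = ("wp-content/cache", "wp-content/uploads")

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root, skip_dirs=SKIP_DIRS):
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in skip_dirs):
            dirnames[:] = []  # prune: do not descend into skipped trees
            continue
        for name in filenames:
            baseline[(Path(rel_dir) / name).as_posix()] = hash_file(Path(dirpath) / name)
    return baseline

def diff_baseline(old, new):
    """Report files that appeared, vanished, or changed hash since the stored baseline."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def demo():
    """Constructed web root: baseline it, simulate a suspicious change, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "functions.php").write_text("<?php // core file\n")
        baseline = build_baseline(root)  # in practice, store this somewhere off the web server
        (root / "wp-includes" / "unexpected.php").write_text("<?php // new file\n")
        (root / "wp-includes" / "functions.php").write_text("<?php // core file, altered\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # ignored dir
        return diff_baseline(baseline, build_baseline(root))
```

Run `build_baseline("/var/www/html")` after a clean install or update, save the dictionary (for example as JSON) away from the web root so an intruder cannot edit it, and schedule the comparison from cron. Any unexpected entry in `added` or `modified`, especially a PHP file, is worth investigating immediately.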

If you are managing a WordPress site then I'd really recommend installing WordFence. Enable its firewall, file-change monitoring, file scanning, 2FA for all admin logins, and install an admin audit tool so that there's always a record of every action that an admin user carries out. If you are managing any other sites then FGX-Web from Foregenix is brilliant. I can offer discounted prices on FGX-Web and help you get set up with WordFence.

These are some of the fundamentals that should be carried out on every website, especially an ecommerce store. Most, if not all, can be achieved with just a little bit of time spent and at very little cost. Basic security doesn't need to be expensive.

Finally, and I know it's been a long article, remember the principle of defence-in-depth. If you only rely on one security method and that gets compromised then you are vulnerable. Add multiple layers of security so that when one fails, there are others still in place.

If you have any questions then please get in touch for free advice. If you have any requests for future topics then let me know and I'll do my best to cover them where I can.