Written on July 9, 2019
Website security is a broad topic so there’s lots to cover. However there are some basic fundamentals that can be ticked off quite easily which should be in place on every website and which will really help batten down the hatches to keep things a little more secure. If these things sound obvious then it’s mostly because they are. However I come across websites all the time that don’t have these in place. The most basic things often get overlooked by developers and website managers – but you can pretty much guarantee that malicious users will start with these basics when enumerating your site.
A lot of this comes from a recent webinar by security and forensics company, Foregenix. Foregenix offer a free website scanning tool as well as a more in-depth internal scanner which can really help address some of the more complex monitoring services on your website. If you have any questions on the below then you can ask either myself or contact Foregenix who will be more than happy to help.
When vulnerabilities are discovered in platforms such as WordPress, Magento, and their extensions, developers fix these vulnerabilities and release updates. Once these updates are released the vulnerabilities are often disclosed. Malicious users can then read up on these vulnerabilities, scan the internet for sites that don’t have the updates in place, and download POCs (proof of concepts) to quickly take advantage of them. If you haven’t updated your website then it’s vulnerable, it’s really that simple. You might think that they won’t know that your site is vulnerable but they will, and why take that risk?
Most platforms have known admin paths. For example WordPress’ is /wp-admin, Magento’s is /admin. This knowledge is exploited by malicious users who use tools to try to “brute force” guess your username and password. As most people use weak usernames and passwords this is often successful. Once they have access to your website’s admin area it’s downhill from here. You might think that this isn’t important but if it’s a business site and you collect PII from your users then you could be fined a hefty amount of money by the ICO. You might even think that you don’t collect PII but it might even be as simple as allowing users to comment on your blog. If you allow that then you collect user’s email addresses. So create a custom admin path, something like www.example.com/ux93u5nvkay3ntjg and bookmark it. You can even go a step further and only allow access to this from your IP address if it’s a fixed one. Hide it, lock it down, keep people out.
As a developer I’m often shocked at how bad client usernames and passwords are. Not only for the website admin but for FTP, server access, the lot. It’s pure madness. Don’t use the same password across different sites. Use complex passwords which include lower and uppercase characters, numbers and special characters, and make them really long. Save them in a password manager such as 1Password so that you don’t have to remember them. You can also reset them periodically such as every 90 days – set a reminder and keep to it. This goes for usernames as well. Remember the brute force tools mentioned above? Well think of it this way, a malicious user knows that you have a WordPress site. They look at the footer of that website and see something like “Website design by John Smith”. Chances are there is an admin panel at /wp-admin, and there is an admin user called “john”, now it’s just down to brute force guessing the password which, if it’s weak, will be a breeze and can often be cracked in less than 1 second. Obscure (and limit access to) the admin path, treat your username the same as a password, and make both that and the password really strong. Save them in a password manager.
If possible you should also enable MFA (multi-factor authentication). There are plenty of plugins available for WordPress, Magento etc., which enable this. Do a search and if you have to pay for it it’s money well spent. The way this works is that to log in, a user needs to know the username and password, as well as a one-time-passcode such as one that’s sent as an SMS to your phone or, better still, one that’s generated using an authenticator app on your phone. There are also hardware keys (eg Yubikey) that can help with this but we’re getting a bit beyond the basics there and I want to keep this as easy for people as possible.
Again, I sometimes speak to clients who don’t know who all of the admin users are on their websites or, more often, have admin users enabled who’ve not worked on the site for many years. This may be past developers or an old office helper that’s no longer working for the company. As a website owner you should know every one of your users, assign the appropriate permissions where possible (EG someone who just writes the odd blog post doesn’t need to be able to install plugins), ensure that users don’t share accounts (helps with log monitoring and forensics if required), and monitor for unusual activity such as new plugins being installed, someone logging in from a different country etc. Finally, remove users who no longer require access. If you have a developer who works on the site every now and again then you can simply disable the account until you need them to have access.
This is mostly an on-going process but can really help you to keep on top of things, catch intrusions quickly if they happen, and if the worse does happen it can help incident response and forensics teams remediate a hack. Store as many logs as you can (access logs, crash logs etc) and feed them into a SIEM for ease of access. This can help detect vulnerabilities and help you defend your website. Monitor for logins, either successful or unsuccessful. Run regular scans for malware and credit card data. Monitor for file changes (if a malicious users gets access and uploads a backdoor then you should know about it right away). Hire a company to carry out penetration tests so that you can address any issues before they are found by malicious users.
These are some of the fundamentals that should be carried out on every website, especially an ecommerce store. Most, if not all, can be achieved with just a little bit of time spent and at very little cost. Basic security doesn’t need to be expensive.
Contact me if you have any queries and I’d be happy to help.