In recent years there has been a proliferation of great tools and services in the web development space. Content management systems (CMS) like WordPress, Joomla!, Drupal and so many others allow business owners to quickly and efficiently build their online presence. Their highly extensible architectures and rich plugin, module and extension ecosystems have made it easier than ever to get a website up and running without years of learning required.
This is undoubtedly a great thing; however, an unfortunate side effect is that there are now many webmasters who do not understand how to make sure their website is secure, or even why securing it matters. In this post I want to share with you the top 10 steps all webmasters and website owners can, and should, take to keep their website secure.
1 – Update, Update, Update!
This is something we cannot stress enough here at Sucuri. Countless websites are compromised every day because the software used to run them is outdated and insecure. It is incredibly important to update your site as soon as a new plugin or CMS version is available. Most hacking these days is entirely automated, with bots constantly scanning every site they can reach looking for exploitation opportunities, and the scans for a newly published vulnerability begin soon after it is disclosed. It is not good enough to update once a month or even once a week, because the bots are likely to find the vulnerability before you patch it. A website firewall like CloudProxy can virtually patch known vulnerabilities and buy you some time, but it is not a substitute for applying the update itself. If running WordPress, I personally recommend the plugin 'WP Updates Notifier': it emails you when a plugin or WordPress core update is available. You should also follow @sucuri_security on Twitter to get notified about important updates and security warnings.
2 – Passwords
Working on client sites, I often need to log in to their site or server using their admin user details, and I am frequently disturbed by how insecure their admin and root passwords are. It is a little scary that I have to say this, but admin/admin is not a secure username and password combination. If your password appears in this list of most common passwords, it is only a matter of time before your site is compromised: those lists are exactly what brute-force bots try first.
Even if your password is not in that list, there are a lot of
misconceptions about “strong” passwords. The lax requirements on most
password strength meters are part of the problem. Our friends at WP
Engine have put together some interesting research that debunks many of the myths surrounding passwords.
When it comes to choosing a password there are 3 key requirements that should always be followed (CLU – Complex, Long, Unique):
- COMPLEX: Passwords should be random. Do not let someone into your account just because they could find out your birth date or favorite sports team. Password-cracking programs can test millions of guesses per minute, and if your password contains real words it is not random. You might think you are clever for using leetspeak (letters replaced with characters L1K3 TH15), but cracking tools apply those substitutions automatically, so such passwords are far weaker than a completely random string of characters. Attackers have compiled some seriously impressive word lists for cracking passwords.
- LONG: Passwords should be 12+ characters long. I know some in the security community would scoff at a 12 character password and insist that passwords should be longer. However, when it comes to online login systems, any system that is following basic security guidelines limits the number of failed login attempts, and with such a limit a random 12 character password will easily stop anyone from guessing it in a few attempts. That protection disappears if the site's password database is stolen: the attacker can then test billions of guesses offline against the hashes, and only length and randomness slow them down. So, having said that, the longer the password, the better.
- UNIQUE: Do not reuse passwords! Every single password you have should be unique. This simple rule dramatically limits the impact of any one password being compromised: someone who finds out your FTP password should not be able to log in to your email or internet banking account. Contrary to popular belief, we are not as unique as we believe ourselves to be, so if you can randomly generate the password, even better.
Now I can already hear you ask, "how am I supposed to remember 10 random passwords which are all 12 characters long?" The good news is you don't need to remember them all, and in fact you should not even try. The answer is to use a password manager such as LastPass (online) or KeePass 2 (offline). These brilliant tools store all your passwords in an encrypted vault and can generate random passwords at the click of a button. With a password manager it is easier to use a unique, strong password everywhere than it is to memorize a couple of decent ones.
Yes, these password managers can present challenges and a possible weak point; just this week LastPass announced a compromise. Not all compromises are the same, though; more on this another time.
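As an added example (not part of the original post), here is a small POSIX shell script that applies the CLU rules: it generates a random password from /dev/urandom and checks a candidate for length, for too few character classes, for membership in a common-password list (including after undoing the usual leetspeak substitutions, which is why "P4$$w0rd" is rejected), and for reuse against a file of passwords already in use. The common-password list and the "already used" file are constructed stand-ins for a real breach list and a real inventory.

```shell
#!/bin/sh
# Added example, not from the original post. Generates CLU passwords and
# checks candidates against the three rules. COMMON_PASSWORDS is a tiny
# constructed stand-in for a real most-common-passwords list.
export LC_ALL=C

COMMON_PASSWORDS='password
123456
admin
qwerty
letmein
welcome1'

MIN_LENGTH=12

# Count how many of the four character classes (lower, upper, digit,
# symbol) appear in the string; prints 0-4.
class_count() {
    n=0
    printf '%s' "$1" | grep -q '[a-z]' && n=$((n + 1))
    printf '%s' "$1" | grep -q '[A-Z]' && n=$((n + 1))
    printf '%s' "$1" | grep -q '[0-9]' && n=$((n + 1))
    printf '%s' "$1" | grep -q '[^A-Za-z0-9]' && n=$((n + 1))
    echo "$n"
}

# Generate a random password of the given length (default 20) from a
# 72-symbol alphabet; retries until all four character classes are present.
gen_password() {
    length="${1:-20}"
    while :; do
        pw=$(tr -dc 'A-Za-z0-9!@#$%^&*_+=' < /dev/urandom | head -c "$length")
        [ "$(class_count "$pw")" -eq 4 ] && break
    done
    printf '%s\n' "$pw"
}

# Lowercase and undo common leetspeak substitutions (4->a, 3->e, 1->i,
# 0->o, $->s, 5->s, @->a, 7->t) so "P4$$w0rd" is compared as "password".
deleet() {
    printf '%s' "$1" | tr 'A-Z4310$5@7' 'a-zaeiossat'
}

# check_password PASSWORD [USED_FILE]: print each failed CLU rule and
# return 0 only if every rule passes. USED_FILE lists passwords already
# in use for other accounts (one per line).
check_password() {
    pw="$1"; used_file="$2"; status=0
    if [ "${#pw}" -lt "$MIN_LENGTH" ]; then
        echo "LONG: fewer than $MIN_LENGTH characters"; status=1
    fi
    if [ "$(class_count "$pw")" -lt 3 ]; then
        echo "COMPLEX: fewer than three character classes"; status=1
    fi
    if printf '%s\n' "$COMMON_PASSWORDS" | grep -qxF -- "$(deleet "$pw")"; then
        echo "COMPLEX: a common password (possibly in leetspeak)"; status=1
    fi
    if [ -n "$used_file" ] && grep -qxF -- "$pw" "$used_file"; then
        echo "UNIQUE: already used for another account"; status=1
    fi
    return "$status"
}

# Demo run.
generated=$(gen_password 20)
echo "generated: $generated"
check_password "$generated" && echo "generated password passes CLU"
check_password 'P4$$w0rd' || echo 'P4$$w0rd rejected'
```

The leetspeak check is deliberately crude (a single tr mapping); real cracking rule sets are far richer, which is the point of the COMPLEX rule: anything a human would think of, the word lists already contain.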
3 – One Site = One Container
I understand the temptation. You have an 'unlimited' web hosting plan and figure, why not host your numerous sites on a single server? Unfortunately this is one of the worst security practices I commonly see. Hosting many sites in the same location creates a very large attack surface.
For example, a server containing one site might have a single WordPress install with a theme and 10 plugins that can potentially be targeted by an attacker. If you host 5 sites on a single server, an attacker might now have three WordPress installs, two Joomla installs, five themes and 50 plugins to pick from. To make matters worse, once an attacker has exploited one site, the infection spreads very easily: the sites usually share the same filesystem and run under the same user account, so code running in one site can read and write the files of all the others.
Not only can this result in all your sites being hacked at the same
time, it also makes the cleanup process much more time consuming and
difficult. The infected sites can continue to reinfect one another in an
endless loop.
After the cleanup is successful, you have a much larger task when it comes to resetting your passwords: instead of just one site, you have a number of them. Every single password associated with every website on the server must be changed after the infection is gone, that is, all of the CMS, database and FTP users for all of those websites. If you skip this step, the websites can all be reinfected and you are back to square one.
4 – Sensible User Access
This rule only applies to sites that have multiple logins. It's important that every user has only the permissions they require to do their job; if they need elevated permissions momentarily, grant them, then remove them once the job is complete. This is the principle of least privilege.
For example, if you have a friend that wants to write a guest blog
post for you, make sure their account does not have full administrator
privileges. Your friend’s account should only be able to create new
posts and edit their own posts because there is no need for them to be
able to change website settings.
Having carefully defined access limits the mistakes that can be made, reduces the fallout of compromised accounts, and protects against the damage done by 'rogue' users. Another frequently overlooked part of user management is accountability and monitoring. If people share a user account and an unwanted change is made by that account, how do you find out which person on your team was responsible? Once you have a separate account for every user, you can keep an eye on user behavior by reviewing logs: knowing when and from where each person normally accesses the website lets you spot anomalies, such as a login from an address you have never seen or in the middle of the night, and confirm with the person that their account hasn't been compromised.
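To make the "when and from where" review concrete, here is an added example (not from the original post) of the detection logic as a shell function around awk. It reads a baseline of user/IP pairs seen during normal use, then flags every successful login from a pair not in the baseline, every successful login outside working hours, and any source address that accumulates a threshold of failed logins. The log format ("<ISO timestamp> <user> <ip> <result>"), the baseline and all the log lines are constructed for this example; a real CMS audit log or web server access log will need its own field mapping.

```shell
#!/bin/sh
# Added example, not from the original post. Baseline-versus-log check for
# login anomalies. Log format and sample data are constructed.

WORK_START=${WORK_START:-8}        # first normal login hour (inclusive)
WORK_END=${WORK_END:-18}           # first off-hours hour after work
FAIL_THRESHOLD=${FAIL_THRESHOLD:-5}

# Write the constructed baseline ("user ip") and sample log into $1.
make_sample_data() {
    cat > "$1/baseline.txt" <<'EOF'
alice 203.0.113.10
bob 198.51.100.7
EOF
    cat > "$1/auth.log" <<'EOF'
2015-06-15T09:12:44 alice 203.0.113.10 login_success
2015-06-15T10:03:01 bob 198.51.100.7 login_success
2015-06-15T03:41:19 alice 192.0.2.55 login_success
2015-06-15T14:20:00 bob 198.51.100.7 login_success
2015-06-15T22:05:12 bob 198.51.100.7 login_success
2015-06-15T22:06:00 admin 192.0.2.99 login_failed
2015-06-15T22:06:02 admin 192.0.2.99 login_failed
2015-06-15T22:06:04 admin 192.0.2.99 login_failed
2015-06-15T22:06:06 admin 192.0.2.99 login_failed
2015-06-15T22:06:08 admin 192.0.2.99 login_failed
2015-06-15T22:06:10 admin 192.0.2.99 login_failed
EOF
}

# detect_anomalies BASELINE LOG: print one ALERT line per finding.
detect_anomalies() {
    awk -v start="$WORK_START" -v end="$WORK_END" -v thr="$FAIL_THRESHOLD" '
    # First file: the baseline of user/IP pairs seen during normal use.
    NR == FNR { known[$1 SUBSEP $2] = 1; next }
    {
        ts = $1; user = $2; ip = $3; result = $4
        hour = substr(ts, 12, 2) + 0      # "2015-06-15T09:..." -> 9
        if (result == "login_failed") {
            fails[ip]++
            # report a source once, at the moment it crosses the threshold
            if (fails[ip] == thr)
                print "ALERT brute-force: " thr " failed logins from " ip " by " ts
            next
        }
        if (!((user SUBSEP ip) in known))
            print "ALERT new-ip: " user " logged in from " ip " at " ts
        if (hour < start || hour >= end)
            print "ALERT off-hours: " user " logged in at " ts
    }' "$1" "$2"
}

# Demo run on the constructed data.
dir=$(mktemp -d)
make_sample_data "$dir"
detect_anomalies "$dir/baseline.txt" "$dir/auth.log"
rm -rf "$dir"
```

On the sample data this yields four alerts: alice's 03:41 login from 192.0.2.55 triggers both the new-ip and off-hours rules, bob's 22:05 login is off-hours from a known address, and 192.0.2.99 is reported once when its failures reach the threshold. Per-user alerts are only possible because each person has their own account, which is the accountability point made above.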
5 – Change the Default CMS Settings!
Today's CMS applications are easy to use, but their default settings are often poor from a security perspective. By far the most common attacks against websites are entirely automated, and many of them rely on the default settings being in place. This means that you can avoid a large number of attacks simply by changing the defaults when installing your CMS of choice.
For example, some CMS applications let any administrator install extensions or edit theme and plugin code straight from the web dashboard; if an admin account is compromised, that is a ready-made way to drop a backdoor, so disable the feature if you do not need it (in WordPress, the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants in wp-config.php do this). There are also settings you may want to adjust to control comments, user registration, and the visibility of your user information. The file permissions, which we discuss later, are another default that can be hardened.
It is usually easiest to change these default details when installing your CMS, but they can be changed later.
6 – Extension Selection
One of the beautiful things about today's CMS applications is their extensibility. What most don't realize, however, is that the same extensibility is their biggest weakness. There is a massive number of plugins, add-ons and extensions providing virtually any functionality you can imagine, and that abundance is a double-edged sword: often there are multiple extensions offering similar functionality, so how do you know which one to install? Here are the things I always look at when deciding which extensions to use.
The first thing I look for is when the extension was last updated.
If the last update was more than a year ago I get concerned that the
author has stopped work on it. I much prefer to use extensions that are
actively being developed because it indicates that the author would at
least be willing to implement a fix if any security issues are
discovered or reported. Furthermore if an extension is not supported by
the author, then it makes little sense to use it for your website as it
may stop working at any time.
I also look at the age of the extension and its number of installs. An extension developed by an established author with numerous installs is more trustworthy than one with 100 installs released by a first-time developer. Not only is the experienced developer more likely to understand security best practices, they are also far less likely to risk their reputation by inserting malicious code into their extension. Bear in mind, though, that the larger the user base, the more incentive attackers have to find bugs in that extension, so popularity is no substitute for keeping it updated.
It is incredibly important that you download all your extensions and themes from legitimate sources. There are many sites that offer 'free' versions of extensions and themes that are normally premium and require payment. These 'free' versions are pirated and frequently infected with malware; the websites offering them are set up with only one goal, to infect as many websites as possible.
7 – Backups
Like anything in the digital world, a website can be lost in a catastrophic event. We often don't back up enough, but you will thank yourself if you take some time to consider the best backup solution for your website.
Making backups of your website is very important, but storing those backups on your web server is a major security risk. A backup archive left inside the web root can usually be downloaded by anyone who guesses its name, and it invariably contains an older, unpatched copy of your CMS and extensions together with the configuration files holding your database credentials, giving attackers an easy way in.
If you're interested in learning how to make reliable and secure backups of your website, I recommend you read my website backup strategy guide.
8 – Server Configuration Files
You should really get to know your web server's configuration files. Apache web servers use httpd.conf and per-directory .htaccess files, Nginx servers use nginx.conf (and the files it includes), and Microsoft IIS servers use web.config.
The .htaccess and web.config files are most often found in the root web directory, while nginx.conf lives in the server's configuration directory. All of them are very powerful: they let you set server rules, including directives that improve your website's security.
If you aren’t sure which web server you use, you can run your website through Sitecheck and click the Website Details tab.
Here are a few rules that I recommend you research and add for your particular web server:
- Prevent directory browsing: This stops malicious users from viewing the contents of every directory on the website, which would otherwise reveal plugin versions, backup files and other clues. Limiting the information available to attackers is always a useful security precaution.
- Prevent image hotlinking: While this isn’t strictly
a security improvement, it does prevent other websites from displaying
the images hosted on your web server. If people start hotlinking images
from your server, the bandwidth allowance of your hosting plan might
quickly get eaten up displaying images for someone else’s site.
- Protect sensitive files: You can set rules to protect certain files and folders. CMS configuration files are among the most sensitive files on the web server, as they contain the database login details in plain text. There may be other locations that can be locked down, such as admin areas. You can also block PHP execution in directories that hold images or accept uploads, so that a file an attacker manages to upload can never be run as a script.
There are many more rules and options that you can look into for your
web server configuration file. You can search for the name of your CMS,
your web server and “security” but make sure to confirm your findings
are legitimate before implementing anything. Some people post bad
information online with malicious intent.
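The three rules above as an added example (not from the original post): a POSIX shell function that writes Apache 2.4 .htaccess files for a WordPress-style layout, which is assumed here only to give the rules concrete file names (wp-config.php, wp-content/uploads). It assumes mod_rewrite is loaded and the virtual host has AllowOverride enabled. Apache 2.2 spells the denial as `Deny from all` instead of `Require all denied`, and nginx ignores .htaccess entirely, so the equivalent there goes into the server block (for instance `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` for the upload rule). The hotlink rule takes your own domain as its argument.

```shell
#!/bin/sh
# Added example, not from the original post. Writes hardened .htaccess
# files for an Apache 2.4 host. The WordPress file names are an assumption
# used to make the rules concrete.

# write_htaccess WEBROOT DOMAIN
write_htaccess() {
    webroot="$1"
    # escape dots so the domain is matched literally inside the regex
    escaped=$(printf '%s' "$2" | sed 's/\./\\./g')

    {
        cat <<'EOF'
# No directory listings
Options -Indexes

# Nobody fetches the CMS configuration or this file over HTTP
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>

# Refuse image requests whose Referer is another site. An empty Referer is
# allowed so direct visits and privacy-conscious browsers keep working.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
EOF
        printf 'RewriteCond %%{HTTP_REFERER} !^https?://(www\\.)?%s/ [NC]\n' "$escaped"
        cat <<'EOF'
RewriteRule \.(gif|jpe?g|png|webp)$ - [NC,F]
</IfModule>
EOF
    } > "$webroot/.htaccess"

    # Uploaded files must never execute as PHP, whatever their extension
    mkdir -p "$webroot/wp-content/uploads"
    cat > "$webroot/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Demo: write into a scratch directory and show the result.
demo=$(mktemp -d)
write_htaccess "$demo" "example.com"
cat "$demo/.htaccess"
echo "--- wp-content/uploads/.htaccess ---"
cat "$demo/wp-content/uploads/.htaccess"
rm -rf "$demo"
```

Two details worth noting: the upload rule lives in its own .htaccess inside the upload directory because Apache applies these files per directory, and the FilesMatch pattern covers the alternative PHP extensions (phtml, php5, phar) that an attacker will try once plain .php is blocked.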
9 – Install SSL
I'm actually of two minds as to whether or not to include this point, because there have been so many articles incorrectly stating that installing SSL (today, more precisely, TLS) will solve all your security issues. SSL does nothing to protect the site itself against attacks on its software, and a compromised site will happily distribute malware over HTTPS. What SSL does is encrypt communications between Point A and Point B, the web server and the browser. That encryption is important for one specific reason: it prevents anyone sitting between the two from reading or tampering with the traffic, an attack known as Man in the Middle (MITM).
SSL is especially important for e-commerce website security and any website that accepts form submissions with sensitive user data or Personally Identifiable Information (PII). The SSL certificate lets the browser verify that it is talking to your server and protects your visitors' information in transit, which in turn protects you from the fines that come with being found non-compliant with PCI DSS.
10 – File Permissions
File permissions define who can do what to a file.
Each file has three permissions available, and each permission is represented by a number:
- Read (4): View the file contents.
- Write (2): Change the file contents.
- Execute (1): Run the program file or script.
If you want to allow multiple permissions you just add the numbers together, e.g. to allow read (4) and write (2) you set the permission to 6. If you want to allow read (4), write (2) and execute (1) then you set the permission to 7. These permissions are set separately for three classes of user: the file's owner, the file's group, and everyone else, which is why a mode is written as three digits such as 644 (the owner can read and write, everyone else can only read). The mode to avoid is 777, which lets every account on the server, including the web server process an attacker may be driving, rewrite your files.
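As an added example (not from the original post) covering this section and the backup warning in point 7, here is a POSIX shell script that audits a web root for world-writable files (the 777 mistake) and for backup archives or database dumps left inside the web root, and then applies the usual baseline: directories 755, files 644, and the CMS configuration file 600. It assumes the files are owned by your own account and the web server runs as a different user, so "other" needs no write access; if the CMS has to write somewhere (uploads, automatic updates), give that directory to the web server's user rather than making it world-writable. The wp-config.php name is an assumption; pass your CMS's own configuration file name as the second argument. Run the two audit functions and read their output before letting harden_permissions touch anything.

```shell
#!/bin/sh
# Added example, not from the original post. Audit and harden file
# permissions under a web root. The config file name defaults to
# wp-config.php, an assumption; pass your CMS's own name as $2.

# List files and directories that anyone on the server can write to
# (permission bit "other write", i.e. modes like 777 or 666).
find_world_writable() {
    find "$1" ! -type l -perm -002
}

# List backup archives and database dumps sitting inside the web root,
# where anyone who guesses the name can download them (point 7).
find_exposed_backups() {
    find "$1" -type f \( -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' \
        -o -name '*.tgz' -o -name '*.sql' -o -name '*.sql.gz' -o -name '*.bak' \)
}

# Apply the baseline: 755 on directories, 644 on files, 600 on the
# configuration file that holds the database credentials.
harden_permissions() {
    root="$1"; config="${2:-wp-config.php}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/$config" ]; then
        chmod 600 "$root/$config"
    fi
}

# mode_is PATH OCTAL: true if PATH has exactly that mode. Uses find so it
# works with both GNU and BSD userlands (stat's flags differ between them).
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Demo on a scratch tree that reproduces the usual mistakes.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
touch "$demo/index.php" "$demo/wp-config.php" "$demo/backup.zip"
chmod 777 "$demo/wp-content/uploads" "$demo/wp-config.php"
echo "world-writable before:"; find_world_writable "$demo"
echo "exposed backups:";       find_exposed_backups "$demo"
harden_permissions "$demo"
echo "world-writable after:";  find_world_writable "$demo"
rm -rf "$demo"
```

The audit functions print paths only, so they are safe to run on a live site; harden_permissions changes modes recursively and should be run once, after you have confirmed which directories the CMS genuinely needs to write to.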