Web Strategy 101 for Creatives (Part 4) – Website Security

DIMi recently was hacked. It was an interesting experience, and, as always, we learned a lot from the experience.

Hacking of sites is on the rise and there is reportedly a substantial increase in recent times, which is likely to continue. As NASA, various governments and large corporations have discovered, there is no such thing as a completely secure website. If it is visible, it is vulnerable.

Site security is a complex topic. However, there are some obvious security risks:

• Simple passwords and using the same password for several things;
• Lax SQL security if your site uses a database, such as not checking form fields properly;
• Code embedded in JPEG files;
• Admin pages in known and standard locations;
• Server vulnerabilities;
• A vulnerable site on shared hosting opening up possible damage to other hosted accounts, including yours.

It is worth doing a security audit of your site(s) or getting a knowledgeable person to do it for you (you get what you pay for). There are two common ways that people build websites: using standard software and writing it yourself.

Standard software includes using various open source programs, like WordPress and Gallery2, as well as solutions you must pay for. These programs provide the content management system for large and complex sites. They work well and have the huge benefit of many programmers working on them to tighten up the security. They have the disadvantage that lots of people know how they work, and so vulnerabilities will be found. Provided you keep the installation up to date, these usually get closed very quickly. However, many hosting companies do not always have the latest version available in a form for easy install or they fail to provide new upgrades, quickly enough. I have seen hosting companies offering several versions back of open source software for months after the latest is released. This means you need to keep on top of what the latest versions are (you can often sign up to be notified by email) and install them.

Custom sites are used for very simple sites and often for more complex ones. You may be tempted to do it yourself, perhaps following a book for reference. Be careful. A quick survey of web design books shows that most will leave you with a vulnerable site if you use something like MySQL, because few tell you about the security steps that must be taken. Static websites, which only contain HTML pages and do no data collection, offer fewer vulnerabilities to exploit beyond server software vulnerabilities and weak ftp passwords.

There are many steps that can be taken to make your site more secure. Some of these are:

• Ensure passwords are long and use a random mix of letters (lower and upper case), numbers and characters like @#$%^&*(){}[];’/|, etc. Also do not use the same password for several things;
• If the site uses database technology, ensure all additions are parsed to remove SQL commands. This means validating any entry fields in forms to ensure they do not contain SQL code;
• Use non-obvious user IDs for administration accounts, not the often default user id of “admin”;
• Move and/or add additional password protection to admin areas from the defaults;
• Work with your hosting company on security matters and make sure that, for shared hosting accounts, they have in place appropriate security measures. One possible area is to have them turn off capabilities that your site does not need, but which may add a potential point of vulnerability;
• Ensure you are running the latest version of any programs, such as WordPress, and check for updates frequently;
• Thoroughly check the Internet for discussion of security issues with any software you are thinking of installing, before you do so;
• Add optional security plug-ins to such software, if they support it, and if they are well regarded by the user community. Again, work with your hosting company to get them to add features that will make for a more secure site. Most will be willing since it not only assists you but also their other clients;
• Immediately after installing any software on the site, modify it from the default install state to tighten up security. Do not install the software and leave it in the default state for days or weeks before you get around to working on it;
• Do regular backups and get them offline. Do not assume that your hosting company will have a good backup, as these can be corrupted or may contain hacked files if you have not caught it soon enough. Make sure you keep at least enough backups readily available to get the site back to the state before the intrusion was done;
• If possible, turn on additional logging methods so that you have more hope of determining how an intrusion was made and thus what you need to tighten up further;
• Before adding any new features to the site, determine if there are any security implications and make sure they are addressed before you go ahead.

Check your site regularly, so you can catch any issue early.

So we live and learn. Website security is not a given and it is up to you to ensure your site is as secure as possible.