Keep Your Data Secure
Experience True Peace of Mind & Learn About the Security Services We Offer
Web sites are unfortunately prone to security risks. And so are any networks to which web servers are connected. Setting aside risks created by employee use or misuse of network resources, your web server and the site it hosts present your most serious sources of security risk. Real website security means protection from the inside out as well as the outside in. We have the technology to do it all — daily scanning, automatic malware removal, web app firewall, a global CDN for a blazingly fast website and our support team is here for you 24/7.
Web security is a major issue, and most organizations are under protecting their systems. Distributed Denial of Service attacks, authentication, authorization and IT security governance are major issues needing attention on a daily basis.
Web servers and the sites they host are the most vulnerable security risk for many companies. Today’s complex programs all have some “weaknesses.” Each web server has dozens, or in some cases hundreds of settings, the website code always has issues and the applications running on the IT infrastructure can also have issues.
Web application attacks make up 35% of all breaches, so no matter where your data lives, at your site or in the cloud, security measures are necessary to protect your data from attacks. Next generation attacks could be particularly disruptive and may consist of:
- Long duration compromises
- Traditional on-premises threats are now also moving to the cloud
- Targeted recon
- Social engineering
- Multi-vector approach
- Advanced attack technologies
We know two-thirds of organizations find out from a third party they have been compromised. Sometimes organizations take months to figure out they have been compromised in some way. Continuous monitoring is now a requirement to prevent any breaches. Even with “cloud services” each organization has security responsibilities.
TH Web offers a suite of tools designed for complete website security, including:
– Malware & Hack Cleanup.
– Blacklist Detection & Removal.
– DDoS Protection.
– Malware & Hack Prevention.
– Continuous Security Monitoring.
Website Security Checklist
1. Keep all your software up to date.
The first step is one of the easiest, but one that makes a big difference. A lot of software updates are designed specifically to reduce security vulnerabilities. Software designers and cyber security experts are in a constant battle with hackers to thwart every new effort they come up with.
Most of those software updates you seem to get constant reminders for are part of that battle. Even if it feels like an annoyance, don’t dilly-dally on completing those updates. Regularly check for updates to your plug-ins, your CMS, your ecommerce software, and any other software related to how your website runs. Taking this simple step will immediately reduce your vulnerability.
2. Use secure passwords and update frequently.
A surprising number of people still use basic passwords like “password” or “123456.” Don’t be one of those people.
Make sure the password you use to access your website has a mix of numbers, letters, and special characters. Also avoid using something an acquaintance could guess at in your password – your kid’s name or year of birth is too easy for someone to figure out. Get creative, make sure you use something different for your website than you use for your other logins, and make sure anyone else in the company that has access to the website does the same.
And then do it all over again in six months. Set a reminder on your calendar so you remember to update your password with some frequency.
3. Backup regularly.
In the case that anything does happen, you don’t want to be stuck building your website over again from scratch. Make sure you back it up regularly, just like you do your own computer (you do backup your computer regularly, right?).
Setting up automatic backups for your website is as easy and it not only makes backing up completely effortless since everything is automated, but restoring your site if the need ever arises is a simple process as well.
4. Invest in a malware detector.
Malware’s extremely common, and not just on the website’s you’d expect. Hackers have an interest in infecting any website that people are likely to visit. That means your website could be felled by malware, or (arguably) worse, it could be the means by which malware infects your customers’ computers.
Your best move to avoid both scenarios is a strong malware detector. Anti-malware programs can spot malware fast and help you get rid of it before it has the chance to do much damage. They’re relatively inexpensive when you consider the risks malware poses, and they’re not all that difficult to implement. Your web hosting platform might even offer one, which makes adding it to your web hosting plan and activating it especially easy to do.
5. Be careful about your permissions.
How many people have access to your website? Most businesses, even many on the smaller side, need to provide at least a couple of people with the means to access the website to make changes. Medium-sized and larger businesses will often have far more people accessing the website on a regular basis.
The more people you have in there making changes to the website, the more vulnerabilities you have. Chances are, not every person using your website needs the same level of access. By using your permissions wisely, you can limit the potential damage a thoughtless or malicious act by one of your employees or contractors can have.
6. Set up SSL.
If you have an ecommerce websites, purchasing an SSL certificate is not optional. Your customers need to know that your website is secure before they hand over sensitive information. An SSL certificate is the way you provide them that security.
An SSL certificate isn’t terribly expensive and ensures your websites shows a green HTTPS in the browser bar, which is what consumers look for to see that a website can be trusted. It adds an extra level of protection to ensure the details customers share with you are properly encrypted and can’t be easily snatched up by cyber thieves.
7. Use AVS and CVV.
When you add an address verification system (AVS) and credit card verification value (CVV) field for all credit card checkouts, fraud attempts are far less likely to slip through. You have a chance to check the information a customer provides against the information their credit card company knows so people that have stolen credit card numbers alone won’t get past your confirmation process.
8. Reduce XSS vulnerabilities.
This step gets really technical and you may want to consult with your webmaster or a cyber security consultant rather than try to handle this one on your own. XSS (cross site scripting) vulnerabilities are weaknesses in the code you write that allow hackers to add code to your website that infects your visitors’ devices.
To reduce XSS vulnerabilities, you need to validate and sanitize your data as described at the link above. You may also be able to insert this string onto your webpages to reduce your vulnerability: echo htmlentities($string, ENT_QUOTES | ENT_HTML5, ‘UTF-8’); But that will only work for you if you’re not using HTML. If you are using HTML, running your code through the HTML purifier is your best alternative.
9. Reduce SQL injection vulnerabilities.
As with step 8, this step is probably more the job of a webmaster than a business owner, so ask for help if you find the suggestions confusing. SQL injection vulnerabilities aren’t as common as XSS vulnerabilities, but they’re still cause for concern. They allow hackers to get ahold of the sensitive data stored in your database – which often includes information like your customers’ credit card numbers.
The main five defenses against SQL injections are:
Using parameterized queries to help your database distinguish the difference between code and data.
Using stored procedures that are clearly defined within the database and provided to users, rather than letting them enter their own.
Escaping user supplied input (which is only recommended in some cases), so the database knows to recognize any information users supply as different from SQL code written by the developer.
Enacting least privilege – which relates back to step 5 – to make sure users only have as much permission as they need and no more.
Employ white list input validation, which allows the database to detect any unauthorized input before processing it.
If your eyes just glazed over, you’re not alone. If you don’t understand this stuff, it’s better to bring in someone who does so it gets done right.
10. Use a DDoS mitigation service.
Distributed denial of service (DDoS) attacks occur when a hacker sets a large number of compromised systems to flood the bandwidth of a website all at once. The server gets overwhelmed and starts to reject all visitors.
Having a web hosting provider that’s put protective measures into place is the first line of defense, but with how common DDoS attacks have become, making an additional investment in a DDoS mitigation service can further reduce your risk.
Hackers are constantly working to create new methods to get around these protections. In addition to putting these ten tips into effect, take some time throughout the year to read up on new security threats and best practices.
The stakes here are high – you need your customers to trust you and your website to consistently do its job. Make sure you treat website security as the priority it should be.
Security Disclaimer: Our security will dramatically decrease the chance that your site will be hacked or infected with malware. However, it is important to mention that there is unfortunately no way for any website to have a 100% protection guarantee. This is why we always include a solid backup and recovery solution, just in case.