Success! You’ve secured your website with the latest and best antivirus software on the market. Then the unthinkable happens: your website is breached! Hackers have stolen passwords and user information, they’ve installed malware that could affect your users and, worst of all, the hackers are demanding a ransom! The worrying fact is that this is happening to thousands of websites worldwide on a daily basis.
While it’s great that website and CMS platforms, like WordPress, Magento and Drupal, have made it easy for anyone to create a website, on the downside, security is often lacking and the threat of being attacked is very real.
Google has reported that it currently blacklists more than 10,000 websites daily for malware and approximately 50,000 weekly for phishing. In January 2019, 1.76 billion records were leaked; the Cybersecurity Business Report found that the cost of ransomware damages to businesses so far in 2019 reached $11.6 billion; IBM and the Ponemon Institute’s Cost of a Data Breach Study discovered that 48% of data breaches were the result of malicious or criminal attacks. Astonishing numbers.
InfoSec professionals say that “78% of attacks are against the application” and most of them aren’t highly technical, and don’t take an army of people to accomplish. The reality is that if your website hasn’t been attacked yet, watch out because it may well be in the future.
Top 5 most common attacks on websites
Here are some of the common attacks you should be wary of:
Also known as web scraping, bots are programmed to carry out automated tasks, such as search engine bots, but not all bots are friendly. Imperva’s research shows that a third of traffic on the Internet is created by unfriendly bots. Hackers are able to use botnets connected to digital devices to launch DDoS cyberattacks. Then there are spambots, which collect email addresses from different sources and send spam or junk emails.
DDoS, or Distributed Denial of Service, attacks start from multiple devices or computers: more than one or two compromised systems send large amounts of traffic to the targeted systems. There are three forms of DDoS attack:
- Volumetric attacks – these include ICMP and UDP floods.
- Protocol attacks – which include SYN floods, ping of death, fragmented packet attacks and Smurf DDoS.
- Application layer attacks – these include low-and-slow barrages, application-saturating attacks which can target vulnerabilities in systems such as Windows, Apache or OpenBSD, as well as NTP amplification, HTTP flood and zero-day DDoS attacks and Slowloris.
XSS, or Cross-Site Scripting
In an SQL injection attack, attackers take advantage of a non-validated input and inject an SQL command into a website’s back-end database application. These attacks are usually successful when there are gaps in software or applications.
Probably the most well-known attack is malware, which is distributed via social channels and exploits a vulnerability in the system, usually via the website or server. Once the malware is installed, the attacker has access to sensitive and confidential areas of an application and can change the system’s configuration as well as enable file executions. The most common types of malware include ransomware, spyware, adware, Trojans, worms and rootkits.
Whatever the size of the website, it can be a target for malware, DDoS, spam and other attacks and if it’s breached, will have a far-reaching impact on the business. Keeping it secure is extremely important and there are several steps that can be implemented to ensure that it remains safe.
Install a firewall
The Internet isn’t necessarily the most trusted environment. Leaving the website, and in particular the web hosting, without a firewall opens it up to the threat of virus and malware attacks. There are two forms of firewall, hardware and software. Familiar software firewalls will monitor download rates and transfer times, as well as IP addresses, and block software that isn’t in the firewall’s remit, thereby preventing damage to the website.
Hardware firewalls will be between the Internet and the server, and work by tagging packets from the server to find out where the data’s source is. The firewall will be able to work out the transfers that are trustworthy and block the transfers that aren’t trusted. The best firewall is a combination of software and hardware firewalls that will monitor traffic flow in and out of your website.
Protect against DDoS attacks
Whilst a firewall will spot a DDoS attack via IP addresses because they are all unique, it won’t spot a botnet. Firewalls are not built to be able to track an increase in website traffic. DDoS attacks are designed to significantly increase the flow of information to a website, resulting in the web server crashing. But using a solution dedicated to breaking up the traffic, such as Cloudflare, will help to mitigate a DDoS attack. The DDoS protection software re-routes the extra traffic to allow the legitimate users to continue, avoiding any downtime.
Use an SSL or TLS certificate
An easy and practical way of protecting your website, as well as the users, is by installing an SSL – Secure Sockets Layer – certificate. If the website is an online or ecommerce store, using an SSL certificate is essential to protect users’ personal information, such as names, addresses and credit card details. Not only that, without an SSL certificate, it is highly likely that Google will blacklist the website which isn’t good for business. An SSL certificate works by connecting users to a secure TLS connection that will automatically encrypt the data travelling between the user and the website.
When SSL certificates are installed, website platforms can be HTTPS encrypted as well, which will need to be renewed on a yearly basis.
A slight drawback of SSL certificates is that they can slow down website transactions, usually due to the layers of security. The majority of web hosts today include SSL certificates in the ecommerce web packages and it is well worth considering them.
Don’t forget to act on that update!
Not every update received from website hosts and software providers is for adding new features or increasing performance; often they are issued to fix a discovered gap, or vulnerability. It’s for this reason that it’s important any updates are acted upon immediately.
This is very much true for WordPress websites, principally due to the number of plugins that are usually incorporated into a website build, each of which is a potential security threat.
But a word of warning: it’s not always a good idea to carry out WordPress plugin updates immediately, as there is a possibility that the updated plugin is incompatible with other plugins used with the website. Make sure backups of the website are done regularly in case of this situation.
Passwords – change them regularly
Any platform that is used to build a website will require a username and a password. Avoid using the same password for the web server and the web hosting, particularly if you do have more than one website on the same server. Using a password manager, for example LastPass or KeePass 2, will ensure secure passwords are generated to fight against security attacks using malicious applications and bad files being downloaded to the database. Passwords should be unique, using random letters, numbers and symbols of twelve characters or more, different for every stage in the website chain and must not be reused.
Some web hosting platforms offer two-factor authentication, which adds an additional layer of security to unique passwords.
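The password rules above (twelve or more characters, a mix of letters, numbers and symbols, no reuse between stages of the website chain) can be checked mechanically. The following Python sketch is an added example, not part of the original article; the account names and sample passwords are constructed for illustration.

```python
import secrets
import string

MIN_LENGTH = 12  # minimum length recommended in the article
CLASSES = (string.ascii_letters, string.digits, string.punctuation)

def has_all_classes(password):
    """True if the password has at least one letter, digit and symbol."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)

def generate_password(length=16):
    """Random password drawn from a CSPRNG that covers every class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES)
    while True:  # retry until every character class is present
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate

def audit_credentials(credentials):
    """Return {account: [problems]} for a mapping of account -> password."""
    findings, first_owner = {}, {}
    for account, password in credentials.items():
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append("shorter than 12 characters")
        if not has_all_classes(password):
            problems.append("missing letters, digits or symbols")
        if password in first_owner:
            problems.append(f"reused from {first_owner[password]}")
        else:
            first_owner[password] = account
        if problems:
            findings[account] = problems
    return findings

# Constructed sample: one entry per stage of the website chain.
SAMPLE = {
    "web hosting": "Tr0ub4dor&3x!Qz",
    "web server": "Tr0ub4dor&3x!Qz",  # same password as the hosting account
    "cms admin": "summer2019",        # too short and has no symbol
    "database": generate_password(),
}

if __name__ == "__main__":
    for account, problems in audit_credentials(SAMPLE).items():
        print(account, "->", "; ".join(problems))
```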
Pay more attention to site security
Get into the habit of monitoring the security on the website constantly; note increases in website traffic, spam and any suspicious behaviour. Jetpack and Akismet Anti-Spam are good solutions for monitoring WordPress plugins. Choose a web server that includes security measures and try to avoid shared hosting as hosting multiple websites on one server attracts security attacks.
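One way to note increases in website traffic is to count requests per minute in the web server's access log and flag minutes far above the usual level. The following Python sketch is an added example, not part of the original article; it assumes Common/Combined Log Format lines, and the log entries, IP addresses and the threshold factor are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Client IP and timestamp fields of a Common/Combined Log Format line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def requests_per_minute(lines):
    """Map each minute to a Counter of requests per client IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that are not access-log entries
        ip, stamp = match.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        buckets[when.replace(second=0)][ip] += 1
    return buckets

def find_spikes(lines, factor=3):
    """Return (minute, total, busiest_ip, its_count) for each minute whose
    request total exceeds `factor` times the median minute."""
    buckets = requests_per_minute(lines)
    totals = {minute: sum(ips.values()) for minute, ips in buckets.items()}
    if not totals:
        return []
    baseline = median(totals.values())
    spikes = []
    for minute in sorted(totals):
        if totals[minute] > factor * baseline:
            ip, count = buckets[minute].most_common(1)[0]
            label = minute.strftime("%Y-%m-%d %H:%M")
            spikes.append((label, totals[minute], ip, count))
    return spikes

def _entry(ip, clock, path="/"):
    return f'{ip} - - [10/Oct/2019:{clock} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample log: three quiet minutes, then one busy minute.
SAMPLE_LOG = (
    [_entry("192.0.2.10", "13:55:01"), _entry("198.51.100.7", "13:55:40")]
    + [_entry("192.0.2.10", "13:56:05"), _entry("192.0.2.11", "13:56:30"),
       _entry("198.51.100.7", "13:56:59")]
    + [_entry("192.0.2.11", "13:57:12"), _entry("198.51.100.7", "13:57:48")]
    + [_entry("203.0.113.50", f"13:58:{s:02d}", "/wp-login.php") for s in range(10)]
    + [_entry("192.0.2.10", "13:58:20"), _entry("192.0.2.11", "13:58:45")]
)

if __name__ == "__main__":
    for spike in find_spikes(SAMPLE_LOG):
        print(spike)
```

The median is used as the baseline so that the busy minute itself does not raise the threshold it is compared against.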
Make sure local computers are regularly scanned; whilst installing the best antivirus solution you can is important, it is also wise to run deep scans on laptops, desktop computers and other devices regularly, particularly if files are downloaded from those devices.
The last thing any business wants is a hacked website. It can have a serious impact on the business in terms of revenue and reputation.