Category Archives: Website Security

Website Software Updates for Dummies

Welcome to The Internet, a platform that allows the exchange of information and ideas. Most of the world connects to The Internet, so clearly it’s trusted. But is it safe? Well, the short answer is: it depends. You see, there are countless millions of websites, and many billions of web pages, that need constant monitoring to protect them from spam, malware, and the bad guys who look to do harm to these pages. That’s where you come in, the ever-vigilant webmaster constantly on the lookout for devilish hackers and armies of bots who just want to tell you about the latest pill. It’s up to webmasters like you to keep your websites safe for anyone who comes across your pages, using the tools and methods available to you, such as software updates.

Take this write-up as a utilitarian asset to help you better understand securing your websites by keeping them up to date. You may think you know a lot about this stuff, but stick around. You might learn something new.

Web Hosting Basics

Web hosting is a service which allows individuals and companies to establish a presence on The Internet. Simply put, you’re renting online space on a computer, more commonly known as a server. This online space allows visitors to view your websites in their web browser. With the introduction of control panel software such as cPanel and Plesk, the days of setting up your own server with complex configurations are over. Anyone can have a website up in a matter of minutes.

Web Hosting Terminology

You may want to familiarize yourself with some of the terms commonly used in web hosting. These are important, since the way you secure your website depends on how it’s hosted.

Shared Hosting: The most common form of hosting, since it’s the most cost-effective. You’ll usually share a single server with hundreds of other neighboring websites.

Virtual Private Server: Similar to a dedicated server, in that everyone on this type of service runs their own operating system and software. Virtual servers offer higher levels of isolation compared to Shared Hosting, but most VPS instances share a single dedicated server and generally share a central kernel.

Virtual Dedicated Server: Different hosts use this term interchangeably, but since GlowHost was one of the first hosts, if not the first, to use this term, I’m going to give you our definition. A VDS is similar to a dedicated server, where everyone on this type of service runs their own operating system and software, and each has its own unique kernel for maximum customization. A VDS, sometimes referred to as a Virtual Machine (VM) or Virtual Environment (VE), offers the highest level of isolation compared to Shared Hosting or a VPS. Virtual Dedicated Servers from GlowHost are unique in that they live on a cluster of dedicated servers, whereas a VPS lives on just one dedicated server. A VDS will remain online if a single server goes down; in fact, our VDS can sustain multiple down servers without the failure being noticeable. A simple VPS will be offline if there is a single dedicated server failure or overload.

Dedicated Server: True hardware isolation exists only for dedicated servers. Nobody but yourself will have access to the physical resources of dedicated hosting services.

Colocation: The hardware that you use to host your sites, such as physical servers and firewalls, is supplied by you, then shipped to and racked at a datacenter. You pay for electricity and bandwidth, as well as “remote hands” to make physical changes to your hardware or network that must be done on-site.

Now that we’ve covered the basics in hosting terminology, let’s switch gears and jump right into websites and how to keep them safe.

The Problem With Websites

While it may come as no surprise to some webmasters, the ugly truth is that websites do get hacked. Regardless of the platform, software, or security tools you use, all web pages accessible to the general public which are powered by PHP or other scripting languages will eventually need updates to keep them secure. This puts webmasters in the difficult position of having to constantly monitor and maintain their code. Everyone is a target here.

How Websites Get Hacked

Much like an elaborate machine with many moving parts working together, something only works as well as its weakest component. A weak password, an outdated PHP file long forgotten, or a public-facing page that allows an individual to upload PHP files would all qualify as a weakness in security. These are all targets sought after by would-be hackers. In many cases, detection of these weaknesses is performed by automated scripts or applications (called robots, or bots). The robots scour The Internet and subsequently attempt to exploit a site until they find a way in.

Why Websites Get Hacked

The goal of hackers is to gain unauthorized access to your website or server, and to evaluate all data and resources after access is achieved. There are many incentives and reasons why websites get hacked. Each reason depends on who’s hacking your website, what their intents are, and the type of data they discover. Below are only some examples:

  • Farm user data in order to sell or use for social engineering attempts
  • Gain access to privileged information not available anywhere else
  • Build a powerful botnet that may be leveraged for further attacks
  • Use server resources for cryptocurrency mining
  • Set up phishing pages such as bank account, email, and social network website logins
  • Deface your website, send spam, or build links to other websites
  • Gain bragging rights among their circle of hacker friends

The Solution To Website Hacks

Website hacks are often attributed to negligence, or to leaving unprotected code accessible to abusive scripts. There is no such thing as a fully secure website; however, you can certainly mitigate your risks substantially by following good practices. The guidelines below will help you achieve a moderately high level of security in most circumstances.

Stay Updated: When your website is running open source PHP scripts such as WordPress and Drupal, you will have to update your website regularly as new modules and plugins are released. Many (like the ones mentioned) will update automatically, or give you a simple interface to perform essential security updates within a few clicks. If a webmaster simply misses an update, they are prone to threats such as zero-day exploits or other attacks against the old code.

Protect Passwords: An obvious rule here, but one that cannot be stressed enough. Storing passwords in plain text files, unencrypted in the database, or even on a piece of paper that you drop in some public space would open you to threats far worse than what some automated bots could do.
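A safer way to keep the password the paragraph above warns against storing in plain text, as an added example that is not GlowHost’s code: a per-user random salt, a slow iterated hash (PBKDF2), and a constant-time comparison on login. It is written in Python for illustration; the record format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Added example (not from the original post): the database keeps this
# self-describing record instead of the password itself.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str) -> str:
    """Return 'algorithm$iterations$salt_hex$digest_hex' for storage."""
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)  # the plaintext appears nowhere in the record
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("password123", stored))                   # False
```

For the PHP scripts the article discusses, PHP’s built-in password_hash() and password_verify() provide the same pattern.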

Encrypt Traffic: Ask your host about SSL since many web hosts already provide this essential service. Not only will SSL secure data sent to and from the server your website is housed on, but it will also build trust among your visitors. Not to mention, Google will bump you up in search results since Google now considers website security as part of their ranking algorithms.

Install Security Plugins: Specifically, we mean plugins/modules for open source scripts, such as anti-spam tools, brute force login protection, and managed blacklists. If your web host supports the script you’re running, it’s likely the plugins you find and install will work without any issues. Be conservative here, as many plugins do the same thing. Conflicts are easy to encounter in this area, and many plugins are poorly coded, which can slow your website to a crawl.

Webmaster Responsibilities

Regardless of how you secure your website, you should always bear in mind that your web hosting provider is not responsible for maintaining your website’s code. They already take care of the complex items behind the scenes such as patching the server’s kernel, isolating customer accounts on shared services, managing mod_security rules, maintaining an elaborate firewall, and the list goes on. You are responsible for keeping up to date with your website updates.

Even with the responsibility falling on your shoulders to maintain your website’s security, you’re not in this fight alone. Your web host will still provide you with the best tools in the industry to deal with these challenges. Such tools may include applications like Softaculous which may help keep your website up to date automatically (some scripts), regular backups (a definite must have), and a support team which should always be standing by to help you with any questions you may have.

Questions To Ask

Up to this point, you might feel like you’re alone and would otherwise have to contract third-party help to secure your website. That’s not always the case, and your web host may offer other services beyond hosting. Here are some questions you should ask your web host if you’re ever in a position where you need help:

  • I’ve been hacked, do you have backups available?
  • Do you offer a website maintenance plan to keep my website up to date?
  • Could you help me repair a hacked website?
  • I need help securing my website.
  • Do you offer deals on third-party security services such as Sucuri?
  • Can you explain how I can set up CloudFlare?
  • What security measures are in place for the server I’m on?

There are many questions you could ask, but this should serve as a good quick-starter.

Test Your Website’s Security

As a matter of good practice, once you’re all secured and ready to take on The Internet, run some security audits. There are an infinite number of ways to hack a website. Fortunately, that leaves another infinite number of ways to test a website’s security. The simplest approach here is to leverage a third-party scanning service such as Sucuri.

For A Safer Internet

By following good practices explained in this article, you will be helping to create a safer Internet for everyone. Your web host will already have taken the security measures at the server levels, so be sure to take charge of your website updates at the script level.

Talk to a professional

We have a team of security professionals available to help with any questions or concerns you might have regarding your website/business’ security. Call us today for a free consultation at 1-888-293-HOST (4678).

Memorable Passwords

Memorable passwords can be secure, contrary to popular belief.

One of the first and best rules of good website security is to make sure passwords are secure. The good news is that secure passwords do not have to be impossible to remember, and memorable passwords can still be secure.

So, What is The Problem?

The other day a customer came to me and revealed the password he was using to maintain one of his web sites. It was a password I have seen hundreds of times before from other customers. Now, if I have seen that password that many times, you can guarantee the bad guys have it in their password lists that they use to try to gain access to a typical web site.

Password lists are files which contain strings of common usernames and passwords. Attackers then import this list into a specialized application which is programmed to look for web sites to hack. A modern way of doing this is with a large number of previously infected private computers called “bot nets.” These bot nets are remote controlled by a single hacker. The bot nets are able to attack a single site from lots of different IP addresses (the hacked computers), reducing the chances of being discovered and blocked by the server’s firewall. Conversely, a single IP address that continuously fails to log in is easy to discover and would be blocked fairly quickly.
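The difference the paragraph above describes, as an added example that is not part of the original post: a per-IP failure count catches the single noisy address, but a bot net spreading one failure per IP across many machines only shows up when failures are counted per targeted account. The log format, the sample lines and both thresholds are constructed assumptions; the IP addresses come from the reserved documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Added example, not from the original post. The log lines are constructed
# in an assumed application format; thresholds are assumptions to tune.
SAMPLE_LOG = """\
2024-05-01T10:00:01 LOGIN_FAIL user=alice ip=198.51.100.7
2024-05-01T10:00:09 LOGIN_OK user=alice ip=198.51.100.7
2024-05-01T10:01:00 LOGIN_FAIL user=admin ip=203.0.113.10
2024-05-01T10:01:01 LOGIN_FAIL user=admin ip=203.0.113.10
2024-05-01T10:01:02 LOGIN_FAIL user=admin ip=203.0.113.10
2024-05-01T10:01:03 LOGIN_FAIL user=admin ip=203.0.113.10
2024-05-01T10:01:04 LOGIN_FAIL user=admin ip=203.0.113.10
2024-05-01T10:02:00 LOGIN_FAIL user=editor ip=203.0.113.21
2024-05-01T10:02:07 LOGIN_FAIL user=editor ip=203.0.113.22
2024-05-01T10:02:15 LOGIN_FAIL user=editor ip=203.0.113.23
2024-05-01T10:02:21 LOGIN_FAIL user=editor ip=203.0.113.24
2024-05-01T10:02:30 LOGIN_FAIL user=editor ip=203.0.113.25
2024-05-01T10:02:38 LOGIN_FAIL user=editor ip=203.0.113.26
"""

LINE_RE = re.compile(r"^\S+ LOGIN_FAIL user=(?P<user>\S+) ip=(?P<ip>\S+)$")
PER_IP_THRESHOLD = 5       # what a simple per-IP firewall rule enforces
PER_ACCOUNT_THRESHOLD = 5  # distinct source IPs aimed at one account


def failed_logins(log_text: str):
    """Yield (user, ip) for every failed-login line; ignore everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("ip")


def flag_noisy_ips(log_text: str) -> dict:
    """IPs whose own failure count reaches the threshold (single-source attack)."""
    counts = Counter(ip for _, ip in failed_logins(log_text))
    return {ip: n for ip, n in counts.items() if n >= PER_IP_THRESHOLD}


def flag_targeted_accounts(log_text: str) -> dict:
    """Accounts hit from enough distinct IPs that no per-IP rule ever fires."""
    sources = defaultdict(set)
    for user, ip in failed_logins(log_text):
        sources[user].add(ip)
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= PER_ACCOUNT_THRESHOLD}


if __name__ == "__main__":
    print(flag_noisy_ips(SAMPLE_LOG))          # {'203.0.113.10': 5}
    print(flag_targeted_accounts(SAMPLE_LOG))  # {'editor': 6}
```

In the sample, the "editor" account is never flagged by the per-IP check because each bot fails only once; the per-account view is what exposes the distributed guessing.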