When you’re setting up a new site, migrating, or upgrading your brand’s existing website, security is likely to be low on your priority list. It’s not uncommon, given everything you’re juggling to get a site online.
The unfortunate truth is that small- to mid-sized businesses, even startups, have every reason to be just as concerned about security as a globally-operating enterprise brand.
You may see headlines focusing on data breaches for brands like Target and Sony, but that’s only because startups and small operations don’t carry enough reach to warrant news coverage. The statistics paint a much different story from the media. In fact, some 43% of cyber attacks are aimed at small businesses, which include everything from network breaches to website code injection, compromised mobile applications, and more.
And when network and website security are breached, it can take most businesses an average of 197 days to detect it.
A lot of damage can be done in that time frame, which is why Cybercrime losses continue to mount. According to data shared by Trustwave, roughly $600 billion is lost each year.
As eCommerce sites typically deal with secure consumer data, the loss from a breach can be significant. Don’t think you’re safe just because you operate a less complex website. Even for a traditional business site you may still be using plugins or applications that handle basic user information including login credentials.
The 2018 Trustwave Global Security report found that 100% of web applications tested displayed at least one security vulnerability, with 11 vulnerabilities as the median number per app.
Why Sites Get Hacked
The most important thing to keep in mind with website security is that hackers typically don’t choose which site they’re going to hack.
While a select few may target a specific enterprise brand or government website for the challenge, or over a matter of hacktivism (related to religion, nationalism, anti-globalism, human rights etc. where public-facing content is defaced), in most cases the websites they choose to hack are done at random.
In virtually every case, hackers use scripts that broadly search websites for common vulnerabilities. And, unless they’re specifically looking for a challenge, they’re more likely to take the least challenging vulnerabilities in order to gain quick access.
“Over the past three years, more than 3/4 of websites scanned contained unpatched vulnerabilities,” according to a Symantec study, “one in seven (15 %) of which were deemed critical in 2015.”
When they scan for vulnerabilities, they aren’t making distinctions between the size or age of the business.
What makes so many small businesses likely to stick out and become targets, is that small business owners don’t typically make security a priority. They also don’t have the budget to maintain an IT division capable of regular monitoring or maintaining updated, secure systems, unlike large enterprise brands.
Most hackers, according to Chris Eggleston, are looking for three things when they attack a website:
- High-jack your SMTP server. They upload a script that uses your relay server to send spam email to hundreds of emails every day. Until your hosting provider shuts down the relay server.
- High-jack your website traffic. They will redirect traffic coming from search engines to their money maker websites. These sites will be branded with your colors and logo, so that visitors think they in the right place.
- Distribute Malware. Have you ever visited a website to have a message pop up that says you need to update your Flash player, and when you click on it, you end up with a virus on your computer? That is one way that the virus gets delivered, from hacked websites.
By understanding how security is compromised, and what hackers are looking for, you can better understand the security technology used by hosting providers and what you can do to improve the security of your own website.
How Security is Typically Compromised
Security vulnerabilities are common among web applications, and if you think you’re in the clear, you should check the apps you’re using to do business – especially those integrated with your website. An example of web applications small business owners use includes:
- Web analytics tools
- Writing and grammar applications and plugins
- SEO plugins and applications
- Email integration apps
- 3rd party social integration applications
- Productivity applications
- Communication applications like chat and contact forms
And a vast selection of others, each with the potential for vulnerabilities that could compromise your website security.
Here are some of the most common vulnerabilities in websites:
SQL Injections – injection of code that grants access to or corrupts database content, allowing the attacker to read, write, or otherwise alter data.
Cross-site scripting – also known as XSS, this method allows attackers to run scripts in your browser that can hijack the browsing session, alter website content, and redirect the user to any chosen destination.
Broken authentication – poor session management and broken authentication makes it easy for hijackers to take over an active user session and assume the identity of the user.
Misconfigured security – when security misconfigurations occur a hacker or hijacker can gain access to all manner of private data or features up to and include a completely compromised website or network.
While these are some of the more common vulnerabilities, there’s a lot more than can happen. Thankfully, there’s also numerous ways reputable website hosting companies actively work to keep your website and the hosting servers safe from hijacking and intrusion.
The Best Servers for Website Security and Keeping Data Safe
While the concept of hosting is simple – a company grants you space in order to store files and data displayed to the public as a website – it can become a bit more complex when you start dealing with the security of your data.
It’s true, hosting companies go to a great deal of effort to ensure servers and websites remain secure. However, there is a fine line between where your responsibility for security ends and where the responsibility of the website hosting company begins.
That can change depending on the hosting environment you choose.
Website Security and Shared Hosting
Shared hosting is the most common, frequently used hosting platform for many startup websites and small businesses. They’re more cost effective and easy to setup. One reason for the cost savings, is the website hosting company grouping a number of websites on a single server.
Hence the name “shared.”
This shared setup has continued to fuel myths calling out the platform as an insecure hosting environment. Truthfully, shared hosting is a solid and affordable option for many people hosting anything from personal hobby sites to business websites. As long as you work with a reputable host that understands website security, you have little to worry about – at least on the side of the host.
You’re still responsible for what you do within your hosted space, including the applications you install, scripts you run, and some basic configuration.
Website Security and Virtual Private Servers (VPS)
VPS environments are often favored when it comes to security, but if you look closely at those in favor of VPS, it’s typically the IT crowd, like professional network administrators. VPS can be more secure than a typical shared hosting plan or self-hosted website… but only if you have the budget to invest into someone with the technical knowledge.
Without a knowledgeable, reliable system administrator (or a good working knowledge of your own) you can open yourself up to a lot more vulnerabilities with a VPS.
The benefit of VPS is that they offer far more security options and variations in configuration – but that’s only useful if you know what you’re doing.
Shared Responsibility – How Data Centers Reinforce Website Security
Data Centers are essentially the technology backbone for web hosting companies. These locations exist throughout the world, with many companies operating their own or leasing space within multiple data centers.
Data centers can range from small operations with minimal infrastructure and space due to small server needs (think small enterprise with a private data center) to massive warehouse structures with rows of servers (Google’s data centers and Amazon Web Services come to mind.)
And when you store a significant quantity of hardware, processing and managing a perpetual flow of personal and proprietary business data, there are certain steps necessary to keep everything safe and secure.
While the website owner is responsible for their designated space within a server, the data center goes to great lengths to manage the physical (and digital) security and safety of the servers themselves. This includes:
- Environment controls that keep equipment operating at a safe temperature. A room full of electronics will generate a significant amount of heat which can damage components if they’re not kept cool.
- Backup power supplies that keep servers operating, even when the power grid goes down for unexpected reasons. These keep servers running and guarantee uptime until power is restored.
- Surveillance systems for monitoring the interior and exterior of the data center as well the activity of everyone on site.
- Metal detectors and weight monitors in server access rooms to ensure hardware doesn’t enter or exit without approval.
- Mantrap rooms that use a combination of biometrics, security access, single-entry doors (one person at a time), guards, and surveillance to ensure access is limited to the data center. (Google uses similar security and fewer than 1% of employees ever see the inside of the data center)
- Server cages are used within data centers to enclose and protect specific servers or groups of servers, segregating sensitive data and equipment from non-sensitive data. These cages sometimes include CCTV surveillance for additional monitoring.
- Architectural security is often considered in construction to reinforce the facility itself which can often include bulletproof glass, severe weatherproofing, vehicle-restricted buffer zones, high-impact crash barriers, and extensive fire suppression systems.
Data centers take physical security seriously to dramatically mitigate the risk of physical attack, damage, and possible threats on site. But that still leaves the question of the most common and obvious threats and vulnerabilities to website security: hacking and software-based attacks.
Here’s how website hosting companies and data centers work to keep you safe on the digital front.
Common Website Security Features and Security Concerns
When choosing a hosting provider, keep in mind that no single security feature will make your hosting platform any more secure than the next. Instead, it’s the cumulative protection provided by a wealth of features that contributes to the highest level of security for your website.
These are the features you ideally want offered and some core security concerns that should be addressed by the hosting provider.
Firewalls are software designed to monitor and filter activity before it reaches the web server. When configured, a set of rules is created and applied to all incoming and outgoing traffic in order to protect the systems and data.
Firewalls work through one or more methods including filtering (analyzing all data being passed through the firewall against a set of filters), inspection (inspecting incoming data to a site against a database of trusted information where approved data passes), and proxy (captures unapproved or bad traffic before it hits your site).
It’s common for a single firewall to be configured to apply to an entire server with shared hosting, so individual hosting accounts have virtually no control over firewall configuration. It’s possible with some hosting plans to upgrade to a dedicated firewall, which would let you create specific rules dictating who can (and cannot) access your website.
Data Backup, restore points, and redundant hardware backups
Even with carefully managed site content, any manner of incidents, including a malicious attack, could lead to a loss of data. It’s ideal to find a website hosting company with a selection of options when it comes to backups.
Automated and manual data backups are standard for virtually every web hosting company, providing a rolling backup of the current version of the site. In addition to those backups, a string of restore points gives you a point of jumping back to a prior version well before a breach occurred – useful if it’s been some time since an intrusion.
Redundant hardware backups are extra server banks carrying a mirror of the current versions of live servers and are integrated so, that in the event of a server failure the traffic can be instantly routed to a redundant backup to avoid downtime and minimal data loss.
Performing any kind of update or site maintenance can leave your entire website vulnerable to attack, especially if you’re installing and testing new applications or making adjustments to a script. A sandbox or dev environment gives you a safe way to test all changes in a live (but not public facing) environment rather than making changes directly to the files accessible to the public (and potential hijackers/bots).
User access and password controls
It’s common for hosting platforms using software like cPanel to offer various levels of user access control and password management. Since these user accounts give various levels of access to the core files of your website, they should be reserved for members of your team.
Depending on the nature of your site, you may also have user access setup for customers, subscribers, and guest authors each with their own private passwords to gain access. Since user access can vary from simple content posting rights to unrestricted file access, you’ll want to set the bare minimum permissions required for any specific role.
It’s a good rule of thumb to create a password policy depending on the types of accounts you create and the number of other users. For example, accounts that can have far more impact on the operation and public-facing appearance of your site should have far stricter guidelines and much more complex password requirements.
You should consider using a password manager for all user accounts to improve website security, especially if you’re working with multiple employees or contractors with access to your website. A password manager eliminates manual password creation, which can often result in employees choosing weak passwords or reusing passwords across multiple platforms and accounts.
The primary benefit of a password manager is the ability to generate strong, complex passwords while also storing those passwords in an encrypted vault.
Your website hosting company may provide or recommend a password manager. If not, there are several trusted applications available that are secure and won’t store password data in the cloud.
User access and passwords are the client’s responsibility, so careful and regular monitoring of user accounts is as important as the initial configuration.
These certificates are small data files that are registered and bound to a domain and the organization’s details. When activated and configured on a website, it activates the https protocol (as opposed to http) which allows a secure connection to be established between the server and the user’s browser.
Through that secure connection all data is encrypted, especially sensitive information like consumer credit card data, personal contact information, proprietary files, and more. While SSL certificates aren’t required for most websites, Google’s Chrome browser has begun displaying messages that a site is not secure if the website includes any kind of form to submit data without a legitimate SSL certificate.
For eCommerce sites, SSL is a necessary security component. Not only does it ensure the encryption of sensitive information, it’s also required for PCI compliance, a requirement of merchant processing companies if you want to accept credit card payments online.
Google has stated that a secure website with appropriate encryption (an SSL certificate) is now a ranking signal. That means part of Google’s core algorithm used to determine the visibility of your website in search includes whether or not your site has a valid certificate. Without one, it’s possible for a website with an SSL (like a competitor website) to outrank you in the search engines.
DDoS, or Distributed Denial of Service, is a method used to send an overwhelming volume of traffic/data to a website in the shortest span of time possible. This data overload prevents the server from processing incoming traffic and can take an unprotected website or server offline.
A reputable and reliable hosting provider will provide documented DDoS protection. With this protection in place, the server can monitor and filter DDoS traffic so, that all subsequent hits from the DDoS attack are captured and rejected from the server while other legitimate traffic is allowed to pass through normally.
Content Delivery Networks
Content Delivery Networks (CDN) are the invisible backbone of the web and are used to deliver content at much faster rates, particularly across large distances. For example, if you have a website hosted on a server stationed in the U.S., it would take significantly more time for a user in the UK to load your website clear across the Atlantic compared to another U.S. consumer just a few cities or states away.
Content Delivery Networks are set up around the world, caching website content and offering a volume of benefits to website owners, including:
- Greatly improved page load times especially for international traffic;
- Improved load processing since traffic is split among the CDN rather than all traffic hitting the main server;
- Localized coverage in other countries without additional hosting costs;
- Reduced bandwidth consumptions thanks to improved load processing.
As far as website security, CDNs also provide an additional layer of protection against DDoS attacks. Your website hosting provider may provide CDN services in partnership with other providers and you also have the option of setting up your own CDN access directly with 3rd party CDNs.
Brute force detection
A brute force attack is a method hackers use in an effort to gain access to a server through an authentic login with legitimate access. Rather than try to locate vulnerabilities, the attackers will use automated software that runs through a massive number of consecutive guesses (username and password combinations) in an attempt to gain access.
Hosting providers typically offer brute force detection to monitor for these types of rapid username/password combination submissions. There are also steps you can take at the user level to help prevent brute force attacks, mainly through better password control.
Strong, lengthy passwords with a high variation in letters and numbers can be extremely helpful.
There are also applications or plugins that can be installed into content management systems like WordPress that limit the number of login attempts permitted. Other precautions that may be available beyond detection include:
- Lockouts after forgotten password attempts;
- Increasing the amount of time an account is locked out;
- Locking individual user accounts;
- Preventing your site from revealing when a username is valid in login errors;
- Automatically block attempts to register or login as specific usernames if they don’t exist, like ‘admin’ or ‘info’.
Multifactor authentication is the process of increasing the steps required to log in, where those additional steps involve tightly controlled applications for verification. In the ideal setup, only the original account owner for a specific username would have access to the second level of authentication.
For example, a website administrator has two-factor authentication configured on a site. Any time they attempt to login with their username and password, the system will generate a text message sent to the mobile phone on record for that user. That administrator then needs to provide the unique access code generated for that session only to gain access to the administrative dashboard.
Web servers work similarly to a home PC; both utilize an operating system to run. And just like a home PC, a web server (and the sites/files on the server) are susceptible to attack from viruses and malware. While some can be relatively harmless, most viruses and malware are developed for malicious intent and designed to spread far and fast.
Thankfully, antivirus and malware scanning has become standard for most website hosting companies. Ideally, you want a hosting provider who performs daily/regular antivirus scans along with active monitoring. If possible, find out if scans can be run manually and, if infected files are found, what are the next steps in removal. Your hosting provider may offer a support plan that involves removing malware, though cleaning infected files may fall on the responsibility of the site owner (you).
Keeping your website secure
While your web hosting provider and data centers put in a great deal of effort and expense to keep your data secure, it’s clear that some of the responsibility falls on you to ensure your data (and the private data for your customers) remains secure.
Recapping the above, once you’ve chosen the best website host for your site, here’s a rundown of what you should do to improve protection:
Patch outdated software – Whether you have a custom site or a content management system like WordPress, you need to keep all scripts and software up to date. Patches often address security concerns found in older versions and if you fail to update, you leave your site vulnerable to attack. Make sure plugins, extensions, applications, shopping carts, and even templates are included in regular updates and site maintenance to reduce vulnerabilities.
Create a password policy – A strong password policy is the key to avoiding intrusion from brute force attacks. Your policy should address a number of factors including the length and complexity of passwords (10 characters, letters and numbers, special characters, caps), how often passwords are changed/updated (i.e. every 90 days), how passwords are stored (especially with mobile devices), etc. Make sure this password policy is strictly maintained throughout your business.
Use domain privacy – While domain privacy may not seem like a critical security issue, the less information an attacker has the better. Domain privacy masks the whois data for a website, including personal contact information and location data, all of which could be used maliciously.
Install anti-virus software – Your local computers should all be equipped with anti-virus software in order to protect your data and your website. This software can prevent malicious programs like keyloggers and trojans from giving hackers access to your business systems where proprietary information is stored.
Audit your site for vulnerabilities – Since websites often feature custom code in various forms, it’s a good idea to perform regular audits on your site. This doesn’t need to be done manually. There’s no shortage of software and tools online that can be used to scan your website for vulnerabilities. Keep in mind that no tool is 100% reliable; the best approach to security audits is to work with a professional who can provide a detailed review of your site and explain the steps you need to take to secure your website.
Do manual backups – Reputable website hosting companies provide automated backups, but never trust in the system to keep your data secure. Create a schedule for regular manual backups of your site data including databases. Your hosting provider should offer an option within your hosting control panel to create manual backups. Once you have a schedule created be sure to stick to it.
Use AVS and CVV – For eCommerce websites, you want to take every extra step to maximize security, especially when it comes to consumer data. Be sure to include an Address Verification System (AVS) and Credit Verification Value (CVV) fields in your checkout. With AVS and CVV, fraudulent attempts are far less likely to succeed, since the purchaser will need to have complete address information as well as the code on the backside of credit cards in order to complete the purchase.
Just because you operate a small website, doesn’t mean you won’t have to worry about hacks, hijacks, or intrusion. The traffic to your website, customer data, and your connection to other users are all valuable to hackers – and that makes any website a potential target.
Choosing the right hosting provider offering a robust suite of security features in combination with proactively securing your website and data, are the best ways to mitigate risk, close vulnerabilities, and protect your business website.
Do you keep your website secure? What kind of precautions do you take?