It seems almost every day there’s a story in the news about the latest hacked website. Most think it will never happen to them — until it does. At any given point, hackers could be checking out your website for anything they can compromise to use your site and/or server for their nefarious activities. If you don’t want to fall prey to their tactics, it’s crucial you perform a website security audit.
Before we talk about website security audits, let’s look at how your site can be compromised. This will give you an idea of what you are up against and the importance of monitoring your website.
The 6 most common forms of attack
The most common threat, malware, is an overarching term that covers viruses, worms, Trojan horses, ransomware, spyware and more. Malware can erase all your data, steal customer information, infect your visitors — the possibilities are nearly endless.
Distributed Denial of Service (DDoS)
A DDoS attack can bring down your site by overwhelming it with a flood of automated traffic. And every minute your site is down, you’re losing customers and sales.
This is where an application cycles through every possible password combination until it finds one that works. From there, hackers can access your system, steal sensitive data, and do pretty much whatever they want.
With injection flaws, a hacker sends malicious data as part of a command or query that tricks the site into doing something it shouldn’t, such as giving the hacker your entire customer database.
Commonly abbreviated as XSS, cross-site scripting sends user-supplied data to a web browser without validating it first. Hackers use these flaws to hijack users away from the site or deface it, costing the site owner to lose business.
This is an attack that’s launched as soon as a new vulnerability is discovered, before a patch is made available. While these are impossible to predict, you can invest in a Website Application Firewall (WAF) that will virtually patch your site within moments of a zero-day attack being disclosed.
It’s important be proactive and put a process in place to protect your website.
Many make the incorrect assumption that just because they might not have “data,” they aren’t worth hacking. But that’s not the case. Every website is full of scripts, backed by a server ready to run new scripts that could be uploaded without your knowledge.
By performing a website security audit, you can protect your site by identifying vulnerabilities in danger of being compromised. Much better to nip that in the bud before you notice Google has marked your site in search results as having malware. Gut level panic then sets in as you frantically seek out someone to hire to get your site restored and cleaned.
How to conduct a website security audit
- Update your scripts and applications.
- Ensure your domain and IP are clean.
- Use strong passwords.
- Delete abandoned user accounts.
- Add an SSL.
- Use SSH.
- Run a security scan.
Depending on your setup and infrastructure, a website security audit can get pretty technical. Today, we’re just going to cover the basics you can do yourself to make sure your site doesn’t have a “Welcome” sign hung out for hackers.
1. Update your scripts and applications
Make sure all your scripts and applications, such as WordPress and plugins, are up-to-date and current. For more on WordPress-specific hardening, read “How to secure your WordPress website.” When you receive notices of updates being available, set aside the time to update as soon as possible. Hackers seek out-of-date versions to take advantage of vulnerabilities the latest version corrected.
2. Ensure your domain and IP are clean
Check to see if your domain and IP are clean and not blacklisted. MxToolbox is a great option for quick checks. Since IP blacklists typically aren’t governed by a single source, you might have to contact a few places in order to have the blacklist removed (assuming you are being blocked, that is).
3. Use strong passwords
It might come across as a no-brainer, but strong passwords are a must. For your personal user account, other users’ accounts, hosting dashboard and FTP access — all of them need to be secure. Forget pet and spouse names, and for goodness sake don’t use “password.” The more difficult the better. Consider using a password generator tool to come up with some good ones.
4. Delete abandoned user accounts
Delete any abandoned user accounts, and never share login credentials. Always create logins for new users that you can then rescind when no longer necessary. Here’s how to safely share user access to a WordPress site.
5. Add an SSL
Do you have an SSL in place? If not, why not? An SSL will encrypt the data between site visitor’s browsers and your website. This is especially important if you have user logins and do in fact store sensitive user data. However, an SSL is not just for eCommerce websites — it is now a standard operating procedure for all websites.
6. Use SSH
“The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).”
The last thing you want is for someone to intercept your login credentials and then have their way with your server!
Editor’s note: If you’re using a site builder like GoCentral, then SSH isn’t something you’ll have to worry about. You’re in the clear!
7. Run a security scan
Run a security scan of your website. Sucuri’s SiteCheck scanner will check your website for known malware, blacklisting status, website errors and out-of-date software. Or, you can get a jump on the game and go with GoDaddy’s Website Security for both a scan and removal of malware.
Pretty easy, right? Don’t let other day-to-day business tasks overshadow the importance of running a website security scan. The above are not end-all-be-all tips — just the basics — but if you perform them regularly, your site will be in much safer hands.
An ongoing security solution
Malware doesn’t take a day off. The day after you do a check and get a clean bill of health, your site could get infected. That’s why services such as GoDaddy’s Website Security handles all this for you for a small monthly fee.
Using a service that does all that daily monitoring for you will minimize any potential downtime. With the added benefits of malware prevention and removal, and Google blacklist monitoring and removal, it really is a no-brainer. It also includes:
- Ongoing scanning and removal. GoDaddy will scan your site daily. Not just on the front end where customers could get infected, but also at the server level where infections can cost you valuable resources.
- Advanced security monitoring. Malware isn’t the only thing threatening your site. GoDaddy will monitor related services (DNS, WHOIS, SSL) to ensure visitors aren’t redirected to another site or tricked into giving their private information.
- Malware prevention. Stop malware before it gets a chance to infect your site. GoDaddy’s Web Application Firewall (WAF) intercepts and inspects all incoming data and automatically removes any malicious code.
Whatever you decide to do, make the choice that fits your schedule and leaves your site secure. If you’ve got time to perform regular backups, then great. If not, an automated service might be your best bet. Either way, your business reputation and customers are depending on it!
Also published on Medium.