Every once in a while I get questions about securing websites against attack. Since I haven’t addressed this question publicly before, now might be as good a time as any to devote a few paragraphs to it.
I should make it clear at the outset that this article does not address the needs of people who host their own Web servers — that’s an entirely different level of complexity. What follows is aimed solely at individual Webmasters who pay a Web hosting company to host their website for them.
Know also that, for a very good reason, I won’t be going into any fine detail. Your website might be hosted on a Web server running any of a number of different operating systems, and with an almost infinite number of possible facilities available and restrictions enforced.
What I hope to achieve with this article is to get you thinking about the security of your website, point out a few things you should be doing and, if what you need to do isn’t obvious, get you talking to your Web host support people. You have every right to ask them for details of what safeguards and policies they have in place to protect you from a worst-case disaster. A Web host who will not discuss your website security concerns with you in detail is not a Web host you should be trusting your business to.
Now, it’s important to understand that security of a website is essentially security of a computer that you don’t have any control over, so in effect you have to rely on the competence of the people who control the Web server.
As a customer who is hiring space on someone else’s computer, about the only control you have is to take the time and do the research so you select a provider who can demonstrate the necessary competence and professionalism, and whose support technicians suffer from a healthy degree of paranoia.
Someone else addressing this topic might want to talk about the importance of not running unsafe scripts on your website and stuff like that. But such things shouldn’t really be your concern. There is just far too much fairly complex stuff that you need to know in order to be able to sort such things out yourself, and thus lock up a Web server to the point where there is an acceptable balance between safety and usability. All that stuff should be left to the server technicians. It is they who should have policies and mechanisms in place that determine what their customers can and cannot do/run, in the best interests of all concerned.
Frankly, I wouldn’t want to give my business to any hosting company that gave me a lot of control over the Web server. The more control there is in the hands of the customer the more vulnerable the server is to malicious interference.
So in short, from your perspective, website security comes down to researching and choosing the right host.
But one thing you can and must do for yourself is be responsible for backups. You should not rely on the Web service provider for backups of your own websites. Make your own backups on a regular basis and keep at least several versions of the backup over time. It’s not unusual to see website owners taking regular backups of their site by overwriting the previous backup. It doesn’t take much reflection to realise how silly and self-defeating that policy is.
Many hosting companies provide an easy way for you to initiate your own backups from their servers, and download the resulting file to your local computer. Storing a copy locally is very important; after all, if the server gets nuked so do any backup copies stored on it! Depending on the value you place on your website, you may want to go one step further and burn each website backup to CD/DVD, and ideally store that media in a place remote from your computer — preferably off-site altogether.
Another way to back up a website is to use an FTP program. Just using straight FTP file transfer you may be able to download a copy of the entire site to a folder on your local computer. I say “may be able to” because with garden-variety file transfer it’s always possible that you may run into file-in-use problems. That is, a file can’t be copied from the server to your local PC because it is currently open on the server. Whether this can happen or not depends on many factors, but suffice it to say it is a possibility under certain conditions.
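The versioning policy described above (never overwrite the previous backup; keep several dated copies) is simple to automate once the site has been downloaded locally. The following is an added example, not code from the article: a POSIX shell script that archives a local copy of the site into a dated tarball, records a SHA-256 checksum so the copy can be integrity-checked later, and prunes to the newest N archives. The directory names, the `site-` prefix and the default of five retained copies are assumptions.

```shell
#!/bin/sh
# Added example (not from the article). Assumes the site has already been copied to a local
# directory (via FTP or a downloaded cPanel backup) and that tar and sha256sum are available.
# Usage: backup_site /path/to/local/site /path/to/backups [keep] [stamp]

backup_site() {
    site_dir="$1"; backup_dir="$2"; keep="${3:-5}"
    # Timestamp in the file name: names sort chronologically, and nothing is overwritten.
    # An explicit 4th argument can override it (useful for scripted runs within one second).
    stamp="${4:-$(date +%Y%m%d-%H%M%S)}"
    archive="$backup_dir/site-$stamp.tar.gz"
    mkdir -p "$backup_dir"
    # -C so the archive holds paths relative to the site root, not the local absolute path
    tar -czf "$archive" -C "$site_dir" . || return 1
    # Checksum stored beside the archive; verify_backup uses it to detect later corruption
    ( cd "$backup_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) || return 1
    prune_backups "$backup_dir" "$keep"
}

# Delete everything but the newest $keep archives (and their checksum files).
prune_backups() {
    backup_dir="$1"; keep="$2"
    ls -1 "$backup_dir"/site-*.tar.gz 2>/dev/null | sort -r | tail -n "+$((keep + 1))" |
    while read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# Return 0 if the archive still matches the checksum recorded when it was made.
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 )
}

# Number of retained archives, for reporting and for checks.
count_backups() {
    ls -1 "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}
```

Run it from cron or a scheduled task after each download, and copy the resulting archives to removable media or another machine, since a backup kept only beside the live copy is lost with it.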
A better alternative with many FTP programs is to use an inbuilt backup function. My FTP program of choice, CuteFTP Professional, offers such a backup feature through the menu options: Tools -> Folder Tools -> Backup Remote Folders. Similarly, Backup Local to Remote from the same menu sequence can be used to restore a backup to the server.
Webmasters whose sites are hosted on Linux servers should ensure they are familiar with the operation of cPanel, which also offers backup features, including the backup of any MySQL databases that the site may be using. For example, all blogs based on the WordPress platform use a MySQL database, as do many custom-built “conventional” websites. cPanel is probably the safest way to ensure that you have a backup of the database component of your website.
Finally on the topic of website security, there are the specialist companies offering a variety of Web security services, but fair warning: owners of non-commercial websites, or even of smaller commercial sites, may be driven off by the price of many of these services.
I’m not in a position to make any recommendations as far as the professional services are concerned; you’ll have to make your own assessment as to their value and efficacy. However, there is a wealth of material available via the search engines — search terms such as “website security” and “hacker safe” (without the quotes) should give you plenty to think about. As well as visiting their websites, you might also do searches on the names of the services listed towards the end of this article, to see what other people are saying about them, instead of just what they’re saying about themselves.
Apart from their value (or otherwise) in enhancing website security, another consideration is the perceived value of such services in the eyes of a customer or prospect visiting your website. Invariably the implementation of one of these services on a website is indicated by a distinctive logo. It is an old and endless debate among Webmasters as to whether or not the prominent display of one of these protected-website logos has a positive effect on buyer confidence. If you believe it does, then the cost may be justified on those grounds alone, quite apart from any security enhancement. My own opinion is that any effect on your website visitors is going to be website- and market-dependent. Testing is really the only way to get a definitive answer for your particular situation.
Of course the biggest advantage of using one of these services is that they constantly monitor your website and can report anything “funny” they might find, or any changes made. In the absence of such a convenience, the onus is on you to regularly check the integrity of your website manually.
In no particular order, here are just a few of the better-known providers of website security services:
So I hope I’ve made it clear that the most important factors in maintaining the security of your website are:
- Choose your Web host carefully;
- Pay close attention to regular backups;
- Review your website regularly to make sure there’s nothing “funny” going on. This is where the commercial services mentioned above can make your life a lot easier.
not enough detail
Hi Bill:
Thanks for providing another thought-provoking “Bill Hely” article! Web security is indeed a topic that gets my attention. I know you’re using WordPress at present, but how do you feel about Joomla (my preferred platform)?
I guess, we could agree to differ, yet I think the 3 “important factors” you’ve included at the end of your article are certainly bang on target.
Nevertheless, I would add one more to your list: be careful of any add-ons you may install, since any that have been coded badly can provide an open door to trouble.
The core code that drives web content management systems like WordPress or Joomla can, with the latest updates installed, be as secure as possible. Yet all you need is one add-on that isn’t so robust and trouble can follow.
One final thought, I would say a website is only as secure or strong as its weakest link, so a bad or weak script can offer a way in to hackers.
Makes me go all nostalgic for the old days of “simple” HTML (if there ever was such a thing).
Thanks for the info. I would also be interested in information on securing blogs that use WordPress. It seems like I read all the time about someone’s blog being hacked due to some sort of exploit that has nothing to do with the host, but rather WordPress itself. Even upgrading doesn’t stop it completely.
I’m looking at purchasing a couple of guides that explain what types of changes to make to your blog to minimize the chance of getting hacked. If you have (or will be making in the near future) something that covers this, I will also consider your product. Thanks!
Lance
Although sparse on specific detail, this article is useful and important for the reason that the big majority of Web site owners aren’t aware that they should be taking any security precautions at all on their own behalf.
If the article jogs Webmasters into realising the possibilities then it has served its purpose.
@mick deacy: The author explained in the article why he wasn’t going into fine detail. There are just too many variables involved. While HTML/PHP coding in Apache on Linux is doubtless the most popular website platform, it’s far from being in universal use. For example there are millions of websites hosted on Windows Server alone, and that’s not even considering all the different programming languages that can be used. The how of applying security to a Web server depends on the nature of the individual server itself and, again as was stated in the article, very little of the server configuration is accessible by the average website owner/customer of the web hosting company.