
8 Ways to Secure your Business Website

In this article we discuss why securing your website matters, to protect it from hackers and cyber criminals. First we look at why you might be the target of a cyberattack and why you need to be secure, and then we cover the methods for protecting and securing your business website.

Reasons to attack

The reasons cyber criminals might attack your website vary; it might be just to prove their power and your business’s weakness. If your business website holds valuable information or has monetary value, such as an online shop, they might want to take control of it to steal information or divert your sales to themselves. If your brand has enemies, beware: they may be trying to get back at you for revenge. Whatever the reason, you should find the holes in your brand’s defences and, first of all, secure your business website.

Why you need Security

When your website is hacked, the first things you will lose are your reputation and your business revenue. If you hold user information on your website, your customers will lose trust in you, as hackers can steal their information too. Also, your domain might become blacklisted, which takes a lot of time and energy to clean up. So just as you protect your physical business office with CCTV and other types of theft protection, you should act to secure your business website too.

How to Secure

1- Web Hosting

One of the most important ways to secure your website is to host it with a secure hosting provider. For WordPress sites, we recommend a managed WordPress host like Siteground. For a normal business website, the GrowBig plan is a great place to start. It includes automatic WordPress core and plugin updates, and the PHP server and MySQL database are also kept up to date. This plan also offers security scans, as explained in point 7 of this article. Not using secure hosting is like leaving your wallet on the sidewalk for passers-by to pick up if they feel like it. The hosting provider is the main container and security wall around your website, so think twice when you purchase your business hosting.

2- Admin Area

Nowadays technology has advanced so much that you can tell the platform of a website just by installing a browser plugin like Wappalyzer. So if anyone can tell your website’s technology through such plugins, or through the structure of your website URLs, they can find the backend URL as well. Hackers know that the default backend URL of a Joomla website is /administrator, of a WordPress website /wp-admin, and of a Drupal 8 website /user/login. To secure your business website, you can change your backend admin area URL to another phrase that cybercriminals can’t guess easily. As an extra measure, you can disable directory and file browsing through your .htaccess file as well.

3- Passwords

Be careful what kind of passwords you use for your backend admin. To truly secure your business website, use passwords of more than 8 characters that combine lowercase and uppercase letters, numbers and symbols. You can use online password generators like this one or this one to create strong passwords. Also, do not use the default “admin” as your username.

4- Login Attempts

Limit the login attempts on your website backend, so that cybercriminals using the brute force method cannot get in. Brute force attacks are a trial-and-error method in which automated tools submit guess after guess until they find your username/password. You can limit login attempts with plugins like Login LockDown for WP.
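A minimal login-attempt limiter of the kind this point describes, added here as an example; it is not code from the article or from the Login LockDown plugin, and the thresholds, IP addresses and attempt log are assumed values constructed for illustration. It counts failures per account and per source address, and the sample run also shows the trade-off of a per-account lock: the real owner is refused as well until the lock expires.

```python
from collections import defaultdict, deque

# Assumed policy (not from the article): lock a key after 5 failures within
# 10 minutes, for 15 minutes. Timestamps are seconds supplied by the caller.
MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS = 5, 600, 900


class LoginLimiter:
    """Failed-login counter keyed per account and per source address."""
    def __init__(self):
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lock expires

    def allowed(self, username, ip, now):
        """True unless the account or the address is currently locked."""
        return all(now >= self._locked_until.get(key, 0)
                   for key in (("user", username), ("ip", ip)))

    def record(self, username, ip, success, now):
        """Update counters after the password check ran."""
        for key in (("user", username), ("ip", ip)):
            if success:                        # a good login clears the slate
                self._failures.pop(key, None)
                continue
            q = self._failures[key]
            while q and now - q[0] > WINDOW_SECONDS:   # drop stale failures
                q.popleft()
            q.append(now)
            if len(q) >= MAX_FAILURES:         # threshold hit: lock this key
                self._locked_until[key] = now + LOCKOUT_SECONDS
                q.clear()


def replay(attempts):
    """Return 'ok', 'fail' or 'locked' for each (time, user, ip, password_ok)."""
    limiter, decisions = LoginLimiter(), []
    for t, user, ip, ok in attempts:
        if not limiter.allowed(user, ip, t):
            decisions.append("locked")         # refused before any password check
            continue
        limiter.record(user, ip, ok, t)
        decisions.append("ok" if ok else "fail")
    return decisions


# Constructed sample: five wrong guesses at "admin" from one address, the right
# password from that address and from the owner while locked, then the owner again.
ATTACKER_IP, OWNER_IP = "203.0.113.7", "198.51.100.2"
SAMPLE_ATTEMPTS = [(15 * i, "admin", ATTACKER_IP, False) for i in range(5)] + [
    (75, "admin", ATTACKER_IP, True), (90, "admin", OWNER_IP, True),
    (1000, "admin", OWNER_IP, True)]
```

Locking per account stops guessing spread across many addresses but lets anyone lock the owner out; locking per address alone avoids that but misses distributed guessing, which is why both counters are kept.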

5- Backups

If you have great hosting like Siteground, as I mentioned in the first point, it will take automatic backups for you and keep them for up to 30 days. You can also take manual backups of your website with backup plugins like Duplicator or WP-DB-Backup for WordPress. Remember to store your backups in 2 locations, one in the cloud and one locally, to reduce risk.

6- Use SSL

SSL stands for Secure Sockets Layer. By default, a web browser uses HTTP to communicate with a web server and show you a website’s content. If you enter data in a form, such as in an online shop, or any other kind of information such as logins or contact details, that information is at risk. SSL provides a secure channel between the two devices and encrypts the communication. HTTP on its own is insecure and subject to eavesdropping attacks, because the data travels as plain text between the two endpoints. SSL secures the information by encrypting it, protecting it from interception. You can tell a website is using SSL when the URL starts with HTTPS instead of HTTP, and the address bar shows a padlock.

7- Scanners

If you’re using a WP website or another CMS, there are security scanner plugins, such as the Sucuri Security Scanner, which belongs to Sucuri Inc., a global security firm specializing in WP security. This plugin offers security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring, effective security hardening, and much more.

8- Extra measures with WAF

WAF stands for Web Application Firewall: a firewall that controls traffic before malicious traffic reaches your website. A WAF monitors, filters and blocks data packets that could harm your website. It can be network-based, host-based or cloud-based. Sucuri offers a WAF/IPS plan, which can be an extra layer of security on your website, protecting you from evolving threats, DDoS attacks and other forms of hacking.

Let’s Recap

I hope this article gives you an overview of what you need to do to secure your website. If you have a WP website, this article is also a great reference to read more. Let us know if you have any questions or need help securing your business website.

Password may soon be Passé

Read the new article written by Ben Dickson:

The early January theft of more than 320,000 user emails and passwords from cable giant Time Warner gave validation to the argument that simple password authentication is becoming less and less reliable.

But the Time Warner Cable hack is far from being the worst case of identity theft.

In fact, it’s quite insignificant compared to some of the more severe cases we’ve seen in the past year, including the five million user records stolen from toy manufacturer VTech, the 21 million federal employee records stolen from the Office of Personnel Management and the 80 million customer records stolen from healthcare service provider Anthem.

When it comes to stealing identities, hackers seem to have an unlimited stash of weapons, including brute-force attacks, dictionary attacks, phishing, social engineering, man-in-the-middle, key-loggers, password resets from recovery emails and wholesale theft of passwords from databases.

And when hackers gain access to our credentials, they can virtually ruin our entire lives by stealing our information or money, or by defaming us through doxing our secrets or posting profanity and obscenities in our names.

On the other hand, when it comes to protecting passwords, there seems to be no end to the pitfalls that one has to avoid, including weak passwords, shared passwords, unchanged passwords, default passwords… And even if you stay true to all the security best practices, some things remain out of your control, including how committed your provider is to encrypt and protect your credentials on its server.

Don’t Panic Over The Rise In Personal Data Theft

As internet and mobile services continue to rise in power and prominence in our personal and professional lives, so do the dangers and dragons lurking in the darkness of their shadows.

And while yesterday’s science-fiction has become today’s reality, there is cause to be concerned that about every aspect of our lives can be discovered and used in dishonest and malicious ways at the whim of cybercriminals.

Perhaps the most tragic case was the recent hacking of Ashley Madison, in which private lives – and affairs – were caught in the crossfire between a disgruntled employee and the company. The trove of data that spilled across the internet led to the suicide of several victims and the resignation of the company’s CEO, and the episode continues to make headlines in its aftermath.

The massive cyberintrusion in the Office of Personnel Management (OPM) earlier this year taught us that even government-class security gear can fail to prevent information theft. In the attack, sensitive information belonging to more than 20 million U.S. government employees was stolen by hackers with alleged ties to the Chinese government.

The data breach at health insurance giant Blue Cross Blue Shield, which leaked the personal information of more than 10 million people, revealed the darker side of electronic health services, which have otherwise helped revolutionize the health and health service industry.

While Advanced Persistent Threats (APTs) tend to go after corporate and governmental targets, there are also new trends in hackers targeting small businesses and even personal computers and devices rather than going after the big players.

Mobile devices, which have become an inherent part of our lives, are being increasingly targeted by cyber-attacks, and malicious hackers are constantly finding new ways to remotely steal data from phones, listen to calls, take pictures, record voice, or even steal fingerprints. Or they can simply opt to hijack target devices altogether and use them for their own evil ends. And the worst part is that much of it can be done without the victim ever finding out.

And with the advent of Remote Access Trojans, even your bedroom can no longer be considered a private sanctuary, for hackers can take ownership of your webcam and start recording your most intimate activities, which will certainly be used against you in the future.

When they can’t run off with your sensitive information, hackers can target you with crypto-ransomware and encrypt your files and data beyond your reach, either to spite you or to extort you out of your bucks.

Recent research has proven that even antivirus software can be compromised and exploited by hackers, and the simple installation of antivirus programs does not guarantee full immunity against threats.

And while the Internet of Things (IoT) promises to be the next big thing, it will surely trail behind it a host of threats and new attacks. Don’t be surprised if you read about fridges and microwaves turning against their owners very soon.

The spike in attacks against government and corporate networks has turned cyber-security into a vital part of every country’s defense strategy, and officials and agencies are scrambling to shore up their networks against zero-day threats exploited by hackers, domestic and foreign.

Presently, the question is: Should we panic? Should we smash our computers and mobiles to pieces, incinerate the remains, throw the ashes in the sea, and run in the opposite direction to live the rest of our lives as hermits in a clandestine jungle where mankind has never set foot?

The answer is no. The fact of the matter is, the bright side of technological advances is far greater than the evil that trails behind them. The internet and mobile industry have allowed humanity to take leaps in the fields of medicine, science, disaster recovery, democracy and freedom of expression, among others.

Therefore, instead of freaking out and retracing our steps, we must take the necessary precautions to save our personal and corporate lives.

Perhaps the silver lining in all these attacks is that it has raised awareness among companies and governments, and many countries are considering passing laws that bind service providers to protect user data.

Surprisingly, most successful attacks on individuals result from a lack of caution on the part of the victim. Adopting the following basic set of technical best practices can help protect your devices from most threats and vulnerabilities:

  • Regularly change your account passwords, use strong passwords, and avoid using obvious, guessable passwords.
  • Keep your operating system and software constantly patched and updated.
  • Invest in a reliable anti-malware program, both on your PC and your mobile devices.
  • Avoid downloading programs from unreliable sources, or clicking on links in emails coming from unknown senders.
  • If you’re going to store information in the cloud, consider using an encryption solution that will ensure your data remains safe even if the provider is compromised.

Author: Ben Dickson, Software engineer and CTO at Comelite IT Solutions. Contributor to TechCrunch, AppsZoom and CanadaFreePress.

Published by: TechCrunch