What is Web Security?

(Article 4 of 15): This wiki is part of an expert series that discusses important web security standards to weigh before selecting a web hosting provider and which steps to take to protect a website from hackers.  We’re talking ‘Web Security for Dummies 101,’ written for beginners who can’t imagine stomaching a training course, books on the advantages of security testing, or articles about a subject as boring (but important!) as this.  For a condensed version of these tips from a whitehat perspective, download our handbook: Ultimate Guide: 15 Ways to Intelligently Host Your Site Like a Pro.

Hosting on the Internet without web site security is like criticizing the PR department of a Mexican drug cartel. It’s just not a good idea. What else is not a good idea? Pretending your site’s security is someone else’s responsibility until the day you wake up to discover your website is down, hackers have stolen your customers’ passwords and personally identifiable information (PII), a non-compliance fine is imminent, your reputation is hopelessly tarnished, and all of your hard work is achingly gone. Prep the typewriter … because your next excruciating move is to send out the bad news to your loyal customers.

It’s bizarre, but despite the growing threats including ransomware viruses like WannaCry and Petya, most small business owners don’t have a site security management plan when it comes to implementing best practices to protect their most treasured assets: their website and their customers.  Nor do they have the foresight to determine if they’re in good hands by having clear visibility into their web host’s security strategy (or, as it turns out, lack thereof).

So let us consider a checklist of all the powerful fundamentals and guidelines for how to quickly and easily get educated and perform an analysis before this unspeakable tragedy happens to you (and, sadly, it happens all the time).

#1 – Passwords on Steroids

Don’t Be Lazy
Stop conforming to the masses and go strengthen your passwords right now. They probably suck. 60% of the top 10 most popular passwords contain some variation on the sequential usage of numbers from 1 through 9.  So if your password is “123456,” or an uber-popular choice like “qwerty,” “qazwsx,” or the #32 most-popular and oh so cleverly derived “f*cky*u,” you’re recklessly playing with fire.

Get a CLU
What makes your password resilient to the flirtatious advances of remote hackers lounging in the depths of their mother’s basements?  Consider adopting the CLU strategy (because they sure as heck won’t):

  • Complex: Use a combination of numbers, letters (both uppercase and lowercase), and symbols.
  • Long: Use a minimum of 8 characters. The longer the better.
  • Unique: Using your birthday as your password everywhere you go is not a good idea.  Take a walk on the wild side and mix it up. Try a different password everywhere.

But Your Brain Hurts
How are you supposed to remember all of those passwords (you plead desperately with a waver in your voice)?  One easy-to-remember technique is to use the same combination of digits in conjunction with the company/service name requesting the password.  All you have to do is remember the combination of digits.  Of course, if anyone discovers this, you’re doomed.  Otherwise, take advantage of the available services that securely store passwords, like LastPass and KeePass.

Multi-Factor Authentication
This is also a slick way to quickly add some sturdy bars to those breakable storefront windows.  Sometimes the settings for your applications allow you to enable this as supplemental security; on login you are then asked for an additional piece of information that only you can provide, on top of your password.

Customer Password Encryption
Have your developer store your customers’ passwords and other sensitive information as hashes produced by an algorithm like SHA, never in the clear.  And add a pinch of salt (they’ll know what I mean).
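
What “a pinch of salt” looks like in practice, as an added example that is not code from the original article: each password gets its own random salt, the salt and work factor are stored next to the hash so the check can be repeated later, and comparison is done in constant time. The algorithm (PBKDF2 over SHA-256), the 16-byte salt and the 600,000-iteration work factor are assumptions chosen for this example, not values the article prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2 keyed over SHA-256, a 16-byte
# random salt per password, and a work factor in the range current guidance
# recommends. Tune the iteration count to your own hardware.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a fresh, unpredictable salt for every password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and work factor stored in the record,
    then compare in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        hash_name = algo.split("_", 1)[1]          # "pbkdf2_sha256" -> "sha256"
        digest = hashlib.pbkdf2_hmac(
            hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, TypeError, IndexError):
        return False  # malformed record: treat as a failed login, never as a crash
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

Because the salt is random, hashing the same password twice yields two different records; that is the point, since it stops an attacker from comparing your whole customer table against one precomputed list.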

What About Your Web Host?
A tell-tale sign of a web host’s philosophical stance on implementing web security standards is detectable the moment you sign up for a new account. If they don’t force legitimately strong passwords (defined as those you’ll forget unless you write them down), that’s a red flag – particularly if you are hosting in a shared environment. This is because passwords, like a chain, are only as strong as the weakest link. The compromise of one customer’s account due to a poorly structured password can lead to heartburn for everyone sharing the same server.

So, Now You Want to Be a Hacker?
That sparkle in your eye says to me that you’re curious about how these l33t hax0rz (translation: elite hackers) crack passwords in the first place.  Well, I’m not going to perpetuate the problem by aiding this segment of the gene pool, but I’ll offer a wee little hint.  Hackers use a number of techniques with the most popular being “dictionary” and “brute force” attacks carried out by a persistent legion of bots that spend endless hours attempting to guess your passwords. Web hosts who are on the ball will automatically detect cleverly disguised botnets scattered across multiple IPs and swat them like the annoying flies they are.

And while you’re at it, change your router’s password, too.  It’s about time your neighbors pay for their own Internet access.

#2 – Application Vulnerabilities

It’s really in your best interest to patch up what might otherwise be a sinking boat with you at the helm.  The longer you wait to do this, the harder it can be to accomplish later and the worse the security risk becomes – like a growing avalanche of suffocating misery. Like a British car, outdated applications can suddenly cease to function.  As the application’s functional environment evolves around it and old code becomes deprecated (i.e. put out to pasture), your application stagnates to the point of becoming as unreliable as someone buying furniture from you on Craigslist.

Email Notifications
First off, do you already get notifications of updates for your applications?  If yes, quit ignoring the peace of mind they provide and follow their instructions to patch your outdated applications. If not, determine if you have a control panel for your web site (like cPanel).  Sign into it and find the application installer (e.g. Installatron, Softaculous) to gain access to your list of installed applications (e.g. WordPress, Drupal).  It’s there that you can configure these instances to either automatically update themselves (and their plugins) or notify you by email when new releases become available.

There are also plugins that will help send along email notifications, like WP Updates Notifier (note: this plugin hasn’t been updated in a while).

Avoid Applications Susceptible to Vulnerabilities

If you’re keenly interested in how to protect a WordPress website from hackers, know that users of plugin-heavy blogging/CMS platforms (e.g. WordPress, Joomla, Drupal) must pay close attention not only to the number and quality of reviews for the plugins they choose to install, but also to how many people are using the plugin, when it was last updated, and whether it’s compatible with the currently installed version of the application.

What About Your Web Host?
Quality web hosting services will absolutely take security issues seriously and not only keep their own infrastructure patched and up to date, but proactively ensure you do as well.  There are a couple of quick ways to tell how seriously your web hosting service takes application vulnerabilities:

  • Control Panel Version: Find the version of your control panel (usually somewhere in the footer or header) – or of the public demo if you’re considering a new host – and compare it to the latest stable release available from the creator’s website. (Example: cPanel’s latest stable release)
  • Email Notifications: Your host should either notify you by email when there are available updates for applications installed on your account (e.g. WordPress, Drupal, etc.), or allow those services to automatically update themselves as described above.

Advanced Tools
For those who like to get their hands dirty, there are tools that monitor application dependencies and alert you to updates and vulnerabilities.  Try Gemnasium for automatic notifications, Composer to manage dependencies in PHP, and npm for JavaScript. RubyGems is the gem hosting service for Ruby (and therefore Ruby on Rails).

#3 – HTTPS

You’ve probably noticed this by now, but for those who have locked themselves in the bathroom for the last twenty years, this is how all data is transferred between websites and their visitors.  HTTP (HyperText Transfer Protocol), while still very much in use, has become as passé as paper.  Speaking of which, HTTP is unsecured and akin to a website writing down its contents on a piece of paper, folding it into a paper airplane, and chucking it at your head from the roof of a high-rise building. On the other hand, HTTPS translates the data into ultra-complicated Pig Latin, locks the paper in a metal briefcase knowing only you have the key, handcuffs it to a super cool spy-like fellow, and has him deliver it to you.

Like, Google Totally Likes You Liking HTTPS
In 2014, Google announced that websites embracing HTTPS would be rewarded by making HTTPS usage a positive ranking signal.  As of January 2017, Google’s Chrome started marking non-HTTPS sites that collect sensitive information, like passwords and credit cards, as non-secure.

Man In The Middle Attacks
Other than sounding like a creepy human sandwich laden with testosterone, HTTPS prevents MITM attacks where an unwanted individual snoops in on the conversation by intercepting data between your site and its clients.  As a business owner, leaking data that may include personally identifiable information (PII) can open you to fines for being non-compliant with PCI DSS.

How to Go All Clandestine With Your Data
Quite simply, you need an SSL (Secure Sockets Layer) website security certificate installed in order for your website to leverage encryption and communicate securely over HTTPS.  This is an absolute architectural requirement if you run an e-commerce website and plan on collecting sensitive information from your customers.

Similar to domain names, SSL certificates are generally renewed on an annual basis. However, there are free alternatives you should be aware of.  While SSL certificates are often installed manually following the instructions offered by the certificate provider, your web hosting company may offer options within your control panel (e.g. cPanel):

  1. Let’s Encrypt / Comodo SSL: When activated from within your control panel, these services automatically install an auto-renewable SSL certificate for your site for a limited number of variations (minimally www.*, mail.*, and the version with no subdomain).  When available, this is by far the easiest option, helps to secure your email delivery (more on that later), and makes storing and managing an SSL certificate both a non-issue and affordable (free).
  2. Wildcard SSL: This purchasable certificate is necessary if you have many subdomains where you wish to encrypt data communications (*.yourdomain.tld).

Redirecting to HTTPS
Once you have the certificate installed, force all inbound traffic to redirect from HTTP (port 80) to HTTPS (port 443).  Check to see if your blogging/CMS platform has a setting to enable this, or make the following change to the .htaccess file in your web root directory (e.g. /home/youraccount/public_html(or www)/.htaccess):

# Redirect every request that arrived over plain HTTP (port 80) to the same
# path on the HTTPS site. Replace www.yourdomain.com with your own domain.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

HSTS
Force all browsers to communicate with your website over HTTPS by including an HSTS response header as part of your web security policy, making it impossible for shadow-lurking attackers to read or modify data being transmitted from your site.  This only works after the first visit unless you implement HSTS preloading, which is a method for communicating to major browsers that your site requires communications over HTTPS.  An HSTS header looks something like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Warning: Do not add this header unless you intend to stick with HTTPS.  Removing this line will leave visitors, whose browsers previously processed this header, unable to access your site until the max-age parameter has expired.

Once you’ve added this, use this online HSTS testing tool to see that the header is functioning properly.

#4 – File Permissions

This is not a perfect analogy by any means, but imagine your high school-aged daughter is dating and you’re settling in for an evening introduction. File permissions decide who gets the pat on the back with a curt nod toward an 11pm curfew … and who gets some pump-action from the 12-gauge.

If that wasn’t clear enough, file permissions declare who can and cannot touch your files.  Applied individually to both directories and files, permissions can be assigned to three classes: Owner, Group, and Public (or “Other”).  It’s the last class that should concern you most.  For if your permissions are set improperly, that punk kid from down the street can touch and modify your files without your knowledge.  Grr.

Permissions can be set either over SSH (Secure Shell) using the chmod command (Linux), or via your FTP client, typically by right-clicking on a directory/file.  Most directories can be set to read and execute for the public (rwxr-xr-x, or 755), whereas files can be set to read only (rw-r--r--, or 644).  The files to watch out for are those that allow everyone to read, write, and execute (rwxrwxrwx, or 777).
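
Right-clicking through hundreds of files in an FTP client to find the 777s is nobody’s idea of fun, so here is an added example (not code from the original article) that walks a directory tree and reports every file or directory the “Other” class can write to, printing the octal mode the article uses. It assumes a Linux/Unix host and builds a small constructed web root in a temporary directory so it can be run anywhere; point `find_world_writable` at your real document root instead.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def octal_mode(path: str) -> str:
    """Return the permission bits of *path* as the three-digit octal string (e.g. '644')."""
    return f"{stat.S_IMODE(os.lstat(path).st_mode) & 0o777:03o}"


def find_world_writable(root: str) -> List[Tuple[str, str]]:
    """Walk *root* and return (relative path, octal mode) for every file or
    directory whose 'Other' class has the write bit set: the 777/666-style
    permissions the text warns about. Symlinks are skipped because their own
    mode bits are meaningless on Linux; inspect their targets separately."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(full, root), octal_mode(full)))
    return sorted(findings)


def build_demo_tree() -> str:
    """Create a constructed web root with sensible modes and one careless 777 file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.mkdir(os.path.join(root, "uploads"))
    sample = [  # (relative path, mode) -- constructed sample data
        ("index.php", 0o644),
        ("config.php", 0o600),          # secrets: owner only
        ("uploads/image.png", 0o644),
        ("uploads/cache.tmp", 0o777),   # the one that should set off alarms
    ]
    for rel, mode in sample:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o755)
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mode in find_world_writable(demo_root):
        print(f"{mode}  {rel}")   # prints: 777  uploads/cache.tmp
```

On a real account the equivalent one-liner is `find /home/your_account/public_html -perm -o+w`, which is what a hosting support engineer will usually run first; the Python version is here so you can see which bit is being tested and extend the report (owner, mtime, size) as you like.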

A word to the wise: setting your file permissions incorrectly can cause some applications to stop working.  If all else fails, get advice from a web developer or network security administrator, or leave a comment so I or someone else can help.

Here’s a good primer for better understanding how file permissions work.

#5 – File Uploads

Man, I love analogies.  Here’s another terrible one.  If you’re a guard at a prison and it’s visiting hours, are you or are you not going to check that slimy guy’s subway sandwich before he hands it over to his incarcerated granny?  She ain’t busy filing her nails for her health, ya know..

The point is that pesky hackers like to embed malicious surprises in otherwise innocuous looking files.  For example, a file uploaded to your message board might look like an innocent enough image, but only when it’s executed do we find out that it’s some dangerous script masquerading as a picture of someone’s aloof Mexican Hairless cat.

Now most modern applications account for this sort of thing and put the necessary precautions in place, but it demonstrates that you should be certain your applications limit the types of files that can be uploaded.  As a rule of thumb, the type of files your nerdy uncle taught you to never open in your email is the same sort of thing you don’t want on your server.
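
For the developers among you, here is an added example (not code from the original article) of the check a well-behaved application makes before it keeps an upload: a short allowlist of extensions, a refusal of double extensions, and a look at the first bytes of the file, so a script renamed to end in .png is turned away at the gate along with the sandwich. The allowed types, the size limit and the function names are assumptions for this example; the image signatures are the standard PNG, JPEG and GIF file headers.

```python
import os
from typing import Dict, List, Tuple

# Allowlisted extensions and the file signature ("magic bytes") each must start with.
# Constructed for this example; keep it to the types your application genuinely needs.
ALLOWED_TYPES: Dict[str, List[bytes]] = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded file may be stored; returns (accepted, reason).

    Checks, in order: size; a single allowlisted extension taken from the last
    suffix of the bare file name; and that the bytes really begin with that
    type's signature, so content and label have to agree.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    base = os.path.basename(filename)          # ignore any directory parts the client sent
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if not root or ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    if "." in root:
        # Some servers pick the handler from any suffix, not just the last one,
        # so a second extension is refused outright (at the cost of names like my.photo.png).
        return False, "multiple extensions not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, f"content does not match signature for {ext}"
    return True, "ok"


def safe_storage_name(filename: str) -> str:
    """Server-chosen file name that keeps only the validated extension, so the
    visitor never controls where or under what name the file is written."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return os.urandom(16).hex() + ext


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header and a text file wearing a .png badge.
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    text_bytes = b"<?php echo 'constructed sample'; ?>"
    print(check_upload("cat.png", png_bytes))         # (True, 'ok')
    print(check_upload("cat.png", text_bytes))        # (False, 'content does not match signature for .png')
    print(check_upload("notes.php", text_bytes))      # (False, 'extension .php not allowed')
    print(safe_storage_name("cat.png"))
```

Store accepted files outside the web root or under a name you generated (as `safe_storage_name` does) and serve them through the application, and the “is it an image or a script?” question stops mattering, because nothing in that directory is ever executed.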

Shutting Down Uploads in PHP
Your website’s control panel may offer you the ability to manage your PHP integration.  If your applications function in PHP and you have no reason to accept uploaded files from your visitors, disable their ability to do so.

In cPanel, select Software > MultiPHP INI Editor > Basic Mode tab > Select your website in the drop down. Scroll down and make sure file_uploads is set to disabled.

#6 – Backups

In and of themselves, backups are a great thing … unless they’re the sort that sit on the bench (little pun for my sports bros).  Of course you and/or your web hosting services provider should be backing up your website on a regular basis to ensure data integrity.  But so far as web security concepts and procedures are concerned, backups can contain outdated applications with vulnerabilities.

To that end, make sure your backup(s) are stored outside of the web accessible (public) area of your website’s file structure.  Let’s look at example directories where your web site is accessible from the Internet:

/home/your_account/www/   or   /home/your_account/public_html/   or   /home/your_account/www/backups/

Everything within /www/* (or /public_html/*) is accessible to the web.  So your backups should be stored one level up, outside that directory:

/home/your_account/   or   /home/your_account/backups/

Better yet, your backups should be stored locally on your own computer, at a cloud storage site like Dropbox, or handled automatically by your web host company and stored somewhere else entirely which alleviates this concern.

#7 – SQL Injections (SQLi)

No, this isn’t about veterinarians and their penchant for poking tree-dwelling rodents with rabies shots.

SQL (pronounced sequel, not squirrel) injections are one of the oldest, most prevalent, and most destructive application vulnerabilities, where hackers hijack and piggyback poorly written code (typically in a web form or URL parameter).  This method of attack allows hackers to inject their rogue code and wreak all sorts of havoc on websites leveraging SQL-based databases.  When compromised, an intruder can do any number of things including:

  • bypass authentication
  • login as an administrator
  • impersonate another user
  • access, manipulate, and remove sensitive data
  • (given the right conditions) attack an internal network behind a web security firewall from the database server with operating system commands

If you’re not a programmer who keeps a trusty SQL Injection Cheat Sheet handy, now you know better and can broach the subject with your developers and ensure they are preventing this from happening through the use of parameterized queries.  At the very least, you can see why it’s important to keep your applications updated so newly discovered vulnerabilities can be fixed and removed from the equation that formulates your greater peace of mind.
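
So that “parameterized queries” is more than a phrase to drop on your developers, here is an added example (not code from the original article) showing the same login query written the poorly-written way and the parameterized way, run against an in-memory SQLite database with constructed sample users. It uses Python’s standard sqlite3 module; the `?` placeholder style is SQLite’s, and other database drivers spell theirs differently, but the principle is identical. The passwords are plain SHA-256 here only to keep the demo short; store real ones salted, as section #1 advises.

```python
import hashlib
import sqlite3
from typing import Optional


def make_demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    rows = [
        ("admin", hashlib.sha256(b"constructed-admin-pw").hexdigest(), "administrator"),
        ("alice", hashlib.sha256(b"constructed-alice-pw").hexdigest(), "customer"),
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """The pattern the text warns about: the visitor's input is spliced into the SQL
    text, so a quote in the username changes the query instead of being compared.
    Kept deliberately broken for contrast; returns the matched user's role or None."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password_hash = '{pw_hash}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same query with placeholders: the SQL text is fixed and the driver hands the
    values over separately, so whatever the username contains is data, not syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_demo_db()
    # A legitimate login works the same either way.
    print("alice, vulnerable:    ", login_vulnerable(db, "alice", "constructed-alice-pw"))
    print("alice, parameterized: ", login_parameterized(db, "alice", "constructed-alice-pw"))
    # A username containing a quote and a comment marker: the vulnerable version's
    # password check is commented out of the query; the parameterized one just finds no such user.
    crafted = "admin' --"
    print("crafted, vulnerable:    ", login_vulnerable(db, crafted, "anything"))      # administrator
    print("crafted, parameterized: ", login_parameterized(db, crafted, "anything"))   # None
```

The bullet list above (“login as an administrator”) is exactly what the vulnerable function hands over: no password was guessed, the query was simply rewritten by its input. Nothing about the parameterized version is slower or harder to write, which is why it is the default in every modern framework and why an application that still concatenates is a patching priority, not a style preference.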

#8 – Cross-site Scripting (XSS) Attacks

Similar in some ways to SQL injections, XSS attacks are accomplished by hackers embedding malicious payloads into your website’s JavaScript code.  But the website is not the direct target of the attack.  Instead, the