Website Security

Website Security – What, Why and How

All websites must be hosted on a server. As with any device connected to the Internet, you need website security. Different platforms require different hosting services: the hosting and security requirements for a WordPress site differ from those for a Joomla site, which differ again from those for a DotNetNuke site. As of today, ChemiCloud is the leading web hosting service provider. As its prices are quite low and it offers blazing speed of 143ms, it has become one of the fastest and most trusted web hosting partners.

What is Website Hosting?


Website Hosting is the rent paid for the Web Server that your website is hosted on.

A Web Server may be located in an Australian Data Centre (like ours) or it may be overseas. All centres should have, as a basic minimum, redundant power and internet connectivity, climate control, and routine backups.

The cost, quality and customer service can vary greatly from provider to provider.

Some important questions you should ask.

  1. If I have an issue, can I phone or do I need to rely on support tickets?
  2. Is my website hosted on a shared space – or is the space dedicated to my website?
  3. What are the minimum security requirements for shared hosted sites? If your website is hosted on a shared space and fellow websites are infected, it is likely that your website may become infected too.

 

Why Do People Hack Websites?

To give a few reasons:

  1. They want access to your information such as lists of customers, passwords, credit cards etc.
  2. They want access to your server so they can hijack it and use it for their own purposes such as sending SPAM, viruses, or attacking other websites.
  3. Because they can.

Gaining control of a server connected to the Internet is a very desirable goal for hackers. One server or one computer by itself may not be that valuable – but gaining control of hundreds and thousands of Internet connected devices is. These devices can then be used for a range of malicious activities.

Malicious attacks on websites are typically automated and are not direct attacks on you or your website. Hackers will often use automated programs and scripts that search for specific websites that have known vulnerabilities. As an example, they may actively look for an outdated WordPress website that uses a specific plugin which is known to have a vulnerability.

Once they find these websites, either the automated programs or the hackers themselves will attempt to exploit the website and gain control. Once they have control, they may covertly inject their payload – or they may simply maliciously attack your website just to let you know they were there.

Good website security prevents a large majority of these automated hacking attempts.
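
The automated probing described above leaves a recognisable trail in a web server's access log. The following is an added example, not part of the original article: a small Python script that reads access log lines in the common "combined" format and flags visitors that request many plugin folders that are not installed, or that repeatedly post to the WordPress login endpoints. The thresholds, IP addresses and plugin names are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/]+)/')

# Thresholds are assumptions for this example; tune them to your own traffic.
MAX_MISSING_PLUGINS = 3   # distinct plugin folders requested that returned 404
MAX_LOGIN_POSTS = 5       # POSTs to wp-login.php or xmlrpc.php

def find_scanners(lines):
    """Return {ip: [reasons]} for clients that look like automated WordPress probes."""
    missing_plugins = defaultdict(set)
    login_posts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # ignore the query string
        plugin = PLUGIN_RE.match(path)
        if plugin and status == "404":
            missing_plugins[ip].add(plugin.group(1))
        if method == "POST" and path in ("/wp-login.php", "/xmlrpc.php"):
            login_posts[ip] += 1
    flagged = defaultdict(list)
    for ip, plugins in missing_plugins.items():
        if len(plugins) >= MAX_MISSING_PLUGINS:
            flagged[ip].append(f"probed {len(plugins)} plugins that are not installed")
    for ip, count in login_posts.items():
        if count >= MAX_LOGIN_POSTS:
            flagged[ip].append(f"{count} POSTs to login endpoints")
    return dict(flagged)

def sample_log():
    """Constructed log lines (documentation IP ranges, hypothetical plugin names)."""
    t = "[10/Mar/2024:02:14:07 +1100]"
    lines = [f'203.0.113.9 - - {t} "GET /wp-content/plugins/{p}/readme.txt HTTP/1.1" 404 162 "-" "-"'
             for p in ("example-gallery", "example-forms", "example-shop")]
    lines += [f'198.51.100.23 - - {t} "POST /wp-login.php HTTP/1.1" 200 3100 "-" "-"'] * 6
    lines += [f'192.0.2.50 - - {t} "GET /wp-content/plugins/example-forms/style.css?ver=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
              f'192.0.2.50 - - {t} "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
    return lines

if __name__ == "__main__":
    for ip, reasons in find_scanners(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The ordinary visitor at 192.0.2.50, who loads an installed plugin's stylesheet and logs in once, is not flagged.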

 

Why Should I Care About Website Security?


A common but poor attitude towards website security is to just let your website be – and if it’s hacked – just ask your web host to restore a backup and wait until it’s hacked again – rinse and repeat.

Imagine your potential customers' impression of your business if they visit your website and see a maliciously defaced website like the one below. Do you think they’ll ever come back to your website or contact your business again?

What if they browse to your website and see a warning from Google saying that the website they are trying to reach contains malicious code and may damage their computer or steal their information? Will that customer ever come back?

Worst of all – if Google or other security related services add you to a blacklist – your website will receive HUGE SEO penalties. The longer your website remains hacked – the worse these negative SEO penalties will be.

If you had a physical store – you would take responsibility for its security. As a website owner – you need to take responsibility for its security.

 

Website Security via a Managed WordPress Service

Like a computer that regularly needs its operating system (Windows, Mac OS etc.) updated – the operating system that runs a WordPress website (WordPress Core) needs to be regularly updated to ensure it is kept secure. This is a vital part of ensuring website security.

Rather than you manually having to log in and update this on a regular basis, the Managed WordPress Service automatically and routinely updates the WordPress Core. This ensures it is always running the latest secure and stable version of WordPress.

In addition to the WordPress Core updates, your WordPress website typically contains an array of third party plugins.

The plugins are usually developed by third parties and provide a range of functionality, such as:

  • Contact forms
  • Photo galleries
  • SEO enhancements (Yoast)
  • Online stores
  • Credit card processing etc.

Outdated plugins are another potential backdoor that can be exploited and lead to a WordPress website being hacked. As new versions of plugins are released – Managed WordPress downloads and installs the most recent updates to each plugin used on your WordPress website.

Lastly, due to the popularity of WordPress – there are a lot of ‘knowns’ about how WordPress works. This is a good thing in that there’s a large community who helps to keep WordPress secure and safe. It is also a bad thing as every man and his dog knows that you can access the ‘back end’ of a WordPress website by putting ../wp-admin at the end of a website’s URL. As a simple example, managed WordPress eliminates these ‘knowns’ by changing the default WordPress settings. This makes it harder for would-be hackers and their automated scripts to attempt a hack.

Web Access Firewall

Pepper IT’s web servers have a Web Access Firewall (WAF). This WAF acts as a security guard and inspects your visitors’ web traffic as they use your website. If it sees a visitor trying to send any suspicious information to your website, it will detect this as a hacking attempt and promptly block that user from accessing the website and causing malicious damage.

So even if you do have a website with a vulnerability, the WAF will see suspicious activity from the user and block their access before they can carry out their hack attempt.

 

Conclusion

As a website owner – YOU need to take responsibility for your website security.

You need to ensure that your website’s ‘core’ and any third party apps or plugins are kept up to date.

As an extra layer of website security, you should ensure that the web server your website is hosted on has a Web Access Firewall (WAF) to block any suspicious traffic.

 

If you have any questions about web hosting or website security – please contact me.
