In the hosting industry, hacked websites, botnets, malware, DDoS attacks, and various other forms of security vulnerabilities are all very commonplace. When you sign on to owning a website, you should expect one or several of these threats to rear their ugly heads over the course of your site’s lifespan, but you don’t have to accept DOOMED as your destiny.
Erik Soroka, the Tier 3 Operations Manager who oversees IT security at InMotion Hosting, states, “Maintaining the integrity and security of our servers and networks is one of our highest priorities to ensure a safe and dependable web presence for all of our customers.”
We’ll cover some of the top threats to web security and how to prevent such assaults on your site.
2017’s Top Website Security Threats
Today’s modern hosting landscape is fraught with dangers — from both self-inflicted “human error” and third parties with malicious intent. Erik boiled it down to the foremost enemies:
Next, we’ll cover his advice to shield your site from harm. If a certain security risk has caught your eye, feel free to jump ahead to its tip using the links above.
Tip #1: Avoid Untrustworthy 3rd-Party Apps & Sanitize Input Data
“If your site uses a database backend, it is important to know and trust the code behind your website,” Erik explained. Verifying your code works and verifying it’s secure and stable are two very different beasts to wrangle.
You’ll want to validate your code coming into your CMS or application (input data) and confirm it matches what’s presented to the end user on the frontend (output data). If you’re using WordPress, the Codex gives an excellent rundown on input and output data validation here.
“Avoid using untrusted third-party applications that haven’t undergone a thorough security audit. And always be sure to sanitize input data,” Erik added.
Tip #3: Ensure Request Validity with Random Challenge Tokens
Developers should always append random challenge tokens to each request that are associated with the user’s session. By including a challenge token, you can ensure the request is valid and not coming from a source other than the intended user.
Tip #4: Enforce Password Complexity and Implement Request Throttling
“Brute forcing is one of the simplest yet common ways hackers can compromise your website or your hosting account,” Erik said. Always have automatic account lockouts, enforce password complexity, and implement some form of request throttling.”
Additional tips to creating a secure password:
- Avoid common words (e.g., “Caligirl,” “doglover,” or *shudder* “password”).
- Avoid obvious personal details (e.g., your birthday, pet names, a guessable anniversary).
- Make it longer than six characters — some say, the longer the better.
- Include a mix of capital and lowercase letters.
- Include numbers and symbols, too.
- Note: Starting with a capital letter and ending with a number is predictable these days.
- Don’t be predictable. A strong password is memorable only to you — without hints!
Whether you’re a site manager, developer, or web user, you should rotate through a series of complex, strong passwords known by you alone. Google suggests creating a unique password for each individual account you own and operate. For an added layer of security, try enabling two-step verification.
Tip #5: Update Any and All Software Regularly
If you use a content management system (CMS) or another application to power your website(s), you have to stay on top of the latest updates and patches to the software.
“This includes any third-party plugins or scripts you may be running,” Erik said, noting that (most) developers release new updates regularly to patch insecurities and bugs discovered within their apps, plugins, and frameworks.
“By not always updating to the latest version, you could potentially leave your website vulnerable to further attacks or compromises.”
Tip #6: Be Mindful of Error Reporting
If you’re not developing or debugging your website, Erik recommends turning off error reporting wherever possible.
“In cases where errors are necessary, be sure the error messages do not reveal any critical information that may be helpful to an attacker. Additionally, for sites with a login page, always return a consistent error message for failed attempts,” he said.
For example, if your site returns “Incorrect Password” when “johndoe” fails to authenticate but then returns “No such user” when “janedoe” fails, you have just disclosed the existence of a valid username to the attacker which can then be used for further exploits.
Tip #7: Use the Most Secure Web Hosting Provider You Can Find
If you have a website, regardless of the site’s popularity or content, you can expect it will be the target of an attempted attack or intrusion at some point. While it’s important that the website’s owner or developer take the necessary security precautions to protect themselves, it is equally important that you are hosting with a provider that takes security seriously.
“Even the most secure websites in the world can easily become victims if the server or network it’s hosted on is lacking in security,” Erik said. “At InMotion Hosting, we have a dedicated team of system administrators working 24 hours a day, seven days a week, 365 days a year to safeguard our infrastructure by performing regular audits and proactively applying patches to our servers. In addition, we are one of the only hosting providers that will try to patch popular content management systems (e.g., WordPress, Joomla, etc.) for our customers’ sites immediately following a vulnerability disclosure.”
Web Hosting Security is Made Simple by the Most Secure Hosts
From SQL injections to assailable hosting services, security vulnerabilities abound in the hosting industry. It’s imperative that you partner with a hosting provider to withstand attacks on your network; follow best-practice coding procedures; and stay up-to-date with the latest software updates and security trends. Signing up with security-conscious hosts, like InMotion, means you get a fleet of security gurus, like Erik, who have your back.