I recently replaced the doors and windows on our home. Naturally I had a number of suppliers visit to discuss their products and give me a quote. With each one I talked to I noticed that a very large part of the conversation was about security. Doors and windows are the main access point into a house so it seemed obvious that I would want to make it as difficult as possible for anyone to break in. Each brand of windows came with an impressive list of security features including locking systems, strengthening systems, anti-bending systems and so on. Every attack method a burglar could use was covered.
This got me thinking about how much thought most of us give to securing our website (and company networks!). For a lot of companies the website is essential to the running of the business. Not just for e-commerce companies who can’t make any sales if their website is down, but for any business which needs to keep their customers informed and build trust.
When I talk with clients website security is often more of an afterthought than a prime concern. Most people assume that their website won’t be hacked as their web hosting company and website designer will just take care of “all that cyber security stuff”.
But what is this “cyber security stuff”? Do web hosting companies provid it? Do website designers make sure it’s in place? Did you ask?
A Crash Course in Hacking a Website
To understand how to protect a website you need to know a bit about how hackers get in. There are two main routes into a site.
- Hack the web server.
- Hack the web site.
Hacking the Web Server
All websites use a Web server computer to store your website files and run your code (make the page work!). This is your hosting account. These computers have to be connected to the Internet to allow people to see your webpages. Any computer connected to the Internet is a potential hacking target.
Web servers use communication ports to talk to other computers. Each communication port is used for a particular service. For example, port 80 is used to view your website (HTTP service), port 21 allows you to upload and download files (FTP service), etc. But every port open to the Internet is be a doorway for hackers to get into your server.
To hack a server you first need to check which doors are available. You then need to query each door to find as much information as you can about the system you’re trying to hack, but also to probe for any weaknesses. This is very much like a burglar “casing the joint” and then trying all the door and window handles to see if anything’s been left unlocked.
After this initial survey you can then decide how easy or difficult this computer will be to break into. You also need to work out how valuable the system is to decide if it’s actually worth your while spending effort on the server.
One very important thing to understand about hacking is that it’s a highly automated process. There isn’t a disgruntled customer sat at his computer trying to bring down your company. It’s someone who doesn’t know who you are, who has a large bank of computers automatically scanning thousands of servers per day trying to find doors that can be easily opened. Assuming that no one will want to hack you isn’t a form of protection. Your server will get attacked. It’s probably already being attacked multiple times per day. So making sure that all your doors and windows are bolted shut with high security locking systems is essential.
Most of the “bolting the doors and windows” will be handled by your web hosting company. But this is where the type of hosting you have comes into play.
Shared Hosting Versus Dedicated Hosting
Most websites use shared hosting accounts. This is where each Web server is shared by a number of customers. Unless you specified something different you will almost certainly be on a shared server. Shared hosting is generally fine and your hosting company will have taken all the precautions it can. But being on a shared server means that a larger number of people need easy access to the system. Everyone needs to be able to connect to the server, upload their web files, access the Control Panel, type commands onto the server and so on. This means that the server is only as strong as the weakest person using it. If people are careless with passwords, have badly programmed websites or just fail to take sensible precautions they can inadvertently open one of the server doors.
Dedicated hosting, including virtual private servers (VPS) is where you have the server all to yourself. This lets you completely lock the system down so that only the bare minimum of ports are open to the Internet. You can also use extra security on any doors that are open, even if this means a bit more work in setting up the system.
Dedicated hosting costs more than shared hosting both to set up and maintain. But if you can’t afford to lose your website for even a short period of time it’s definitely the way to go. For most people though shared hosting will be fine. Provided you have good backups a server hack will only mean the loss of a few days or weeks of work on your website.
Hacking a Website
Almost all websites these days have a part that your visitors and customers see, and an admin area where you can make changes to the site. The websites run code on the Web server to make everything work and connect to a database to store your information.
Hacking a website often involves breaking into this admin area. It’s generally the easiest route to hack as it involves a password. Passwords are generally the weakest link in any security policy. People like to create passwords they can easily remember, but this usually means that it’s a real word, or based on real words with a few extra characters. One of my clients was into custom motor bikes and had a beautiful Harley-Davidson. Can you guess what his password was, and yes he did like to wear t-shirts with it written across his chest!
Random character sequences are the best passwords, e.g. !hKmhsYF9A#o. Yes, you’ll never remember it, but get yourself a password manager app to remember them for you.
Software Bugs
You’ve no doubt come across security updates for Windows, MacOS etc. These are basically bug fixes to block up holes in the software. These holes can also get into your website code. A great description of programming is that…
“Programming is 90% bug fixing and 10% bug creation!”
Programming errors can allow hackers to either break into your admin area, or simply break into your server so they can run their own code. This sort of attack is very much down to your website developer to combat by making sure that your code is watertight.
If your website is based on a standard package like WordPress or Drupal, you need to install all updates to both the core software and any plugins you’ve installed. On the plugin front you also need to be careful about what you install. Plugins are written by coders of various skill levels. Make sure you check the reputation of a plugin before using it.
Being Better Than the Rest
Two men are walking through the jungle. They spot a ferocious lion who also spots them. One man drops his ruck sack, takes out his running shoes and quickly puts them on. His friend says, “You’re wasting your time. You’ll never outrun the lion”. He replies “I don’t have to outrun the lion. I just have to outrun YOU!”.
In reality if a skilled hacker decides he’s going to specifically target you and use everything in his means to break into your website then the chances are he will, given enough time. Look at the reports of the latest high profile hacking victims. But that takes an awful lot of time, energy and money. By thinking about your security and taking a few simple precautions you can make your website a harder nut to crack that 99% of the rest. Automated systems won’t be able to get in and a hacker would have to personally spend time trying to get around your security without the guarantee of success. Why would he waste his time on you when there are juicier victims just one click away.
So have a chat with your web team and make sure they have their running shoes on!
What Next
In this article I’ve introduced the idea of website security. Keep an eye out for more detailed posts over the coming weeks.