What is Website Security?

How to Secure & Protect Your Website

Website security is the measures taken to secure a website from cyberattacks. In this sense, website security is an ongoing process and an essential part of managing a website.

Website security can be a complex (or even confusing) topic in an ever-evolving landscape. This guide is meant to provide a clear framework for website owners seeking to mitigate risk and apply security principles to their web properties.

Before we get started, it’s important to keep in mind that security is never a set-it-and-forget-it solution. Instead, we encourage you to think of it as a continuous process that requires constant assessment to reduce the overall risk.

By applying a systematic approach to website security, we can think of it as an onion, with many layers of defense all coming together to form one piece. We need to view website security holistically and approach it with a defense in depth strategy.

Why is Website Security Important?

Website security is important because nobody wants to have a hacked website. Having a secure website is as vital to someone’s online presence as having a website host. If a website is hacked and blacklisted, for example, it loses up to 98% of its traffic. Not having a secure website can be as bad as not having a website at all or even worse. For example, client data breach can result in lawsuits, heavy fines, and ruined reputation.

1. Defense in Depth Strategy

A defense in depth strategy for website security looks at the depth of the defense and at the breadth of the attack surface to analyze the tools used across the stack. This approach provides a more accurate picture of today’s website security threat landscape.

2. How Web Pros See Website Security

We can’t forget about the statistics, which make website security a compelling topic for any online business—regardless of their size.

After analyzing over 1,000 survey responses from web professionals, we uncovered some insights about the security landscape:

  • 67% of web pro clients have asked about website security, but fewer than 1% of respondents offer website security as a service.
  • About 72% of web professionals are concerned about experiencing a cyberattack on client sites.

Why Websites Get Hacked

There are over 1.94 billion websites online in 2019. This provides an extensive playground for bad actors.

There is often a misconception about why websites get hacked. Owners and administrators often believe they won’t get hacked because their sites are smaller, and therefore make less attractive targets. Hackers may choose bigger sites if they want to steal information or sabotage. For their other goals (which are more common), any small site is valuable enough.

There are various goals when hacking websites, but the main ones are:

  • Exploiting site visitors.
  • Stealing information stored on the server.
  • Tricking bots and crawlers (black-hat SEO).
  • Abusing server resources.
  • Pure hooliganism (defacement).

1. Automated Website Attacks

Unfortunately, automation reduces overhead, allows for mass exposure, and increases the odds for a successful compromise—regardless of the amount of traffic or popularity of the website.

In fact, automation is king in the world of hacking. Automated attacks often involve leveraging known vulnerabilities to impact a large subset of sites, sometimes without the site owner even knowing.

Automated attacks are based on opportunity. Contrary to popular belief, automated attacks are much more common than handpicked targeted attacks due to their reach and ease of access.

Nearly 60% of the internet runs on a CMS.

2. CMS Security Considerations

It has become easier for the average site owner to get online quickly with the use of an open source content management system (CMS) such as WordPress, Magento, Joomla or Drupal.

While these platforms often provide frequent security updates, the use of third-party extensible components – such as plugins or themes – leads to vulnerabilities that attacks of opportunity can easily exploit.

We have developed detailed website security guides for each popular CMS to help website owners protect their environments and mitigate threats.

Information Security CIA Triad

A benchmark in information security is the CIA triad – Confidentiality, Integrity and Availability. This model is used to develop policies for securing organizations.

1. Confidentiality

Confidentiality refers to access control of information to ensure that those who should not have access are kept out. This can be done with passwords, usernames, and other access control components.

2. Integrity

Integrity ensures that the information end-users receive is accurate and unaltered by anyone other than the site owner. This is often done with encryption, such as Secure Socket Layer (SSL) certificates which ensure that data in transit is encrypted.

3. Availability

Availability rounds out the triad and ensures information can be accessed when needed. The most common threat to website availability is a Distributed Denial of Service attack or DDoS attack.

Now that we have some background on automated and targeted attacks, we can dive into some of the most common website security threats.

Website Vulnerabilities & Threats

Here are the most common website security vulnerabilities and threats:

1. SQL Injections

SQL injection attacks are done by injecting malicious code in a vulnerable SQL query. They rely on an attacker adding a specially crafted request within the message sent by the website to the database.

A successful attack will alter the database query in such a way that it will return the information desired by the attacker, instead of the information the website expected. SQL injections can even modify or add malicious information to the database.
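To make the mechanism concrete, here is an added example (not code from the original guide) that builds a small in-memory SQLite table and runs the same lookup two ways: once by concatenating the user-supplied value into the query text, and once with a bound parameter. The table, the usernames and the sample input are constructed for this illustration. The parameterized version is the fix the guide is pointing at: the database never parses the value as part of the SQL statement.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table for demonstration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "author"), ("carol", "subscriber")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # Vulnerable: the untrusted value becomes part of the SQL text, so the
    # boundary between "data" and "query" is under the caller's control.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    # Hardened: the value is passed as a bound parameter. The statement shape is
    # fixed before the value is seen, so the query cannot be altered by the input.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # A tautology in the value illustrates how the query "returns the information
    # desired by the attacker, instead of the information the website expected".
    conn = make_db()
    crafted = "x' OR '1'='1"
    return {
        "vulnerable": lookup_user_vulnerable(conn, crafted),  # every row comes back
        "safe": lookup_user_safe(conn, crafted),              # no user has that literal name
        "normal": lookup_user_safe(conn, "bob"),              # legitimate lookups still work
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same rule applies to any database driver: never build the statement string from request data, and treat an ORM or query builder's raw-SQL escape hatch as exactly that.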

2. Cross-site Scripting (XSS)

Cross-site scripting attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method.

The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker when loading the page. If a logged in site administrator loads the code, the script will be executed with their level of privilege, which could potentially lead to site takeover.
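The following is an added example, not part of the original guide, showing the defensive side of this threat: a comment-rendering function that interpolates untrusted input straight into markup, beside one that escapes the input for the HTML context it lands in. The markup, the field names and the sample values are constructed for the illustration; the escaping uses Python's standard `html.escape`.

```python
import html


def render_comment_vulnerable(author, body):
    # Vulnerable: untrusted values are dropped into the page unchanged, so a
    # value containing markup changes how the page is displayed in the visitor's browser.
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author, body):
    # Hardened: escape each value for the context it lands in. quote=True also
    # neutralises the double quote, which matters inside the attribute value.
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return f'<div class="comment" data-author="{safe_author}"><p>{safe_body}</p></div>'


def demo():
    # Constructed sample inputs: benign text, a script tag in the body, and a
    # quote-and-event-handler in the attribute position.
    benign = ("ann", "hello")
    scripted = ("guest", "<script>alert(1)</script>")
    attribute_breakout = ('x" onmouseover="alert(1)', "hi")
    return {
        "benign_identical": render_comment_safe(*benign) == render_comment_vulnerable(*benign),
        "vulnerable_script": render_comment_vulnerable(*scripted),
        "safe_script": render_comment_safe(*scripted),
        "vulnerable_attr": render_comment_vulnerable(*attribute_breakout),
        "safe_attr": render_comment_safe(*attribute_breakout),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Escaping is context-specific: the function above covers text nodes and double-quoted attributes, while values placed inside a `<script>` block, a URL, or a CSS rule need their own encoding, which is why templating engines with auto-escaping are the usual recommendation.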

3. Credential Brute Force Attacks

Gaining access to a website’s admin area, control panel or even to the SFTP server is one of the most common vectors used to compromise websites. The process is very simple; the attackers basically program a script to try multiple combinations of usernames and passwords until it finds one that works.

Once access is granted, attackers can launch a variety of malicious activities, from spam campaigns to coin-miners and credit card stealers.

4. Website Malware Infections & Attacks

Using some of the previous security issues as a means to gain unauthorized access to a website, attackers can then:

  • Inject SEO spam on the page
  • Drop a backdoor to maintain access
  • Collect visitor information or credit card data
  • Run exploits on the server to escalate access level
  • Use visitors’ computers to mine cryptocurrencies
  • Store botnets command & control scripts
  • Show unwanted ads, redirect visitors to scam sites
  • Host malicious downloads
  • Launch attacks against other sites

5. DoS/DDoS Attacks

A Distributed Denial of Service (DDoS) attack is a non-intrusive internet attack. It is made to take down the targeted website or slow it down by flooding the network, server or application with fake traffic.

DDoS attacks are threats that website owners must familiarize themselves with as they are a critical piece of the security landscape. When a DDoS attack targets a vulnerable resource-intensive endpoint, even a tiny amount of traffic is enough for the attack to be successful.

Ecommerce Website Security & PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) outlines requirements for website owners with online stores. These requirements help ensure that you are properly securing the cardholder data you collect as an online store.

Under PCI DSS, cardholder data that must be secured refers to the full primary account number (PAN), but may also appear in the form of one of the following:

  • Full magnetic stripe data (or chip equivalent)
  • Expiration date
  • Service code
  • PIN code
  • CVV digits
  • Cardholder name and/or surname

PCI compliance regulations apply regardless of whether you share data digitally, in written form, or speak to another individual with access to the data.

For ecommerce websites, it’s critical to do everything in your power to ensure that cardholder data passes from the browser to the web server by being properly encrypted via HTTPS. It should also be stored on the server securely and similarly encrypted when transmitted to any third-party payment processing services.

Hackers may try to steal or intercept cardholder data at any time, whether the data is at rest or in transit. Our PCI Compliance Guide and Checklist can help you walk through how to meet these requirements.

Website Security Framework

Regardless of the size of your business, developing a security framework can help reduce your overall risk.

The US National Institute of Standards and Technology (NIST) developed The Cybersecurity Framework which forms the basis of our website security principles framework in this guide.

Because security is a continuous process, it starts with the foundation of a website security framework. This framework will involve creating a “culture of security” where scheduled audits will help in keeping things simple and timely.

The five functions: Identify, Protect, Detect, Respond and Recover will be broken out in more detail along with actions to be applied.

1. Identify

During this stage all asset inventory and management is documented and reviewed.

Asset inventory and management can be taken one step further into the following subcategories:

  • web properties,
  • web servers and infrastructure,
  • plugins, extensions, themes, and modules,
  • third-party integrations and services,
  • access points/nodes.

Once you have a list of your website assets, you can take steps to audit and defend each of them from attacks.

2. Protect

Preventative measures, known as protective technologies and layers of defense, are crucial for many reasons; the question is where to begin.

Sometimes these measures satisfy compliance requirements such as PCI, or make it easy to virtually patch and harden environments that are vulnerable to attack. Protection can also include employee training and access control policies.

One of the best ways to protect your website is by activating a web application firewall. Taking the time to think through security processes, tools, and configurations will impact your website security posture.

3. Detect

Continuous monitoring is a concept that refers to implementing tools to monitor your website (assets) and alert you to any issues.

Monitoring should be in place to verify the security state of:

  • DNS records,
  • SSL certificates,
  • web server configuration,
  • application updates,
  • user access,
  • file integrity.

You can also use security scanners and tools (such as SiteCheck) to scan for indicators of compromise or vulnerability.

4. Respond

Analysis and mitigation help to build out the response category. When there is an incident, there needs to be a response plan in place. Having a response plan prior to an incident of compromise will do wonders for the psyche.

A proper incident response plan includes:

  • Selecting an incident response team or person
  • Reporting of incident to review findings
  • Mitigating the event

During the remediation process, we never know beforehand what malware we are going to find. Some issues can spread quickly and infect other websites in shared server environments (cross-contamination).

The incident response process, as defined by NIST, is broken down into four broad phases:

  • Preparation & planning
  • Detection & analysis
  • Containment, eradication & recovery
  • Post incident activities

Having a comprehensive preparation phase and a website security team you can count on is critical to the success of the mission.

Here’s what that should look like:

Preparation & Planning

In this phase, we make sure that we have all the necessary tools and resources before an incident occurs.

This goes hand in hand with the previous sections in the security framework.

Hosting companies play a crucial role in this phase by ensuring that systems, servers, and networks are sufficiently secure. It is also important to ensure your web developer or technical team is prepared to handle a security incident.

Detection & Analysis

Although there are several methods of attack, we should be prepared to handle any incident. After hundreds of thousands of responses, we narrow down most of the infections to vulnerable components installed on the website (mostly plugins), password compromises (weak password, brute force) and others.

Depending on the issue and intent, the detection phase can be tricky. Some attackers are looking for fame, others may want to use resources or intercept sensitive information (credit card).

In some cases, there is no sign that a backdoor has been installed, waiting to be accessed by the attacker for malicious activities. Therefore, it’s highly recommended to implement mechanisms to ensure the integrity of your file system.

Containment, Eradication & Recovery

As for the “Containment, Eradication & Recovery” phase, the process has to adapt to the type of issue found on the website and predefined strategies based on the attack.

For instance, cryptominer infections usually consume lots of resources from the server (leecher), and before starting the remediation process the incident response team has to contain the threat. The containment of this attack is a critical step to prevent the depletion of additional resources and further damage.

This decision-making system and strategies are a crucial part of this phase. For instance, if we identify a particular file as being 100% malicious, there should be an action to wipe it out. If the file contains partially malicious code, only that piece should be removed. Each scenario should have a specific process.

Post Incident Activities

Last but not least, the “Post Incident Activities” could also be called the “Lessons Learned” phase.

In this phase, the Incident Response Team should present a report detailing what occurred, what actions were taken, and how well intervention worked. We should reflect on the incident, learn from it, and take action to prevent similar issues in the future. These actions could be as simple as updating a component, changing passwords, or adding a website firewall to prevent attacks at the edge.

Conduct a review of the actions your department needs to take to continue fortifying your security posture. Next, ensure you take those actions as quickly as possible.

You can base all further actions on the following tips:

  • Restrict global access to your site (or certain areas) via GET or POST methods to minimize exposure.
  • Update directory and file permissions to ensure the read/write access is properly set.
  • Update or remove outdated software/themes/plugins.
  • Reset your passwords immediately with a strong password policy.
  • Activate 2FA/MFA wherever possible to add an extra layer of authentication.

In addition, if you’re actively using a web application firewall (WAF), review your existing configuration to identify potential adjustments to be made.

Remember that even though WAFs help in meeting several Payment Card Industry Data Security Standard (PCI DSS) requirements, they are not a silver bullet solution. There are other factors that can impact your business, especially the human factor.

4. Recover

Recovery planning takes place once all phases of an incident have been fully reviewed. Recover also relates to having a backup plan for situations in which all prior phases failed, for example, in the event of ransomware attacks.

This process should also include arranging time to speak with your security vendor on how to improve areas of weakness. They are better equipped to offer insight into what can be done.

Have a Communication Strategy

If any data is at risk, notify your customers. This is particularly important if you’re a business operating in the EU where an organization must report a data breach within 72 hours, according to Article 33 of the General Data Protection Regulation (GDPR).

Use Automatic Backups

No matter what you do to secure your website, the risk will never be zero. If your website functionality is damaged, you need a way to recover the data quickly – not only one way, but at least two. It’s essential to have a local backup of the entire application and an external backup not directly connected to the application in case of a hardware failure or an attack.

How to Secure Your Website

The importance of website security cannot be overlooked. In this section, we will review how to secure and protect your website. This is not a step-by-step guide, but it will provide you with guidance to find the right services for your needs.

1. Install Scanning & Monitoring Tools

Monitor every step of the way to ensure the integrity of the application. Alerting mechanisms can improve the response time and damage control in the event of a breach. Without checks and scans, how will you know when your website has been compromised?

At least a month’s worth of logs can be quite useful to detect application malfunction. They will also show if a server is under a DDoS attack or facing unnecessary stress.

2. Perform Regular Security Audits

Record and regularly review all actions that occur in the critical parts of the application, especially (but not exclusively) in the administration areas. An attacker could try to exploit a less vital part of the site for a higher level of access later.

Be sure to create triggers to alert you in the event of a brute force attack or attempt to exploit any site features, including those unrelated to authentication systems.
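The following is an added example of such a trigger, not a tool from the original guide. It reads authentication events from a constructed, hypothetical log format (`<timestamp> login_failed|login_ok user=<name> ip=<address>`), keeps a sliding window of failures per source address, and raises one alert when an address crosses a threshold; the sample log lines and the threshold values are constructed for the illustration. The same logic applies to whatever format your application or web server actually writes, once the parser is adjusted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical auth-log format (not a real product's format).
SAMPLE_LOG = """\
2023-10-10T13:55:01Z login_failed user=admin ip=203.0.113.5
2023-10-10T13:55:02Z login_failed user=admin ip=203.0.113.5
2023-10-10T13:55:03Z login_failed user=admin ip=203.0.113.5
2023-10-10T13:55:04Z login_failed user=editor ip=203.0.113.5
2023-10-10T13:55:05Z login_failed user=admin ip=203.0.113.5
2023-10-10T13:55:06Z login_failed user=admin ip=203.0.113.5
2023-10-10T13:57:30Z login_failed user=alice ip=198.51.100.7
2023-10-10T13:57:45Z login_ok user=alice ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) ip=(\S+)$")


def parse_line(line):
    # Returns None for lines that do not match, so unrelated log noise is skipped.
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": match.group(2), "user": match.group(3), "ip": match.group(4)}


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Alert once per source IP when it reaches `threshold` failed logins inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["event"] != "login_failed":
            continue
        failures = recent[event["ip"]]
        failures.append((event["ts"], event["user"]))
        while failures and event["ts"] - failures[0][0] > window:
            failures.popleft()  # drop failures older than the window
        if len(failures) >= threshold and event["ip"] not in alerted:
            alerted.add(event["ip"])
            alerts.append({
                "ip": event["ip"],
                "failures": len(failures),
                "usernames": sorted({user for _, user in failures}),  # several names = spraying, not a typo
                "first_seen": failures[0][0].isoformat(),
                "last_seen": event["ts"].isoformat(),
            })
    return alerts


def demo():
    return detect_brute_force(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The `usernames` field is worth keeping in the alert: many failures against one account and a few failures spread over many accounts are different attacks, and the second one stays under per-account lockout thresholds unless you count per source as well.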

It’s important to regularly check for updates and apply them to ensure you have the latest security patches. This is especially true if you do not activate a web application firewall to block vulnerability exploitation attempts.

3. Limit User Access & Permissions

Your website code may not be targeted by an attacker, but your users will be. Recording IP addresses and all activity history will be helpful in forensic analysis later.

A large increase in the number of registered users, for example, may indicate a failure in the registration process and allow spammers to flood your site with fake content.

The Principle of Least Privilege

The principle of least privilege rests on two ideas:

  • Using the minimal set of privileges on a system in order to perform an action.
  • Granting those privileges only for the time the action is necessary.

Granting privileges to specific roles will dictate what they can and cannot do. In a perfect system, a role will stop anyone who tries to perform an action beyond what it’s designed for.

For example, let’s say an administrator is able to inject unfiltered HTML into posts or execute commands to install plugins. Is this a vulnerability? No, it’s a feature, based on one very important element – trust.

However, should an author have the same privileges and access? We highly recommend that you separate roles based on trust, and lock down all accounts.
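Here is an added example, not code from the original guide, of what "separate roles based on trust" looks like when enforced in an application: a role-to-capability map, a check that every privileged action must pass, and a time-limited grant that satisfies the second point above (privileges only for the time the action is necessary). The role names and capability names are a hypothetical map modelled on the administrator and author roles discussed above, constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical role -> capability map (constructed for this example). The
# administrator keeps the trusted features; the author does not get them.
ROLE_CAPABILITIES = {
    "administrator": {"edit_posts", "publish_posts", "unfiltered_html", "install_plugins", "manage_users"},
    "editor": {"edit_posts", "publish_posts"},
    "author": {"edit_posts"},
}


class PermissionDenied(Exception):
    pass


class Account:
    def __init__(self, name, role):
        self.name = name
        self.role = role
        self._temporary = {}  # capability -> expiry time; elevation that ends on its own

    def grant_temporarily(self, capability, seconds, now):
        # Least privilege, second half: the grant carries its own expiry.
        self._temporary[capability] = now + timedelta(seconds=seconds)

    def capabilities(self, now):
        active = {cap for cap, expiry in self._temporary.items() if now < expiry}
        return ROLE_CAPABILITIES.get(self.role, set()) | active

    def require(self, capability, now):
        # Every privileged action goes through here; there is no "trusted caller" bypass.
        if capability not in self.capabilities(now):
            raise PermissionDenied(f"{self.name} ({self.role}) lacks {capability}")


def install_plugin(account, plugin_name, now):
    account.require("install_plugins", now)
    return f"installed {plugin_name}"  # stand-in for the real action


def can(account, capability, now):
    try:
        account.require(capability, now)
        return True
    except PermissionDenied:
        return False


def demo():
    t0 = datetime(2023, 10, 10, 12, 0, tzinfo=timezone.utc)
    alice = Account("alice", "administrator")
    bob = Account("bob", "author")
    results = {
        "admin_installs": can(alice, "install_plugins", t0),
        "author_installs": can(bob, "install_plugins", t0),
        "author_unfiltered_html": can(bob, "unfiltered_html", t0),
        "author_edits": can(bob, "edit_posts", t0),
    }
    # Bob needs to install one plugin for a task: grant it for ten minutes, not forever.
    bob.grant_temporarily("install_plugins", 600, t0)
    results["author_installs_during_grant"] = can(bob, "install_plugins", t0 + timedelta(seconds=300))
    results["author_installs_after_grant"] = can(bob, "install_plugins", t0 + timedelta(seconds=601))
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {allowed}")
```

The expiring grant is the part most systems skip: a permission handed out for a one-off task and never revoked is how an author account quietly becomes an administrator over time.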

4. Follow Personal Security Best Practices

Securing your personal computer is an important task for website owners. Your devices can become an infection vector and cause your website to get hacked.

A good website security guide will mention scanning your computer for malware if your website has been hacked. Malware is known to jump from an infected user’s computer through text editors and FTP clients.

You should remove all unused programs from your computer. Just like unused plugins and themes on your website, these programs can carry privacy issues; if something isn’t installed, it can’t become an attack vector to infect your machine. This applies especially to browser extensions, which have full access to websites while webmasters are logged into their admin interfaces. The less you have installed on your computer, the better.

If you aren’t sure of the purpose of a specific application, do some research online to confirm whether it is necessary or something you can remove. If you don’t intend to use it, then lose it.

5. Apply Virtual Hardening Techniques

To harden a website means to add different layers of protection to reduce the potential attack surface. Hardening often involves manual measures of adding code or making changes to the configuration.

It is important to emphasize that when it comes to hardening, each environment is unique.

6. Install an SSL Certificate

SSL certificates are used to encrypt data in transit between the host (web server or firewall) and the client (web browser). This helps ensure that your information is sent to the right server and is not intercepted.

Some types of SSL certificates such as organization SSL or extended validation SSL add an additional layer of credibility because the visitor can see your organization’s details and know that you’re a legitimate entity.

As a website security company, it is our job to educate webmasters and to inform them that SSL certificates do not protect websites from attacks and hacks. SSL certificates encrypt data in transit, but do not add a protective layer to the website itself.

7. Get a Website Firewall

Using SSL certificates alone is not enough to prevent an attacker from accessing sensitive information. A vulnerability in your web application could allow the attacker to eavesdrop traffic, send a visitor to fake websites, display false information, hold a website hostage (ransomware) or wipe out all its data.

Even with a fully patched application, the attacker can also target your server or network using DDoS attacks to slow a website or take it down.

A web application firewall (WAF) is designed to prevent such attacks against websites and let you focus on your business.

8. Use a Website Security Service

Our mission is to protect websites and to make the internet a safer place. We have free resources and tools to help website owners be proactive when it comes to their website security. We believe that together we can make a difference.

Website Security Tools

Here are some free website security tools:

Further Resources

Here are some educational website security resources:

If you are looking for a website security partner, we would love to work with you. Let us secure your website so you can focus on what you do best.

Website Security FAQ

Why is website security important?

Website security is vital to keeping a website online and safe for visitors. Without proper attention to website security, hackers can exploit your website, take it offline, and impact your online presence. The impacts of a hacked website can include financial loss, brand reputation issues, and poor search engine rankings.

What are the security risks for a website?

The main security risks of a website include: vulnerable code, poor access controls, and server resource exploitation. For example, DDoS attacks can make a website unavailable to visitors in a matter of minutes. There are a lot of reasons why websites get hacked; a weak password or outdated plugin can lead to a hacked website.

How can you tell a website is secure?

A secure website has a web application firewall activated to prevent attacks and hacks. It also follows website security best practices and has no configuration issues or known vulnerabilities. You can use SiteCheck to see if a website has a firewall, any security anomalies, malware, or if it is blacklisted.

Do I need security for my website?

Yes, absolutely. Website security is not included with most web hosting packages. The responsibility of securing a website is on the website owner. Security should be one of the first considerations when setting up a website, and an ongoing process of review. If a website is not secure, it can become a low-hanging fruit for cybercriminals.

How can I secure my website?

You can secure your website by following website security best practices, such as having a website firewall; using the latest version of the website CMS, plugins, themes and third-party services; enforcing strong password requirements; only granting the type of access that someone needs to accomplish a task.

Additional Resources

Webinar

Learn how to identify issues if you suspect your WordPress site has been hacked.

Email Course

Join our email series as we offer actionable steps and basic security techniques for WordPress site owners.

Report

Based on our data, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento.

Infographic

Learn security best practices for WordPress websites to improve website posture and reduce the risk of a compromise.
