As we continue on into 2021, more than 30,000 sites are being hacked a day, most of the time due to a lack of website security features. This information isn’t to scare you (although, if you aren’t implementing the following, maybe it should scare you in a good direction…), but instead act as a reminder that having a secure website is as important as ever.
What practices can you implement now to prevent an even bigger headache in the future? Well, the list could change depending on who you talk to, and if we’re being honest the list is probably close to endless.
However, take a look at the practices below; if you follow them, we believe you’ll be in good shape.
1.) Hypertext Transfer Protocol Secure – (HTTPS)
If you know what this is, and even if you don’t, there’s a good chance you’re already using it if you built your site with a website builder like Weebly or Wix (I don’t know why you’d ever choose those platforms, but to each their own). By contrast, most hosting providers and platforms don’t enable this by default.
If you’re on Google Chrome as your browser, you’ll know your site is secure when you see a lock icon next to your URL. Conversely, when your site is not secure, it will be rather evident as it will display “Not Secure” next to the current web address of your site.
The explanation of this could go deep and take up your entire day, or I can keep it short and let you get on with your life. Assuming you prefer the second, HTTP is unencrypted and operates at the application layer in networking, while HTTPS is HTTP carried over TLS (historically SSL), which sits just above the transport layer and encrypts the data before it’s sent. If you’re curious about the ins and outs of network layering, you can click here.
While it’s true that many hosting providers don’t enable this by default, many of them, such as our preferred host Siteground, provide you with a free SSL certificate to enable HTTPS as long as you request it. Implement it correctly and you’ll be one step closer to securing your site.
Additionally, while its absence may not kill your search engine rankings / search engine optimization, HTTPS is still important and can give you that extra edge you need to outrank your competitors. Lastly, once it’s implemented it’s important to make sure it’s working properly across your full site and that pages served over HTTPS aren’t still loading some resources (images, scripts, stylesheets) over plain HTTP, which is known as mixed content.
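The mixed-content check described above is something you can script. The following is an added example (not code from the original post): it parses an HTML page and reports every sub-resource that is still fetched over plain http://. The sample page and the cdn.example.test hostname are constructed for the example.

```python
from html.parser import HTMLParser
from typing import List, Tuple

# Tag/attribute pairs that make the browser fetch a sub-resource. An http://
# value in one of these on an HTTPS page is mixed content: browsers block it
# or warn about it, and the lock icon disappears. Plain <a href> links are
# navigations, not sub-resources, so they are deliberately not listed.
SUBRESOURCE_ATTRS = {
    "script": {"src"}, "img": {"src"}, "link": {"href"},
    "iframe": {"src"}, "video": {"src", "poster"}, "audio": {"src"},
    "source": {"src"}, "object": {"data"}, "form": {"action"},
}


class MixedContentFinder(HTMLParser):
    """Collects (tag, url) pairs for sub-resources requested over plain HTTP."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value and value.strip().lower().startswith("http://"):
                self.findings.append((tag.lower(), value.strip()))


def find_mixed_content(html: str) -> List[Tuple[str, str]]:
    """Return all (tag, url) sub-resources loaded over http:// in the page."""
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample page (not from any real site): one stylesheet and one
# image are still referenced over http://; the script is already fine, the
# protocol-relative image follows the page's scheme, and the link is ignored.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://cdn.example.test/logo.png" alt="logo">
<img src="//cdn.example.test/hero.png" alt="protocol-relative">
<a href="http://partner.example.test/">a plain link, not a sub-resource</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag}> loads {url}")
```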
2.) HTTP Strict Transport Security – (HSTS)
HSTS stands for HTTP Strict Transport Security and is a method used by websites to declare that they should only be accessed over a secure connection (HTTPS). When a website declares an HSTS policy, the browser must refuse all HTTP connections to it and must prevent the user from clicking through an invalid SSL/TLS certificate.
HSTS is supported by most browsers including Internet Explorer, Edge (which is now dead anyways), Chrome, Safari, Firefox, iOS Safari, Android Browser, and more. The whole point is to prevent man-in-the-middle attacks from hackers who may try to force access via HTTP and sniff packets.
Additionally, you can add your site to the HSTS preload list as an added measure for your website security. The Chromium project maintains a list of websites that use HSTS, and this list is distributed with browsers. Then, if a browser knows your site is on the preload list, your site will never be accessed over plain HTTP, not even during the very first connection attempt (which an ordinary HSTS header alone can’t protect, since the browser hasn’t seen the header yet).
3.) Content Sniffing Protection
Content sniffing attacks usually involve fooling a browser into executing a script disguised as a different file type. When a browser is processing a response, it sometimes doesn’t pay attention to the MIME type in the ‘Content-Type’ header and instead guesses the type based on the contents of the response body.
This is what is known as content sniffing, and ironically enough it is done to improve the user experience when the headers are inaccurate or not present. The problem with this is that it can be exploited.
For example, if your website has a contact form with the option to upload an image file, an attacker may be able to produce an image file that contains script inside of it, which the browser could then be tricked into running as script in your site’s origin.
You can simply set the ‘X-Content-Type-Options’ header to ‘nosniff’. By doing this, you’re telling browsers not to guess the response type and to rely solely on the ‘Content-Type’ header. This simple setting will improve your website security by a lot.
4.) Clickjack Protection
Clickjack attacks occur when a user is tricked into taking an action they didn’t mean to take. This is usually done by wrapping your site inside an iframe on an attacker’s page and overlaying elements that are invisible to the user. Some things that can be done with a clickjack attack are:
- Promoting online scams
- Spreading malware
- Tricking users into turning on their microphone or camera
- Harvesting login information
While clickjack attacks won’t affect your site directly, they will affect your users/visitors. To rule out this possibility, you need to ensure your site can’t be wrapped in an iframe by a malicious site. This is achievable via instructions you place in the HTTP response headers of your site.
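Sections 2 through 4 all come down to response headers you can check with a script. Below is an added example (not code from the original post) that audits a header map against the three controls described: an HSTS policy that meets the preload list’s published requirements (one-year max-age, includeSubDomains, preload), ‘X-Content-Type-Options: nosniff’, and framing protection via the standard ‘X-Frame-Options’ header or a CSP ‘frame-ancestors’ directive. The two header sets are constructed samples, not captured from any real site.

```python
from typing import Dict, List

# Constructed sample responses (keys lowercased, as most HTTP clients return them).
WEAK_HEADERS = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=300",
}
HARDENED_HEADERS = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY",
}

# Minimum max-age (one year, in seconds) required by the hstspreload.org submission rules.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=...; includeSubDomains; preload' into a lowercase directive map."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak control; an empty list means all three pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing: browsers will still accept plain HTTP")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is below the one-year preload minimum")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains (required for preload)")
        if "preload" not in d:
            findings.append("HSTS lacks the preload directive")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browsers may content-sniff")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("No X-Frame-Options or CSP frame-ancestors: page can be framed (clickjacking)")
    return findings
```

Feed it the header dictionary from your HTTP client of choice (for example the `headers` attribute of a `requests` response) to audit a live site.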
5.) Hiding server information & domain privacy
One of the biggest mistakes you can make with website security is in regard to your hosting. First and foremost, you need to ensure that your website is with a hosting provider with a high reputation and not some random guy who claims he can’t ‘get you the fastest speeds on the internet’. This is important both in terms of the provider not stealing your information, but also so that they are able to provide the protections needed to keep your site from being hacked from the backend.
You should then ensure that your servers, host, and platform (e.g. WordPress and its plugins) are fully updated so you aren’t exposed to vulnerabilities that have already been patched. Additionally, another step you can take is to simply hide your server information, so that the software and versions you run aren’t advertised to anyone who asks. Wow – this probably seems like a lot, and that’s because it is! At the very top level, you can pay a little extra to your domain provider to hide your registration details. Without doing this, anyone can use sites like whois.com to look up your domain and see that you own it, along with your address, phone, email, and more.
We hope you found this short read informative and that it opened your eyes to the multitude of security risks that are out there. Obviously, this does not cover every type of attack, but we hope it gives you a better picture of the threats that do exist. If you’re unsure whether or not your site has these, talk to your website manager, or contact us and we can check your site for you!