15 Business rules that will make your website more secure
There are a number of things you can do to protect your website. I’m listing an overview of what you can do in terms of business rules. I’m saving a list of specific attacks and what you can do to avoid them in a future post.
- Start with a security plan. Do you have one? Do you know what this means? If you don’t understand where to start you need to bring in an expert. Don’t make assumptions your business is too small to get attacked. Don’t make assumptions software products – even by big names – are inherently secure.
- Use a Cloud Proxy Firewall. The great thing about a cloud proxy firewall such as Sucuri CloudProxy is it blocks attacks at the DNS level before they can even reach your server. The proxy firewall filters and blocks attacks, stops DDOS, stops Brute Force attacks and prevents malware and blacklisting.
- Use a firewall to protect your admin panel. The whole world doesn’t need access to your admin panel. Just your organization and maybe just a single office location. Restrict access to the admin panel to as few IPs as need to access it. Hacking scripts target well-known admin panel locations such as WordPress’s wp-admin directory. Restrict access to it. If you can rename default admin folders then rename them. Nothing says “hack me” like using an /admin folder off the root of your website.
- GEO-Blocking. You have zero sales in Latvia and yet several IPs from that country attacked your site 30,000 times in one hour. GEO block Latvia with your firewall. And GEO-block other regions such as Eastern Europe and south East Asia that provide no financial benefit to your business. GEO-blocking won’t stop skilled hackers – they can spoof their IPs. However, it will block the majority of script kiddies and bot networks from ever reaching your site.
- Use versioning control. If your site gets attacked you need to be able to fix it quickly. You need version control software such as SVN or Mercurial for your software and built-in versioning for content. We haven’t used FTP since 2012.
- Backups. A prospect contacts us once per month about their site being compromised and they need to fix it. The first question we ask is how recently the site was backed up and where we can find the files and data. If you don’t have back-ups you’re starting from scratch.
- Deployment process. We make content changes in a staging environment separate from production then use products like DeployHQ to push to production. If anything happened to our sites we can restore them at the press of a button.
- Move to the cloud. No more failed spinning disks, no more crashed system software updates, no more downtime. PCI compliance. Armed guards and retinal scans to access the physical environment. Scalability, redundancy — I can go on and on and on.
- Avoid cheap, shared hosting. Twice a month, we’re contacted by a prospect because their site was hacked in a shared environment with no security protocols. You can’t control what happens in a shared environment. Your site may appear secure but the next site could be a disaster. As soon as one site is attacked and the details are shared throughout the hacker universe — it’s open season on your site. You get what you pay for.
- Never hold credit card information. The fines for not properly securing credit card details can be up to $25,000 for the first violation. Why would you want the liability? Use a third-party payment gateway and let it handle the transactional risk. Never, never, never hold credit card information.
- Don’t give your passwords to people you don’t know. A large percentage of infamous hacking attacks are done through “social engineering.” Hackers call and misrepresent themselves as technical support. They may ask for technical details and login credentials. A person will give it to them. Don’t be that person.
- Password protocols. Don’t use abc, 123, test, your login name, or the name of your company. Have a company policy in place. You can find some great password policy tips here.
- Use SSL – Encrypt all forms and data-collection points.
- Regular Updates for your CMS platform. Do you know how you are constantly getting updates on your operating system or even Web browser? A large percentage of the updates are patches to fix security issues in the software. The same applies to your content management platform. You need to regularly update the core files for your CMS and all related plugins to improve security.
- Harden your CMS through plugins and enhancements. The default installation of most CMS platforms isn’t secure. You need to take the extra step of installing a security “hardening” plugin. Bullet Proof Security, for example, is a popular option for WordPress. These security plugins lock down files, ports and perform a number of functions to make your site more secure.