Website security

Posted on 10. November 2017.
Author: atec_dev

The information society, as the successor of the industrial society, is one in which the creation, exchange and use of information is the central cultural and economic activity. It is often described as resting on a "knowledge economy": profit is generated by exploiting knowledge, which has become the most important production factor, while earlier factors such as natural resources have lost significance. In such a society information is treated as capital, so its security is of great importance.
Website security is the branch of information security that deals with everything related to protecting a web site, its web applications and the other web services it exposes. As in every other area of life, security threats exist on the Internet. There are many types of threat, classified into different groups: some are direct attacks on the web site itself, while others use the human factor as the way to "leak" information. All of these are popularly lumped together under the name "hacker attacks".

Hacker attacks, and the tools used to carry them out, can be roughly grouped as follows (the list mixes attack techniques with the families of malicious software that implement them):

  1. DDoS attacks (Distributed Denial of Service)
  2. Botnets
  3. Backdoor attacks
  4. Direct-access attacks
  5. Keylogger attacks
  6. Spoofing
  7. Exploits
  8. Social engineering
  9. Indirect attacks
  10. Malware
  11. Adware
  12. Ransomware
  13. Rootkits
  14. Spyware
  15. Trojan horses
  16. Viruses
  17. Worms
  18. Phishing
  19. Identity theft
  20. Brute-force attacks
  21. Cross-site scripting (XSS)
  22. SQL injection

Since the number of attack methods and the creativity of attackers grow every day, protecting a web site is not a task done once but a continuous process that demands ongoing attention: a game of cat and mouse between the site owner and the attacker. Even with every protection measure applied, a 100% secure web site does not exist. What can be done is to keep the level of protection as high as possible at all times.
The approach to security differs with the type of web site (static or dynamic). Static HTML sites are the relatively safest, because they contain no server-side code and use no database, so there is far less to attack; even so, the web server, its TLS configuration and the hosting account that can write the HTML files still need to be protected.

Dynamic sites built on one of the CMS solutions require a more detailed approach, since the database and the server-side code they rely on must also be secured.

WordPress, as the most widespread CMS, needs protection at multiple levels:

  1. Choose a quality, reliable hosting provider with good technical support and the best ratio of price to the performance and security it offers.
  2. However well the web site is secured, regular backups must be made; as noted above, there is no 100% secure web site. A regular backup lets the owner return the site to a working state after a successful attack. Many hosting providers offer automatic backups, but a backup made by the owner is the better option, because the provider's copy may turn out to be unusable for many reasons: corrupt files, an untimely backup (an old version of the site), and so on. Whichever option is used, a backup is only worth what a test restore proves: restore it to a test copy of the site occasionally, and keep at least one copy outside the hosting account, so that an attacker who takes over the server cannot delete the backups together with the site.
  3. Update WordPress core, every plugin in use and the themes in use to the most recent version, once a current backup is available. Attacks on a web site are very often carried out through old plugin versions with known security flaws. Plugins that are not used should therefore be removed from the site (deactivating is not enough, because their files remain on the server and can still be requested directly), and plugins should come only from trusted sources.
  4. Protecting the .htaccess file is also crucial. On Apache servers this file carries per-directory web server configuration: access rules, rewrites, redirects and the like. An attacker who can modify it can open up parts of the site that are normally closed or redirect visitors elsewhere, so it must be readable by the web server, not writable through the site, and not downloadable by visitors.
  5. Through this file it is also necessary to deactivate directory listing, disable access to wp-login.php from unknown IP addresses, restrict access to the wp-admin folder and protect the wp-config.php file, which holds the database credentials.
  6. The name chosen for the administrator account matters too. Avoid names such as "admin", because most brute-force attacks begin with that account. Bear in mind that WordPress can reveal usernames in other ways (author archive URLs, the REST API), so a non-obvious name slows attackers down but does not replace a strong password and a limit on login attempts.
  7. The password for the administrative part of a web site is equally important. It should not be a simple word but a long combination of letters, digits and punctuation characters; the more characters it contains, the smaller the chance that it can be found by brute force. Do not pick a password because it is easy to remember; pick one that gives the site the greatest security (at least 15 characters is recommended) and keep it in a password manager.
  8. Installing one of the many security plugins is also a good option; they take care of advanced settings that are not always easy to configure by hand.
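The .htaccess rules described in steps 4 and 5, written out as an added example (this is not configuration from the original post). It assumes Apache 2.4 on the hosting server, an `AllowOverride` setting that permits these directives, and uses the documentation addresses 203.0.113.10 and 198.51.100.0/24 as placeholders for the administrators' real IP addresses:

```apache
# ---- .htaccess in the WordPress site root ----

# Step 5: no directory listing anywhere under the site root
Options -Indexes

# Step 5: wp-config.php holds the database credentials; never serve it
<Files "wp-config.php">
    Require all denied
</Files>

# Step 4: the .htaccess files themselves must not be downloadable
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Step 5: the login form answers only the administrators' addresses
# (203.0.113.10 and 198.51.100.0/24 are placeholder documentation
# addresses; replace them with your own). Everyone else receives 403,
# so automated password guessing never reaches WordPress.
<Files "wp-login.php">
    Require ip 203.0.113.10 198.51.100.0/24
</Files>

# ---- .htaccess in the wp-admin folder ----

# Step 5: the whole admin folder is limited to the same addresses ...
Require ip 203.0.113.10 198.51.100.0/24

# ... except admin-ajax.php, which many themes and plugins call from
# the public front end; blocking it breaks the site for ordinary visitors.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Keep these rules outside the `# BEGIN WordPress ... # END WordPress` block in the root file, because WordPress rewrites that block whenever permalink settings change. On Apache 2.2 the `Require` lines become `Order deny,allow`, `Deny from all` and `Allow from ...`, so check the server version before pasting. After saving, request wp-config.php and wp-login.php from an address that is not on the list and confirm that both return 403. If the administrators do not have fixed addresses, replace the IP rule on wp-login.php with HTTP basic authentication (`AuthType Basic` with an `AuthUserFile` stored outside the web root), which achieves the same goal of stopping guessing attempts before they reach WordPress.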

This text gives only basic guidelines and the most important points to consider. Web site safety requires daily work: following news from the field and applying the latest solutions and procedures, depending on the type of web site you own and on other factors as they arise.