It’s not just our personal and social lives that are moving online; more and more businesses are stepping onto the World Wide Web to follow where all the potential customers are going. According to a study report from Zinnov, a management consulting firm headquartered in Bangalore, as of August 2015 only 10 million, or 20 per cent, of the 50 million small and medium businesses in India are actually tech-ready (read the full report here). As a statistic, that’s woefully low! However, if you’ve at least managed to get your business’s website up, you deserve a round of applause, because you’re one of the early small business owners with at least some sort of online presence to promote your business on, as opposed to nothing at all.
However, the number of businesses registering online is only going to go up. Domain names, web hosting, Facebook and Twitter business pages are unleashing an online avalanche; you name it, the competition’s coming, if it hasn’t already. All this is music to the ears of potential hackers, who are always ready to do some serious mischief wherever the potential for financial gain is greatest. If you’re not careful, the weeks and months spent setting up your website and infrastructure may crumble like a house of cards.
Your website is your business’s online calling card, and ideally it should be functioning and accessible 24x7. Failing to keep it that way can be a serious blow to your online business’s credibility. Don’t worry, though: this guide aims to make you aware of some of the lines of defence you need to draw in order to secure your website and online business. Here’s how:
It’s all in the directories
When bad guys come knocking at your website’s door, they like to try all the popular tricks first to see if your website is unguarded and allows unauthorized access without putting up any fight at all. To discourage such attacks, it’s important to make it as difficult as possible for the assailants to figure out what CMS (content management system) your website runs on, if any.
Say you have a website and blog running on a custom WordPress installation. Hackers already know that WordPress is the most popular free CMS, and any of them worth their salt are well aware of its source code, installation process and default folder hierarchy on a web server. If you (or your hired webmaster) install a default instance of WordPress to run your website and blog, without any sensible renaming of the folder structure, hackers can easily guess and scan your website’s admin, login and other sensitive pages, making access significantly easier to gain.
Nowadays, most sought-after CMSes allow renaming of the admin and other essential folders, precisely to frustrate less patient hackers. Picking less obvious, hard-to-guess and unusual names for your website’s admin folders (known only to you and your webmasters) can greatly reduce the chances of a successful hack attempt.
In a similar vein, when logging into your website’s admin console or dashboard, avoid using “admin” as a username, for the same reason you’d want to change the login URL: it’s a dead giveaway, making any potential hacker’s attempt to break into your website that much easier.
Tips for secure WordPress login page
Install a web application firewall (WAF)
Just as you are keen to protect all your digital endpoints (PC, laptop, smartphone, etc.) with security software (antivirus) of some kind, you need to secure your website, too. Enter the WAF, or web application firewall, which is just what the doctor ordered: something that should be a critical component of every online business’s security arsenal, and a priority.
A WAF can be a server plugin or a separate appliance that sits between your web server and its incoming and outgoing communication lines, monitoring the traffic that wants to establish a connection to your website. Essentially, a WAF defines a strict set of rules governing who gets to connect to your website and who doesn’t. It typically sifts through HTTP traffic looking for XSS (cross-site scripting) and SQL injection attacks, two of the most common attack vectors, but it can be configured to stay alert to more sophisticated attacks as well. Most modern WAF solutions are capable of dealing with DDoS and other advanced web threats, too.
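To make the rule-based filtering described above concrete, here is a small added example (not code from the article or any WAF product) that inspects the decoded parameters of an HTTP request against a handful of constructed XSS and SQL-injection signatures and returns an allow/block decision. The rule names, regexes and sample requests are all assumptions for illustration; real WAFs ship far larger, tuned rule sets.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed signature rules: (rule name, compiled pattern). These are
# illustrative only and far smaller than a production WAF rule set.
RULES = [
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I)),
    ("xss_event_handler", re.compile(r"\bon(load|error|click|mouseover)\s*=", re.I)),
    ("sqli_tautology", re.compile(r"\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I)),
    ("sqli_union_select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("sqli_trailing_comment", re.compile(r"(--|/\*|#)\s*$")),
]


def _decoded_values(query_string, body):
    """Yield every parameter value from the query string and form body, decoded."""
    for blob in (query_string, body):
        for _, value in parse_qsl(blob, keep_blank_values=True):
            # parse_qsl percent-decodes once; decode a second time so that
            # double-encoded payloads (e.g. %253C for '<') are still inspected.
            yield unquote_plus(value)


def inspect_request(method, path, query_string="", body=""):
    """Return ("block", [matched rule names]) or ("allow", []) for one request."""
    hits = []
    for value in _decoded_values(query_string, body):
        for name, pattern in RULES:
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return ("block", hits) if hits else ("allow", [])


if __name__ == "__main__":
    # Constructed sample requests: one benign search, one XSS attempt,
    # one double-encoded XSS attempt and one SQL-injection login attempt.
    samples = [
        ("GET", "/search", "q=red+shoes+on+sale", ""),
        ("GET", "/search", "q=%3Cscript%3Ealert(1)%3C/script%3E", ""),
        ("GET", "/search", "q=%253Cscript%253E", ""),
        ("POST", "/login", "", "user=admin'+OR+1=1--&pass=x"),
    ]
    for method, path, qs, body in samples:
        print(method, path, inspect_request(method, path, qs, body))
```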
Invest in a security platform for your website to protect it against malicious attacks
A WAF can be deployed at either the hardware or the software level. Unlike the PC security market, which has only a handful of popular and reliable vendors, the WAF market is inundated with a whole bevy of products offering different levels of security. Take a look at Amazon Web Services’ WAF offering, which debuted only in October 2015 and offers web security at an attractive price.
SSL
Anyone who’s browsed the internet through the confines of their web browser must have encountered the term, if not the scenario, where the browser established an SSL connection. In fact, in 2016 you’d be hard pressed to find a credible, large online business that doesn’t use SSL connections when engaging with users and sensitive user data. But what is SSL?
SSL is short for Secure Sockets Layer, an encryption protocol used by web servers to establish secure connections with endpoints so that data flows between them in encrypted form. If a web server connects to a browser over a secure, encrypted connection, the browser highlights the change in the URL as an HTTPS connection (as opposed to a regular HTTP connection, which is unencrypted) and displays a lock icon. More and more browsers are enforcing these web norms to warn users whenever they are NOT connecting to a secure web server. For online businesses, regardless of what you’re advertising or selling, encryption is an absolute must-have in this day and age. No wonder hacking is so rampant online, when more than 80 per cent of websites don’t support encrypted connections. It’s high time we all changed that, starting with every business owner securing their own website.
Encrypt your data with SSL
While you can certainly create and deploy your own SSL certificate, it’s highly recommended to get SSL certificates issued by a verified vendor such as Symantec (which bought VeriSign’s secure authentication business) or a domain registrar such as GoDaddy. SSL security is extremely important for website owners who are concerned about secure logins and credit card transactions. When you’re looking to purchase an SSL certificate for your website, make sure you look for one that offers SHA-2 and at least 256-bit encryption.
If your business’s website has a lot of users logging in with usernames and passwords, make sure you have certain password policies in place. Enforce password updates as often as you can (ideally on a monthly basis), and ensure passwords contain at least alphanumeric characters and special symbols and meet a minimum length (more than 10 characters). Just as you’d notice on forums (like our own Digit forum), make sure you disconnect the user after a certain period of inactivity (5 to 15 minutes). This may sound like a lot of rules to you, but trust us, it only covers the basics as far as Passwords 101 goes in 2016.
If you’ve used two-factor authentication while logging into Gmail or while executing a credit card transaction on Flipkart or Amazon.in, you can get similar solutions deployed for your website, too. Two-factor authentication essentially uses your phone (number) to send you a part of the password needed to log in successfully, thereby hoodwinking hackers. There are a number of two-factor authentication services that offer to send uniquely generated codes over SMS or voice. If you’re interested in exploring these advanced authentication mechanisms for your website’s users, check out 2factor.in, which delivers OTP (one time password) codes within 2-15 seconds to any mobile phone in India and charges as little as 18 paise for every successful OTP authentication.
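The password and session rules listed above, turned into checks a login system could apply, as an added example (not code from the article or from any forum software): the thresholds (11-character minimum for "more than 10", 30-day rotation for "monthly", 15-minute idle limit from the 5 to 15 minute range) are assumptions chosen to match the article’s recommendations.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed concrete values for the article's policy.
MIN_LENGTH = 11                        # "more than 10" characters
MAX_PASSWORD_AGE = timedelta(days=30)  # rotate roughly monthly
IDLE_TIMEOUT = timedelta(minutes=15)   # upper end of the 5-15 minute range


def check_password_strength(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    # A special symbol is anything that is neither alphanumeric nor whitespace.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no special symbol")
    return problems


def password_expired(last_changed, now):
    """True when the password is older than the rotation period and must be updated."""
    return now - last_changed > MAX_PASSWORD_AGE


@dataclass
class Session:
    user: str
    last_activity: datetime


def session_still_valid(session, now):
    """False once the user has been idle longer than IDLE_TIMEOUT."""
    return now - session.last_activity <= IDLE_TIMEOUT


def touch(session, now):
    """Refresh the idle timer on an authenticated request; reject if already timed out."""
    if not session_still_valid(session, now):
        return False
    session.last_activity = now
    return True
```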
Can’t go wrong with 2-factor authentication
Content delivery networks (CDNs) are also worth evaluating in your quest to secure and safeguard your website. Not only do they ensure super-fast delivery of your web pages or online service all across the globe, through a vast array of servers around the world, but a CDN can also be a line of defence in your security strategy when your website is encountering DoS attacks, and especially if your website happens to go down for some reason.
A security-focused content delivery network, CloudFlare (among others) is worth looking into. It likes to describe itself as an online neighbourhood watch, keeping the internet’s bad guys from disrupting your online business, and in a nutshell that’s true. By adding CloudFlare to your website, you essentially allow it to filter the content requests flowing into your website, blocking out spam and DDoS traffic in the process. It also caches your website’s static and dynamic content across its network of web servers, so even if your website encounters some downtime (even for maintenance), a copy of it can remain online and accessible to users around the world. What’s more, CloudFlare is free to use, and it also has paid plans for more serious businesses that don’t want to compromise on their website’s security and reliability.
While CloudFlare is the most popular free CDN out there (even The Pirate Bay uses it!), there are alternatives like Incapsula, Myra Cloud and CDNify that are also worth looking into.
Last but not least, don’t forget to regularly back up your website: databases, content folders, logs, everything. Depending on the size and scale of your website’s operations, backups should be taken daily, or weekly at most. Also, apart from all the tips so far, don’t forget to stay vigilant on free Wi-Fi hotspots, even inside a hotel. Free almost always means insecure. Invest in a VPN to create encrypted tunnels when connecting to any unfamiliar or unknown network. These are only the first steps towards securing your business’s online presence. Best of luck!