There is little doubt that the focus in 2017 for many in the information technology space will be security. Given recent political events and revelations of the capabilities of foreign attackers, corporations and website owners must adapt to the new reality that high security is the new normal, not just a wish list item.
Regardless of your industry, having a website that is vulnerable to attack or that becomes the victim of an attack will result in a huge credibility problem for your company or organization. Maintaining trust with customers and users is essential in this new world, so security must be the top concern for website administrators and marketers alike in 2017.
You may be thinking that at this point, your website is so small or under the radar that security risks don’t apply to you. But being attacked is a major threat to your entire business, not just your website.
Those who should be most worried are administrators of websites that store user data, including:
- Subscription/SaaS websites
- E-commerce sites that store customer data
- Any portal or login-based software
- Any informational site of high value (enterprise, etc.)
- API-driven applications
Luckily, we have assembled some tips and tricks to guide you toward a safer and more secure 2017, beginning with improving your CMS security.
Step 1: Keep Up To Date
This is particularly important for those who are running their websites on off-the-shelf software. Updates usually happen because the communities or teams that maintain this type of open-source software have discovered a security-related reason to issue an update. This means that without a doubt, you should update the software immediately.
We’ve written many times about how off-the-shelf software requires updates, and how said updates may break your website. This is a risk you have to take to maintain a level of security that, at the minimum, will keep out the automated bots.
And in reality, updates do just that. They aren’t aimed at specific attackers; they’re aimed at automated systems that crawl your website searching for a way in. For targeted threats, more intensive steps are required to ensure safety.
Step 2: Fly Under the Radar
The best way to fly under the radar—and thus improve your CMS security dramatically—is to minimize the exposure of your CMS installation, beginning with hiding the version number or easily accessible identifying information about the type and version of the particular piece of software you have in place. This can be easy or complicated depending on your platform, but the more barriers you put in place in terms of access, the better off you will be.
Along the same lines, hiding your admin portal is a must. With WordPress, /wp-admin is the default login area for administering your website. I’d be willing to bet that more than 99% of WordPress installs don’t attempt to hide this location. Nor do they protect it with IP blocking at the firewall or web server level.
Also, consider changing default values your CMS may utilize. For example, WordPress utilizes a prefix of “wp_” when defining database tables. Many malicious scripts will, when accessing your server, look for those tables by that name. A simple rename can go a long way. Don’t forget to also change the default permissions that CMSs set when installing. They typically leave files writable in many more places than necessary, and those permissions can be locked down.
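To check how much of the identifying information Step 2 says to hide your own site still exposes, here is a small audit function added for this post (not code from the original article). It inspects a saved response's headers and HTML for the usual giveaways: version-bearing Server/X-Powered-By/X-Generator headers, the `<meta name="generator">` tag, and `?ver=` query strings on assets. The headers and HTML below are constructed samples, not a real site.

```python
import re

# Patterns that commonly leak CMS type or version in a page or its headers.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
VER_QUERY_RE = re.compile(
    r'<(?:script|link)[^>]+?(?:src|href)=["\'][^"\']*[?&]ver=([0-9][\w.\-]*)', re.I)
VERSION_HEADERS = ("server", "x-powered-by", "x-generator")
VERSION_IN_VALUE_RE = re.compile(r'\d+\.\d+')


def find_cms_disclosures(headers, html):
    """Return (location, value) pairs that reveal software type or version."""
    findings = []
    # Response headers often carry exact server/runtime version strings.
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS and VERSION_IN_VALUE_RE.search(value):
            findings.append((f"header:{name}", value))
    # <meta name="generator"> names the CMS (and usually its version) outright.
    for m in GENERATOR_RE.finditer(html):
        findings.append(("meta:generator", m.group(1)))
    # Asset URLs with ?ver=X.Y reveal the core version even without the meta tag.
    for m in VER_QUERY_RE.finditer(html):
        findings.append(("asset:ver", m.group(1)))
    return findings


# Constructed sample of a default install: everything below is made up.
LEAKY_HEADERS = {"Server": "Apache/2.4.18 (Ubuntu)",
                 "X-Powered-By": "PHP/5.6.30",
                 "Content-Type": "text/html"}
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 4.7.1">
<link rel="stylesheet" href="/wp-content/themes/x/style.css?ver=4.7.1">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>"""

# Constructed sample after hardening: generic Server header, no generator tag,
# asset URLs without version query strings.
HARDENED_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}
HARDENED_HTML = """<html><head>
<link rel="stylesheet" href="/assets/style.css">
<script src="/assets/jquery.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for location, value in find_cms_disclosures(LEAKY_HEADERS, LEAKY_HTML):
        print(f"{location}: {value}")
    print("hardened:", find_cms_disclosures(HARDENED_HEADERS, HARDENED_HTML))
```

Run it against a saved copy of your own front page (headers plus body) before and after applying the changes; an empty list is the goal.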
Of course, we believe that a custom CMS installation is the safest and most secure option available. This is due to the fact that by simply running completely under the radar, they are more difficult targets for predators. And, best of all, you can build in sophisticated levels of access and publish permissions to secure environments, making unauthorized access even more difficult.
Step 3: Protection from DDoS
You may or may not know what DDoS stands for. A Distributed Denial of Service attack is initiated by those aiming to do specific harm to a website. It usually works by having many thousands of devices hitting a single website URL at the same time. What’s even scarier today is that this can actually happen from devices that aren’t even computers. Pretty much anything that can be reached over an Internet connection could be recruited, everything from refrigerators to thermostats.
As the requests to your site climb higher and higher, eventually your web server and host network will collapse under the pressure. In 2017, we expect more and more of these types of attacks to happen, taking down websites that are not prepared.
Luckily, you can prepare in advance by setting up some preventative measures. Cloudflare is a popular service that sits in front of your site to absorb DDoS traffic before it reaches your server and, when an attack does happen, passes legitimate traffic through rather than letting your site buckle under the pressure.
Given the relatively low cost of this solution, it is a no-brainer to invest in this type of insurance policy, providing a quick and easy improvement to your overall CMS security.
Step 4: Go Headless
This is not as quick a fix as the above recommendations, but it could mitigate many risks for you in the long run. At NPG, we are focusing our efforts on advanced CMS installations utilizing headless technology.
“Headless” or “decoupled” systems separate the CMS infrastructure from the front-end display. If done correctly, utilizing infrastructure that allows true separation, website administrators can rest assured that their CMS will be protected from outside influence.
This scenario gives you a vast variety of benefits. First, it will make detection of your CMS nearly impossible. Secondly, it’ll allow you to utilize secure hosting services that other platforms won’t allow (see below as an example). Finally, it’ll serve a good marketing and business need: flexibility on your front-end website. An entire world of possibilities in terms of design and functionality will be available to you.
Step 5: Go Static
This is going to sound crazy, like it’s 1999 all over again. But for the utmost safety and security, you can consider taking your site back to the days of static HTML.
Before you close this tab in your browser, hear me out!
Static sites don’t equal a lack of control. In fact, you can still have complete control via a CMS with a static website. The only difference is that the pages are being generated into HTML and published to a server or hosting system, as opposed to being served dynamically on-demand, as most CMSs do.
By removing the connection between your front-end experience and the actual database that powers the administrative portal, you take your security to the next level. And beyond that, by separating your website from a database entirely, you remove even more of your potential attack surface. You will not have server-side scripting, meaning that you don’t actually even need a proper “server”.
Stay with me here!
If done properly, you can publish your HTML pages to a content delivery network such as Amazon S3 or similar. These systems are configured to host websites, though no one really ever thinks about it. By doing this, you are actually gaining a powerful partner in securing your website: the largest e-commerce retailer in the world who also specializes in scalable and secure hosting services!
Just In Case: Backups
Hopefully, the above steps will mitigate much risk for your organization. But while I have your attention, I want to make one more appeal to back up your website on a regular basis!
Today, this is done a few different ways. Since so much of our hosting these days is done on the cloud via virtualized servers, you can simply save images of your server, allowing for a very fast return to service if something goes wrong.
If you are on actual hardware, back up at least daily. And try to keep the files in a separate location, but one that has fast connectivity to your host in case you need to provision a new server with your data.
The above steps may never be necessary—and I hope it stays that way for your business. But it’s always better to plan ahead. Securing your website and CMS can cost you anywhere from a few dollars to hundreds of thousands. It’s up to you to decide from a business perspective what level of risk you are prepared to accept, and then act quickly and consistently to stay ahead of the latest threats and vulnerabilities.