Advertisment

10 Ways to Secure Your Website

author-image
PCQ Bureau
New Update


Advertisment

Advertisment

Dhruv Soi, Director, Torrid Networks

Launching your company's website or portal is a great idea, but keeping it secure is equally if not more important. Nearly 70% of cyber attacks on the Internet today occur at the web application level. Website defacement by hackers can bring embarrassment to your business and an insecure website infected with malware can put its visitors at high risk of getting compromised.

Applying an SSL certificate to make the website work upon the HTTPS protocol doesn't provide any protection to the web application because HTTPS merely secures the communication channel so that an intruder can't read any data traveling between the visitor's Internet browser and the website. Similarly, the network firewall protects the server on which the website is hosted from external threats and doesn't provide any kind of security to the website.

Advertisment

It's therefore essential that you follow a multi-pronged strategy to protect your website from cyber-criminals. Here are ten things you must do to secure your website:

1. Avoid Using Shared Hosting: In shared hosting, multiple websites are hosted on the same physical server. Even if one website is completely secure, another insecure website hosted on the same server can help the hacker to compromise the secure website by attacking the insecure one. So avoid shared hosting as much as you can, and in case shared hosting is the only available option, sign-up with a secured shared hosting provider.

Advertisment

2. Harden your website's security: Hardening is the concept of securing a hosted environment that includes an operating system, web server, network and website, by removing the installation defaults. In shared hosting, access to most components is limited. However, in case your website is hosted on a dedicated server, there are certain measures you need to take to add protection:

  • Stop unwanted system services and remove unwanted programs.
  • Configure the network firewall and intrusion prevention system (IPS) to protect your web server.
  • Use the latest software versions and apply operating system patches to fix known security problems.
  • Install an anti-virus program on the web server.
  • Critical web applications can be protected by configuring web application firewall (WAF).

3. Back up content and log files to a secure location: Taking regular backup of your website's content is a good practice. However, you must back it up to a different location rather than storing backups within the website folder (webroot) itself. Doing this will make it available over the Internet, which actually makes life easier for malicious users than difficult! Similarly, logs offer sensitive information about your website and its underlying environment. So store the backup content and logs at a secure location. Search engines keep crawling every website over the Internet and display the indexed contents as search results. To protect files and folders from being crawled by the search engines, configure a robots.txt file in the webroot with rules to deny access to important directories by robots.

Advertisment

4. Encryption in storage and transit: Websites storing confidential data in a database or a file system should use strong encryption mechanism to store data. To protect the website data on transit, use SSL certificates to encrypt the communication channel between the visitor's Internet browser and the website.

Advertisment

5. Install host integrity checking software: Install host integrity checking software to track any unauthorized changes to the website contents. Such software sends an instant email notification on detecting any change in the website contents.

6. Do regular monitoring: Perform regular log monitoring to detect malicious activities and take informed decisions. Log monitoring and correlation tools can also be used to simplify the monitoring activity.

7. Secure the Webmaster's system: Webmasters should keep their systems updated with latest patches and antivirus software installed. Website management or modification from an insecure system can also lead to compromise of the website.

Advertisment

8. Use safe management methods: Follow safe methods to manage your website. For example, to protect the FTP username and password from being read during its transit over the Internet, use SFTP instead of FTP. Admin panel of website can be restricted to a particular IP address of the webmaster so that it is not available publicly. Also, change all management passwords on a regular basis.

9. Do black box testing for dynamic websites: For interactive websites having dynamic pages with input areas or database driven websites, it becomes important to get the website audited by experts. Specialized third party information security companies can be engaged to perform black box testing against the website. Black box testing provides a detailed report on the vulnerabilities present in the web application along with the mitigation steps.

10. Online scanners: Online scanners scan the website on a regular interval to detect security threats and malware infection and sends email or SMS notification to the webmaster. Online scanners are available as subscription services at affordable pricing.

The above guidelines provide a broad framework of what you should do to secure your website. Remember that security is an on-going process and not a one-time activity, so webmasters and website owners need to continuously take proactive measures to keep their websites secure.

Advertisment