We’ve seen a measurable increase in overseas site traffic recently, and while I’d love to claim this is due to our good work, it is most likely due to malicious users. Our analytics measurements show that this traffic is largely driven by bots attempting to gain access to your CMS or to exploit outdated code.
What can you do to stay safe? There are a number of best practices that we follow during our build process to help protect you. This is a combination of enforcing good coding practices and recommending technology along the way to help secure your site. That said, our coding practices improve over time, and the tactics used to neutralize these threats must be kept up to date.
We take a layered approach to site security. This adds a variety of barriers for anyone attempting to access your site in a malicious way (bots or not). Here are a few practices we recommend to increase security regardless of who built your site or the platform it’s on:
- Security Standards: Your organization should have standards around security including governance for website access. It’s a good idea to limit the number of users with accounts and ensure that any website users have a strong password that isn’t shared by other services.
- Hosting Quality: We choose to host many of our sites on Pantheon due to their attention to detail on the engineering side. Good security and proactive security monitoring are some of the reasons we recommend using them.
- Encrypt Traffic with SSL: If you haven’t already, encrypt your site with SSL. Part of the reasoning from a site security perspective is so that no one can listen in on your form submissions (i.e., your CMS login) when you’re on public wifi.
- Up to Date Software: Keep your core platform and dependencies (i.e., plugins/modules) up to date. This ensures the latest security patches are applied and reduces the likelihood of an exploit.
- Code Quality: If you didn’t build your site with us, make sure functionality isn’t driven by a store-bought theme or a large set of plugins/modules (these are larger targets and often more vulnerable to exploit).
- Web Application Firewall: We recommend using a service like Cloudflare to implement a layer of security on top of the other recommendations. They have a Web Application Firewall (WAF) product, which can be activated to proactively block malicious traffic.
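The bot login traffic described at the top of this post is what a WAF or rate-limit rule is meant to stop. As an added example (not code from the original post, nor from Pantheon or Cloudflare), here is a small detector that reads constructed web-server access-log lines and flags client IPs with a burst of failed POSTs to a CMS login path; the login paths and the log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /user/login HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /user/login HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /user/login HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /user/login HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0000] "POST /user/login HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /user/login HTTP/1.1" 403 512 "-" "python-requests/2.31"
198.51.100.22 - - [10/Mar/2024:02:15:10 +0000] "POST /user/login HTTP/1.1" 302 0 "https://example.org/user/login" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:02:15:40 +0000] "GET /admin/content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/user/login", "/wp-login.php", "/admin/login"}  # assumed CMS login endpoints

def parse_line(line):
    """Parse one access-log line into (ip, timestamp, method, path, status), or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def flag_login_bursts(log_text, max_attempts=5, window_seconds=60):
    """Return {ip: total failed attempts} for IPs exceeding max_attempts failed login POSTs within window_seconds."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # A successful CMS login normally answers with a redirect (3xx); anything else counts as a failure.
        if method == "POST" and path in LOGIN_PATHS and not 300 <= status < 400:
            attempts[ip].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        for i, start in enumerate(times):
            # Sliding window: count failures that fall within window_seconds of this one.
            in_window = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            if in_window > max_attempts:
                flagged[ip] = len(times)
                break
    return flagged
```

Flagged IPs are candidates for a WAF rate-limit or block rule; the legitimate editor who logs in once and then browses the admin area is not flagged.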
While this certainly isn’t an exhaustive list, it’s a good place to start, especially if you know you’re missing a couple of these items.
If you need more information or help getting these measures in place, give us a call, email firstname.lastname@example.org, or fill out our contact form. We’d love to hear from you and talk through what would be best to keep your organization safe.