Stating the obvious, maintaining a secure website is incredibly important. Much of it is invisible, and for the most part, no one talks about it until there is a problem.
With cyber threats becoming increasingly sophisticated and prevalent, companies must consider the potential risks associated with insecure websites. A breach in website security can have devastating consequences, ranging from data breaches and theft to reputational damage and financial losses.
As more businesses rely on their online presence to attract and retain customers, a secure website protects sensitive information and safeguards the trust and confidence of clients and customers. By prioritizing website security, companies demonstrate their commitment to safeguarding user data, maintaining business continuity, and upholding their reputation.
How realistic is this threat to marketing websites?
You may be thinking: I run a marketing website, not an e-commerce site, online banking application, or healthcare portal, so do I need to worry? Is my website really being targeted for exploitation? Do I really need to be concerned? Not to alarm you, but the answers are: yes, you should, yes, you are, and yes, you do.
The threat to your website is real. Using COLAB’s website as an example, in the last 30 days (September 2023), our security layers blocked 38,000 threats, ranging from complex attacks to brute-force login attempts.
We’ve seen that the number of threats and attempts on a website is typically proportional to the level of legitimate traffic it receives. It is concerning that most of our clients get far more traffic than we do, meaning attacks occur even more aggressively than on our site. Why? Websites with higher traffic are more valuable and provide more significant benefits if exploited.
As a nation, the cybersecurity threat has been so dire that, in March 2023, the White House announced its National Cybersecurity Strategy, asking the private sector to contribute to the fight against cyber attacks.
What happens if my website is hacked?
A truckload of bad things can happen if someone hacks your website. We’ve helped recover numerous sites that have been hacked or compromised and have seen the impacts firsthand. Here is some of what we’ve seen:
- Stolen Confidential Data: Malicious actors may gain access to sensitive data, such as personal information, financial records, or other confidential information. The hacker may then use that information for identity theft, fraud, or blackmail.
- Criminal Activity: Gaining control over a website can allow hackers to use the platform for advertising products, spreading malware, conducting phishing attacks, or launching further cyberattacks on other systems or individuals.
- Reputation Damage: When a website is compromised, it may display inappropriate content or redirect to inappropriate sites. Sometimes, exploited websites will show a message saying, “This website has been hacked by …” Needless to say, this doesn’t give customers who experience this confidence in your business.
- Loss of Trust: A hacked website erodes trust among customers and potential clients. The breach can lead to personal or financial information theft, resulting in identity theft or other fraudulent activities. Depending on your information security policies, you should proactively notify all customers of a data breach. Incidents like this can damage the relationship between the business and its customers.
- Marketing Impeded: Spam content and malware on the website can deter visitors and harm the user experience. Moreover, a drop in search engine rankings can negatively affect visibility and organic traffic.
- Slow Website Speeds: Hackers may inject malicious code or engage in activities that slow down the website’s loading speed. Slow speeds can frustrate users and lead to a poor user experience, potentially causing them to abandon the site.
- Banning and Suspensions: Hacked websites may contain links to spam and disreputable sites, leading to search engines or web hosting providers flagging your site as suspicious. This type of flag can result in the suspension or removal of the website from search engine results or even the temporary shutdown of the site by the hosting provider.
- Financial Losses: Hacked websites can lead to monetary theft, with hackers gaining unauthorized access to financial information or conducting fraudulent transactions. Businesses may incur financial losses due to legal liabilities, compensation to affected customers, and the costs of resolving the security breach.
What are the best practices for security on a website?
We won’t share all the details due to… security, but the following points will give you a sense of what we consider good website security practices. We tackle security from a few different angles, and perhaps surprisingly, not all of them are technical controls.
The best way to protect a website is to ensure anyone involved knows about the threat. At COLAB, we make sure our people understand security concepts and train regularly. Even a fundamental understanding of information security can be a significant preventative measure in securing your website.
Access to client websites is monitored and regularly maintained. Whenever possible, single sign-on (SSO) authentication via Google manages access, which utilizes 2-factor authentication (2FA) and only allows current COLAB employees to authenticate into services.
We maintain an information security policy that dictates how we treat client data, including proprietary information and information systems, among other things. A policy does nothing independently, but it is critical for reference, accountability, and training.
We make our websites as robust as reasonably possible so your people don’t have to think about security as much as we do. Robust security includes making sure that the following are in place and enforced:
- Platform Login/Administration Location: We often move the default login from /wp-admin/ in WordPress or /users/login/ in Drupal to a less standard location that varies per client. This practice dramatically reduces automated login attempts.
- Login Lockout: With too many login attempts or unusual login patterns (e.g., ten login attempts a second), we block further attempts from that user.
- Password Requirements: Insecure passwords are a huge target for hackers. We use tools to force each user to have a complex password. Here is one of our all-time favorite comics that explains how to create great passwords: https://xkcd.com/936/
- Two-factor/Multi-factor Authentication (2FA/MFA): Having some form of secondary verification on login dramatically reduces the risk posed by a compromised password.
- Secure Sockets Layer and Transport Layer Security (SSL/TLS): We use TLS so that data in transit between a user’s browser and our application is encrypted.
- Single Sign-on (SSO): For larger organizations, we often recommend that users authenticate using existing systems maintained by IT and tied to employment. SSO typically has a cost to implement, but this is a requirement in many organizations.
- Offboarding: For organizations that don’t use SSO, a simple solution is to have website offboarding practices for employees who are no longer active.
- Accountability: Once users log in to the CMS, we track the time and history of their actions, allowing for activity audits or later review.
- Revision History: Revisions are tracked for each page, so you can see who did what or roll back to a past version of the content.
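To make the login-lockout rule above concrete, here is an added example (not COLAB’s code and not a WordPress or Drupal plugin): a sliding-window lockout policy using the "ten attempts a second" threshold, replayed over a few constructed auth-log lines so you can see which source gets blocked and when. Names, the log format and the 15-minute lockout length are assumptions made for the example.

```python
# Added example, not COLAB's implementation. An 11th failure from one source
# inside a one-second sliding window locks that source for lockout_seconds.
from collections import defaultdict, deque

class LoginLockout:
    def __init__(self, max_attempts=10, window_seconds=1.0, lockout_seconds=900.0):
        self.max_attempts = max_attempts        # failures tolerated per window
        self.window_seconds = window_seconds    # sliding-window length
        self.lockout_seconds = lockout_seconds  # how long a source stays blocked
        self._failures = defaultdict(deque)     # source -> failure timestamps
        self._locked_until = {}                 # source -> lockout expiry time

    def is_locked(self, source, now):
        return now < self._locked_until.get(source, 0.0)

    def record_failure(self, source, now):
        """Record a failed login; return True if the source is (now) blocked."""
        if self.is_locked(source, now):
            return True
        q = self._failures[source]
        q.append(now)
        while now - q[0] > self.window_seconds:   # drop entries outside the window
            q.popleft()
        if len(q) > self.max_attempts:
            self._locked_until[source] = now + self.lockout_seconds
            q.clear()
            return True
        return False

    def record_success(self, source):
        self._failures.pop(source, None)          # a genuine login resets the count

# Constructed log lines "<unix-time> <source-ip> <FAIL|OK>" (RFC 5737 test addresses).
SAMPLE_LOG = (
    ["100.00 203.0.113.5 FAIL", "101.30 203.0.113.5 FAIL", "102.00 203.0.113.5 OK"]
    + [f"100.{5 * i:02d} 198.51.100.7 FAIL" for i in range(12)]  # 12 failures in 0.55 s
    + ["100.60 198.51.100.7 OK"]                                  # right password, but locked
)

def scan_log(lines, policy=None):
    """Replay log lines in time order; return {source: time it became locked}."""
    policy = policy or LoginLockout()
    locked = {}
    for line in sorted(lines, key=lambda rec: float(rec.split()[0])):
        ts, source, result = line.split()
        ts = float(ts)
        if result == "FAIL":
            if policy.record_failure(source, ts) and source not in locked:
                locked[source] = ts
        elif not policy.is_locked(source, ts):
            policy.record_success(source)
    return locked
```

The legitimate user with two slow failures is never locked, while the burst source is locked at its 11th failure and its later successful login is refused for the rest of the lockout.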
Our approach to creating any website starts by choosing an application framework. For us, this is often the CMS. We prefer WordPress or Drupal. Each platform follows best practices to ensure patches for security issues are issued regularly.
WordPress gets some bad press around security, but that reputation deserves a second look. WordPress is the most popular CMS (60% market share). As a result, it is a big target for hackers. However, WordPress has an excellent security team that frequently provides security updates. Most compromised WordPress sites are ones that have not been maintained regularly. As proof of this, the White House of the United States of America uses WordPress.
We strive only to use version-tested plugins with active development tracks and past performance history. Whenever practical, we use plugins available through WordPress.org, which are code-reviewed by the community and covered by the WordPress Security Team. Plugins outside the WordPress.org ecosystem are carefully selected to ensure they have a regular cadence of security updates and a positive response history to security issues.
Drupal is well-known as a security-oriented application. While both WordPress and Drupal are secure platforms, some organizations prefer Drupal for its track record in security practices. The Drupal Security Team helps ensure that contributed code is safe and secure.
Like our WordPress work, we select modules carefully to ensure they are well-maintained. We almost always use modules covered by Drupal’s Security Advisory Policy. Coverage means the security team has reviewed the module, and it has undergone a vetting process.
If you have poor website infrastructure, you are far more susceptible to exploitation. Low-cost solutions are never the correct answer for corporate websites. What you save in cash each month, you pay for in upkeep and risk. If your site is ever compromised, you will pay a premium to remediate the short and long-term issues.
It takes work to keep a website secure, and if your infrastructure doesn’t include that work, then someone will need to spend time maintaining security. You then need to consider whether whoever is responsible for security is well qualified to do that work.
- Are they up to date on website security best practices?
- Do they understand how websites are exploited?
- Are they proactively taking action to secure the website?
- Are they proactively taking action to secure the infrastructure?
To keep a website stable and secure, we recommend starting with infrastructure designed for your specific content management system or framework (e.g., Drupal, WordPress, Laravel, Vue.js, etc.). This infrastructure should include regular server updates to minimize the attack surface.
From a security perspective, this is what we look for in a secure host:
- Has built-in website hardening or security features
- Meets industry standards for secure infrastructure
- Offers end-to-end SSL encryption
- Allows least-privilege user access
- Maintains a security team that monitors infrastructure security
- Offers infrastructure-level security features (e.g., reverse proxy or web application firewall)
Here are our typical hosting recommendations:
- Pantheon: Highly performant platform for WordPress and Drupal.
- WP VIP: Enterprise hosting for WordPress (including FedRAMP).
- Acquia: Enterprise hosting for Drupal (including FedRAMP).
- Netlify: Static site hosting.
Pantheon, our most popular partner for hosting, has built-in hardened security features, including secure infrastructure, end-to-end encryption, and least-privilege user access. They have a security team that monitors infrastructure. Clients can upgrade individual instances to include infrastructure-level security features such as Advanced Global CDN (includes reverse proxy and WAF) and Secure Integration (data transmission behind a firewall).
Domain Name System (DNS) Security
Not all organizations are amenable to changing where their DNS records reside, but those that are can gain an additional layer of protection. IT often restricts changing DNS providers, as they have many business-critical settings in DNS, and adding a dependency on another service makes them nervous. We get it, but the benefits outweigh the costs, and we are always willing to talk it out. Our recommendation is to use something like Cloudflare. If this is not possible, we recommend upgrading your hosting package to include additional security features.
Cloudflare is a cybersecurity authority. We utilize their services to protect our web applications from threats worldwide. When utilizing their DNS service, websites are protected from DDoS attacks, malicious bot traffic, and other hazards. Their coverage is ever-increasing as they use their client network to detect and block threats intelligently.
Backups and Redundancy
As part of our risk mitigation strategy, we take regular backups of the websites we manage. If a failure or breach occurs, we can restore a backup in 30 minutes. We regularly test backup systems to ensure they operate properly. These backups are usually stored offsite from our hosting to further protect against data loss or corruption.
If a website or web application is business critical, other solutions, such as multi-zone failover, may be implemented. If a website using this technology goes offline, it will automatically recover itself within 15 minutes with a maximum of 5 minutes of data loss. These two figures are the Recovery Time Objective (RTO, 15 minutes) and the Recovery Point Objective (RPO, 5 minutes).
Maintenance and Monitoring
One of the most essential steps in maintaining a secure website is providing the updates your software needs. Updates cover both the core platform software and any plugins/modules, which need to be updated separately. Besides maintaining the software, we make recommendations based on trends in the industry and the security landscape.
We use a variety of tools to analyze and monitor site stability and security:
- Uptime Robot: Informs us of any issues with website stability or downtime events.
- New Relic: Identifies unusual application load or errors in production.
- Mozilla Observatory: Scans website configuration to identify opportunities for improvement.
- Real-time Threat Detection: Automated threat mitigation of probable attacks and suspicious activity.
In some instances, we audit sites using more robust and invasive tools. Most of these tools require more effort to implement and have associated costs, but for sectors that need high security, these are excellent solutions:
- Penetration Testing: A prelaunch test conducted in collaboration with hosting.
- Surface Monitoring and Vulnerability Management: Ongoing monitoring for security issues with vulnerability scanning.
Ok, that was a lot. If you’re still with me, I appreciate you and hope this helped answer some questions about our best website security practices.
If you’re skipping down for the key points, here they are, but you really should go back and read the rest:
- The threat to marketing websites is genuine.
- There are significant business consequences for a compromised website.
- A secure platform comes from training, high standards, and quality infrastructure.
- Fail-safes like backups decrease risk, increasing a website’s ability to bounce back if compromised.
- On an ongoing basis, maintenance and auditing of security are required to ensure that a website remains secure.
Website security is an important and valuable investment that requires knowledge of the threat landscape, tools to implement protections, and diligence from all parties involved.
If you need a highly secure website or want a partner that understands security and can help you in IT conversations, reach out. We’d love to work together and help you get more done.