security on websites

Anthony Coundouris, Thinker


MNCs and Government agencies are opting to host outside their organisations. External hosting provides:

  1. Faster time to market. Fewer approvals, more flexibility and greater emphasis on marketing objectives.
  2. Customisation. External servers can be configured to suit the required solution. There are no legacy templates which need to be adhered to.
  3. Cost effective. Open-source frameworks for the most part are free, and have many plugins created by an active community of developers.

 

Secure servers and hosting

For all its benefits, hosting externally does raise security concerns. Two common threats are brute force attacks and DoS attacks. Both essentially concern themselves with bots that attempt to guess passwords in order to infiltrate an FTP server or content management system.

To mitigate risks from attacks, consider the following:

 

Choose a reliable hosting provider

Begin a relationship with a hosting provider who understands security risks. Such hosts are likely to cost more each month, but the investment is well worth it in terms of the tips and best practices they can offer.

Reputable hosting providers will have a Service Level Agreement, which is likely to detail their own security measures. These include power maintenance, personnel security, fire, hardware, and network monitoring.

There are a few in Singapore, including Usonyx and Signetique. Hosting providers can advise you further on how to set up your hardware to load balance connections and data transfer.

[Image: Firewall protection and load management]

 

Firewalls and VPN

Firewalls behave like a protective skin over the web server. They are the first line of defence. The firewall attempts to detect and block attacks early, before a breach occurs.

A VPN is an additional security function which limits IP access. By designating a few IPs, you limit the number of computers or offices which can talk to the FTP server. The VPN creates a tunnel connection between the remote terminal and the web server, and can encrypt passwords in transit.

VPN is available for dedicated servers and Virtual Private Servers.

[Image: Firestarter VPN tunnels]

 

Uninstall services not being used

A few minutes in the Plesk control panel is enough to tune the server for extra protection. Set up SSH, install a password-protected key pair and disable password logins so that only key-based access is accepted.

These steps make the server run faster and reduce risk.

  1. Uninstall PostgreSQL if you don't use it.
  2. Disable mod_perl, mod_python and any other Apache modules you do not need.
  3. Disable MySQL networking (only local MySQL connections will be allowed).
  4. Some Plesk installations include Plesk-OpenVPN: Server -> Modules -> VPN.
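The key-only SSH step above, as an added example in Python (this is not Firestarter's or Plesk's code). It rewrites an sshd_config so that password logins are off and key logins are on, then re-reads the result the way sshd does: for each keyword the first uncommented value wins, so a forgotten `PasswordAuthentication yes` higher up would silently defeat the change. The sample config is constructed, and the helper assumes a flat file with no Match blocks.

```python
"""Hypothetical sshd_config hardening helper (added example, not the page's or Plesk's code).

Assumes a flat sshd_config without Match blocks.  sshd uses the FIRST
uncommented value it meets for a keyword, so the checker below mirrors that.
"""
import re
from pathlib import Path

# Directives that leave only key-based logins enabled.
KEY_ONLY = {
    "PubkeyAuthentication": "yes",
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PermitRootLogin": "no",
}

# Constructed sample resembling a stock file; not copied from any real server.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
"""


def effective_directives(text):
    """Return {keyword_lowercase: value} using sshd's first-match rule."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key not in seen:             # first occurrence wins
            seen[key] = parts[1].strip()
    return seen


def harden_sshd_config(text, directives=KEY_ONLY):
    """Return new config text with every managed keyword set exactly once.

    Existing lines for a managed keyword, commented or not, are replaced by
    one canonical line in place; later duplicates are dropped so nothing can
    override it; keywords missing from the file are appended at the end.
    """
    out, placed = [], set()
    for line in text.splitlines():
        m = re.match(r"^\s*#?\s*([A-Za-z]+)\b", line)
        key = m.group(1) if m else None
        canon = next((k for k in directives if key and k.lower() == key.lower()), None)
        if canon is None:
            out.append(line)
        elif canon not in placed:
            out.append(f"{canon} {directives[canon]}")
            placed.add(canon)
    for k in directives:
        if k not in placed:
            out.append(f"{k} {directives[k]}")
    return "\n".join(out) + "\n"


def is_key_only(text):
    """True when the effective settings match KEY_ONLY."""
    eff = effective_directives(text)
    return all(eff.get(k.lower()) == v for k, v in KEY_ONLY.items())


def harden_file(path):
    """Rewrite the file at `path` and report whether it is now key-only."""
    p = Path(path)
    new = harden_sshd_config(p.read_text())
    p.write_text(new)
    return is_key_only(new)


if __name__ == "__main__":
    hardened = harden_sshd_config(SAMPLE_SSHD_CONFIG)
    print(hardened)
    print("key-only:", is_key_only(hardened))
```

Before reloading sshd with the rewritten file, run `sshd -t` to syntax-check it and keep an existing session open, so a typo cannot lock you out. The password-protected key pair mentioned above is created with `ssh-keygen`, and its public half must already be in `~/.ssh/authorized_keys` before password access is disabled.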

 

Content management system security

A priority when building a website is securing content management systems like WordPress from attacks.

  • Nobody should be able to search your entire server. Stop the wp- folders from being indexed by search engines by disallowing them in your robots.txt file.
  • Directories should not be left open for public browsing, or the versions and plugins you run become public knowledge. Create an empty wp-content/plugins/index.html file to stop people browsing your directories. Also strip version strings out of the metatags: a large number of WordPress themes print the version in a metatag by default, so delete it.
  • Protect your WordPress wp-admin folder from brute force attack. Restrict which IPs can access the wp-admin folder via .htaccess.
  • Install the Login Lockdown plugin, which records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range.
  • Remain up to date. Keep your plugins, widgets, theme and WordPress version up to date. New versions are built to withstand known threats.
  • Take regular backups of the website and its data. It is recommended to back up your file directories as well as the database. The WordPress Database Backup plugin creates backups of your core WordPress tables as well as other tables of your choice in the same database.
  • Use SSH/shell access instead of FTP. If someone gets hold of your FTP login information (which is usually not encrypted and easy to get), they can manipulate your files and spam the website without necessarily being detected. With SSH everything is encrypted, including the transfer of files.
  • Use alphanumeric passwords. Creating a strong password is one of the easiest lines of defence to erect. Use an online password strength checker to test the strength of your password.
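The two wp-admin bullets above (restricting the folder by IP in .htaccess, and disabling logins for a whole range after repeated failures) as one added example in Python. This is not the Login Lockdown plugin's code: it is a small detector that groups constructed failed-login records by /24 range, reports the ranges that crossed a threshold inside a sliding time window, and emits the matching deny rules in Apache 2.2 `Order`/`Allow`/`Deny` syntax, which is the syntax the page's .htaccess advice assumes (Apache 2.4 uses `Require` instead). The log format, threshold and window are assumptions; real Login Lockdown settings may differ.

```python
"""Login-lockdown detector (added example, not the Login Lockdown plugin's code).

Records are constructed, in the hypothetical form
    <ISO timestamp> <client ip> <FAIL|OK> <username>
and are assumed to be in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import ipaddress

THRESHOLD = 3        # failures that trigger a lockout (assumed value)
WINDOW_SECONDS = 60  # sliding window those failures must fall within (assumed)

# Constructed sample: three failures from one /24 inside 60 s, one elsewhere.
SAMPLE_LOG = """\
2009-06-22T10:00:01Z 203.0.113.7 FAIL admin
2009-06-22T10:00:05Z 203.0.113.7 FAIL admin
2009-06-22T10:00:09Z 203.0.113.9 FAIL admin
2009-06-22T10:00:12Z 203.0.113.7 FAIL root
2009-06-22T10:01:40Z 198.51.100.4 FAIL admin
2009-06-22T10:03:20Z 198.51.100.4 OK editor
"""


def parse_line(line):
    """Split one record into (datetime, ip_address, result, username)."""
    ts, ip, result, user = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ipaddress.ip_address(ip), result, user


def range_of(ip, prefix=24):
    """The /24 (or other prefix) range an address belongs to."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def locked_ranges(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {network: time the lockout was triggered}.

    A per-range deque holds the timestamps of recent failures; entries older
    than `window` seconds are dropped before the count is compared, so
    slow, spread-out guessing below the rate is not locked out.
    """
    recent = defaultdict(deque)
    locked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, result, _user = parse_line(line)
        if result != "FAIL":
            continue
        net = range_of(ip)
        q = recent[net]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and net not in locked:
            locked[net] = when
    return locked


def htaccess_deny(locked):
    """Apache 2.2 .htaccess fragment denying the locked ranges (assumed syntax
    for the 2.2 era; Apache 2.4 would use 'Require not ip ...')."""
    lines = ["Order allow,deny", "Allow from all"]
    lines += [f"Deny from {net}" for net in sorted(locked, key=str)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = locked_ranges(SAMPLE_LOG)
    for net, when in hits.items():
        print(f"lock {net} at {when.isoformat()}")
    print(htaccess_deny(hits))
```

Note that a deny list built this way is on top of, not instead of, the allowlist for wp-admin: the allowlist keeps unknown addresses out entirely, while the lockout catches guessing from a range that is otherwise permitted.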

 

Third party websites

Accounts with popular sharing websites like Flickr, AddThis and Twitter open potential risks. Treat these accounts with care, and consider the ramifications if an account is hijacked.

Always use alphanumeric passwords, no matter how difficult they may be to remember, and change them often.

 

Storing passwords vs dynamic passwords

The ultimate goal is to never have to store a password. No matter how well protected the server may be from attack, careless storage of passwords poses a problem.

One solution is to set up dynamic password management.

  1. RSA offers keychain devices which change the password every 10 seconds.
  2. SMS providers can store the mobile numbers they are authorised to send passwords to.
  3. Content management systems can dynamically change user passwords each week and email the administrator the new one.
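The mechanism behind the keychain tokens above, as an added example in Python. This is not RSA's SecurID algorithm or anything from the page: it implements the open HOTP (RFC 4226) and TOTP (RFC 6238) schemes, in which server and token share a secret and a clock, and the code shown is an HMAC over the current time step. The secret below is the one used for the test vectors in those RFCs, not a production value; the 30-second step and the +/- one-step verification skew are the RFC defaults.

```python
"""One-time passwords from a shared secret and a clock (added example, not the page's code).

HOTP (RFC 4226) derives a short code from HMAC(secret, counter); TOTP
(RFC 6238) uses the current 30-second time step as that counter.  A code
is valid only for its step, so there is no long-lived password to store.
"""
import hashlib
import hmac
import struct
import time

# Secret from the RFC 4226 / RFC 6238 test vectors; used here only for checking.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret, unix_time, step=30, digits=6):
    """TOTP: HOTP with the time step number as the counter."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time, step=30, digits=6, skew=1):
    """Accept the code for the current step or `skew` steps either side, to
    tolerate clock drift.  Comparison is constant-time.  A real server must
    also refuse a code that was already accepted in the same step (replay),
    which needs per-user state not shown here."""
    current = int(unix_time) // step
    for c in range(current - skew, current + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "valid:", verify_totp(RFC_TEST_SECRET, code, now))
```

Because each code is bound to a time step, intercepting one (for example over unencrypted FTP, as warned about above) buys an attacker at most a few seconds; the shared secret itself is the thing that must be stored carefully on the server.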

 

Eyeball content weekly

Security will keep invaders at bay. However, if a hack occurs, it may not be detected. Physically eyeball content for malicious damage at least once a week. High profile sites should have someone do this as a matter of course, testing links and the integrity of newly added content.

 

Fire drills

Recognise that if a bank can be hacked, any website is a target. It is necessary to put in place contingency plans.

  1. Awareness. Ensure the hosting provider is aware they are hosting content which is highly sensitive.
  2. Create a kill switch. If the site needs to be pulled quickly, a temporary page, already written, can be loaded to replace the index page while decisions are made on how best to handle the attack.
  3. Step-by-step plan. Establish roles and responsibilities so that an attack can be dealt with effectively and efficiently.
  4. Conduct a drill. Pretend the website has been compromised and raise a high-priority ticket on a Sunday, when the hosting provider is likely to have the fewest resources. Time how long it takes for the site to be restored from backup.

 

Further readings

  1. Future of open source in Government
  2. UK government backs open source
  3. 11 Ways to secure your wordpress blog
  4. Useful plugins and hacks
  5. Notes on WordPress

Written 22nd Jun 2009


Firestarter is an online marketing agency, providing digital and branding solutions. Servicing multinational companies in Singapore and South East Asia, Firestarter provides business leaders with avenues to reduce their cost of sales and increase customer engagement using the online space.
