Best Practices for Proactively Maintaining Web Security
Know Your Resources:
- Identify all content management systems (e.g. WordPress, Drupal, etc.), both current and legacy. For example, your main company website may be well known to your entire organization, but what about that special sales system, built on WordPress several years ago, that is no longer actively maintained? Have a list in hand, with all of your web-based resources clearly documented.
- Keep these systems up to date on a regular basis, as new vulnerabilities are found in the wild every day. This information travels fast on the web, and would-be attackers with automated tools can, and do, scan sites for known vulnerabilities. The software we recommend below (Wordfence, for instance) will remind you to perform regular updates.
- If you’re not using a particular system, or don’t have the resources to keep it up to date, archive it and remove it from the web entirely. A single unprotected website can sometimes compromise an entire server account, even across domains.
- Audit your user access policies on a periodic basis, and remove user accounts that are no longer needed. As company personnel change, update your user accounts accordingly. If someone has left the company, then by all means remove his or her access from your systems. As your list of users grows, this is easier said than done, so thoughtfully re-review your user access policies periodically.
Protect Your Assets:
- Practice the Principle of Least Privilege. Trust is important; it really is. You have to trust your people, and yourself. Just the same, not everyone needs to know everything, all the time, and this is especially true with web-based assets. Restrict access to key passwords on a need-to-know basis.
- Use strong passwords, all the time, and use each one only once per asset. Be mindful of password recovery options: if you use a very strong password for a web service, but that service sends its password-recovery email to an account protected by a weak password, the advantage of the strong password is negated.
- There is no single piece of software or “silver bullet” that will protect your websites across the board. Rather, the best security is cultivated by layers of protection. Some of the best techniques we’ve found include:
  - Sucuri is website antivirus and firewall software plus a hack cleanup service that we highly recommend. Get a premium account. In their words: "We will secure your website from hackers, so you don’t have to. Our security experts will thoroughly scan, clean, monitor & protect your website 24/7. Our security software will automatically block your website’s vulnerabilities from any & all attacks. We provide peace of mind for over 30,000 website owners just like you."
  - Wordfence is a WordPress plugin that offers real-time vulnerability scanning, based on a worldwide monitoring network. It’s one of the best ways to keep abreast of new developments, vulnerabilities, and fixes. We recommend a Premium account.
  - iThemes Security (formerly Better WP Security) is a WordPress plugin that locks down many potential security weaknesses, making it that much harder for a would-be attacker to do their work.
  - ModSecurity is a generalized web application firewall that runs on the server and can protect against many broad classes of threats: specific vulnerabilities that are currently known, as well as more ubiquitous attacks such as SQL injection.
  - Server firewalls that offer brute-force detection, such as CSF (ConfigServer Security & Firewall) or APF (Advanced Policy Firewall), can monitor key services for repeated login failures and automatically block IP addresses with too many failures.
  - Server configuration plays a large role in how easy (or difficult) it is for an attacker to expand their reach. For example, setting the PHP handler to DSO or suPHP, running PHP processes as the user “nobody”, and setting appropriate file and directory permissions together let you lock down write access to certain files and directories. The end result is that it becomes very, very difficult for a malicious script to propagate itself, effectively containing an infection that might otherwise spread.
- All of the above pieces of software are highly configurable, and complicated indeed. There are hundreds, even tens of thousands, of combinations of settings. Some will apply to your current situation and others will not; some configurations will run happily on your server and others will cause problems. Find a combination that works for your systems and situation.
- False positives are a fact of life when running security scanning and protection software. All of the above tools will at some point flag something as a threat when it is actually harmless. Telling the difference takes experience, knowledge, research, and thought.
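To make the brute-force detection point concrete, here is an added example (not code from the article or from the CSF/APF projects) of the logic such a firewall runs for you: it parses sshd "Failed password" lines, counts failures per source IP inside a sliding time window, and reports the addresses that crossed a threshold. The log lines are constructed, the year is assumed (syslog timestamps omit it), and the threshold and window values are illustrative defaults.

```python
# Added example (not from the original article): a minimal brute-force detector of the
# kind CSF/APF implement for you. It parses sshd "Failed password" lines, counts failures
# per source IP inside a sliding time window, and reports IPs that crossed the threshold.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in sshd/syslog style; the addresses are documentation
# ranges, not real traffic. Syslog timestamps carry no year, so one is assumed below.
SAMPLE_LOG = """\
May 12 09:00:00 web1 sshd[2100]: Failed password for root from 192.0.2.9 port 33001 ssh2
May 12 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51412 ssh2
May 12 10:00:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51418 ssh2
May 12 10:00:04 web1 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51420 ssh2
May 12 10:00:06 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51431 ssh2
May 12 10:00:09 web1 sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 51440 ssh2
May 12 10:00:30 web1 sshd[2300]: Failed password for root from 192.0.2.9 port 33002 ssh2
May 12 10:01:12 web1 sshd[2215]: Failed password for alice from 198.51.100.20 port 40012 ssh2
May 12 10:01:30 web1 sshd[2216]: Accepted password for alice from 198.51.100.20 port 40014 ssh2
May 12 11:00:00 web1 sshd[2400]: Failed password for root from 192.0.2.9 port 33003 ssh2
May 12 12:00:00 web1 sshd[2500]: Failed password for root from 192.0.2.9 port 33004 ssh2
May 12 13:00:00 web1 sshd[2600]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, ip) pairs for every failed login, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    events.sort()
    return events


def find_brute_forcers(log_text, threshold=5, window_seconds=600):
    """Map each IP that reached `threshold` failures inside any `window_seconds`
    span to the time it crossed the line. A slow attacker spread across hours
    stays under a short window; a burst trips it within seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        # A firewall such as CSF would add the address to its deny list here;
        # this example only reports it.
        print(f"block {ip} (threshold reached at {when:%H:%M:%S})")
```

With the defaults, only the burst from 203.0.113.7 is reported; the one failure per hour from 192.0.2.9 never has five failures inside a ten-minute window, which is why real firewalls let you tune both the count and the window, and why a very slow attacker is better caught by the daily review than by the automatic block.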
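The permissions half of that advice can be audited and enforced with a short script. The following is an added example, not code from the article or from any of the products it names: it walks a web root, reports anything world-writable (where a compromised PHP process could drop or alter files) and configuration files readable by other users, then applies a conservative 755/644/640 baseline. The sample tree is constructed in a temporary directory, and the list of configuration file names is an assumption to extend for your own platforms.

```python
# Added example (not from the original article): an audit and fix for the permission
# side of the hardening described above. It walks a web root, reports anything
# world-writable (where a compromised PHP process could drop or alter files) and
# configuration files readable by other users, then applies a conservative baseline.
import os
import stat
import tempfile

# File names treated as secrets-bearing configuration; an assumed list, extend it
# for your own platforms.
CONFIG_NAMES = {"wp-config.php", "settings.php", "configuration.php"}


def make_demo_tree():
    """Build a small constructed web root in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {  # relative path -> (is_dir, mode)
        "index.php": (False, 0o644),
        "wp-config.php": (False, 0o640),          # already private
        "config": (True, 0o755),
        "config/settings.php": (False, 0o644),    # readable by everyone: bad
        "uploads": (True, 0o777),                 # world-writable directory: bad
        "uploads/cache.tmp": (False, 0o666),      # world-writable file: bad
    }
    for rel, (is_dir, mode) in layout.items():
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)    # chmod is not subject to the umask
    return root


def _walk(root):
    """Return (relative_path, mode_bits) for every entry below root, sorted."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            entries.append((rel, stat.S_IMODE(os.lstat(full).st_mode)))
    return sorted(entries)


def audit_webroot(root):
    """Return the entries that violate the baseline, as relative paths."""
    world_writable = [rel for rel, mode in _walk(root) if mode & stat.S_IWOTH]
    config_readable = [
        rel for rel, mode in _walk(root)
        if os.path.basename(rel) in CONFIG_NAMES and mode & stat.S_IROTH
    ]
    return {"world_writable": world_writable, "config_readable": config_readable}


def fix_permissions(root):
    """Apply 755 to directories, 644 to files and 640 to configuration files.
    Returns the number of entries whose mode was changed."""
    changed = 0
    for rel, mode in _walk(root):
        full = os.path.join(root, rel)
        if os.path.isdir(full):
            wanted = 0o755
        elif os.path.basename(rel) in CONFIG_NAMES:
            wanted = 0o640
        else:
            wanted = 0o644
        if mode != wanted:
            os.chmod(full, wanted)
            changed += 1
    return changed


if __name__ == "__main__":
    root = make_demo_tree()
    print("before:", audit_webroot(root))
    print("fixed:", fix_permissions(root))
    print("after:", audit_webroot(root))
```

Run it against a real web root only after checking the baseline against your PHP handler: under suPHP the files belong to the account user and 644/755 is usually right, whereas a handler that runs PHP as “nobody” needs group or ACL write access on the few directories (uploads, caches) that the application legitimately writes to. The audit is the part worth scheduling; the fix should be a deliberate decision.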
Have a Disaster Recovery Plan:
- In the real world, "stuff happens". No matter how careful and diligent you are, stuff still happens. Hackers are out there. Disgruntled employees do occur. Servers do crash, and datacenters do go down. Be prepared and have a plan.
- Backups are critically important. And again, having layers of protection is a good way to go:
  - Back up your databases, preferably every single day.
  - Back up your codebases and files, at least once a week.
  - Back up your server, which also provides redundancy for the above backups.
  - Back up your local machines, which also provides redundancy for the above backups.
  - Review your backups for each platform on a periodic basis, to ensure that they exist and are running well.
  - Know how to restore from your backups should it become necessary. Once again: know how to use your backups, or have somebody on speed dial who does.
  - Practice the Principle of Least Privilege and strong passwords for your backups too.
  - Consider an off-site storage solution for key assets that is geographically distant from your other backup solutions.
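The "review your backups periodically" item is the one most often skipped, and it is easy to automate. The following is an added example, not code from the article: given a directory listing of backup files, it finds the newest backup of each kind and flags any kind that is missing or older than its allowed interval. The daily/weekly intervals follow the schedule above; applying weekly to server and local-machine images, and the `<kind>-<YYYY-MM-DD>` file-naming convention, are assumptions. The listing is constructed.

```python
# Added example (not from the original article): a freshness check for the backup
# schedule above. Given a listing of backup file names, it finds the newest backup of
# each kind and flags kinds that are missing or older than their allowed interval.
import re
from datetime import date, datetime, timedelta

# Maximum age per backup kind, following the schedule in the text: databases daily,
# code/files weekly. Weekly for server and local-machine images is an assumption.
POLICY = {
    "db": timedelta(days=1),
    "files": timedelta(days=7),
    "server": timedelta(days=7),
    "local": timedelta(days=7),
}

# Assumed naming convention: <kind>-<YYYY-MM-DD>.<extension(s)>
NAME_RE = re.compile(r"^(?P<kind>[a-z]+)-(?P<date>\d{4}-\d{2}-\d{2})\.")

# Constructed directory listing for the demonstration.
SAMPLE_LISTING = [
    "db-2024-05-10.sql.gz", "db-2024-05-11.sql.gz", "db-2024-05-12.sql.gz",
    "files-2024-05-01.tar.gz", "files-2024-05-08.tar.gz",
    "server-2024-04-20.img.gz",
    "README.txt",
]


def latest_backups(names):
    """Map each backup kind seen in `names` to the date of its newest file."""
    latest = {}
    for name in names:
        m = NAME_RE.match(name)
        if not m:
            continue  # not a backup artefact
        kind, when = m.group("kind"), date.fromisoformat(m.group("date"))
        if kind not in latest or when > latest[kind]:
            latest[kind] = when
    return latest


def stale_backups(names, now, policy=POLICY, grace=timedelta(hours=6)):
    """Return {kind: reason} for every kind in `policy` that has no backup or whose
    newest backup is older than its interval plus a small grace period. A backup is
    dated at the start of its day, so the grace absorbs the hours a job needs to run.
    `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    latest = latest_backups(names)
    problems = {}
    for kind, max_age in policy.items():
        if kind not in latest:
            problems[kind] = "no backup found"
            continue
        age = now - datetime.combine(latest[kind], datetime.min.time())
        if age > max_age + grace:
            problems[kind] = f"newest is {latest[kind].isoformat()}, {age.days} days old"
    return problems


if __name__ == "__main__":
    # In production, replace the constructed listing with os.listdir() of the backup
    # directory and `now` with datetime.now(); alert on a non-empty result.
    report = stale_backups(SAMPLE_LISTING, datetime(2024, 5, 12, 23, 0))
    for kind, reason in report.items():
        print(f"{kind}: {reason}")
```

Freshness is only half of "running well"; a zero-byte dump is fresh and useless, so a production version should also refuse files below a sane minimum size and, ideally, be paired with an occasional test restore.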
- Relationships with multiple web hosts, payment gateways, and email marketing vendors give you additional flexibility in challenging times. If one server is down or compromised, having a “known clean” server available as a backup or for load balancing can be very useful. Likewise, if one payment gateway is causing problems, having an alternative can save the day.
- Version control systems such as Git are very useful for tracking codebase changes and for identifying files or changes that “don’t belong”. Combined with a remote repository and server deployment strategy, such as GitHub or Bitbucket with deployment keys, Git offers yet more layers of redundancy, tracking, and fallback mechanisms.
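Finding files that “don’t belong” with Git comes down to reading `git status --porcelain` in the deployed checkout. The following added example (not code from the article or from Git) triages that output into untracked, modified and deleted paths, and lists untracked files the web server would execute or honour as configuration, which are the first thing to examine after a suspected compromise. The porcelain output shown is constructed so the parser runs offline; the list of code suffixes is an assumption.

```python
# Added example (not from the original article): triage of `git status --porcelain`
# output for a deployed web root, separating untracked files ("don't belong") from
# modified and deleted tracked files, and flagging untracked files that are executable
# web code. The parser is run here on constructed output so it works offline.
import subprocess

# Constructed porcelain output (v1 format: two status columns, a space, the path).
SAMPLE_STATUS = """\
 M wp-includes/functions.php
 D wp-admin/includes/upgrade.php
A  wp-content/plugins/newplugin/newplugin.php
R  old-name.txt -> new-name.txt
?? wp-content/uploads/2024/05/image-1.jpg
?? wp-content/uploads/2024/05/thumb.php
?? wp-content/themes/twentytwenty/.htaccess
"""

# Suffixes that mean "the web server runs or obeys this"; an assumed list.
CODE_SUFFIXES = (".php", ".phtml", ".phar", ".htaccess")


def git_status(repo_path):
    """Run git in the deployed checkout and return its porcelain output."""
    return subprocess.run(
        ["git", "-C", repo_path, "status", "--porcelain", "--untracked-files=all"],
        check=True, capture_output=True, text=True,
    ).stdout


def triage(porcelain_text):
    """Group porcelain lines by what happened to each path."""
    groups = {"untracked": [], "modified": [], "deleted": [], "added": [], "renamed": []}
    for line in porcelain_text.splitlines():
        if len(line) < 4:
            continue
        code, path = line[:2], line[3:]
        if code == "??":
            groups["untracked"].append(path)
        elif "D" in code:
            groups["deleted"].append(path)
        elif "R" in code:
            groups["renamed"].append(path.split(" -> ")[-1])   # keep the new name
        elif "M" in code:
            groups["modified"].append(path)
        elif "A" in code:
            groups["added"].append(path)
    return groups


def foreign_code(groups, suffixes=CODE_SUFFIXES):
    """Untracked files that the web server would execute or honour as configuration."""
    return [p for p in groups["untracked"] if p.endswith(suffixes)]


if __name__ == "__main__":
    # For a live check: g = triage(git_status("/var/www/example"))  (path is a placeholder)
    g = triage(SAMPLE_STATUS)
    print("modified tracked files:", g["modified"])
    print("deleted tracked files:", g["deleted"])
    print("untracked code:", foreign_code(g))
```

Two caveats when using this on a real site: a modified core file such as `wp-includes/functions.php` is as serious as an untracked one, so review the modified list with `git diff` rather than only the untracked list, and directories excluded by `.gitignore` (uploads and caches are the usual ones) never appear in the output at all, so they need the permission audit and a malware scanner instead.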
There is no "silver bullet" in the world of web security. But with good practices and careful thought, you can protect yourself and your investment. Have a plan, and be smart.
To your success!