Website security: tools and advice.
Owning and managing a website involves a series of activities: managing a blog, applying SEO practices, building popularity by sharing on social networks, and so on. But management is not limited to these practices. A very important aspect that is often overlooked is the security of the website itself.
Every day, most websites are under constant attack without us noticing it: these are routine attacks by a small niche of web users who probe whether our site has flaws they can exploit in order to take it over.
WHY SHOULD THEY ATTACK ME?
This is the classic question I get asked when I talk about website security. To answer it you need to understand who actually attacks a website.
We often think of a hacker, we think of Anonymous. No, it is not about them. By definition, a hacker is someone who solves problems in a creative way and is endowed with strong lateral thinking. A hacker is someone who disassembles a device to understand how it is made (and then reassembles it), or a computer expert who tries to understand the flaws in a system or software in order to remedy them or to find a way to deal with malicious attacks. There are also ethical hackers, those who break into certain sites or systems because they follow an ideal.
Then there are the bad ones: crackers. They are the ones who attack us, even though we have done nothing wrong. For what reason? Some of the main reasons are the following:
- Take possession of the physical space that hosts our site (ftp, sometimes even database) to place fraudulent pages and steal sensitive data (credit card numbers for example);
- Practice cracking techniques (as novices do);
- Create redirects to specific web pages of their choosing;
- Compete unfairly with a competitor;
- And so on…
In light of this, the answer to our initial question is therefore clear, and it becomes more evident that the security of a website should not be underestimated.
THE EFFECTS THAT A TAMPERED WEBSITE HAS
A tampered site obviously has negative repercussions. In the first place it needs to be cleaned up because:
- It is no longer navigable
- It can cause us a lot of hassle, especially if it contains fraudulent pages (resulting in a report to the Postal Police)
- It is penalized by Google and may even be removed from its index
- It will cost us time and money to clean it up and put it back online
- And above all it will make us feel helpless and anxious because: we will no longer have our website!
Security of a Website: Prevent Attacks
As a famous slogan says, prevention is better than cure. The security of a website is never 100% certain, but it is always better to identify and prevent the critical issues that are evident (as project management best practice puts it: risk analysis).
The best practices for the security of a website are of various types: some are simple and can be implemented even by the less experienced, and for simplicity of discussion I will call these management best practices; others require computer skills, and I will call these computer best practices.
But there is a third and unique best practice, accessible and feasible by all: having patience, dedication and perseverance.
Usually this practice is never followed, although it is the simplest and most accessible. In fact, in the last few months I have cleaned about ten websites and analyzed some flaws in websites under attack that were not well managed in terms of security: these belong to customers who did not have the patience and perseverance to monitor their site.
But let's get to the best practices for the security of a website, which I describe below without going into detail, trying instead to give some useful ideas about security.
BEST MANAGEMENT PRACTICES
These practices concern the management of one's own site and affect the security of a website; they are aimed mostly at those who own a website built with a CMS such as WordPress, Joomla!, Prestashop or Magento.
Keep your CMS up to date.
Whether it is WordPress or another CMS, it is always important to update to the latest versions. This is a basic rule of website security. Updates are often released because the code has flaws, i.e. gaps that can be targeted by malicious users to attack our website.
Always update plugins
Plugins (or components and extensions, for Joomla! users). Update them constantly for the same reason as above. This too is a basic rule for the security of a website.
Quality of add-ons
Use plugins, modules and components made by developers who are actively on the ball! A plugin must always be kept up to date, for the same reason explained in point 1. This factor is also fundamental for the security of a website.
Before downloading a plugin check the change log: this is the development history of the plugin, which lists all the updates made by its developers and the release date. Installing a plugin that hasn’t been updated for a year can be a risk.
Always check the reviews of users who have used it.
Don’t use plugins you don’t need
If you have installed some that you don't use, I recommend that you delete them! The fewer plugins you use, the better! You will ask yourself: "ok, but I need a nice site, so I need a lot of plugins". I answer that, unless they provide essential features, the quality of a website also depends on how it is built, and there is no need to use many plugins to get a professional and beautiful result. This is precisely the job of an expert web developer.
Learn about the security status of add-ons
To find out about the security status of a plugin, I recommend that you do a Google search and take a look at the sites that list the latest vulnerabilities of the CMS itself and of its plugins. Below I list the sites that track the vulnerabilities of WordPress and Joomla! plugins:
- Joomla! Vulnerability List
- WordPress Vulnerability List
For a CMS like Prestashop (excellent for e-commerce) the situation regarding plugins is more under control, but it is always good to keep them monitored. Prestashop has a large number of native plugins that make it unnecessary to install others, except in exceptional cases (and those are expensive and robust).
Keep the FTP space clean
This is the physical space on our hosting where the files of our site reside.
Avoid creating or uploading unnecessary folders. If you really need to create them, do it from the administration panel.
If you want to do it from an FTP client, pay attention to the permissions assigned to folders and files.
When uploading files and folders via FTP, always check that the permissions assigned are the right ones (usually 755 for folders, 644 for files).
I often have to delete a __MACOSX__ folder from the FTP space of a site. It is a metadata folder created by Macs, invisible to Mac users, but which becomes visible when we copy content from a Mac to Windows or Linux. When does it show up? The classic case is when we compress a file on the Mac and unpack it on a PC or server with a different operating system (Windows or Linux, for example). Well, today this represents a vulnerability, especially for those who own a WordPress site (it makes the site subject to exploits). Would you ever have thought that?
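The two checks above (755/644 permissions and stray __MACOSX folders) can be run locally against a copy of the site tree. This is an added example, not code from the original post; the site layout it builds is a constructed sample with hypothetical paths, and `audit_webroot` is an assumed name.

```python
import os
import tempfile

EXPECTED_DIR_MODE = 0o755   # the "usually 755 for folders" rule
EXPECTED_FILE_MODE = 0o644  # the "usually 644 for files" rule
STRAY_DIRS = {"__MACOSX__", "__MACOSX"}  # metadata folders left by Mac zips


def audit_webroot(root):
    """Walk the site tree; report entries whose mode is not 755/644 and any stray __MACOSX folders."""
    findings = {"bad_dirs": [], "bad_files": [], "macosx": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                continue  # symlinks carry their own mode; check the target separately
            mode = os.lstat(full).st_mode & 0o777
            if name in dirnames:
                if name in STRAY_DIRS:
                    findings["macosx"].append(rel)
                if mode != EXPECTED_DIR_MODE:
                    findings["bad_dirs"].append((rel, oct(mode)))
            elif mode != EXPECTED_FILE_MODE:
                findings["bad_files"].append((rel, oct(mode)))
    return findings


def build_sample_tree():
    """Constructed sample site: a world-writable uploads folder, an executable PHP file, a __MACOSX__ folder."""
    root = tempfile.mkdtemp(prefix="site-")
    layout = {  # relative path -> (is_dir, mode); hypothetical paths
        "wp-content": (True, 0o755),
        "wp-content/uploads": (True, 0o777),      # too open
        "wp-content/__MACOSX__": (True, 0o755),   # stray metadata folder
        "index.php": (False, 0o644),
        "wp-content/uploads/photo.jpg": (False, 0o644),
        "wp-content/stray.php": (False, 0o755),   # should be 644
    }
    for rel, (is_dir, mode) in layout.items():
        full = os.path.join(root, rel)
        if is_dir:
            os.makedirs(full, exist_ok=True)
        else:
            with open(full, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
        os.chmod(full, mode)
    return root
```

Run `audit_webroot` against a downloaded copy of the site (or on the server itself over SSH) and fix every reported entry before re-uploading.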
Symptoms of An Attack
When could your website be under attack? I would say: always! Many bad guys are out there ready to probe and evaluate the security of a website. If you install plugins and extensions on your website that send you an email every time there is an attack attempt, you will find your inbox full of warnings.
In this regard I point out:
- this list of WordPress plugins
- this extension for Joomla!
The problem therefore is not to avoid attacks but to ensure the security of a website.
Relying on plugins alone can be an incomplete practice. Some signs of an attack are:
- Excessive daily registration of users on your site.
- Strange redirects to pages we don't know about.
- Excessive bandwidth usage on your hosting.
- Excessive access to a folder on your site by a small group of users (do a cross-analysis of the access statistics on your site).
- Reports from Google.
Best Computer Practices
These are useful for those who manage their own site and "fiddle" with code and/or databases. For the security of a website, the golden rule is to touch the code as little as possible; but if you feel the need to do so, it is always good to follow the best practices for developers and make the most of the APIs provided by the community.
For those who are familiar with computer code, or who would like to become so, I point out two tools written in the Python language which provide us with information on the security of a website, indicating some of the vulnerabilities present on our site.
Exploit Database is the site of one of the Offensive Security projects. Offensive Security, among other things, takes care of the releases of Kali Linux, a version of the Linux operating system adapted to analyze (and sometimes carry out) attacks on systems, networks and sites, and above all used for computer forensics analysis.
Exploit Database provides a constantly updated list of exploits for various vulnerable systems. Put simply, an exploit is a technique that allows you to escalate privileges on a system and become an administrator. To be clear: if someone runs an exploit against your site and it succeeds, they become the owner! This is equivalent to handing over the username and password of your hosting administration panel.
The Google Hacking Database (GHDB) is also an Offensive Security project. It catalogues various vulnerabilities by showing how they surface in Google search results.
If we go to the site and type the word WordPress as the search key, among the various vulnerabilities we find the exploit of WordPress sites that contain __MACOSX__ folders, which we talked about earlier.
It also shows vulnerability to SQL Injection, a technique that exploits flaws in the database layer by injecting code into it. To do what? To steal your data and passwords.
Here is a tool written in the Python language (and present in Kali Linux). It is called Plecost, and it is used to identify vulnerabilities on websites, especially WordPress sites.
In the GitHub repository of the tool you can download it as well as see how it works. You can use it even if you are not a computer expert: just download and install the Python interpreter and run the commands as described in the mini guide.
The tools described above have been mentioned for educational purposes and above all for the purpose of monitoring your site. Like any useful tool, they can also be used for malicious purposes, practices from which I dissociate myself.
Abdul Rimaaz