Website Security – Issues and Solutions

1. software security (CMS, scripts)
2. server security (hosting)
3. administrator awareness of the need for website security and his accuracy and precision in performing website administrative tasks

If all the elements are properly controlled and function in a correct way, your website will be protected against hackers and malicious software.

Software is either a content management system (Joomla, WordPress, Bitrix, and etc.) or scripts that a website runs on. The reliability of software ensures that it is not vulnerable (there are no security holes/flaws) to hackers attempts to access the database, the filesystem or the website admin panel.

To avoid software vulnerability, programmers must develop scripts that meet web security requirements. Unfortunately, this is not always fully implemented. In fact, almost each CMS or script has its weak points. Some of these can be found in the public domain (Public Vulnerabilities), and some are not freely available and can be used maliciously by web attackers to hack sites. To make software inaccessible and  therefore reliable, special attention must be paid to website security.

If a website is running on one of the best-known web content management systems, you should watch for updates, patches and update CMS to the latest version available. If a website functions using a proprietary script, a scan must be done using available tools to detect vulnerabilities. There are different types of tools, e.g. XSpider, Acunetix Web Vulnerability Scanner, utilities to detect SQL injections, XSS, RFI. You should also check website source codes using code static analysis (RIPS) and if any vulnerabilities are detected, they  must be rectified to avoid their exploitation.

What else must be done besides scripts and CMS regular updating? Another important factor contributing to  website security and reliability is website configuration. In order to ensure correct configuration it is vital to:

1. properly administer access rights  to files and directories
2. deny access to website back-ends (backup copies catalogue, configuration files, etc.)
3. deny script executing  in download directory
4. set up extra protection to access the admin panel point

All these actions help to reduce the risk of your website being compromised even though there are vulnerabilities in software.

The second important thing that influences website security system as a whole is website hosting. The website hosting can be shared or dedicated.

In case of shared hosting, the responsibility for secure server settings rests with the administrator of a hosting services provider. While with the dedicated server (VDS/VPS/DDS), this responsibility falls on the server owner.

In both cases, either we are speaking about shared hosting or dedicated server, their configuration needs to be adjusted to limit the range of operations that could lower website working efficiency. In other words, website owners should be provided with access to essential functional options only and shouldn’t be allowed to perform other functionalities.

For instance, if a website does not have external connection, the external connection (allow_url_fopen/allow_url_include) option must be switched off. Or, if a website does not use system calls (system, shell_exec and others), this function should be deactivated as well.

Another important thing is file permissions and access control. Server must be configured to restrict unauthorized access to files and directories of website as much as possible. Each website must be isolated from others. A system administrator is the person who must see to all those aspects.

It is known, that there are hundreds of different websites hosted on the same shared hosting server, yet every website requires its specific functional options. That is why companies that provide hosting services are very lenient when it comes to server settings configuration. As a result, they allow their customers to set up a server almost without any restrictions. Obviously, in this scenario all the websites placed in the same hosting area face high risks. So, a website owner should choose a hosting provider very carefully. The best way is to choose a hosting provider that allows to set up web server and PHP individually for each account and thus avoid the use of default settings.

It goes without saying that the server needs to be set up by an experienced system administrator, who will professionally isolate website from other elements of the system, restrict most scripts and their visibility and arrange control mechanisms of the file system, data backup and logging systems.

Website Administrator Functions/Administrator awareness of the need for website security and his accuracy and precision in performing website administrative tasks

The main issue with website security is that generally website owners pay little attention to web protection and malicious activity prevention. They are confident in flawlessness of their software and in reliability and safety of their server settings. Still, this carelessness can be the main cause for website hacking and infection with viruses.

So, what must be done to reduce potential security risks and protect websites against security threats? Here below you will find a check-list for a website manager to follow:

1. A website administrator’s local machine on which the administrator perform all the website operations should be protected by commercial antivirus software. The computer must be scanned regularly. If your website is managed by several specialists, the same rule applies to all of them.
2. Change your FTP/SSH account passwords and admin panel (administrator page) passwords on a regular basis, at least once a month.
3. Do not store your passwords in FTP client programs, browsers and email.
4. Create strong and secure passwords like «Xhsdf3@4%4».
5. Work safely using SFTP or SCP.

Great attention must be paid to website security. Only in this case you will be able to protect your website from viruses and attacks by hackers. Do not forget to update your software regularly, configurate all the hosting settings properly, and control website access points diligently. If only one of these points gets weak or ignored, your website is most likely to be hacked or infected with web based malware.

Source