The 3-step plan to make your website harder to hack

Online attackers are increasingly targeting websites to make a statement, send spam or flood someone else's network.

When a big website like Lenovo's gets hacked, it's news. But most such attacks take place under the radar, at smaller sites lacking the skills or time to protect themselves. Take the legions of Wordpress-based sites, which got a rude awakening last year when many thousands of them were hacked.

Don't be one of those sites. Even if you don't use Wordpress, you can learn important lessons from what those poor blighters have been through.

The un-magic bullet: site maintenance

Quickly spinning up a Wordpress site on a hosted server is simpler than ever, but users need to understand that the sites require regular management. Cybercriminals and hackers are continuously looking for sites whose administrators use easy-to-guess passwords, inadvertently misconfigure the site, or fail to apply the latest patch.

Earlier this year, for example, security firm Zscaler found that compromised WordPress Web sites were forwarding visitors' login credentials to an attacker-controlled site. Last year, in one of the worst cases of serial compromise, a malicious program, known as SoakSoak, infected more than 100,000 Wordpress sites using a vulnerability in a popular plugin. "The beautiful thing about these applications is that they are easy to use and make it easy to get a website up online," Tony Perez, CEO of Sucuri, says. "But it's a double-edged sword--we cannot depend on the users to be able to manage the sites securely."

Security experts don't blame the content management systems, which typically take security seriously. But Wordpress sites account for 24 percent of all Web sites, and Joomla and Drupal account for another 5 percent, according to Web technology firm W3Techs. The software is under intense attacker scrutiny. Attackers have historically tried brute-force password guessing as a first assault on content management systems, followed by quickly attempting to take advantage of any just-published vulnerabilities.

Passwords are an easy problem for users to solve, but keeping up with a steady stream of vulnerabilities and patches requires diligence, says Mark Maunder, CEO of Wordpress security firm Wordfence. These three best practices will help you fend off attackers.

1. Update as soon as possible

Anyone managing their own site should either use a hosting service that manages the core content management system (CMS) updates or create a process to keep up with information on vulnerabilities that could impact their installation.

Be warned, it's a tough job. Subscribing to any vulnerability feeds for their software and plugins is a necessity to quickly patch vulnerabilities in either the CMS or its plugins. Yet, it's easy to be inundated, says Sucuri's Perez.

"It is almost impossible for developers to keep up with vulnerabilities," he says. "They are trying to run their site, and trying to keep track of all the patches and applying them is difficult."

Web-security services like Sucuri, Cloudflare and Incapsula can buy administrators more time to patch their sites, by blocking known attacks.

2. Don't forget your plugins and themes

While keeping the main content management system up-to-date is challenging, patching every plugin can be a more onerous burden, as attackers have increasingly targeted vulnerabilities in plugins and themes to compromise Web sites.

"In general, attackers are trying to own as many WordPress sites as possible using as many zero days or recently-disclosed vulnerabilities, and then using that site for other attacks," says Wordfence's Maunder.

A variety of Wordpress plugins provide security. Wordfence, BulletProof Security and iThemes Security perform a variety of security-related tasks, from scanning Web sites for compromises to setting the security controls of a WordPress site to harden the software against the most common attacks.

3. Regularly maintain your Web site

Having a hosted Web site is a responsibility and requires frequent maintenance. Administrators should back up the site, and make sure the backup is copied off the Web server--many inexperienced administrators overlook that step, says Maunder.

If you don't have time to do this, go with a fully managed site. Wordpress.com has a wide variety of templates and more flexibility than ever before. For other content management systems, such as Joomla and Drupal, a hosted service provider can manage the CMS on that server and help keep your Web site patched.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityLenovozscalerWordpress

More about CMSLenovo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert Lemos

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place