With over 90% of cyberattacks in 2023 and beyond being attributed to WordPress plugins and themes, keeping a website secure is an ongoing process: new vulnerabilities are regularly being discovered and attackers are constantly coming up with new ways to hack their targets.
Here are 6 ways website operators can maintain their security and prevent attacks:
Keep Platforms, Systems, and Softwares Up-to-Date
Whether your software was created in-house or by a third party, ensuring everything has the latest update is typically the owner’s and administrator’s responsibility. Often, organizations with the mindset that hackers will not target the most at risk because they do not take the necessary steps to protect themselves.
Updates are important because they do not just apply to the website's core platform or plugins; they also apply to browsers, themes, and operating systems.
Prioritize Password Management
We hear about password hacks and compromised data that result in the news regularly, it is estimated that hackers stole 45 million passwords from over 1,100 websites and that 81% of breaches in 2016 involved stolen or weak passwords, with 2023's statistics continuing to mirror this. Proper password management should include a corporate wide password policy which outlines password strength requirements, how often passwords need to be changed to limit or prohibit the reuse of passwords.
Strong passwords should consist of a random mix of upper and lower-case characters, symbols, numbers and be at least 12-15 characters long. Avoid having obvious words such as the names and dates as part of the password. They should be unique and not used to access multiple accounts or applications. Change passwords often and keep them secure. Passwords should only be known to employees if access is critical to their role. Change passwords whenever there are changes in personnel and disable or remove unused access accounts. For more information on proper password management, refer to NIST’s password guidelines.
Perform Recurring Security Testing
Every day there are new vulnerabilities found to affect a large volume of applications and system components. Once your website has undergone security testing, it is critical that it be added to a recurring schedule in order to maintain constant awareness into the level of risk for each of your web properties. More often, websites or web applications undergo changes at a source-code level in order to introduce new functionality or enhance existing content which may introduce vulnerabilities into the application.
While it is recommended to perform security testing after any significant code change, adopting an annual or quarterly security testing schedule will dramatically reduce exposure and provide extra runway for remediation.
Restrict Access to Management Applications
Perhaps the most overlooked countermeasure for automated attacks on content management systems is to simply restrict access using a network-based access control list. CMS applications such as WordPress, Drupal and various others are subject to password guessing or brute-force attacks sometimes every hour of the day.
If unauthorized access to your website is obtained through the CMS management platform, it is possible for an attacker to attempt to compromise back-end web servers and databases in order to maintain persistent access.
An easy way to protect your customers is to use and mandate HTTPS (i.e., SSL) which encrypts communications between the web server and clients using SSL certificates. Consumers are now looking for the green HTTPS logo in their browser's URL form anytime they will be providing sensitive information, as it indicates their traffic is encrypted.
In addition to the extra security that having HTTPS offers, Google has confirmed that their algorithm considers HTTPS when ranking websites, which is their way of providing users with accurate and secure search results.
Consider Security Consulting
Hiring professionals to provide insight into your existing security controls is a great step in maintaining the security of your website. While these services are typically thought of as being reserved for companies that routinely store or transmit sensitive information through their website, any organization can benefit from an assessment.
Web application security assessments consider the holistic approach to multiple security domains and identify controls in place within your environment, measure their effectiveness and review the implemented policies to establish a maturity level at each of the core security domains. System hardening should also be considered in an assessment: this includes evaluating the security of the underlying operating system and system configuration to identify ways to reduce the attack surface.
If you are a seasoned IT professional or you are just starting to investigate website security, there are a variety of tactics you can use to protect your own and your user’s data. To learn more about web application security risks visit the OWASP Top 10 Project to review the ten most critical security risks in web applications.
Contact us today for your free, zero-obligation website security consultation and quote.
Have Questions? Need a Quote?
Contact our team today to see how we can help improve your security posture. Get a no-obligation quote and a copy of our sample report to help you get started.