Securing Your Website

30 minutes, 6 links
From Security for Everyone, edition e1.0.0
Updated October 9, 2023

🚀 As explained by Erica

The minimum operating expectations for any business nowadays is to have a basic website with service or product information, and contact details. Depending on whether you sell products/services via your website, you may just set it up and forget about it, or regularly interact with it.

Either way, your website is valuable real estate. That might seem silly considering how cheap and easy it can be to set one up. Anyone can make one, right? While this is true, let me explain the economics behind why someone else might want to just take advantage of yours rather than set up their own. We’ll then explain the few things you can do to stop an attacker from misusing yours.

But first, it’s important to understand the general steps involved in setting up a website. These can broadly be broken down into the following four steps:

  1. Purchasing a domain name from a domain name registrar.

  2. Selecting and signing up for a website hosting provider or site-building service.

  3. Designing and building the website.

  4. Updating your domain name to point to the new website.

Why and How Websites Are Hacked

Some attackers have automated scripts to run through the four steps above to set up malicious websites that host phishing pages or other scams. Technology providers have caught onto this, so they might protect you by blocking or warning you about visiting a website that was only just recently created and has no “online reputation.” It is like a game of cat and mouse—where business services are provided, attackers pop up to try and take advantage of it, and the security community reacts.

Some attackers get more creative. Why create their own domain and website when they could just use an existing one? And one way to get a website is stealing or hacking into yours (because asking nicely to use your website for crime probably won’t work).

This is another case where being “low-hanging fruit” on the internet tree bites us in the bum. Attackers will simply scan the internet for poorly secured websites to hide their bad stuff in. Have you ever been linked through to a phishing website, and noticed the URL looked odd? Perhaps it looked like a website that belonged to a small business, but it had a page that looked like a fake Microsoft login page. The website owners usually don’t notice because the page is buried in the website hosting panel, away from their site. There is also no link to it from the main website—someone would have to know the full URL path to see the page. It is like running a physical storefront, with criminals using the back door to run illegal operations. It might sound like we have been watching too many mafia movies, but these are real situations that happen.

You might think, what is the harm? So long as the attacker doesn’t destroy your website, why not let them co-exist? This isn’t a good strategy to follow because once their pages get reported (which will happen), you are the one who feels the impact. It could result in a negative impact to your online reputation by:

  • getting your domain and website flagged as “bad” or “malicious” by search engines (like Google) and web browsers

  • difficulty with having customers visit your website or receive your emails due to your domain’s reputation

  • getting your website taken down by your hosting provider or your domain name released by your registrar.

I have spent a lot of time working with small businesses to help clean up their websites after an attack. It can be hard to undo the reputation damage and clean up the mess, and often takes much longer to clean up than it does to secure it in the first place. So consider it time well invested rather than damage control after.

After finding a poorly secured website, in addition to hosting phishing pages, attackers might opt instead to inject some of their own code into the website. For example, they could alter the checkout page of your website to steal copies of credit card details as they are entered. Alternatively, they could inject code that steals the entire transaction, preventing you from getting paid and the customer from receiving goods. It might not be obvious right away what has happened, but as weeks pass—and as you notice a decrease in sales, and your customers notice they haven’t received goods—you might be in for quite a lot of damage control and clean up.

Imagine if you had to go through the trouble of re-hosting or cleaning up your website, and repairing the damage caused by lost sales and data. Would your business persist? At the very least, these are all distractions from running your business, which might already be running lean on resources.

Now that we understand what an attacker’s goals are for our website, we can identify and close the weaknesses and gaps they look for, and stop them from reaching those goals.

Common Website Vulnerabilities

How do attackers tend to get access to these low-hanging fruit websites? The answer usually falls into one of three categories:

  • Weak credentials for accessing the domain name registration website, website hosting provider, content management platform, or website server itself.

  • Unpatched website software.

  • Unnecessary services running on the website server that are not safe.

This chapter assumes that you have either a static website (for just providing information), or you’re hosting an e-commerce site. If your business’s priority is web application software development, or you want more perspectives and applications of security principles, see Part III.

To close these most common gaps, we need to consider who we get help from, where the website is hosted, and what website hosting and software configurations we have available to set up.

Should You Outsource Security of Your Website?

While this chapter will go through the steps to take to elevate your website higher up that internet fruit tree, let’s be honest—not all of us are website fanciers or connoisseurs. While it wouldn’t be worth it to outsource management of your email, outsourcing your website is a different story.

A service provider who looks after your website’s security is often responsible for:

  • Picking and managing the hosting providers and software you need for running a website.

  • Keeping your website and any software and plugins you use up to date and configured securely.

  • Setting up your HTTPS certificate to make sure all the traffic on your website is secured.

  • Managing access to your website and other website accounts, including remote access.

  • Configuring backups and other configurations that impact your website’s availability and speed.

These service providers can take many shapes and sizes, just like any other outsourced service or consultancy. Some service providers may only support specific website platforms, such as WordPress. Often the same companies that will sell you your domain or a website hosting subscription will bundle in a managed website service for an additional cost.

If you can budget for this, great! But just like you might vet a nanny before you get them to look after your (human or furry) kids, you need to vet website service providers too. You can start with using this chapter of the book to ask them questions and make sure they are doing the right (secure) things.

danger Ask contractors who work on your website how they manage software updates, require them to use 2FA, and require them to use safe remote access technology to access your website server. Don’t assume that they will do so automatically.

The cost for these types of services will vary. What we can recommend is using this chapter to understand the work that needs to be done. You are smart, and with time can learn how to secure your website on your own. But time is money, and your time could be better spent doing other things in the business. It is a balance that you will have to find, and decide on.

Step 1: Use Secure Web Hosting Providers and Software

Once you have a domain and a website, it is time to do a stocktake and see if it is safe enough to use, or if it is time for an upgrade. There are a few different providers involved in hosting a website, even if some are not very obvious to you or others. These include:

  • The domain registrar, which is the service provider who you purchase and manage your domain name through.

  • The DNS hosting provider, which is the service provider where you configure different technical settings related to your domain name (like your TXT records for SPF/DKIM) and the records for tying your domain name to your website (IP address). Your DNS hosting provider and domain registrar may be the same company.

  • The website hosting provider, or the service provider who gives you a website server to share or use to host your website itself.

  • The content management system (CMS) provider, or the service provider (or just software) used for managing all the content on your website.

  • Any other third-party software or plugins on your website, or supporting analytics or the site’s content.

If you are moving to a new service provider or setting up with a new one, you might find yourself using a website builder service, such as Squarespace, Wix, or Webflow, or an e-commerce platform, such as Shopify. Such services provide a website and cover both the roles of a hosting provider and a content management system. Paying anywhere from US$15–$40 a month can be a small price to pay for the simplicity of running your website, and these providers often provide the security features you need.

Optionally, you may pay a contractor, often called a managed service provider, to wrangle all these for you.

confusion Some techies may tell you it is cheaper and better to build your website yourself—using tools like Amazon Web Services and WordPress—but this assumes you have the technical expertise, time, and energy to use and secure these correctly. If a website builder service passes the vetting tests we discuss next, they may be best for your needs.

Here is how each service provider fits together, using our safestack.io website as an example:

Figure: Services involved when a user visits a website.

It might be that you have one service provider for all of these services, or you might have a few different providers. When taking stock inventory, identify all the third-party website service providers you have or work with, and make a note of which providers perform which services based on the providers and technologies listed above. From there, go through each and check if they provide the following key features needed to secure your website:

  • 2FA for the account you use to access your DNS records, website server, and content management system. These are critical technology components, and they need to be protected with two steps of authentication.

  • Website server and daily content backups, which are stored on a different server from your main website, or are managed by your service provider (you just have to tell them which backups you need and if you need to restore from one).

  • Automatic updates to website server software and third-party software. This is a brownie point because not all service providers can give you this option, as helpful as it might be. You might have to compromise with just a fortnightly or monthly reminder to manually update things yourself instead.

The list of key features might seem quite small, but you would be surprised how many service providers fail just that first feature of 2FA. When drawing the line to filter out service providers who don’t check all these boxes, you might find yourself with quite a short list of options. (Silver lining: that makes decision paralysis much easier to manage!)

Step 2: Use Unique Credentials and 2FA

You are going to see the phrases “unique passwords” and “two-factor authentication” so much in this book that you will start dreaming about security. It is probably no surprise that protecting the accounts used to manage your domain, servers, and website content is important. Attackers often break into unsecure websites by simply guessing passwords, re-using leaked or stolen passwords, or brute-forcing their way in. You already know the best defense against this is a unique password for each account, and adding a second authentication step in case that password is lost.

This is a case where having a team password manager can come in handy. You might be getting help from others on the team to manage your website. Most of the time, website management accounts only allow you to have a single user, or in some rare cases they may charge you per user.

True, sharing accounts can be risky. But when it comes to setting up a website, you might not be using those accounts all the time. Sharing a single account is a great way to save cash. The safe way to navigate this is to create a unique password, and store it in a shared folder or vault in your password manager. If you picked a good password manager, you can also use the 2FA that is built into your password manager. So you can keep your account secured, and also get help from others in managing it.

Step 3: Turn On Automatic Backups and Updates

The next step of protecting your website is to turn on automatic operating system and software updates that will both prevent attacks and also help you recover in case something goes wrong. While there is the risk of an update causing a bug or issue, it is one less thing you have to think about or make time to do. For most websites that lack technical complexity, automatic updates are pretty low risk—unlike unpatched website software, which is relatively high risk.

Your website and its content is simply made up of many lines of code. More often than not, that code is not perfect. Think about it like building a fence. Anyone can go down to the hardware store and get wooden planks and make a fence. You don’t have to be a builder to do it, you just need some tools and have an idea of what you are trying to make. After making a fence, you need to maintain it. Maybe you built it to a certain height, but now there is a new neighborhood dog (or threat) that can jump it (or bypass the security of the fence). Or maybe the weather has taken its toll and over time the fence has fallen apart and caused gaps to show up.

The software you use to build your website is the same as the fence. You have to keep the software up to date to manage any new security holes that are found and also to maintain the code base it is built on. Updates for you are less about the flash new features, and more about maintaining security.

important If you are using a website builder service, you might not have to worry about underlying website software because this is taken care of by the vendor. If you are running your own website, or pay someone to run the software for you, you’ll need to make sure you or the software manager keep it up to date. Websites also have the concept of “plugins,” or additional apps or software that provides a specific feature. Common plugins include shopping cart features, customizable forms, or features to help you with SEO. Keep website software and plugins in mind when you are toggling on updates to happen automatically.

confusion If you don’t have the option for automatic updates, then you need to set a reminder to go into your accounts regularly to hit the update button. Updates can be released at any time, and a good frequency to check would be once a month. So set a time in your diary where you are often doing most of your month-end processes, and add in some time to log into your website hosting provider and CMS to run updates.

In addition to automatic updates, you need to have automatic backups. This will be a more common feature you can turn on, and will be important to have when something does go wrong. Maybe you miss updates for a few months, or someone gets access to your hosting provider or CMS account and wreaks havoc. Backups are like hitting a reset button to restore back to a period in time before the attack happened.

The problem is you often don’t know exactly when an attack happened. While you can always get help to find and restore the right backup, what you can’t do is to hire someone to fix the problem if there are no backups available. Think of it like having a spare tire in the trunk of your car. It is easier to flag someone down to help you replace your flat tire, but they can’t help you if you don’t have any tire to swap to.

important Configuring automatic backups is probably one of the single greatest actions you can take now that future you will greatly appreciate. You can most likely configure this with a button toggle in your hosting provider or CMS.

If not, chances are there is a well-reviewed and often-updated plugin you can download to handle this for you. When turning it on, there are two other things you’ll want to think about and configure:

  • How far back do my backups go? By default, most hosting providers create and save the past 30 days. This is better than nothing. If you have the space and you can, save up to six months’ worth. Most incidents are not noticed right away, and you might only notice after 30 days have already passed. A common approach is to save daily backups for 30 days, and then store one backup from each of the previous months.

  • Where are my backups stored? This comes down to who manages your hosting for you. A website builder will take care of storing these backups in most cases. For everything else, configure a backup solution that stores backups in a cloud account, like OneDrive, Google Drive, or Dropbox.

Cloud backups are essential because if an attacker gains access to your website, the first thing they will do is delete any logs and local backups, so you won’t detect their activity right away and won’t be able to reset everything when you do. They surely don’t want you to undo all their hard work. Storing your backups in a cloud account protects them separately from your website so an attacker can’t destroy or mess with them.
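The retention policy described above (every daily backup for 30 days, then one backup per month for the six months before that) is easy to get wrong in a pruning script. The following is an added example, not code from the book or from any hosting provider; it works over a constructed list of backup dates and reports which ones to keep and which can be pruned. The dates and the `run_demo` scenario are constructed for illustration.

```python
"""Backup retention selector for the policy described in Step 3: keep every
daily backup from the last 30 days, then keep the last backup taken in each
of the six calendar months before that window, and drop the rest.
Added example; not the book's or any provider's code."""
from datetime import date, timedelta

DAILY_WINDOW_DAYS = 30  # every backup younger than this is kept
MONTHLY_COPIES = 6      # older backups: one per month, for this many months


def select_backups_to_keep(backup_dates, today):
    """Return the set of backup dates to retain.

    backup_dates: iterable of datetime.date, one per stored backup.
    today: the date the pruning job runs.
    """
    cutoff = today - timedelta(days=DAILY_WINDOW_DAYS)
    keep = set()
    newest_per_month = {}  # (year, month) -> newest backup date in that month
    for d in backup_dates:
        if d > today:
            keep.add(d)  # future-dated entry (clock skew, bad metadata): never prune it
            continue
        if d > cutoff:
            keep.add(d)  # inside the daily window: keep everything
        else:
            key = (d.year, d.month)
            if key not in newest_per_month or d > newest_per_month[key]:
                newest_per_month[key] = d
    # Of the older months, keep only the most recent MONTHLY_COPIES of them,
    # one backup each (the latest taken in that month).
    for key in sorted(newest_per_month, reverse=True)[:MONTHLY_COPIES]:
        keep.add(newest_per_month[key])
    return keep


def select_backups_to_delete(backup_dates, today):
    """Backups that fall outside the policy and can be pruned."""
    return set(backup_dates) - select_backups_to_keep(backup_dates, today)


def sample_backup_dates(first, last):
    """Constructed sample: one backup per day from first to last inclusive."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


def run_demo():
    """Apply the policy to a constructed run of daily backups (1 Mar to 9 Oct 2023)
    and return (kept dates as ISO strings, number of backups to delete)."""
    today = date(2023, 10, 9)
    backups = sample_backup_dates(date(2023, 3, 1), today)
    keep = select_backups_to_keep(backups, today)
    drop = select_backups_to_delete(backups, today)
    return sorted(d.isoformat() for d in keep), len(drop)


if __name__ == "__main__":
    kept, dropped = run_demo()
    print(f"keeping {len(kept)} backups, deleting {dropped}")
    for iso in kept:
        print(" ", iso)
```

Run against a real backup listing by feeding `select_backups_to_delete` the dates parsed from your provider's backup names; it never deletes anything itself, so the output can be reviewed before any pruning happens.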

Step 4: Turn Off or Remove Old Software and Services

We spoke about how your website is just made up of lines of code. The more lines of code you have, the more problems you could have. If the fence you are making is miles long, it carries more risk than the one that just goes around a small house. If you don’t have to have all that software installed and running on your website, then now is the time to do spring cleaning. This is similar to the advice we gave on removing old apps from your phone that you no longer use.

When you initially set up your website, turn off any features or default software that you don’t need. Your website builder might by default come with different features like mail or file transfer features. These are commonly misused features that can be turned off right from the word go. If you have outsourced setting up your website, contractors might have remote access services enabled so they can get things set up for you. When they are finished, have a close-out chat where you go over how to maintain the new website, while also closing up any access that they might have left behind.

During your monthly check for updates, if you notice that some plugins, apps, or software have not had an update available in a long time, it could be that they are no longer supported. This isn’t an emergency now, but with time that feature can fall apart and become unsafe, so you will need to set aside time to replace it with something that is supported.

It is common for people to build software, share it with others, then move on and give up on supporting it. It is similar to how you probably have a closet or bin somewhere with all the personal projects you have half started. Like building a fence, you don’t have to be an expert to make software and give or sell it to others. The plugin or app ecosystems online are full of hobbyist software developers. Most people are more interested in solving a problem and creating something than they are with maintaining and taking care of it for life.

Step 5: Be Careful Picking Plugins and Apps

It can be challenging to find replacements for unsupported plugins and apps. If you search in the plugin or app store for “shopping cart” functionality, you will probably have thousands of lines of results. Shopping for a plugin is kind of similar to shopping for anything online. You have to have some criteria to filter down to a smaller set of options that check your boxes. The boxes here determine whether a plugin or app is safe to use.

You can run through these questions when you are assessing a new plugin or app to use for your website:

  • When was it last updated? Acceptable answers are within the past four weeks. The further it gets away from this date, the more risky it is.

  • Who manages this app? Acceptable answers include recognizable companies, your hosting provider, or the owners of the CMS or website software you use. If you have not heard of the author, Google or search their name online. If the search turns up very little, that is a red flag and you should move on to the next.

  • Do they provide customer support? Is there an email address you can contact? Do they have documentation and help pages to understand how to use the app? If not, that is another red flag.

  • Is the app well reviewed and endorsed by your hosting or website software provider? Did the most recent reviews have positive mention of the customer support? Are there any reviews about security concerns?

Answering these questions will allow your gut to get a good feel for if a plugin or app is safe. There are going to be so many options out there, you’ll want to make sure you are going with one you won’t have to replace later.

Step 6: Manage Remote Access Securely

In some cases you might have had a need for remote access to your actual website server. This might be because a third party was helping you set up the website, and using remote access software was easier for them (rather than giving them access via your account). This remote access usually works in the form of special access, or ports, being opened up on your website server itself. Opening up remote access is not as secret as it might seem—when attackers are scanning the internet for websites to attack, they are also checking to see what other access is opened up.

important With remote access being so different from just logging in via a website, you don’t immediately think about it when it comes to security. Remote access is often configured with just a password. Think of it like putting some heavy-duty locks on your front door, while leaving your windows unlocked. This access needs to be protected to the same degree as your accounts, including a unique password and 2FA.

confusion More often than not, though, it is not you using this access but the people you have hired to help with your website. Make security for this access a rule, and require third parties to follow the rules or their access will be turned off. With IT, there are usually multiple ways to achieve the same goal, so be empowered to challenge your hired IT support when they ask for things to be set up a certain way. Just because they know about IT, doesn’t mean they are security experts. They are often more likely to follow the path of least resistance to help with your website, rather than making it as secure as it can be.

Sadly, there is no central resource or place we can direct you to for exact step-by-step instructions for performing these security changes. However, the more common platforms and software (such as WordPress, Joomla, Squarespace, Wix) have large communities online that tend to provide guides and help docs. When in doubt, do what any techie would do and Google it. At the end of all of this, your website will be a bit higher up the tree of website security and less likely to get attacked due to common and easy-to-find weaknesses.

resources
  • WPMU DEV’s guide to remote access for WordPress (using SSH) and how it can be set up (the details may vary depending on hosting provider and setup)

  • Squarespace’s developer mode allows you to use FTP or Git to edit the template files that your website is built on

Securing Business Accounts and Devices

42 minutes, 3 links

🚀 As explained by Erica

Your email and website are the most important parts of your technology, regardless of what your business does. The rest of the technology in your toolkit will vary depending on the context of what you do.

To help get you thinking of the tools and other accounts you need to secure, think through these scenarios and note the ones that apply to you.
