During the pandemic lockdowns, many businesses went from office work to an at-home workforce. Studies show that a huge uptick in cyber-attacks started in 2020 after pandemic lockdowns, which means that more attackers were scanning and searching for exploits on web servers. A web server with poor security controls, outdated software, misconfigurations, and overall lack of administration could be subject to numerous cyber-attacks and exploits.
The increase in cyber-attacks has spilled over into 2021, and the attacks continue to be more sophisticated. For a small business owner or administrator responsible for enterprise sites, it’s a full-time job to consistently stay ahead of cyber-attackers. But even with sophisticated attacks, you can secure your site in 2021 with a few best practices and basic configurations. Keep on reading our article to stay on top of website hosting security.How to keep Your Website Secure in 2021:
- Find a Reliable Hosting Provider
- Know What a Phishing Attack Looks Like
- Install SSL/TLS Certificates
- Keep Software Updated
- Frequent Backups and Retention Plan
- Use a Secure Password Policy
- Moderate Content and Comments
- Use Anti-Malware Software
- Download Your Checklist
- Recommended Articles
Find a Reliable Hosting Provider
The first step in website hosting with strong security is finding a hosting provider that takes security of their servers and your site seriously. Hosting a website on a third-party server requires implicit trust from customers - and providers must implement the right tools and cyber-defenses to protect user assets. A data breach due to poor website hosting security could mean the end of user trust and a loss of revenue and brand reputation.
For businesses searching for a reliable and secure hosting provider, we have a list of partners to help you find one that’s right for you. A good hosting provider empowers its webmasters with tools and monitoring software that protects their sites from malware and other vulnerabilities.
Know What a Phishing Attack Looks Like
One of the biggest threats to businesses, individuals, and governments is phishing attacks. Threat actors who create sophisticated phishing campaigns can gain access to website accounts, servers, and other critical customer assets.
In early 2020, Google announced that it blocked 18 million Coronavirus emails a day. In 2021, threat actors changed their strategy to target users looking for vaccine information. Sophisticated attacks leverage fear and urgency, and the pandemic was the perfect storm for a strategic phishing campaign to steal user data and authentication credentials.
An attacker’s goals with a phishing campaign could be simple identity theft or targeted credential theft. For an administrator and website owner, credential theft can lead to much more damaging attacks such as data theft, malware injection, and account takeover. If a server administrator falls for a phishing attack, it could give threat actors full control of the server hosting customer sites.
Phishing emails can be blocked using filters, but any messages capable of bypassing filters are a real threat to data security. The general rule is to never open attachments with macros or executable files, and never authenticate into a web page after clicking a link in email. Instead, type the site domain into a browser and authenticate from there.
Install SSL/TLS Certificates
Man-in-the-middle (MitM) attacks are a threat to website users and their data privacy. Any users browsing websites from public Wi-Fi are vulnerable to MitM attacks if the right precautions are not set up on your website. Although SSL/TLS does not completely protect from cyber-attackers on public Wi-Fi, it adds a layer of security.
When users open your website, an SSL/TLS certificate facilitates the transfer of the symmetric key used to decrypt traffic from the user’s browser to your site. The encrypted traffic protects users on public Wi-Fi or other insecure networks from eavesdropping. If you have an eCommerce site or any applications that ask for user payments via credit card numbers, you need SSL/TLS installed to stay compliant with various regulations. This makes SSL/TLS not only important for website hosting security but also compliance requirements.
Keep Software Updated
After phishing, outdated software is the second most common issue that affects sites on the internet. This includes software installed by website owners or administrators on the host server. Tools such as Shodan can be used to scan the internet for outdated software. Any outdated software with vulnerabilities can be exploited. Studies show that 95% of websites use outdated software with vulnerabilities, so it’s a concern for most webmasters and server administrators.
Even if webmasters are aware of outdated software running on their servers, it’s often seen as an innocuous issue that doesn’t require much attention. Updating software can also cause bugs, so webmasters must test it on their current sites. Although it might seem like a minor issue, outdated software can cause critical data breaches across the entire server. One way to detect outdated software and determine if it poses any threats to data security is to run monitoring software on the server that detects it and automatically updates software. For example, WordPress can be automatically updated when developers release patches and new versions.
Frequent Backups and Retention Plan
Every good disaster recovery plan includes backups. The retention duration depends on the business and the amount of data that can be lost before it critically affects continuity, but most backup plans include a specific timeframe for retention.
Backups can be used to recover after a critical cybersecurity incident. For example, if a threat actor is successful in installing ransomware on the server, it will be impossible to get data back without backups. At least one copy of your backups should be kept off-site or in the cloud to add a layer of security from ransomware that seeks out important files on a network drive or local storage and encrypts them.
Use a Secure Password Policy
Poor passwords are easy to brute-force. Passwords should be protected at all times and never shared with other users. Website owners, unfamiliar with the ways passwords can be brute-forced could create one with dictionary terms or using private information. Using private information such as your child’s name and birth date are easily guessable.
To combat brute-force attacks, users should be encouraged to create passwords with at least eight characters, upper and lowercase letters, numbers and special characters using random words that don’t link to private names and birth dates. To lower the window of opportunity if a password is stolen, users should be forced to change their password frequently (e.g., every 30 days).
Moderate Content and Comments
User-generated content is great for search engine traffic and engaging users, but this content can also be filled with malicious links and malware. This malicious content poses a threat to webmasters. Webmasters should frequently review user-generated content to identify and delete any malicious content.
One option for content moderation is to lock comments unless you review them first, or install software that detects malicious content. For example, if a user submits malicious links in a WordPress comment, then the software would quarantine it until you review it and approve/delete the content.
Use Anti-Malware Software
Sophisticated threats aim to take over a web server or a targeted website. Server takeover can be done in a variety of ways, but malware is one method that can be completely undetectable by server administrators. The longer malware can run on the server, the longer an attacker has to exfiltrate data or take over server resources.
To combat malware, anti-malware software should run on the server and detect malicious executable files and block them from running. You can use a Linux server antivirus application that will quarantine and block malware from being uploaded by users or installed using other exploit techniques, or use a Linux malware scanner to ensure that files on the web server are free from malicious content.
Because many businesses went digital during Covid19 lockdowns, sophisticated malware and other exploits were developed to take advantage of webmasters unaware of the many methods available to attackers for data exfiltration and account takeover. Using these website hosting security tips and anti-malware software on the web server, many of these attacks can be prevented and blocked from becoming critical data breaches.
- 17 ways to improve your cPanel security
- Top 10 Web Hosting Security Best Practices
- What are steps to secure a Linux server?
- Top 15 Plesk Server Security Best Practices
- Ultimate Guide for DirectAdmin Security from Security Experts