Published: 15 November 2016

Improving website security: three simple tips

If you’ve never been the victim of a website hack, you’re very lucky. It’s not a very nice experience and it can be costly.

The Information Commissioner's Office (ICO) has the power to levy hefty fines against charities for website hacks leading to data breaches. Many charity websites run on content management systems (CMS). Here are three ways you can easily improve the security of your website and reduce the risk of being hacked. 

1. Strengthen your CMS passwords

Most hacking is done by people running freely available software, using quite crude ideas and techniques. One of these techniques is called brute force hacking. 

This technique often involves filling in the user name and password fields on a website’s login page. The user names and passwords come from huge dictionary files and are usually combinations like this:

admin – password
administrator – password1
manager – letmein
editor – january1
editor – february2

The hacker loads thousands of URLs into the program then lets it run. Later they come back to see if any of the attacks were successful. If you’re using CMS passwords that are simple to guess, it’s only a matter of time before the wrong person gets in and starts poking around your data.
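A brute force run of the kind described above leaves an obvious trace in the web server's access log: one address submitting the login form over and over. The following is an added example, not code from the original post, that flags such sources in Apache-style log lines; the log lines are constructed for the example, and the rule that a login POST answered with a 200 is a failed attempt (both CMSs redisplay the form on failure and redirect on success) is the assumption it rests on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache-style access-log lines standing in for a real log.
# One source (203.0.113.5) hammers the WordPress login form; one editor
# (198.51.100.7) mistypes once and then logs in to a Drupal site.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Nov/2016:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [15/Nov/2016:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [15/Nov/2016:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [15/Nov/2016:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [15/Nov/2016:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [15/Nov/2016:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.9 - - [15/Nov/2016:09:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [15/Nov/2016:09:05:00 +0000] "POST /user/login HTTP/1.1" 200 5120
198.51.100.7 - - [15/Nov/2016:09:05:10 +0000] "POST /user/login HTTP/1.1" 302 0
"""

# Login form paths for WordPress and Drupal.
LOGIN_PATHS = {"/wp-login.php", "/user/login"}

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one log line into (ip, timestamp, method, path, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]          # drop any query string
    return m["ip"], when, m["method"], path, int(m["status"])


def failed_login_attempts(log_text):
    """Timestamps of failed login submissions, keyed by source address.

    Assumption: a POST to the login form that comes back as 200 is a failure
    (the form was redisplayed); a successful login redirects with a 3xx.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, method, path, status = parsed
        if method == "POST" and path in LOGIN_PATHS and status == 200:
            attempts[ip].append(when)
    return attempts


def flag_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_failures} for addresses that made at least `threshold`
    failed attempts inside any sliding window of length `window`."""
    flagged = {}
    for ip, times in failed_login_attempts(log_text).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login attempts within 10 minutes")
```

The access log does not record which user name was tried, so an attack spread across many addresses against one account is invisible here; that needs application-level logging (Drupal's watchdog log, or a login-logging plugin on WordPress) and the login throttling both CMSs can apply per account.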

Strengthening your CMS passwords is the first step to better website security. To help you with this, you might want to consider adding a password strength module or plugin to your site that forces users to enter hard to guess passwords. Modules for Drupal and plugins for WordPress are readily available.
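What a password strength module actually enforces is a small set of rules applied when a user sets a password. The following is an added example of such a policy in Python, not code from any Drupal module or WordPress plugin; the minimum length of 12, the three character classes, the word list and the substitution table are all assumptions chosen for the example. It goes a step beyond a plain dictionary lookup by undoing the common "letter for symbol" swaps and trailing digits that the dictionary files already cover, so `P@ssw0rd2016!` is rejected as a variant of `password`.

```python
import re

# Constructed stand-in for the dictionary files the post describes.
COMMON_PASSWORDS = {
    "password", "password1", "letmein", "january1", "february2",
    "admin", "welcome", "qwerty", "summer", "charity",
}

# Letter-for-symbol substitutions that attack dictionaries already include.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "7": "t"})

MIN_LENGTH = 12       # assumed policy values
MIN_CLASSES = 3


def candidate_forms(password):
    """The plain words a password is probably built from: lower-cased, with
    trailing digits/symbols stripped and leet substitutions undone."""
    lowered = password.lower()
    forms = {lowered, re.sub(r"[^a-z]+$", "", lowered)}
    forms |= {f.translate(LEET) for f in list(forms)}
    return {f for f in forms if f}


def character_classes(password):
    """Count of lower, upper, digit and symbol classes present."""
    return sum(bool(re.search(p, password))
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def check_password(password, username):
    """Return the list of policy failures; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if candidate_forms(password) & COMMON_PASSWORDS:
        problems.append("based on a commonly guessed password")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    return problems


if __name__ == "__main__":
    for user, pw in [("editor", "letmein"), ("manager", "P@ssw0rd2016!"),
                     ("administrator", "Administrator99!"),
                     ("admin", "Correct-Horse-Battery-42")]:
        print(f"{user}/{pw}: {check_password(pw, user) or 'accepted'}")
```

A real deployment would check against a much larger breached-password list rather than the ten words here, and would run the same rules on existing accounts at next login, since the forgotten `editor – january1` account is the one the dictionary will hit.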

2. Keep track of your websites

Strengthening the passwords for your website is a great start, but do you know how many websites you actually have? Did you have a microsite developed for an event back in 2012? Did somebody build a test site for you in 2010? Are these websites still online? Does anybody even know?

These “forgotten about” websites can pose a real threat to security because of something called pivoting. Pivoting is the act of hacking one system simply to gain access to another system.

Microsites – even though they have a different domain name than your organisational website – often sit on the same server and sometimes in the same directory. If a microsite is forgotten about, it becomes less secure over time because it’s not being updated.

It usually doesn’t take much for a hacker to break into an insecure microsite and then pivot into the main organisational website where all the juicy stuff is. If you suspect you have some forgotten websites hanging around, log into your domain registrar. Are there any domain names that you’ve forgotten about or never even knew existed? If so, try to access that domain in a web browser and see what happens. If you’re taken to a live website that you no longer need, you should probably think about having that site decommissioned and shut down.
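The registrar check described above can be done for a whole list of domains at once, and the same pass can show which of them share a server with the main site, which is where the pivoting risk sits. The following is an added example, not part of the original post: `probe` resolves a domain and makes one HTTP request, `classify` turns the results into a plain verdict, and `shared_hosts` lists domains resolving to the same address as the main site. The domains and addresses in `SAMPLE_RESULTS` are constructed (reserved example names) so the logic can be exercised without network access; the verdict wording is the example's own.

```python
import socket
import urllib.error
import urllib.request
from collections import defaultdict


def probe(domain, timeout=5):
    """Resolve a domain and make one HTTP request to it.
    Returns (ip, http_status); either may be None."""
    try:
        ip = socket.gethostbyname(domain)
    except socket.gaierror:
        return None, None
    try:
        with urllib.request.urlopen(f"http://{domain}/", timeout=timeout) as resp:
            return ip, resp.status
    except urllib.error.HTTPError as err:      # server answered with an error code
        return ip, err.code
    except (urllib.error.URLError, OSError):    # nothing listening, timeout, etc.
        return ip, None


def verdict(ip, status):
    """One-line assessment of a probe result."""
    if ip is None:
        return "not resolving: registered but pointing nowhere; let it lapse or park it"
    if status is None:
        return "resolves but no web server answered; check what else is on that host"
    if 200 <= status < 400:
        return "live website: confirm who owns it or decommission it"
    return f"web server answered with HTTP {status}: still a live server to patch"


def classify(results):
    """results: {domain: (ip, status)} -> {domain: verdict}."""
    return {d: verdict(ip, status) for d, (ip, status) in results.items()}


def shared_hosts(results, main_domain):
    """Domains that resolve to the same address as the main site.
    A neglected site here is a pivot point into the main one."""
    by_ip = defaultdict(list)
    for d, (ip, _) in results.items():
        if ip:
            by_ip[ip].append(d)
    main_ip = results.get(main_domain, (None, None))[0]
    return sorted(d for d in by_ip.get(main_ip, []) if d != main_domain)


def inventory(domains):
    """Probe every domain from the registrar export (needs network access)."""
    return {d: probe(d) for d in domains}


# Constructed probe results using reserved example names and addresses.
SAMPLE_RESULTS = {
    "example.org": ("192.0.2.10", 200),               # the main site
    "event2012.example.org": ("192.0.2.10", 200),     # microsite on the same host
    "test.example.net": ("198.51.100.20", 403),       # old test site, still serving
    "old-campaign.example.com": (None, None),         # registered, no DNS
}

if __name__ == "__main__":
    for domain, text in classify(SAMPLE_RESULTS).items():
        print(f"{domain}: {text}")
    print("sharing a host with example.org:",
          shared_hosts(SAMPLE_RESULTS, "example.org"))
```

For a real run, feed `inventory` the domain list exported from the registrar and pass its output to `classify` and `shared_hosts`; a 403 or 500 is still a live server running old code, not a dead site.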

3. Apply security updates regularly

CMS websites are not foolproof. They are prone to security threats simply due to the nature of how they work. Drupal has had its problems and WordPress can be alarmingly vulnerable.

Here’s why.

Do you remember the last time you uploaded a new image into your CMS? Maybe in a blog post?

How did the CMS know what you were trying to do was a safe operation and not malicious? How did it know that the image wasn’t instead a script designed to harvest browser cookies of site users, for example? It knows because of various checks performed in the code that runs the CMS.

Your CMS performs hundreds of checks all the time, ensuring what’s input into your website is safe. It works well. But what happens when somebody finds a type of malicious input that isn’t currently being checked for? A security update is created and released. Here’s the list of WordPress security updates and the same for Drupal security updates.
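To make the image-upload checks concrete, here is an added example in Python of the kind of validation a CMS runs on an uploaded file; it is not code from Drupal or WordPress, and the extension lists, magic-byte table and script markers are the example's own choices. Each `if` is one check. The last one, rejecting a file that starts like a valid GIF but carries PHP after the header, is the sort of check that gets added as a security update once somebody finds that the earlier checks let such a file through.

```python
import os

ALLOWED_IMAGE_TYPES = {"jpg", "jpeg", "png", "gif"}

# Extensions a web server might hand to an interpreter. A file name carrying
# one anywhere (photo.php.jpg) is rejected, not only when it comes last.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "pl", "cgi", "py", "sh"}

# Leading bytes that identify each accepted image format.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Byte sequences that have no business inside an image file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_image_upload(filename, data):
    """Return (accepted, reason) for an uploaded file name and its bytes."""
    name = os.path.basename(filename)          # ignore any directory part
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no file extension"
    ext = parts[-1]
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, "extension not allowed"
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        return False, "executable extension in file name"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match a {ext} file"
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "script markers inside image data"
    return True, "ok"


# Constructed sample files: minimal headers with filler, plus files that each
# trip one check (the embedded PHP is a harmless echo).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 32
GIF_WITH_SCRIPT = b"GIF89a\x01\x00\x01\x00" + b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    samples = [("photo.png", PNG_BYTES), ("shell.php", PNG_BYTES),
               ("photo.php.jpg", JPEG_BYTES), ("photo.jpg", b"<?php echo 1; ?>"),
               ("banner.gif", GIF_WITH_SCRIPT)]
    for name, content in samples:
        print(name, validate_image_upload(name, content))
```

Checks like these sit alongside server configuration: Drupal, for instance, writes an `.htaccess` into its files directory that stops the web server executing PHP there, so even a file that slips past every check is served as data rather than run.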

If your site runs on Drupal or WordPress, you may have seen messages telling you your site needs security updates. It means there are new checks to add to the code that runs your website. If you are seeing security update messages, you should try to have them applied as soon as you can; and keep having them applied on a regular basis to stay safe.

The people I work with whose websites have been hacked tell me they were aware of the security improvements they could make – they just never got around to implementing them. Until they got hacked, of course. By addressing these three things, you’ll very quickly and drastically improve your websites’ security and reduce the risk of your site being hacked.


Peter Brady, Drupal developer, freelance

Peter is a freelance Drupal developer. He specialises in rescuing ex-agency Drupal sites when the developments have either slowed down or simply stalled. He has worked with many charities including Comic Relief, Build Africa and IFES, and has provided technical review services for the Packt Publishing Drupal series.