Web site (and server) security

These are the top ten potential security holes in your site.

security camerasThese are the top ten potential security holes in your site. Your site is probably WordPress which is a major source of hacks.

OWASP recommendations

  1. SQL injection – could someone get at your database remotely? Escape your SQL!
  2. Broken auth – is your login system safe?
  3. Data exposure – is your web server locked down? -Indexes in the Apache world.
  4. XML External entities – XML can execute files. Don’t do that!
  5. Broken access control – are important files inaccessible?
  6. Security misconfiguration – is your security software properly configured
  7. XSS – has someone uploaded a malicious JS script?
  8. Using components with known vulnerabilities – keep up to date!
  9. Insufficient logging and monitoring – know what’s going in and out of your system
  10. Insecure deserialisation – be careful of the serialised data you accept

Make sure you have DDoS protection. I use Cloudflare. Is has the added bonus of running my DNS. I trust them.
Snort or equivalent. This is part of your monitoring. Snort is an IDS or Intrusion Detection System.
On WordPress use a security plugin. I use Wordfence.

Site attackers can:

  • Inject SEO spam on the page
  • Drop a backdoor to maintain access
  • Collect visitor information or credit card data
  • Run exploits on the server to escalate access level
  • Use visitors’ computers to mine cryptocurrencies
  • Store botnets command & control scripts
  • Show unwanted ads, redirect visitors to scam sites
  • Host malicious downloads
  • Launch attacks against other sites

Asset inventory and management can be taken one step further into the following subcategories:

  • Web properties
  • Web servers and infrastructure
  • Plugins, extensions, themes, and modules
  • Third-party integrations and services
  • Access points/nodes

Monitoring should be in place to verify the security state of:

  • DNS records
  • SSL certificates
  • Webserver configuration
  • Application updates
  • User access
  • File integrity – monitor file modification times of plugins and themes

A proper incident response plan includes:

  • Selecting an incident response team or person
  • Reporting of incident to review findings
  • Mitigating the event

The incident response process, as defined by NIST, is broken down into four broad phases:

  • Preparation & planning
  • Detection & analysis
  • Containment, eradication & recovery
  • Post incident activities

You can base all further actions on the following tips:

  • Restrict global access to your site (or certain areas) via GET or POST methods to minimize exposure.
  • Update directory and file permissions to ensure the read/write access is properly set.
  • Update or remove outdated software/themes/plugins.
  • Reset your passwords immediately with a strong password policy.
  • Activate 2FA/MFA wherever possible to add an extra layer of authentication.

TODO list:

  1. Update everything
  2. Have strong passwords – I use lastpass.
  3. Use a password cracker (eg. John the Ripper)
  4. Limit user access
  5. File permissions
  6. Have backups
  7. Audit server configuration files
  8. Use SSL everywhere
  9. Install scanning and monitoring tools
  10. Ensure PCs are secure
  11. Have a WAF
  12. Monitor search engine blacklists (esp. Google)

The best practices for you to have a strong password are:

  • Use a password manager,
  • Do not reuse your passwords: Every single password you have should be unique.
  • Have long passwords: Try longer than 12 characters. The longer the password is, the longer it will take a computer program to crack it.
  • Use random passwords: Password-cracking programs can guess millions of passwords in minutes if they contain words found online or in dictionaries. If you have real words in your password, it isn’t random. If you can easily speak your password, it means that it is not strong enough. Even using character replacement (i.e. replacing the letter O with the number 0) is not enough. There are several helpful password managers out there, such as LastPass (online) and KeePass 2 (offline). These tools store all your passwords in an encrypted format and can easily generate random passwords at the click of a button. Password managers make it possible to use strong passwords by taking away the work of memorizing weaker ones or jotting them down.

The principle of least privilege centers around a principle that looks to accomplish two things:

  • Using the minimal set of privileges on a system in order to perform an action
  • Granting those privileges only for the time the action is necessary

Here are the things to look for when deciding which extensions to use:

  • When the extension was last updated: If the last update was more than a year ago, it’s possible the author has stopped working on it. Use extensions that are actively being developed because it indicates that the author would at least be willing to implement a fix if security issues are discovered. Furthermore, if an extension is not supported by the author, then it may stop working if core updates cause conflicts.
  • The age of the extension and the number of installs: An extension developed by an established author that has numerous installs is more trustworthy than one with a few number of installs released by a first-time developer. Not only do experienced developers have a better idea about best security practices, but they are also far less likely to damage their reputation by inserting malicious code into their extension.
  • Legitimate and trusted sources: Download your plugins, extensions, and themes from legitimate sources. Watch out for free versions that might be pirated and infected with malware. There are some extensions whose only objective is to infect as many websites as possible with malware.

A good backup solution should fulfil the following requirements:

  • First, they have to be off site. If your backups are stored in your website’s server, they are as vulnerable to attacks as anything else in there. You should keep your backups off-site because you want your stored data to be protected from hackers and hardware failure. Storing backups on your web server is also a major security risk. These backups invariably contain unpatched versions of your CMS and extensions, giving hackers easy access to your server.
  • Second, your backups should be automatic. You do so many things every day that having to remember to backup your website might be unthinkable. Use a backup solution that can be scheduled to meet your website needs.
  • To finish, have reliable recovery. This means having backups of your backups and testing them to make sure they actually work. You will want multiple backups for redundancy. By doing this, you can recover files from a point before the hack occurred.

Here are a few best practices to add for a particular web server:

  • Prevent directory browsing: This prevents malicious users from viewing the contents of every directory on the website. Limiting the information available to attackers is always a useful security precaution. Use -Indexes in Apache.
  • Prevent image hotlinking: While this isn’t strictly a security improvement, it does prevent other websites from displaying the images hosted on your web server. If people start hotlinking images from your server, the bandwidth allowance of your hosting plan might quickly get eaten up displaying images for someone else’s site.
  • Protect sensitive files: You can set rules to protect certain files and folders. CMS configuration files are one of the most sensitive files stored on the web server as they contain the database login details in plain text. Other locations, like admin areas, can be locked down. You can also restrict PHP execution in directories that hold images or allow uploads.

Here are some free website security tools:

  • SiteCheck – Free website security check and malware scanner
  • Sucuri Load Time Tester – Check and compare website speed
  • Sucuri WordPress Security Plugin – Auditing, malware scanner, and security hardening for WordPress websites
  • Google Search Console – Security notifications and tools to measure websites search traffic and performance
  • Bing Webmaster Tools – Search engine diagnostics and security reports
  • Yandex Webmaster – Web search and security violation notifications
  • Unmaskparasites – Check pages for hidden illicit content
  • Best website security software – Comparison of paid website security services
  • Best WAF – Comparison of the best cloud-based web application firewalls
  • Netsparker – (Free community edition and trial version available). Good for testing SQL injection and XSS
  • OpenVAS – Claims to be the most advanced open source security scanner. Good for testing known vulnerabilities, currently scans over 25,000. But it can be difficult to setup and requires a OpenVAS server to be installed which only runs on *nix. OpenVAS is fork of a Nessus before it became a closed-source commercial product.
  • SecurityHeaders.io – (free online check). A tool to quickly report which security headers mentioned above (such as CSP and HSTS) a domain has enabled and correctly configured.
  • Xenotix XSS Exploit Framework – A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.