How can you keep a website secure from bots and hackers

As internet usage has continued to grow year-on-year, so too has the threat of cyber-attacks across the web.

According to Cybersecurity Ventures, the cost of cyber-crime is predicted to reach $8 trillion in 2023 and grow to a further $10.5 trillion by 2025, which means that protecting your website has never been more of an essential investment for businesses.

While no protection is perfect, failing to ensure that your site has appropriate protection from attacks is taking an unnecessary risk for your business. Scripts run by cyber criminals are always on the lookout for an opportunity to exploit a website to make personal gains, and hackers are constantly coming up with new and innovative ways they can breach defences or exploit a new vulnerability to let themselves in and seize control of your website. 

Hackers and bots are generally looking for easy ways in which they can exploit your website and / or your business. It may be that they want to extort money from you by threatening to take your site down at a busy period, costing you enquiries and money. If you run a website which contains names and email addresses, such as a membership website, they may want to steal those personal customer details and sell them on the dark web, or use them directly for identity theft.

If you run an e-commerce website then you hold not only  personal customer information, such as name, email address, home address and mobile number, but you may also hold their credit or debit card details, or at the very least take those details on your site before they are transferred to a payment gateway. The opportunities to steal personal information and credit card numbers make e-commerce websites highly attractive to hackers, with the chance to sell that information on in the dark web, where criminals can use those to make fraudulent online purchases.

Another tactic used by hackers is to sell access to compromised servers, which can be used as part of a bot-net to attack other websites, or overload them with spurious traffic causing them to disappear from the internet.

They can also be used to distribute malware to visitors to your website, or to host pages promoting drugs or illegal content on behalf of third parties, taking advantage of the reputation your site has in Google to make their content more visible and earn them money (generally at the same time damaging the reputation of your site in Google and therefore reducing its visibility).

Whatever website or business you run, scripts run by hackers generally don’t discriminate – they will typically try to hack a site first and find out more about what it contains later. If they find something that could be valuable to them, it is likely that information will be stolen and sold once they succeed in hacking the website.

There are more targeted attacks that focus on particular types of business or even a single business, but if your line of business is one that is a particular target for cyber-attacks for political or economic or revenge reasons, then you probably already have strong protections in place.

A report from IBM and Ponemon Institute stated that it takes an average of 277 days for security teams to identify and contain a data breach, which is a staggering amount of time in terms of the opportunities this provides to damage your business. It is better to bolster your defences pre-emptively, than to hope that you never have to face the costs and fall-out of a data breach.

This is not to mention what a data breach could potentially do for your reputation as a business. We can’t imagine any business wanting to have to explain to customers that their privacy has been breached due to a lack of robust defences in place on your website or company computers or network, and that as a result their personal data is now in the hands of criminals and may be sold on for a variety of fraudulent uses.

Some of the other things you may have to tell your customers (as well as disclosing the breach to the Information Commissioner’s Office and potentially facing a fine) are as follows. You may need to advise them to change the passwords they use on other websites if they use the same password everywhere. You might even have to advise them to cancel their bank and credit cards and get them reissued, if there is evidence those are being used fraudulently. You may also need to warn them that they are likely to receive phishing emails or phone calls from people masquerading as their bank or as the government tax office etc. This sort of thing will leave a sour taste in the mouth of customers.

Businesses can and do come back from this sort of event, but it is better not to have it happen in the first place.

There is never any guarantee that what is put in place will successfully defend against an attack, especially a targeted one – but improving your website security is a good place to start.

Your website defences will need maintenance, as protection against these types of threats is something that needs to be monitored to ensure that it is effective. With a solid foundation and defences that are updated frequently to help respond to new and emerging threats, you at least will know you are taking appropriate steps to try to keep your website secure.

As cyber-attacks become ever more advanced and sophisticated, so too should your defences against these potential attacks, and the defences you put in place to stop them in their tracks will need to evolve. Cyber defences can take various different forms – as well as protecting the server your website is hosted on, you may need to take steps to protect any linked systems or backup servers, and the computers that staff or contractors use to update or modify your website. It is impossible to protect against every single vulnerability, but there are steps such as security endpoints, malware detection, rootkit detection and tripwire detection which can help protect against a variety of different threats.

In this article, we shall explore many ways in which you can help keep your website secure from potential bot or hacker attacks, and how these defences can be maintained once they are put in place.

Website Security Best Practice

Log-in security proctocols

• Protected user names: Ensure that you are not using a predictable user name such as ‘admin’, ‘administrator’ or even the name of the business / organisation - even the names of directors or employees who are publicly listed as working for the company are a bad idea. These make it easier for a potential hacker to gain access to modify your website, so they should be avoided. It is good practice to make all log-in names unique, and difficult to guess.
• Limited access levels: Limiting access to the different administrative areas of the site strictly to those who need that access will mean you have better control of who can make what changes to your website. If news editing credentials are obtained by a hacker, then at least that will only impact on your news area and is less likely to require disinfecting your whole website. The fewer people that have access to a website’s admin area, the less likely it is that those log-in details will leak and end up in the wrong hands. The lower their level of permissions, the less damage those credentials can do. Setting editing permissions so that staff can only carry out the work they need to (and not letting people share a log-in) is good security practice. For example, copywriters do not need to be able to update website code or edit templates. The granular limitation of permissions will give clear definition of which staff have the ability to do what on the website and helps reduce the impact of credential theft, or even potential malicious activity by a former member of staff if you forget to disable their log-in after they leave.
• Two-factor authentication: Enabling two-factor authentication (sometimes known as 2FA for short) offers a second level of security. Once the log-in details, user name and password of any registered user have been entered correctly, the system will then send a one-time code to an email account or mobile phone number associated with the specific log-in details, one that would have been set up by that user as an additional level of security when logging in to their account. This means that even if a hacker  did manage to intercept or guess your user name and password, they would still not have access to the one-time code needed to log in, halting their attempt to access your account. Enabling two-factor authentication can also tip you off that your user name and password have been compromised if you have 2FA through text messages to your phone, and you receive a 2FA code for a log-in you did not initiate; or that an account user name / email is known if you see someone attempting to reset your password.
• Passwords: Ensure that any passwords associated with the log-ins of users (especially ones with administrative access) are hard to guess, and complex (‘strong’) enough to resist being cracked by brute force. This means not using any common passwords from the ‘top passwords’ lists, for you personally not using the same email and password on different websites, and when you choose a password not using a dictionary word or standard phrase. It is best to use a selection of lower-case and upper-case letters, numbers and symbols for the highest level of protection – you will find many websites now insist that a password you choose complies with this to make it more complex. Programs deployed by bots to attempt to crack passwords will tend to try the more common passwords first, and there are publicly available lists of the most common ones used in websites that have been compromised, so these should always be avoided. Targeted attacks will try email and password combinations you have used previously on a site which was hacked and held passwords in plain text. Storing a strong password is a separate challenge – you can save a record of your password somewhere where only you can ever find it (some people save passwords in their browser), or you may prefer to use a password management system to store your passwords for you.  It is also important for websites to have protection against brute-force attacks - where a hacker tries a series of common passwords (or passwords that have been leaked from other websites that were compromised in the past).

Website security plug-ins

• Firewalls: Installing a firewall on your website (such as the one included in the Wordpress plug-in called Wordfence) is often a good idea to enhance your website defences. At server level, you can also install a ‘web application firewall’ and external CDN services like Cloudflare also offer firewalling.
• Brute-force protection: Installing brute-force protection routines such as the ones provided with both Wordfence and Stop Spammers for WordPress is recommended. These can automatically lock IP addresses or accounts out for a specified time period after users have attempted to log in from them with incorrect details a specified number of times during a specified time period. On Wordfence, five incorrect log-in attempts in 24 hours can be set to trigger a two-day lockout. This helps stop bots from trying a series of guessed passwords until they are able to log in to an account.
• And ensure your website plug-ins, modules and the version of your content managament system are all kept up to date, as well as the software running on the server - vulnerabilities are found in content management systems on a regular basis, and if your website system and the software running on the server hosting it is not updated regularly this can lead to a security vulnerability that allows a hacker to gain control. Check that backups are available in case the worst does happen, so those can be used to restore your website.

Use captchas

Installing captchas and ‘honeypot’ web-forms (invisible to real users) to intercept and block bot traffic can help prevent bots from trying to log in to your website. Cloudflare also offers some excellent anti-bot defences, with a fallback to tests to prove you are human, and we recommend trying the free version to enhance your website’s security. It also helps to defeat email address harvesters by obfuscating email addresses on your website.

Don’t use public Wi-Fi without a VPN

Ensure that precautions are taken in relation to where members of staff are logging on and accessing admin accounts or email addresses associated with them. If someone is working remotely you should ensure they only log on to the office using a VPN (Virtual Private Network). If they are using a public or potentially insecure Wi-Fi network such as one provided by an airport, Internet café, or any retail premises this is especially important -  they should not log in to any websites that don’t have an https:// address and a padlock which ensures data is being encrypted and can’t be intercepted in transit. A VPN is normally available via app or software download but you should speak to an IT professional to get proper advice on this. You ought to ensure that a VPN client is installed on any employee work laptops, and also establish similar parameters if you are outsourcing or using freelancers. This is related to the security of company or home networks – those networks are often exploited due to an old router or insecure device on the network, and again you should get an IT professional’s advice on this.

Training

• Include cyber security training in on-boarding: Your staff are another form of defence that can potentially be breached, so it makes sense to include cyber security training as part of the on-boarding process for all new employees and in regular refreshers. This can cover things like never connecting USB drives, not opening attachments unless those are verified to be legitimate, and not clicking on links in emails unless the email is expected and the link goes to a sensible address. Many ‘phishing’ emails purport to be from a known / respected organisation that the recipient has a relationship with (or a co-worker or person known to them) and many emails containing viruses purport to be emails related to invoicing / payment. Training will not only help to cover any gaps in new staff knowledge about cyber security but also bring them up to speed on your company protocols, even if they have some prior knowledge from previous work. Not all companies will need the same measures in place, it’s sensible to educate new starters on your specific procedures and make them fully aware of the company’s expectations of them with regard to protecting your business from cyber-attacks.
• Ongoing training: We’ve seen that hackers and bots really have no bounds, and that the hacks and scams they are creating are getting more sophisticated all the time. Invest not only in software to defend against these, but also in your staff. As well as initial training when they join the company, offer them regular training throughout the year as and when needed. This will keep cyber security front and centre in their mind. Scams are getting harder and harder to spot all of the time, so educate your staff on ways in which they can identify email and phishing scams and what to do if they think they have been targeted. Even with any amount of training, however, there is always the possibility that the hackers may be able to fool staff, so ensure that they also know the procedure to follow in the event that they should accidently click on something that is not legitimate.

Conclusion

We can see that there are a whole number of ways in which hackers or bots may attempt to gain unauthorised access to a website, and we’ve also covered the fall-out that can ensue following the unfortunate circumstance where a criminal does succeed in breaching website defences. That said, there are also many ways in which defences can be tightened to protect against these types of attacks. We believe it is far easier to improve and strengthen a website in order to defend it, rather than having to make amends with unhappy customers who may have had their personal details stolen.