5 Simple Ways to Secure your Website or Web App
As the popularity of the internet and digital technology continues to grow, so does the importance of securing your website and web-based applications. According to Cybersecurity Ventures, the cost due to cybercrime is expected to reach $10.5 trillion USD by 2025. The potential consequences of not securing your website or web apps includes:
Experienced web and mobile developers implement a host of security measures to thwart cyberattacks. In addition, there are a number of simple security measures that can be implemented and are surprisingly effective at preventing successful hacking attempts.
- Loss of your data or vital data of your customers, leading to ...
- Loss of trust by your customers,
- Potential identity theft and other crimes suffered by your customers,
- Legal liability stemming from the lost data,
- Decreased trust placed on your app or website by your visitors or customers,
- Usage of your website by malicious hackers to do phishing attacks.
1. Don't use an obvious admin area URL
Most websites and web apps have an online access to the admin area. An admin area allows the management team to update content, view user activities, and perform other tasks related to their website or web app.
One way that a hacker may attempt to gain access to your admin area is to try to access commonly-used admin area URLs. For example, many websites powered by WordPress has admin URL at https://your-domain-name.com/wp-admin/. When a hacker gets a 200 response (i.e. an "OK, this page exists and works") from your website as he or she accesses this URL through a script, the hacker would now know that's the entry point that he or she can try to gain access to your sensitive areas.
The solution is to use a custom, hard-to-guess URL for any part of the website that should be accessible only for you and your team. For example, instead of one of these rather obvious admin URL:
you can use this URL for your admin areas:
which is "safe-area" spelled backward. In one of our web apps, we get thousands of bots trying various URLs, but we haven't seen a single one that was able to "guess" our real admin login URL. If you use Wordpress, there are plug-ins that can help you do this task without any coding. If you have a custom-made application, changing login URL should be an easy task for an experienced developer.
2. Use a strong password
As a rule, always use a strong password. When you get your new app or website, you may be provided with a default password by your developer. That might be a number sequence like "1234@@9876" or "ABCD!123". Never use the default app passwords because they can be cracked in mere seconds.
If you like to use dictionary words, use at least 3 dictionary words, and mix in uppercase, lowercase, number, and symbols. For example, the password "Password@Secure1n=5Min" will take 43 years to crack according to PasswordMonster.com.
In addition to a strong password, you may also want to use 2-factor authentication. That is when you have to verify your identity via text message or phone call when you log in from an unfamiliar device. Some content management system such as Joomla has a 2-factor authentication option. WordPress CMS has plugins that allow you to authenticate using 2-factor authentication.
The fact that easy passwords such as "Password123" can be cracked very quickly has been known for many years, but you'd be surprised how many people still use such passwords, even in a crucial business application!
3. Enable HTTPS encryption
If you see a lock icon beside your web address in the address bar of your browser, then the traffic between the user and your web server is already encrypted. The URL should start from "https://" as opposed to "http://".
HTTPS is a secure protocol that encrypts the data that is sent from the user to your server or your server to the user. Without it, it's like sending a letter without an envelope. A hacker can see the data in plain text, including your user's password.
If the HTTPS is not enabled, it could be due to several issues:
1. Your SSL certificate is expired or doesn't exist.
An SSL certificate is a digital certificate that identifies your website and encrypts the traffic. It is possible that your website doesn't have an SSL certificate installed or it has expired. Some SSL certificates require the owner to renew them annually.
If your hosting provider has a technical support, you can ask them to install one for you (you may have to purchase one). Or, your web server may come with a free SSL certificate (that's not self-signed) that you can install on your own.
2. Your SSL certificate is self-signed. A self-signed certificate should not be used in production environment. If your website is using one, switch to an SSL certificate that is signed by a third-party company such as Comodo.
3. Your SSL certificate information doesn't match the domain. This usually doesn't happen, but if it happens, it's because perhaps you changed your domain but an old SSL certificate is still being used in the web server.
In addition, it is a good idea to redirect the traffic visiting http:// addresses to the corresponding https:// addresses. This can be done by altering .htaccess file in your web server. A developer will be able to help you do this task.
4. Leave the firewall on
A firewall is a network security system that monitors and controls network traffic using security rules. It is a barrier between a trusted internal network (e.g. between your database and your web server) and untrusted external network such as the Internet.
A firewall is important because it prevents malicious traffic from entering the website. It blocks unauthorized access to parts of your web server that nobody but the site admin can have an access to.
Sometimes, a firewall may prevent a legitimate user from accessing the website or performing legitimate tasks. Then, you might be tempted to shut off the firewall. With the firewall turned off, however, your web server will be open to malicious traffic and vulnerable to unauthorized access and suspicious activities. This may lead to data theft, data loss, or even complete system compromise.
Firewall is usually turned on by default. But, if you have a reason to suspect that it has been turned off, make sure to turn it back on.
5. Restrict IP addresses that can access your website / admin area
An IP address is a numerical label of the device connected to Internet. Your IP address is unique to you because it is associated with your unique device. A website or an app "knows" your IP address when you access it (unless you are behind a proxy server or VPN).
If you have a web app that is used exclusively by your team at your office location, it might be a good idea to allow users with your office's IP address to access the app and no one else. You create a list of allowed IP addresses and if a traffic does not have an IP address in this list, it will be disallowed from accessing the website.
The benefits of restricting the IP to a few in the allowed list are:
- It prevents other devices, possibly hackers, from accessing your website or app. This method rejects any traffic with a "wrong" IP address and therefore does not allow the traffic from performing any tasks on your server, such as trying out various passwords.
- It prevents your employees or contractors from accessing your website or app from a public, potentially unsecure network such as in a cafe or in a library.
- You can prevent IP addresses from certain geographical regions from accessing your website or app.
- You can add IP addresses to your allowed list, or remove them.
You may also choose to restrict only the admin area of your website by IP address while leaving the public-facing portion of the website open to all traffic.
There are several ways to implement this measure.
- Restrict the IP addresses in the server. IP rules can be set in the configuration files of Apache server or in the web server's net security rules, for example.
- Store the allowed or disallowed IP addresses in the database and write a custom script to allow or disallow users with matching IP address.
- For some CMS such as WordPress, use a plug-in to restrict the IP address.
The disadvantage of this method is that it is cumbersome to change the IP addresses in your allowed list. Also, your users' IP addresses may change over time. For example, a blackout may reset the network device and the associated IP address. It is also possible that your own IP address may change, locking you out of your own website or web app. So, it is important to have a second way of accessing the allowed list of IP addresses without going through the web interface.
And, finally, lose the "How-can-I-be-hacked" mentality.
When it comes to internet security, the biggest obstacle might be your own mentality. People often think that security precautions are not necessary because hacking happens to large companies and governmental entities; that it happens at a faraway land. People think that their website, app, or company is "too small to be hacked".
The reality is, it doesn't matter if you just sell shirts and shoes, have a blog about dogs, or your company just has 2 employees. Hackers are looking to hack into easy targets. Both small and large websites are being hacked into successfully every day. It is important to lose the "How-can-I-be-hacked-I-am-just-a-small-company" mentality and make it as hard as you can for the hackers to gain access to your website or app.