While you’re home eating through your third tub of cheese puffs, your website is still open for your customers to connect with you. Unfortunately, it’s also a sitting duck for those who would like to break it and get at the information stored within. Clean the cheese off your fingers and let’s get to work making sure the security of your site is up to snuff. Here are a few things to check on to ensure you and your customers are safe from those who would seek to do you harm.
One of the biggest security threats to any website is third-party plugins that are not updated. The best way to protect yourself is to keep plugins updated with the latest version available. Just running updates is good, but if you have the option you should apply them in a testing environment first to make sure they don’t break anything before installing them on your public website.
Caching & WAF
Everyone wants a fast and secure website. One way of doing this is to set up a caching system with a Web Application Firewall (WAF). A cache is a system that saves portions of your website at an endpoint closer to your clients, so when your clients go to your website those bits are downloaded faster. Additionally, the WAF is able to monitor for malicious behavior and block it before it ever gets to your site. There are many services that provide this functionality, such as Akamai, Fastly and Cloudflare. Pricing depends on the service, but several of these have a free tier that allows you to start out with no financial commitment on your part.
Most malicious users are not subtle or secretive about trying to break your site. In fact, a lot of them are outright obvious about what they’re trying to do. Monitoring your site traffic is a great way to find out what malicious users are after. Google Analytics is helpful in this regard, but you’ll see the clearest picture by looking at the server access logs. If you have a cache or WAF in front of your site, its dashboard can also give you a graphical view of your traffic.
Aside from the obvious reasons to monitor traffic, there is another: many times your hosting cost is tied to your traffic. Say your hosting tier is based on you getting 10,000 visits a month, but a bot from Lithuania keeps hitting your site at a rate of around 5000 times a day. All of a sudden your site has 15 times the traffic your contract says you are allowed, and you get bumped up two tiers to make up for the difference. Paying attention to your traffic helps you avoid that situation. If you do end up getting traffic from a bot like that, how do you stop it from costing you a whole lot of money? You have a few options:
- Talk to your hosting company to make sure they’re aware of the bot and have them do what they can to stop the bot traffic. And if possible, make sure you won’t have to pay for it.
- If you have a WAF you can block that bot specifically.
- If you have access to your server:
  - You can set up rate limiting, which caps the rate at which a user (or bot in this case) can hit your site.
  - Set up blockers like fail2ban that will automatically block users that are hitting your site too aggressively.
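To make the "look at the access logs" advice above concrete, here is an added example (not code from the original post) that reads combined-format access log lines, counts requests per client, flags any client that exceeds a request threshold inside a time window (the same maxretry/findtime idea fail2ban uses), and shows which paths a flagged client keeps asking for. The log lines are constructed for this example using documentation IP ranges, and the thresholds are assumptions you would tune for your own site.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample access log in the "combined" format used by Apache and nginx.
# Not real traffic: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2020:12:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2020:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.22"
198.51.100.9 - - [10/Apr/2020:12:00:03 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "python-requests/2.22"
198.51.100.9 - - [10/Apr/2020:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.22"
203.0.113.7 - - [10/Apr/2020:12:00:05 +0000] "GET /about HTTP/1.1" 200 3310 "https://example.com/" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2020:12:00:06 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "python-requests/2.22"
198.51.100.9 - - [10/Apr/2020:12:00:07 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.22"
198.51.100.9 - - [10/Apr/2020:12:00:08 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "python-requests/2.22"
198.51.100.9 - - [10/Apr/2020:12:00:09 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "python-requests/2.22"
198.51.100.9 - - [10/Apr/2020:12:30:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "python-requests/2.22"
"""

# One combined-format line: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def requests_per_ip(entries):
    """Total hits per client address; the first thing to look at for billing surprises."""
    return Counter(e["ip"] for e in entries)


def aggressive_ips(entries, max_requests=5, window=timedelta(seconds=60)):
    """Clients that made more than max_requests inside any `window` of time.

    A sliding window over each client's sorted timestamps, the same shape as
    fail2ban's maxretry/findtime rule. Thresholds here are assumed values.
    """
    by_ip = {}
    for e in entries:
        by_ip.setdefault(e["ip"], []).append(e["time"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > max_requests:
                flagged.add(ip)
                break
    return flagged


def top_paths(entries, ip, n=3):
    """Most-requested paths for one client, which shows what it is after."""
    return Counter(e["path"] for e in entries if e["ip"] == ip).most_common(n)


def error_rate(entries, ip):
    """Share of a client's requests that got a 4xx; scanners mostly hit pages that don't exist."""
    mine = [e for e in entries if e["ip"] == ip]
    if not mine:
        return 0.0
    return sum(1 for e in mine if 400 <= e["status"] < 500) / len(mine)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("hits per client:", dict(requests_per_ip(entries)))
    for ip in sorted(aggressive_ips(entries)):
        print(f"{ip}: over threshold, 4xx rate {error_rate(entries, ip):.0%}, "
              f"top paths {top_paths(entries, ip)}")
```

On a real server you would feed this the contents of `/var/log/nginx/access.log` or Apache's `access.log` instead of the sample string, and the flagged addresses are the ones worth handing to your WAF block list or your host. The window and threshold are deliberately conservative here; a busy site behind a cache will want them set from its own baseline traffic.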
This is also a good time to review who has access to your server and how they are allowed to access it. Double check the current list of users and remove any users that do not need access. Also, think about setting up policies that limit the IP addresses that can access the server and require public key authentication or multi-factor authentication (or both). These are all great ways to keep people who shouldn’t be able to access your server from accessing it.
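As an added example (not configuration from the original post), this is what those policies look like in an OpenSSH `sshd_config` on a Linux host: a short allow list of accounts, password logins switched off in favour of public keys, and a second factor required on top of the key for anyone connecting from outside an assumed office address range. The user names and the 203.0.113.0/24 range are placeholders for this example.

```sshd_config
# Only these accounts may log in over SSH at all (placeholder names).
AllowUsers deploy admin

# Keys only: no password guessing, no empty passwords.
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
PermitRootLogin no

# Default for everyone: a public key AND a second factor (for example a PAM-backed
# one-time code delivered through keyboard-interactive).
AuthenticationMethods publickey,keyboard-interactive

# From the assumed office range (203.0.113.0/24 is a placeholder), a key alone is enough.
Match Address 203.0.113.0/24
    AuthenticationMethods publickey
```

Test a change like this from a second, already-open SSH session before closing the first one, so a typo in `AllowUsers` or the `Match` block can't lock you out of your own server.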
Security for your site requires vigilance, but if you have the right practices and policies set up it doesn’t have to be too time consuming. With the right practices, you can eat your cheese puffs with the peace of mind that your site and your clients are safe from harm.