There really is nothing more important when operating a business website than making sure it is secure from the ever-present threat of hacking. Identifying website vulnerabilities, before hackers do, is the best way to protect your business, your customers and your reputation.
At Limelight Online we take website security very seriously and pride ourselves on the robust nature of our managed hosting service. As we only host our own clients’ websites on our server, we can offer a ‘guaranteed good neighbourhood’. You never have to worry about system security issues associated with other more common shared hosting environments and can rest assured that your website is in very safe hands.
Despite this, all common Content Management Systems (CMS) are vulnerable to security exploits, so maintaining the integrity of websites and ensuring upgrades are carried out expediently is critical to the security of your website. Regardless of the CMS that your website is running on, updates to the core and any plugins/modules or themes are pushed out to all sites every week. We also back up all websites prior to updating so that we have a rollback position should anything go awry during the update process. Plus, websites are backed up daily, meaning that in the unlikely event of an exploit, recovery can be completed without loss of data.
As an added level of security, we also use intrusion prevention software that monitors inbound traffic to your website to look for any unusual behaviour such as the use of banned usernames or a high number of failed login attempts, and when triggered the software blocks the offending IP address. We block thousands of hackers from our servers every month using these tactics.
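To make the blocking rules described above concrete, here is an added example (not Limelight Online's own software or configuration) that applies them to a small constructed login log. The banned-username list, the failure threshold, the time window and the log format are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not from the page); tune them to your own traffic.
BANNED_USERNAMES = {"admin", "root", "test"}
MAX_FAILURES = 3
WINDOW = timedelta(minutes=10)

# Constructed sample log: "<ISO timestamp> <client IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 203.0.113.7 admin FAIL
2024-05-01T09:00:10 198.51.100.4 alice FAIL
2024-05-01T09:00:20 198.51.100.4 bob FAIL
2024-05-01T09:00:30 192.0.2.10 dave FAIL
2024-05-01T09:00:40 198.51.100.4 carol FAIL
2024-05-01T09:01:00 192.0.2.10 dave OK
not a log line
2024-05-01T09:08:00 192.0.2.10 dave FAIL
2024-05-01T09:15:00 192.0.2.10 dave FAIL
"""

def parse_line(line):
    """Return (timestamp, ip, username, succeeded) or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2].lower(), parts[3] == "OK"
    except ValueError:
        return None

def find_blocks(log_text):
    """Return {ip: reason} for every address the policy would block."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    blocked = {}
    for event in map(parse_line, log_text.splitlines()):
        if event is None or event[1] in blocked:
            continue                # skip malformed lines and blocked IPs
        ts, ip, user, succeeded = event
        if user in BANNED_USERNAMES:
            blocked[ip] = "banned username"
        elif not succeeded:
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > WINDOW:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= MAX_FAILURES:
                blocked[ip] = "too many failed logins"
    return blocked
```

Calling `find_blocks(SAMPLE_LOG)` blocks one address for trying a banned username and one for repeated failures, while the visitor who mistyped a password a few times over a longer period is left alone.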
On top of this, we require secure connections for all of our clients’ websites, using SSL (Secure) Certificates to protect the communications sent out by your website, essentially keeping user information private.
So, there’s no need for me to worry about a Website Security Audit then?
It’s important to remember that some websites are more prone to attack than others. For some, that’s simply by virtue of being a high-profile company, which can make your website a high-value potential target for hackers. Even if you don’t feel your company fits into this category, if you store any type of valuable customer information, proprietary information or transactional data then your website may also be a target. Hackers tend to target those websites where there is potential to do the most harm or steal the most information.
There are specialist Information Security companies who perform website security audits, including penetration testing, to identify security vulnerabilities. Typically, software is used to simulate a brute force attack, an SQL injection or a social engineering cyber-attack (a common method whereby people are manipulated to provide sensitive information). Penetration testing helps server administrators plug any weak spots and harden security. Due to our expertise and in-depth server knowledge, we have worked with a number of providers to implement recommendations for some of our high-profile client websites. We’d be happy to recommend some that we have worked with if you feel that your website would benefit from this service.
Is there anything else that can be done to secure my website from hackers?
The audits we have worked on have all recommended a higher level of security than we can offer in our standard hosting plans. As mentioned above, we make the environment as secure as we can for our clients’ websites, but for clients that do need additional security, we often recommend moving a website to a dedicated Virtual Machine (VM) to allow for customisation to meet the specific recommendations of a website security audit. These can include locking down the server access to specific IP addresses, closing unnecessary ports or implementing two-factor authentication for all users. A dedicated VM gives us the ability to implement customised security recommendations without having to consider the impact of this hardening on other users on the same server. There is always a trade-off between security and related costs, and for some it simply wouldn’t be viable or necessary to host their website on a VM; for others it gives peace of mind that they are less vulnerable to a hacking attempt that could impact business operations or compromise sensitive customer information.
Website security akin to home security
Consider the analogy of securing your home by locking your doors and windows when you go out. You may have even installed security alarms and surveillance cameras to notify you of any suspicious behaviour or of people trying to break into your home. This level of security is similar to our standard hosting, whereby all necessary steps are taken to secure your website. If you were a high-profile figure (the Prime Minister or a Hollywood actor, for instance), a security audit (penetration testing) may have identified some weaknesses in your home security. In response, you have decided to put up high walls around your home and hire a security guard to keep watch at the end of your driveway, only allowing people to visit if they have the correct credentials and are approved by you. This level of security is similar to having your website hosted on a properly configured VM whereby all intrusion attempts will be blocked by additional security. The average homeowner/website probably doesn’t need this level of security but there is a risk that their home/website could be targeted. For high-profile sites/public figures, unexpected visitors turning up is not acceptable, so they have the added security and associated costs of high walls and security guards.
Still not sure if you need a website security audit? Then feel free to give us a call today and we can let you know if we feel you meet the criteria.