The best ways to secure your website from cyber attacks
October is Cybersecurity Awareness Month, marking 20 years since the campaign began. While big security advancements have been made over the years, cyber attacks are unfortunately more common and sophisticated today than ever before.
For context, in 2022 there were around 2.39 million cases of cyber crime across UK businesses. More recently, in August 2023, the largest-ever Distributed Denial of Service (DDoS) attack attempted to take down Google, Amazon and Cloudflare. Luckily, the attack was stopped, but had it succeeded it would have caused an unimaginable amount of damage.
Attacks like this emphasise why you must prioritise your company’s website security, especially if your site generates a lot of revenue. Failing to do so could seriously hurt your business: you could lose significant amounts of money (both revenue and legal fees) and damage your brand’s authority and reputation. The stakes really have never been higher.
In this blog, I’ll share the most effective ways to protect your website from cyber attacks, explain what a DDoS attack is and set out steps to mitigate the risk.
There’s also a cyber security glossary here, to help you familiarise yourself with key terms along the way.
What is a DDoS attack?
A DDoS attack is one of the most common types of cyber attack that can be launched against your website. Generally, the attacker floods your web server with a huge volume of requests until the server collapses under the load and your site goes offline.
This is exactly what Google, Amazon Web Services (AWS) and Cloudflare all recently survived. This particular DDoS attack was launched by a relatively small botnet using a new ‘Rapid Reset’ technique, which exploited a flaw in the widely used HTTP/2 protocol and left each company’s web servers exposed.
The scale of this attack was unprecedented: it lasted just two minutes and peaked at 398 million requests per second (rps). That’s more requests than the total number of article views Wikipedia received in the whole of September 2023. What’s more, the largest attack was seven and a half times larger than the previous record-breaking DDoS attack, a mere 46 million rps back in June 2022.
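To show how the server side can spot the Rapid Reset pattern described above, here is an added example (not code from the original post or from any of the companies named) that runs a per-connection cancellation-rate check over a constructed HTTP/2 frame log; the `Frame` class, the threshold values and the sample connections are all assumptions made for this illustration.

```python
"""Flag HTTP/2 connections that cancel streams at an abusive rate.

A Rapid Reset client opens a request stream (HEADERS) and cancels it at once
(RST_STREAM), over and over, so it never hits the server's concurrent-stream
limit while the server still pays the cost of starting each request. The
defence is to count cancellations per connection and drop any connection
that resets streams faster than legitimate clients ever do.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float        # seconds since the log started (constructed)
    conn: str        # connection identifier (constructed)
    kind: str        # "HEADERS" or "RST_STREAM"
    stream_id: int


def find_abusive_connections(frames, max_resets=10, window=1.0):
    """Return the set of connection ids that send more than `max_resets`
    RST_STREAM frames inside any `window`-second span. The threshold values
    are assumptions for this example, not figures from any vendor."""
    recent = defaultdict(deque)   # conn -> timestamps of recent resets
    flagged = set()
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.kind != "RST_STREAM":
            continue
        q = recent[f.conn]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > max_resets:
            flagged.add(f.conn)           # a real server would send GOAWAY here
    return flagged


def constructed_log():
    """A normal browser that cancels one image load, plus a Rapid Reset
    client that opens and cancels 200 streams in a tenth of a second."""
    frames = [Frame(0.0, "browser", "HEADERS", 1),
              Frame(0.2, "browser", "HEADERS", 3),
              Frame(0.3, "browser", "RST_STREAM", 3)]
    for i in range(200):
        sid = 2 * i + 1                  # client streams use odd ids
        frames.append(Frame(i * 0.0005, "bot", "HEADERS", sid))
        frames.append(Frame(i * 0.0005 + 0.0001, "bot", "RST_STREAM", sid))
    return frames


if __name__ == "__main__":
    print(find_abusive_connections(constructed_log()))   # {'bot'}
```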
How do I protect my company’s website from cyber attacks?
There are plenty of ways to reduce the risk of your website being attacked. The best measures depend on your network infrastructure and platform, because each has different considerations and some are more exposed than others.
For example, if your website is powered by a popular web application such as WordPress or Magento, you’re unfortunately at greater risk of being targeted. These platforms power millions of potentially unpatched websites, so an exploit that works against one of them is far more valuable to an attacker.
However, there are steps you can take, regardless of platform, to add an extra layer of security to your company’s website. Here are four effective ways to protect your website and mitigate the risk of being attacked.
Use Cloudflare
One of the best ways to add extra security to your website is to manage your DNS through Cloudflare. If you choose the “proxied” option, Cloudflare sits between the internet and your server, recognising and blocking malicious traffic, caching your site and hiding personal data, among many other security features. The best news is that Cloudflare is free, with the option of upgrading for more features if you need them.
Cloudflare protects against the vulnerability that made the DDoS attack mentioned earlier possible. That’s why no websites using Cloudflare were impacted by the attack, and why implementing Cloudflare is one of the first things we do when we onboard a client.
Keep everything up to date
💻Website platform
Let’s go back to basics. Your website runs on software, and like your phone’s operating system or an Xbox game, it needs regular updates. Updates often contain critical bug fixes or security patches that close vulnerabilities before they can be exploited, so apply them promptly and don’t ignore update notifications.
It’s not just your main website platform that needs security updates either. Third-party plugins, modules and extensions, as well as your server’s operating system and services, can also have vulnerabilities, so it’s important to keep them updated and manage them properly.
🔥Antivirus, malware protection and firewalls
Install trusted antivirus and malware protection software on your computer or laptop. These don’t just keep your device safe, they protect your website too.
Without them, you’re vulnerable to many things including ‘keylogging’. This is malicious software that records everything you type, including passwords and personal data. If you fall victim, hackers could gain access to any of your online accounts, including your website.
Similarly, have effective firewall software (or hardware in your company’s network infrastructure) set up and running smoothly. This monitors and blocks potentially malicious requests being sent or received by your computer, or other network devices.
Firewalls typically exist as part of your website’s hosting infrastructure too. One particularly useful type is a Web Application Firewall (WAF), which specifically inspects HTTP(S) traffic. As I mentioned earlier, Cloudflare offers one for proxied traffic. WAFs are becoming increasingly common because they offer targeted protection, often with rulesets that are application specific, for example blocking known exploits aimed at WordPress or Magento, or at web servers such as Apache.
Limit and secure website access
Compromised user accounts are the number one cause of cyber security issues. To prevent this, ensure strong security measures for logging into your website’s CMS. After all, this is where highly sensitive information is stored such as customer contact details, so if a bad actor gains access, the potential implications are enormous.
Here are a few ways to improve your website’s admin security:
❌Don’t share logins
Give everyone who needs access to your website’s admin panel their own account. This ensures you can see who is doing what in your application. Noticed that order 820316 was refunded, but not sure why? You can ask Geoff from Sales, rather than seeing only that the action was performed by ‘Admin’.
Also, assign each user the correct account type or role by implementing the principle of least privilege (PoLP). This means only giving a user the ability to do what they need to do. If someone doesn’t need to create other users or create discount codes, don’t allow them to.
🔐Enforce strong passwords
Always use a minimum password length of 12 characters and a mixture of uppercase, lowercase, numbers and symbols. Avoid dictionary words and any personal information such as names and significant dates. Don’t use the same password across multiple accounts, and set your passwords up to expire regularly. Browsers like Google Chrome typically offer a password manager that suggests strong passwords and stores them on a per-site basis. Use these to make password management much easier.
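As an added example (not code from the original post), here is a small Python check that turns the policy above into something a CMS could run when a user sets a password; the `password_problems` function name, the word list and the personal details are constructed for this illustration, and a real deployment would use a large dictionary or breached-password list instead.

```python
"""Check a candidate password against the policy described in the post:
at least 12 characters, upper- and lower-case letters, digits and symbols,
no dictionary words and no personal details such as names or dates."""
import re
import string

# Constructed stand-in for a dictionary / breached-password list.
COMMON_WORDS = ("password", "welcome", "liverpool", "summer", "admin")


def password_problems(pw, personal_details=()):
    """Return a list of policy violations; an empty list means the password
    passes. `personal_details` are strings the user must not embed, such as
    their name or significant dates."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    problems += [f"no {name} character" for name, ok in classes.items() if not ok]

    lowered = pw.lower()
    # Undo the usual digit/symbol substitutions (P@ssw0rd -> password) so
    # dictionary words hidden by "leetspeak" are still caught.
    normalised = lowered.translate(str.maketrans("013457@$!", "oleastasi"))
    for word in COMMON_WORDS:
        if word in lowered or word in normalised:
            problems.append(f"contains dictionary word '{word}'")

    for detail in personal_details:
        d = detail.lower().replace(" ", "")
        if len(d) >= 3 and d in lowered.replace(" ", ""):
            problems.append(f"contains personal detail '{detail}'")

    # Heuristic for "significant dates": any four-digit year from 1900-2099.
    if re.search(r"(19|20)\d{2}", pw):
        problems.append("contains a four-digit year")
    return problems


if __name__ == "__main__":
    print(password_problems("P@ssw0rd2023", ["Geoff"]))
    print(password_problems("Trellis-Marmalade-Kettle7Q", ["Geoff", "1984"]))
```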
📱Two-factor authentication (2FA)
More and more web applications offer the ability to enable 2FA, so if you can, set it up. This requires an additional step on login, usually clicking an email link or entering a code sent to your phone. Without this additional step, authentication fails, so even if your password is compromised, your account is still protected.
Backups, backups, backups
No matter how careful you are with cyber security, having a good backup and disaster recovery plan is always important. Ask yourself: how critical is my data? What would it cost my business if I lost data or my website went offline because of a cyber attack? If the answers fill you with dread and you don’t have a backup plan in place, now is the time to make one.
💡How do back-ups work?
Nowadays, website infrastructure tends to be virtual or cloud-based rather than physical boxes sitting in data centres. This means it is spread across a range of hardware and software, often with redundant copies in different regions. Physical hardware failure was once the most important reason to back up your data, but this is less true than it once was.
However, regular off-server and off-network backups are an essential way to protect against attacks. Track your site’s application code in a trusted code repository, and back up transactional data, such as databases and user-uploaded files, as frequently as their importance dictates. If your server and infrastructure are compromised, having this copy will enable you to recover quickly – even if that means changing your server or wider infrastructure.
Summary
Website cyber security is complex, and specific advice is not possible without knowing your business’s infrastructure. Updating software, using a WAF, setting strong user permissions and making backups are important, but they are just the basics.
That’s why we highly recommend having a web maintenance plan, either with your in-house IT team or a maintenance contract with an external agency. This way, your website’s security is kept up to date and you have people constantly monitoring for potential threats and fixing issues fast. Without this, the potential for hugely costly data breaches is all too real.
Cyber security glossary
Antivirus: A software program designed to detect, prevent, and remove malicious software (malware) from computer systems to protect them from security threats.
Bad actor: An individual or entity that engages in unethical, malicious, or harmful actions, in this case in the context of cybersecurity.
DNS: The Domain Name System (DNS) translates human-readable domain names (e.g. reckless.agency) into numerical IP addresses (e.g. 192.0.2.1). This enables computers to locate and communicate with each other on the internet.
Firewall: A security barrier that filters and controls network traffic to protect against unauthorised access and security threats.
HTTP/2 protocol: An improved web protocol that makes web pages load faster by allowing multiple requests and responses to happen simultaneously on a single connection.
Malware: Any software intentionally designed to cause harm, steal data, or disrupt computer systems and networks.
Security patching: The process of applying updates or fixes to software, operating systems, or applications to address known vulnerabilities and enhance security.
Software: A set of instructions and programs that enable a computer or other device to perform specific tasks, processes, or functions.
Web app: A software program or application that is accessed and operated through a web browser and provides various interactive functions or services to users.
A bit about Reckless
We’re an e-commerce digital marketing agency in Liverpool, Chester and Manchester. We support brands with custom website builds and maintenance, bespoke software development, paid media, SEO and online marketplaces. If you need support with website maintenance and cyber security, drop us a message in the form below. We’d love to chat ☕