This year has been a big year for publicised security vulnerabilities in websites and servers all around the world. The emphasis is on ‘publicised’ because we have had a flurry of flaws covered in a big way by the mainstream media, with memorable names like Heartbleed, Shellshock and POODLE. But the real situation is that website and server security is a daily, even hourly, battle against new threats being exploited.
The three vulnerabilities mentioned above were among the most serious, with many thousands of websites and servers being attacked:
- Heartbleed: A bug in OpenSSL, the encryption library that is a key component of web security on millions of servers and websites. A flaw in its TLS ‘heartbeat’ feature let an attacker read chunks of a server’s memory, which risked the compromise of important security data (including the server’s private key) that could unlock some or potentially all encrypted information flowing between a server and
- Shellshock: A bug in Bash, the command shell found on most Linux and Unix servers, which allowed attackers to execute arbitrary commands on a vulnerable server simply by sending it a specially crafted request. In other words, sensitive information could be taken from websites, servers could be recruited into ‘botnets’ (networks of compromised machines used to attack other servers around the world or to send spam), or servers could have their data wiped and websites defaced or deleted.
- POODLE: Yes, it does stand for something (Padding Oracle On Downgraded Legacy Encryption). This vulnerability was connected with the way security negotiations took place between, for example, web browsers and web servers when one side appeared not to support everything the other side could. An attacker sitting between the two could force a fallback from TLS (the current, more secure protocol) to the older SSL 3.0 and then exploit a weakness in SSL 3.0 itself to decrypt pieces of the traffic, such as login cookies. The fix is simply not to offer SSL 3.0 at all.
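As an added example (not from the original article, and not the hosting company’s own tooling), here is a small POSIX shell script that performs two of the checks a server admin would want after reading the list above: whether the local bash is still vulnerable to Shellshock, and whether an nginx or Apache configuration file still offers SSL 3.0, which POODLE depends on. The sample config files it writes are constructed for the demo; it assumes `bash`, `sed`, `grep`, `tr` and `mktemp` are available, and it audits one config file at a time.

```shell
#!/bin/sh
# Added example, not the hosting company's tooling. Two offline checks for the
# flaws discussed above. Assumes a POSIX sh, with bash present for the
# Shellshock probe. The config snippets written below are constructed samples.

# --- Shellshock ---------------------------------------------------------------
# Vulnerable bash kept parsing an exported function definition past its closing
# brace, so the trailing command ran whenever a child bash started. A patched
# bash treats the variable as plain text. Returns 0 = patched, 1 = vulnerable,
# 2 = no bash on this machine.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    probe=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$probe" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# --- POODLE -------------------------------------------------------------------
# Checks nginx `ssl_protocols` and Apache `SSLProtocol` lines in one file.
# Apache's `all -SSLv3` disables SSLv3 even though the word "all" is present,
# while a bare `all` (or an explicit SSLv3 token) still offers it.
# Returns 0 if SSLv3 is still offered, 1 if it is not.
ssl3_offered() {
    # Strip comments and semicolons, collapse whitespace, lowercase, then keep
    # only the protocol directives. `|| true` keeps set -e quiet on no match.
    directives=$(sed 's/#.*//; s/;//g; s/[[:space:]][[:space:]]*/ /g' "$1" |
                 tr 'A-Z' 'a-z' |
                 grep -E '^ ?(ssl_protocols|sslprotocol) ' || true)
    offered=1
    while read -r _directive protocols; do
        [ -n "$_directive" ] || continue
        case " $protocols " in
            *" -sslv3 "*)          ;;            # Apache: explicitly removed
            *" sslv3 "*|*" all "*) offered=0 ;;  # listed, or Apache "all"
        esac
    done <<EOF
$directives
EOF
    return $offered
}

# Constructed sample configs (not from any real server) so the check runs
# offline. Prints the directory they were written to.
write_samples() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/nginx-weak.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # still offers SSL 3.0
}
EOF
    cat > "$sample_dir/nginx-fixed.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;   # SSL 3.0 no longer offered
}
EOF
    cat > "$sample_dir/apache-weak.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    # "all" includes SSLv3 on Apache builds of that era
    SSLProtocol all
</VirtualHost>
EOF
    cat > "$sample_dir/apache-fixed.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    # the usual POODLE fix for Apache
    SSLProtocol all -SSLv3
</VirtualHost>
EOF
    printf '%s\n' "$sample_dir"
}

# Run both checks and print a one-line verdict per item.
report() {
    shellshock_check && rc=0 || rc=$?
    case $rc in
        0) echo "bash: patched against Shellshock" ;;
        1) echo "bash: VULNERABLE to Shellshock, update bash now" ;;
        *) echo "bash: not installed, Shellshock check skipped" ;;
    esac
    dir=$(write_samples)
    for f in "$dir"/*.conf; do
        if ssl3_offered "$f"; then echo "$(basename "$f"): SSLv3 still offered (POODLE)"
        else echo "$(basename "$f"): SSLv3 disabled"; fi
    done
    rm -r "$dir"
}

report
```

The Shellshock probe is the widely published one-liner: on an unpatched bash the `echo VULNERABLE` trailer runs before `echo probe` does. The config audit is deliberately conservative: it only reads the file you point it at, so includes and per-vhost overrides need checking separately, and a version-number check is no substitute for it because many distributions backport fixes without changing the version.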
So, those are some vulnerabilities that could broadly be summarised as being linked to the servers that run websites. What about the websites themselves?
Well, there have been a number of vulnerabilities discovered this year in content management systems (CMS) and e-commerce platforms. These are the pieces of software that may be running your website and online shop. Some have been very serious and have led to websites being compromised – and in some cases the whole server containing the vulnerable website(s).
Timing is everything
Of course, at some point details of a flaw come to light. Hopefully this is after the patches (the code changes that fix the flaws) have been released and people have had time to install them. But sometimes a vulnerability is being exploited within minutes or hours of its becoming public, and sometimes before a fix even exists, let alone before people have installed it.
What do we do about security?
Well, we are constantly being proactive and monitoring the latest security announcements. Our servers are regularly updated when patches to vulnerabilities are released. We’re also always looking for and implementing other ways to bolster security to counter emerging threats. We won’t say any more than that.
What do you need to do?
Passwords
It’s absolutely vital that you keep all your passwords secure. Make each one long – length does more for you than any mix of characters – and use a combination of upper case, lower case, symbols and numbers wherever possible. Use a different password for each different thing, so that one leaked password doesn’t unlock everything else; a password manager makes this practical. Change a password promptly if you have any reason to think it has been exposed. Don’t choose something easy to guess, something that people could work out about you, or anything common. And don’t use ‘password’ as your password! There are other important tips to follow.
In the context of this blog article, it’s particularly important that you apply this to your web presence. You will have passwords for secure file transfer, your website content management system, your hosting control panel and email. Plus perhaps others too. Make sure you maintain rock-solid, ultra-strong password discipline.
Also, think – what information have you stored on your own computer, tablet, smartphone etc that can help people get access to your web presence? Home computers and smartphones get hacked too.
Your website’s software
Websites mainly run on pieces of software, like a content management system, e-commerce platform, your host’s site builder, etc, and these should be kept updated at all times in order to be as protected as possible. If your website’s software has a facility to let you know when updates are available, use it (but don’t rely on it – check for yourself too). If not, then make sure you keep an eye on the website of the software creators (and the sites of add-on modules), for updates. Make sure you follow all instructions to install software updates and protect your website more generally. Some systems can auto-update components, but in many cases not everything is covered.
Unfortunately, this can be more technically complex than it is on your own computer, tablet or smartphone, where you might just get prompted to ‘install update’. In many cases, updates need to be installed manually, following a number of technical steps, and then your site must be thoroughly checked to ensure that the issue in question has been fixed and nothing else has been affected as a result of the update.
If this all seems a bit too technical for you, or if you have more important (or interesting) things to do with your life, then we offer a great service where we proactively monitor the software on your website for any security patches, bug fixes or feature improvement updates that are released, and fully install and test them for you. Prices start from just £14.99 per month and you can just ‘pay and forget’ – we’ll take care of all the updates for you, so you can get on with running your business. You don’t have to have your website hosted with us, to benefit from this great service.
You can find out more on our Website Maintenance page.
Nothing in this field can ever be 100% secure, 100% of the time – it’s about minimising the risks as much as possible – and everyone has their part to play.