Website Security: What You Need to Know as a Site Owner
Hacked sites. Security flaws. Lost data. Loss of trust. Lost customers. Lost revenue. Nightmare.
Just thinking about themes such as these in the media can send a shiver down your spine. It can all seem very daunting, and not just a bit scary when you start to think about it. This article aims to paint a clear picture of what you should be aware of as a site owner - where security weak points are, and strategies to avoid them.
My Website Has a Password - That Makes it Secure, Right?
Security, like the technology behind a modern website, has many facets and layers. Alas, merely password protecting your site admin screens is not enough. Having said that, I do remember, in the bad old days, being presented with a site without even that, such that anyone who guessed the admin URL could edit all the site content.
Unlike back then, security is now a serious business and needs to be treated as such.
Starting from the first point of contact and working down, the security layers are:
- Password protected user accounts
- Appropriately set permissions for user accounts
- Protected forms
- Secure file location
- Securely written site code
- Up to date site code
- Up to date server applications
- Up to date server operating system
- A secure location for your server
- Encryption for traffic to and from your site
User Accounts
It may seem obvious that a strong password is important, but alas, people don't seem to take this very seriously, as evidenced by this article from TechCrunch.
Fortunately, there are Drupal modules to help avoid chronic passwords, e.g. Password Policy and Password Strength to name but two.
A password is only half the battle, though. Drupal ships with a powerful and fine-grained permissions system that allows a site administrator to dictate what users can and cannot do. It is critical that proper attention be paid to user permissions when setting up a site or introducing new features.
Protected Forms
Following on from user account permissions, forms, e.g. content editing forms, comment forms, contact forms, should all be viewed as potential areas of attack and need to be locked down. The safest thing to do is simply restrict who has access to a form. E.g. only site editors can post new content. But in the event that other users can use forms, strategies to limit the potential for harm include: using a text filter on text inputs so that no potentially harmful tags, such as <script> can be used, or enforcing a publishing review policy that means all new content is reviewed by a trusted editor before publication. Other tags to be wary of include <img> <iframe> <object> and <embed>.
Secure File Location
If users can upload files to your server (images to go with a blog post or products in an e-commerce catalogue), you need to make sure that the directory these files are being uploaded to is secure and that web users cannot upload files there without using the proper form fields. You also need to make sure that you restrict the types of files that are allowed to be uploaded. We've seen examples where malicious scripts have ended up in the sites/default/files folder and been used to exploit the website and server.
Securely Written Site Code
Filtering text input is an important concept. Drupal filters content on display (rather than input), which means that content is passed through several functions before display to make sure that nothing harmful reaches the screen. The Drupal API has various security flavoured functions built-in such as check_plain(), filter_xss() and many more excellent sanitization functions that are available to developers.
There is also the database abstraction layer, which developers can use to avoid SQL Injection attacks and the Form API which protects against CSRF attacks.
Drupal.org also has a guide on how to write secure code.
The Drupal community puts a lot of store and effort into writing code that works and is safe to use.
The Drupal Security Team exists to work with module maintainers to resolve security issues and manage the announcement and release process.
(Note: Annertech is the only Irish Drupal agency privileged to have a member on the Drupal security team.)
Up To Date Site Code
Security issues happen. It is the nature of software to evolve; as machines get faster, new methods are developed, new protocols emerge and people have ideas. What was secure last year could well be insecure next week. This is why we need to keep on top of it.
When someone finds an issue with a Drupal module, they report it to the security team, who will work with the module maintainer to fix the flaw and plan a release. Only when the issue has been resolved and a patch has been accepted is the issue announced and a new version of the module released. Security releases are scheduled and so updates can be planned for - every Wednesday for contributed modules, every third Wednesday of the month for core releases.
Keeping your modules and Drupal core up to date with security releases is of major importance for the ongoing health of your site. Fortunately, if Annertech hosts your website, our hosting service includes all the security updates as part of the package, leaving you one less thing to worry about!
Secure Servers
Even if your site is up to date, written securely, has tight permissions and strong passwords, there are still avenues for attack by dastardly evil-doers. The server itself will have application software on it, e.g. the webserver, and an operating system, all of which will need to be kept up to date - a daunting task for those who are not familiar with the inner workings of servers. Often, many people make the mistake of renting a server without thinking of how it will be maintained, or by whom. A cunning solution is to rent a fully managed server, where the server provider undertakes to do all the maintenance for you.
Needless to say, along with covering all your site security updates, our hosting service also covers all operating system and server application updates so you can rest easy and concentrate on your own business, rather than the upkeep of your website. Our servers live very comfortably in a highly secure data centre in Dublin, so you can be sure that your site is safe.
SSL
SSL, or Secure Socket Layer (also commonly referred to as Secure HTTP - HTTPS), is a way of encrypting traffic between your web server and a client browser, so that nobody else listening in on the network can find out what information is being sent back and forth. Where once SSL was treated as a luxury for special pages, e.g. e-commerce checkout, it is becoming more and more common, with many sites opting to serve all pages over HTTPS only.
Recently Google announced that it was lending weight to sites which served all pages over SSL. If the mighty Google is using SSL as a factor in its algorithms one can only assume that this level of security is a good thing and a big deal.
Your customers - your site visitors also love to see the SSL symbol, be it a padlock, a little green shield or however your browser displays a secure connection. It instills confidence in your site and increases the chance of return visits and sales.
What to Do Now?
All that is a lot to take in, but don't worry. We're here to help. If you're not sure, we can offer a complete site security audit, and between our support service and hosting, we've got your back.
Anthony Lindsay Director of Managed Services
With decades of experience, Anthony leads the Annertech Managed Services Team, delivering top quality design, development, and, ultimately peace-of-mind services to all of Annertech's wonderful clients.