You protect every office computer with an antivirus. You install firewalls to prevent unwanted access to your network. But what do you do to secure your website? And what can happen if it’s not secured?

This article is aimed at website owners who are not experts in website security or web application security – especially at small businesses. We will explain what steps you can take to build a good security policy for your website and how to avoid security threats. We’ll also talk about common misconceptions.

Let us start with a definition.

What is website security?

Website security is all the security measures that protect your website from cyberattacks made by cybercriminals.

What does website security include?

Website security involves the right procedures, the right people, as well as the right tools and applications. It often goes beyond just the website and includes web host/web server (for example, Apache/IIS/Nginx) and hosting provider security as well.

What can happen if your website security is not good enough?

If you don’t have a secure website, cybercriminals may gain access to your website and, for example:

  • Cause a data breach and steal sensitive data (for example, passwords or credit card numbers from e-commerce sites)
  • Escalate to attack your other systems (for example, to install a backdoor or ransomware)
  • Use your existing website functionality to attack others (for example, send phishing emails that include your website URL)
  • Deface your website, making you lose reputation.

Is an SSL certificate enough?

Many businesses think that installing an SSL certificate for their domain name is enough to guarantee cybersecurity. While it is important, it is definitely not enough:

  • An SSL/TLS certificate will protect your website from man-in-the-middle attacks. Nobody will be able to listen in on the communication between the web browser and your web server if the connection is secure.
  • An SSL/TLS certificate will not stop cybercriminals from exploiting a vulnerability in your website code or in your web server configuration.

Most website compromises are caused by security vulnerabilities in website code and in web server configuration.

Are strong passwords enough?

Strong passwords help you protect your sensitive areas – those that require you to log in to access functionality or information that should not be publicly available. A strong password helps you avoid both brute force and dictionary attacks. However, most computer users have a lot of misconceptions about what a strong password is – in short, length and uniqueness (no reuse in different places) are more important than special characters or regular changes.

While strong passwords are an important element of security, not just website security, we know of very few major web attacks that were caused by a weak password.

What are web vulnerabilities and where do they come from?

Web vulnerabilities are errors in the code of the website or web application. Such security issues are introduced by software developers.

These common threats let an attacker either access information that they should not have access to or let the attacker include their own malicious code. This malicious code is then run by the web server or by your website visitors.

What type of software can help your website security?

To eliminate security risks, you must be certain that the website has no vulnerabilities that cybercriminals could exploit.

The most efficient way to check for possible vulnerabilities is to use a web security scanner. Such security solutions:

  • Analyze the structure of your website very carefully to find every possible data entry point (in the case of Acunetix, it even works on very complex applications with lots of HTML5 and JavaScript)
  • Send special data to your website to see how the website code reacts to such data
  • If they find a vulnerability, they report it (in the case of Acunetix, including proof that the vulnerability is real and information on how to fix the error)

However, automated software will never be able to find every possible vulnerability. That is why it is a good idea to perform periodic penetration testing. If you do not employ security experts in-house, you can hire an external security contractor to do it.

What about web application firewalls (WAF)?

Web application firewalls are useful to protect your website until you can fix a vulnerability. A web application firewall checks the data that is being sent by users and looks for patterns that may be a sign of an attack. If such a pattern is found on the WAF blacklist, the data never reaches the server.

The problem with using WAFs is that it’s like fixing your car with duct tape. It keeps the parts together but does not fix the problem. If an attacker is smart enough and manages to send data that is not recognized by the web application firewall, but still contains malicious code, they can still attack your website.

What are SQL injections and XSS and are they a major problem?

SQL injections and cross-site scripting (XSS) are the two best-known types of vulnerabilities in websites. They have been around for a long time, more than 20 years. However, they are still present in the code of many websites and web applications. The 2021 Acunetix Web Application Vulnerability Report shows that SQL injections are still present in 7% of sites and cross-site scripting is still present in 25% of sites. There is a big chance that your website has one of those vulnerabilities.

Such vulnerabilities are common even for very big web companies like Google. For example, independent researchers used Acunetix to find an XSS vulnerability in Google and a major IT security provider, Sophos, was found to have an SQL injection.

SQL injections and XSS vulnerabilities are serious and may have severe consequences. SQL injection attacks may let the attacker access your database, and even your web hosting operating system. Cross-site scripting lets cybercriminals attack and impersonate your users.
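As an added illustration (not code from this article or from Acunetix), the two vulnerability classes above in one small Python program: a login query built by string concatenation beside its parameterized form, and a user comment rendered raw into HTML beside its output-encoded form. The users table, the account and the test inputs are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample database: one user stands in for a real application's user
# table. Passwords are kept in plaintext only to keep the demo short; a real
# site stores salted password hashes.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")


def login_vulnerable(name: str, password: str) -> bool:
    """Builds the query by string formatting: user input becomes SQL syntax."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(name: str, password: str) -> bool:
    """Parameterized query: the driver passes values separately, never as SQL."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def render_comment_vulnerable(comment: str) -> str:
    """Reflects user text straight into HTML, so a comment can carry markup."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Encodes the HTML-significant characters (<, >, &, quotes) before output."""
    return f"<p class='comment'>{html.escape(comment)}</p>"


# Constructed test inputs: the textbook tautology string and a script tag.
SQLI_INPUT = "' OR '1'='1"
XSS_INPUT = "<script>alert(1)</script>"

if __name__ == "__main__":
    print("concatenated query bypassed:", login_vulnerable("alice", SQLI_INPUT))
    print("parameterized query bypassed:", login_safe("alice", SQLI_INPUT))
    print(render_comment_vulnerable(XSS_INPUT))
    print(render_comment_safe(XSS_INPUT))
```

The vulnerable login accepts the tautology input without the password, while the parameterized version treats the same string as a literal and rejects it; the encoded comment reaches the browser as text, not as a script.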

Does malware affect websites?

Malware more often attacks desktop computers, but an attacker who compromises a website may place malicious scripts on that website. Such malicious scripts may help the cybercriminals attack the users of your website.

Professional web security scanners like Acunetix protect you from this threat, too. Acunetix downloads all scripts from the websites that it analyzes and checks them for malware. However, no software can help you with malware removal from your server – you will have to handle that manually.

How can I protect against DDoS attacks?

You cannot buy any software that will fully protect you against most DDoS (distributed denial-of-service) attacks.

Some DDoS attacks are possible because of vulnerabilities (for example, the Slowloris vulnerability). Vulnerability scanners often detect such weaknesses so that you can fix them before they are used against you.

However, most DDoS attacks, performed with tools such as Low-Orbit Ion Cannon (LOIC) or High-Orbit Ion Cannon (HOIC), are indistinguishable from regular user requests. The easiest way to protect against them is to have a very powerful server with dedicated anti-DoS solutions.

Luckily, most business websites today are hosted on such servers. Large hosting companies such as Akamai can handle so many requests that DDoS attacks are much less of a threat. They also have special mechanisms in place that protect websites.

How do I keep WordPress secure?

WordPress is the most common content management system and it is also the one that is known to have the most security problems. However, most problems with WordPress are not caused by the core software but by plugins and themes.

The most important things to keep WordPress secure are, therefore:

  • Always use the latest version of WordPress. Install software updates (especially security patches) immediately.
  • Use only necessary plugins and themes. The fewer of them you have, the more secure you are. Use only well-known plugins and themes and avoid those that are less popular.
  • Regularly scan your WordPress site with a vulnerability scanner for security validation. For example, Acunetix has many WordPress-specific checks but can also discover other generic vulnerabilities.

Note that all the above suggestions also apply if you use Joomla!, Drupal, or another CMS instead of WordPress.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.