We are currently accepting projects from 4th of July.
If you have a project in mind, please get in touch using your preferred method of contact.
Loudon Design Ltd
@29studios, 84 Miller Street,
Glasgow, G1 1DT
Live Chat Online
Working with great companies around the world and across time-zones.
I have carried out security fixes and patching for some of the highest turnover businesses online today, fixed countless compromised websites and even secured a WordPress website (one of the most hacked platforms) for the UKMOD.
Website Security is about balancing/mitigating risk. I take my web design projects seriously. I ensure they are built in a manner that accounts for the type of risks a client will be exposed to. This article has been built around the common mistakes I look out for.
If you are a business owner please ensure you never take security lightly. The damage that can be done once someone is on the inside of your website or server can be devastating.
I am currently in the process of making a product that reviews a website’s security, as part of an overall website health check. If you suspect your website is open to risk feel free to contact me. I won’t charge you for looking at it, a couple of quick tests could indicate if you’re open to attack.
Research any articles on hacking and security and you will soon learn that “human” error is the number one area of security that gets exploited.
This happens for a few reasons:
In the future all websites are likely to sit on HTTPS:// which is a secured protocol better suited to protecting your website from getting scammed or exploited.
You might have seen an SSL certificate and not realised it, many of the most well-known brands will be on https://. One way to tell is in the web address itself. The other common way people look out for security is to see if there is a padlock present.
Clicking that padlock (most likely something you’ve not noticed you could click on until now) allows you to view “Details” about the security of the website. It should lead you to a page that looks like this:
If you shop online or have personal details being placed on a social network or ecommerce store that does not have these in place then stop and use another store.
Hackers use a tool called a “listener” that sits between you as a user and the websites hosting. It can read credit cards, names, passwords, and other sensitive information as it’s being typed into the website.
HTTPS:// prevents this from happening which is why it has become a trusted standard for online stores and payment gateways worldwide. To setup SSL/HTTPS:// you will require an SSL certificate which you can find cheaply here: https://cheapsslsecurity.co.uk/ and also a dedicated IP address for the secured address.
Website Security Tip: Don’t allow your users to get exploited, if you take card details or sensitive information on your website ensure that you have an SSL Certificate and HTTPS:// address.
I used to work a lot with the public sector. One of the best clients I ever worked for was the UKMod. Not from a design or project standpoint but from what I learnt about security. This was the first time I had to pass a “Penetration Test (PEN)” which is a scan that goes over the website and looks for ways it could be exploited.
If you have ever used a WordPress template or know people that do, you will have likely also heard the horror stories. While WordPress drives 25% of the world’s websites it is also one of the most heavily exploited services within the CMS space.
Now you might wonder, how exactly does a hacker know what version you are running?
If you asked that then you are thinking along the right lines.
Your WordPress website is a tattle tail, it reports in various locations what version you are running. The RSS feed, the WordPress header, the default post and the default plugins. In order to protect yourself, it is best practice to remove these “tells” from the PHP template files.
How do you know you have got them all?
Go to http://builtwith.com/ and type in your URL, regardless of what you run as a CMS if BuiltWith can tell what your running then hackers can. If you run Loudon Design through BuiltWith you will notice it can’t detect what I use http://builtwith.com/loudondesign.com
That’s not some fancy trickery that’s me actively removing a risk from my website. I know what CMS I use, I have no reason to share if my sites not fully up-to-date. This buys me additional time and allows for me to have an extra layer of protection.
Website Security Tip: Remove the versions and CMS declaration from your website. Test with builtwith.com for free in order to see if you caught them all.
The admin path is the page you log in with to get into the CMS. Step one would be getting this page at a minimum behind https:// but even if you have it there you can protect yourself further by changing the path.
Let’s take a look at what we know. These three links would be the URLS used if I had the site running Joomla, WordPress or Drupal.
Knowing where the admin is located gives yet another tell towards which system you are using.
www.loudondesign.com/wp-admin is what my website was built with however I manually moved it to increase the security of the website.
www.loudondesign.com/192168001 Offers a lot more security in this regard (not actually what I use). If you set this page up to not be crawled by google and have it sitting on a memorable phrase or number you will cut down attempts at breaching your website.
I remember watching a documentary on car theft. The ex-criminal had stated that they would steal cars that had the wheels aligned parallel to the kerb. Rather than the cars that had the wheels turned in towards the kerb. That might not be obvious to people like you and me who do not make a business of stealing cars, to them it was simple.
When you steal things, you want to go for the easy target. Anything you can do to make it a little harder protects you by a huge amount more than leaving everything as default.
Website Security Tip: Move your admin URL, and set up your robots/metatext to prevent search engines from indexing the new path.
How many admin accounts do you think are called admin or [email protected]? I don’t know the numbers, however, this is how the majority of CMS systems are configured.
This is where the security risk comes in. If I know your username I am already way ahead of the game when it comes to getting into your website. If I get into your email I can reset your password just with the username. So what you want to do is use a random email address not info@ and then delete “admin” as a user from the backend of the CMS.
You can change it to something more complex for example: admin-192168001 if you wanted, but never leave this as default.
Website Security Tip: Don’t leave your admin username as admin, do not use your company email info@ as your admin account, or your own business email. These details are too easy to get hold of. Better to make it different so that it’s harder to guess or obtain.
Most agencies, freelancers and amateur web designers make the mistake of disabling rather than deleting. WordPress comes with some default plugins already sitting ready to be used. If you do not use a plugin then remove it.
Why remove the plugins if not in use?
This was pretty surprising when I first saw it, but disabled plugins still have PHP files that can be visited on the server. They reveal the version of your website and can be used as a back door to get into the admin area of the website.
Website Security Tip: If you have something disabled you don’t think about it, however even these disabled plugins need to be fully up to date. It’s easy to add plugins so get into the habit of removing rather than disabling things.
The best plugin I have come across for security on WordPress is a plugin called “WordFence”. It will alert you to risks, and notify you by email when your website or the plugins you use are out of date.
It can feel like a pain to keep your website fully updated, but coming back from a hacked website is a much bigger headache. It only takes a few minutes a week and you just have to log in and click “update” next to the plugins it tells you.
Website Security Tip: Install Wordfence into your WordPress website, it will save you having to check things manually and will make keeping yourself safe a lot easier.
Servers are just like big hard drives, they come in various flavours some with amazing security some with the bare bones to keep them cheap. Your website needs a firewall to protect it from attack. Things like DDoS Attacks can cost businesses a lot of money. Having your website setup with a firewall and larger cache network will allow you to better mitigate those types of risks.
Security is a big deal, while I have tried to keep this article down to earth the risks of not having your website secured could cost you your full website, or irreparably damage trust with your customers. Most of the nine points listed above can be done for free as a DIY, or you can hire someone like myself to make the changes for you.
I would personally rather be helping prevent attacks happening to your website than reforming the website from the damaged remains of an exploited website. If you are unsure if your website is secure or not I would be happy to run a few tests for you. I won’t charge you for doing this. It just bothers me to see people getting hacked when it was preventable.
If you would like a more in-depth scan and reports you might be interested in a new Website Health Check service I am offering.