Image submitted by Twitter user @salim_madawaki
Last week, website of popular Nigerian airline company, Aero Contractors, was the latest victim of a series of hacks committed by the Moroccan Revolution Team (M.R.T), a hacker group with alleged ties to ISIS. The website has since been restored but there are a few lessons to learn from the mistake that the development team at Aero Contractors and many other companies ignore.
Listed below are a few simple steps to protect your website from hackers.
Never ignore update notifications
This seems like the most trivial thing but most updates come with security fixes for known security holes. This applies to the server operating system or any other software you may be running on your website such as a CMS (Content Management System) or forum. If you are using a managed hosting solution, then you don’t need to worry about applying security updates for the operating system as the hosting company should take care of these updates. However, you should check with them to ensure they handle all of this. Most developers use tools like npm or Composer to manage software dependencies. They also ignore updates on these software dependencies making them more likely to fall victim to these hacks. Ensure you keep your dependencies up to date, and use tools like libraries.io to get automatic notifications when a vulnerability is announced in one of your components.
Beware of error messages
Everyone wants to make sure that the error messages they give out are extensive enough to explain the source of the error to their user, however, make sure you don’t leak secrets on your server (e.g database passwords). Don’t provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.
Use secure passwords
Your users know they should use strong, complex and secure passwords, but that doesn’t mean they always stick to this rule. Ensure that passwords user sets on your website consist of a minimum of eight characters, including a capital letter and a number. Ensuring that users stick to this rule will protect their data in the long run. This doesn’t apply only to your users. All passwords used to secure servers and all website information should follow these rules. Avoid predictable usernames & passwords like Admin, Superuser, user and so on.
HTTPS is a protocol used to provide security over the Internet. HTTPS is a combination of HTTP and SSL/TLS (Secure Sockets Layer/Transport Layer Security). It means that HTTPS is basically HTTP connection which is delivering the data secured using SSL/TLS. HTTPS guarantees that users are communicating with the right server and that nobody else can intercept or change the content they are seeing. If any part of your website requires users to upload personal data or input card information, the importance of HTTPS can not be overemphasized. An SSL certificate is important because it secures the transfer of information – such as credit cards, personal data, and contact information – between your website and the server. In July 2018, Google Chrome released a security update that alerts website visitors if their website doesn’t have an SSL certificate installed. That makes visitors more likely to bounce, even if your website doesn’t collect sensitive information. On the plus side, Google has announced that they will boost you up in the search rankings if you use HTTPS, giving this an SEO benefit too.
Aero Contractor website without an active SSL certificate.
Invest in automatic backups
Even if you follow these simple steps, there are still some risks. The worst-case scenario is that the hackers are successful and you lose everything because you didn’t back up your website. The overall cost of rebuilding your website will outweigh the cost of investing in website backups. With backups, you can be sure that you will have a recent copy of the website. You can decide to back up daily or weekly. On the off chance that you forget, invest in automatic backups. It’s a cheap way to buy peace of mind.
Toughen up access controls and network security
Your admin is the easiest way to get all the information any hacker would love to see. Change the admin username and passwords from the defaults to something harder to guess. Limit login attempts within a certain time frame and log out a user after being inactive for a reasonable amount of time. Change passwords frequently. Ensure passwords are strong and are not written down.
Hide admin pages
Ensure admin pages are not indexed by search engines, so you should use the robots_txt file to discourage search engines from listing them. If they are not indexed, it is harder for them to find. Since businesses have gone online, it is important that you take these simple precautionary steps to protect your business from hackers. If you’re not a developer, ensure that you ask the developer in charge of your project if these tips listed above have been put into consideration. These tips have been made simple enough so that non-technical persons can still understand and keep their websites protected.
Image credit: How-To Geek
As you depart from this blog post, always remember to look out for the Google Chrome warning as shown above before visiting any website. Do not ignore this message as any sensitive information could be at risk.
Assim-Ita Jemima Oluwadarasimi