Between website hacks, data breaches and focus from Google on page speed/load time, it became clear in 2017 that security and performance were going to be of growing importance in the digital world. At webFEAT Complete, we’re fortunate to work with a technical/hosting team that is phenomenal at what they do. I’ve worked with them on performance-related tasks, but generally the security work is their territory. Even so, the topic of security is intriguing. I decided to sit down with our COO and Senior Network Administrator, Jeremy Maurer, to learn as much as possible about the current state of website security.
Learning from 2017, Planning for 2018
Ray Cheselka (RC): In 2017, where did the majority of vulnerabilities stem from or occur?
Jeremy Maurer (JM): The majority of vulnerabilities that I dealt with were in WordPress, primarily where a user can post something, and also out-of-date frameworks. Front-end examples include: search boxes, contact forms, blog posts, etc. Back-end examples include: out-of-date frameworks, themes and plugins. It’s really important to be sure someone is maintaining the website.
RC: Given that, do you have any predictions for security strategies that will be prevalent in 2018?
JM: I think two-factor authentication, password complexity (more numbers, acronyms) and website security in general are going to become a much bigger focus. The reason behind this is that hackers are going to look for more than just credit cards. They’re going to want names, emails, really anything that they can build information from. This is a secondary strategy for them, because hacking passwords and website security in itself is getting better and better. A tip for users: use a credential manager or keep track of passwords so you can vary them instead of using the same one for everything.
RC: Do you have an idea of what the most popular method of hacking will be this year?
JM: Attacker methods will always vary depending on the target, but given the progress of open source: CMS-driven sites, outdated plugins and the core of the CMS will be the most likely vector. Sites that are deployed and not managed will always be the most attacked.
RC: What is the best piece of advice you have to stay prepared for those who may attempt a hack?
JM: Consider your website to be an employee that cannot speak. You should interact with the admin interface and employ technologies that will help alert you of things that change or become out of the ordinary.
RC: What is your strongest recommendation for anyone with a website in 2018?
JM: Make sure you know that you can contact someone directly about your website and hosting situation. Having a knowledgeable staff on your side can help with maintenance, security and prevention of hacks. If something were to come about, you’re one phone call away from understanding the problem, and ensuring it’s resolved quickly. The last thing you want in a hacking situation is support that is hard to reach, and unfamiliar with your website.
RC: For those who have their website and hosting situation in check, or for the clients you manage, what new things will you be recommending?
JM: A few things! Less is more, which kind of ties in with SEO. Some of the current trendy ways sites are built include large images, video, etc. All of this can weigh down a website and make it slow. Speed and load have a lot to do with on-site factors, but also your hosting situation. We’ll be recommending that our clients work with us to take certain measures that will improve their websites’ performance. The internet is getting faster, and the patience of users is getting shorter. It’s important to make sure we’re being efficient.
RC: Some of the businesses that are most concerned with security are those with Ecommerce websites. Is there anything different hosting-wise that needs to be attended to?
JM: One of the most important elements with ecomm sites is what you’re using to facilitate shopping. There are a lot of ways out there to process and take orders, but it’s important to have a proven and supported platform and provider. If someone like authorize.net is processing a payment, that helps with your website efforts to add additional security. There are a lot of details associated with this, and you need to have a great support team on your side.
RC: Any other recommendations?
JM: One other thing. A lot of folks look to host with us, and realize they don’t know who the owner of their domain name is or where they’re hosted. Make sure you know this information! Otherwise, you have to chase things down, and it’s possible you could lose your domain.
Implementing Security Measures
RC: Is there anything that is easy to implement, that someone can do on their own?
JM: Honestly, this isn’t something the average person can really take care of themselves. I strongly recommend having a provider that can assist you. That being said, users can keep an eye on the plugins on their site, and make sure they only add plugins that are updated regularly, and created by a credible developer.
RC: What are some higher level items that you or a specialized hosting provider would take care of?
JM: We’d look at your network, take a look at usage, visitors, and spot abnormalities. We’d also protect you from the server side, working with firewalls and other configurations. Security used to just be protecting websites from the outside, now you have to work internally, externally, in-between, and put yourself in the shoes of a potential attacker.
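The advice above about watching the plugins on a site (only keep ones that are updated regularly, by a credible developer, and keep them current) can be turned into a routine check. The script below is an added example and is not part of the interview or of webFEAT’s tooling. It assumes an inventory in the shape that `wp plugin list --format=json` produces (name, status, version, update_version), joined with the `last_updated` date that the wordpress.org plugin info API reports; the plugin records themselves are constructed for illustration, and the one-year staleness threshold is an assumption.

```python
"""Audit a WordPress plugin inventory for out-of-date or unmaintained plugins.

Added example, not code from the interview. Input shape mirrors
`wp plugin list --format=json` joined with wordpress.org `last_updated`;
the records below are constructed, not from any real site.
"""
import json
import re
from datetime import date

# Assumption: a plugin with no release in a year is treated as unmaintained.
STALE_DAYS = 365

# Constructed sample inventory (hypothetical plugin names and versions).
CONSTRUCTED_INVENTORY = json.loads("""
[
  {"name": "example-antispam", "status": "active",   "version": "4.0.1",
   "update_version": "4.0.2", "last_updated": "2017-12-20"},
  {"name": "example-forms",    "status": "active",   "version": "4.9.2",
   "update_version": "4.9.2", "last_updated": "2017-12-07"},
  {"name": "example-gallery",  "status": "active",   "version": "1.3",
   "update_version": "1.3",   "last_updated": "2014-05-11"},
  {"name": "example-unused",   "status": "inactive", "version": "1.6",
   "update_version": "1.6",   "last_updated": "2017-10-02"}
]
""")


def parse_version(text):
    """Turn '4.9.2' into (4, 9, 2) so versions compare numerically.

    Comparing the raw strings would rank '4.10' below '4.9'; pulling out the
    digit groups avoids that. Suffixes such as '-beta' are ignored.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def audit_plugins(inventory, today, stale_days=STALE_DAYS):
    """Return (plugin, issue, detail) findings for plugins that need attention.

    Three conditions are flagged:
      * a newer version is available than the one installed;
      * the plugin's last upstream release is older than `stale_days`;
      * the plugin is installed but inactive (its code is still on disk and
        still reachable, so it should be removed rather than left disabled).
    """
    findings = []
    for plugin in inventory:
        name = plugin["name"]
        installed = parse_version(plugin["version"])
        available = parse_version(plugin["update_version"])
        if available > installed:
            findings.append((name, "update available",
                             f"{plugin['version']} -> {plugin['update_version']}"))

        age_days = (today - date.fromisoformat(plugin["last_updated"])).days
        if age_days > stale_days:
            findings.append((name, "unmaintained",
                             f"last upstream release {age_days} days ago"))

        if plugin["status"] != "active":
            findings.append((name, "inactive but installed",
                             "remove it; disabled plugin code is still reachable"))
    return findings


def audit_constructed_inventory(today=date(2018, 1, 15)):
    """Run the audit over the constructed sample as of a fixed date."""
    return audit_plugins(CONSTRUCTED_INVENTORY, today)


if __name__ == "__main__":
    for name, issue, detail in audit_constructed_inventory():
        print(f"{name}: {issue} ({detail})")
```

On a real site the inventory would come from `wp plugin list --format=json` and the `last_updated` dates from the plugin info API; the comparison logic stays the same. Running this from cron and mailing the findings gives the "employee that cannot speak" a way to report when something on the site has fallen behind.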
Phishing, Encryption and Comment Moderation
RC: We heard a lot about phishing last year. I’ve noticed it’s becoming difficult to differentiate real emails from some of the phishing emails out there. Is it possible they could become more sophisticated?
JM: I think social engineering will become more frequently used, as well as spear phishing. Spam will become a new, old problem for many IT admins as the spoofing and ways that spam can be generated have been, and are becoming, more tech savvy.
RC: HTTPS/encryption has also been a hot topic, and something Google has encouraged. Why does it make your site more secure? Is it more for consumers to feel safe, or does it have true benefits?
JM: That’s a loaded question! (laughs) The short answer for this is that it encrypts all traffic being sent between the client and the server/website. It definitely makes the consumer feel safer, but I only see true benefits of an SSL with websites where transactions are taking place.
RC: The last of the notable topics is comment moderation. What should you be careful of and how can you block spam comments?
JM: Comment moderation is a double-edged sword. Sometimes comments are good, sometimes they’re bad. Good comments can be indicative of an active, credible website, but bad comments can be a vessel for hackers. I definitely recommend moderating comments yourself and/or with something like Akismet to avoid vulnerabilities.
Network Admin Work - webFEAT Hosting
RC: As a network admin what are some recent improvements you’ve made to ramp up security, and are you planning to integrate anything else?
JM: We’ve closed ports that are not critical to functionality at the network perimeter. We more strictly monitor traffic/bandwidth, and we’ve gradually added SIEM. Soon we’ll have the ability to have unique IPs and encryption for all clients. Also, we’ll have AI-based IPS/IDS to better handle the flood of traffic, as well as adding AV at the entry point of the network.
RC: WHOA! (laughs) What separates webFEAT Hosting from a large, low-cost provider?
JM: Low-cost providers are WYSIWYG (what you see is what you get), or you get what you pay for. You generally don’t have a specific rep that is familiar with your website, they don’t maintain it, and if something comes up it could take a while to be resolved (and be costly). With webFEAT Hosting, you’ll be talking to me, Cory, or Rob. We’re always proactively monitoring your website, implementing security measures, and if something goes wrong we will resolve it quickly.
RC: As always, I learned so much from talking with you. Thank you!!! Is there anything else you think should be mentioned?
JM: A lot of people think they’re okay, and they get really comfortable in their existing situations. There has never been a more important time to double-check and be safe. Have a specialist take a look at your site to make sure everything is in check. It takes one problem to really blow things up. This isn’t something most people can do themselves! It takes a lot of trial and error, and troubleshooting to find holes (vulnerabilities). Consider it to be like a plumber finding the source of a clog. They may find part of the clog, but need to make sure the entire problem is resolved, and the plumbing line is maintained in the future. The same goes for a website, where you search for that vulnerability, eliminate it and any others completely, and then maintain it. Make sure you work with a hosting provider that keeps you safe for the long-term good of your business.
Also published on Medium.