Bits and Bytes: How to Shield Your Site From Online Attacks

Nobody wants to get hacked. Every week brings more articles about how to stay safe online personally, but much of that advice overlooks keeping your websites and servers secure. Sure, hundreds of security firms will sell you high-priced consulting on defending your systems against state-level attackers. However, a few simple habits will protect your sites and online presence against the vast majority of threats that real-world attackers pose to most webmasters and site operators.

As with any online service, the most important thing you can do to protect your sites is to use good passwords with your hosting providers. A hard-to-guess password is essential, but for a critical service like your hosting provider it must also be unique: never reuse your hosting password with any other service, because a breach of that other service then becomes a breach of your hosting account. If you have ever used the same password for multiple providers, check "Have I Been Pwned" or "Dehashed" to see whether your account has appeared in a data breach. "Have I Been Pwned" is an excellent, free service that aggregates the data from many breaches and makes it easy to determine whether a particular email address has been exposed. If it has, it's time to change your hosting password (and the rest of them, too)! A password manager makes keeping a unique, random password for every service painless.

Even with a unique and robust password (long, and ideally random, rather than merely sprinkled with annoying capitalization and special characters), turning on two-factor authentication considerably improves the security of your hosting accounts.

Two-factor authentication requires a second piece of information, in addition to your password, before you can log in. Even if your password is somehow compromised, an attacker also needs your second factor. We strongly recommend a second factor generated on your mobile phone by an authenticator app rather than codes sent by SMS. Why? Because an attacker can trick the phone company into moving your phone number to a SIM they control (a "SIM swap"), and from then on they receive your SMS messages. An authenticator app generates codes from a secret that lives only on the phone, so an attacker would have to steal the phone itself, an impractical hurdle for an online attack outside of a Hollywood-style "Mission Impossible" heist (but we can all dream that we are that important, can't we?). One caveat: app-generated codes can still be phished by a fake login page that relays them to the real site within their short validity window, so if your provider supports hardware security keys (FIDO2/WebAuthn), those are stronger still, because a key only answers for the genuine site's domain.

It may seem that all of these extra layers of protection are overkill (and super annoying), but remember that your web hosting account is a very high-value target. An attacker who compromises it can wreak a significant amount of havoc with your sites and data. Like a home security sign in your front yard, visible defenses push attackers toward a softer target, so the extra effort is worth it.

At MojoHost, for example, if we receive a request that seems suspicious, we proactively reach out to the customer to independently verify any significant change before acting on it. It's also a good idea to ask for a similar policy from any other providers you work with, since not all companies take a hands-on approach in the age of automation.

Beyond protecting your account with your infrastructure provider, be mindful of the internal tools that you and your tech team install on your systems: for example, a tool that collects performance data or analyzes logs to spot trends or make managing your sites easier. Every webmaster needs tools like these, but many of them receive far less security scrutiny than the software your visitors interact with. Many successful attacks start not with the public part of a website but by compromising an internal control panel or tool. Such systems are rich pickings for attackers because they often have extensive access to your systems, precisely so that they can perform in-depth management tasks or data analysis.

We recommend customers keep an inventory of all management and analysis tools and periodically check that each one is up to date, since an unpatched log viewer or control panel is an easy way in. We also recommend putting each of these tools behind the same strong login you use for your hosting account (a unique password plus two-factor authentication, or your company's single sign-on), with access limited to the owners and staff who actually need it.

Some people say that you don't need to secure these systems if your administrative URLs are hard to guess: this is awful advice. With the advent of wide-scale online crawling, you should assume that any URL, no matter how complicated, will eventually be discovered by automated bots and scanners, or will leak through a browser history, a referrer header, a log file or a link a staff member shares. A hard-to-guess URL can certainly raise the cost of attacking your systems, but it is no substitute for real security via a secure login. We've made it our policy to help set up good additional security layers on your internal systems and tools to ensure that your online services are powerfully defended.

In addition to these measures, you should also consider scanning all of your incoming requests for attacks and hiding your servers' IP addresses. A cloud-based Web Application Firewall (WAF) does both. It takes the security benefits of a firewall and moves them to remote data centers worldwide, filtering bad traffic long before it ever reaches your server.

A WAF can do the things a standard firewall can, such as blocking IP addresses or allowing access to certain parts of your site only to trusted administrators, and it also inspects the HTTP requests themselves for attack patterns such as SQL injection or cross-site scripting. Since the WAF's IP address is the one the public internet sees, your server's actual IP address is hidden.

As a result, anyone who wants to launch a DDoS attack or even scan your server does not know which address to attack. The real IP address of your server is known only to the WAF provider, and that protection alone significantly decreases the number of attacks you see. Because the WAF absorbs the junk, your servers experience lower CPU load and your website sees only the "good" traffic. One important caveat: this only holds if the origin server accepts web connections solely from the WAF provider's address ranges. Origin IPs leak through DNS history services, certificate transparency logs that reveal forgotten hostnames pointing straight at the origin, and the headers of outbound email, and an attacker who finds yours can simply connect to it directly and skip the WAF entirely. A host firewall rule that admits web traffic only from the WAF's ranges closes that gap.
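As an added example (not code from the original article or from MojoShield), the following Python shows the two checks an origin application behind a cloud WAF should make, covering both the "only trusted administrators" restriction above and the origin-bypass caveat: accept only connections whose TCP peer is in the WAF's address ranges, and honour the X-Forwarded-For header (which carries the real visitor's address) only on those connections, so that someone who connects to the origin directly cannot spoof an administrator's address to reach an IP-restricted admin area. The WAF ranges, the admin allowlist and the /admin path prefix are constructed placeholders drawn from the documentation address blocks; the real ranges come from your WAF provider's published list and must be kept current.

```python
import ipaddress
from typing import Optional

# Constructed example values: documentation ranges (RFC 5737 / RFC 3849),
# standing in for the WAF provider's published egress ranges.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:abcd::/48")
]
# Constructed allowlist of administrator source addresses for the admin area.
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("198.51.100.7/32",)]
ADMIN_PREFIX = "/admin"  # assumed location of the internal tool


def _in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)  # mixed v4/v6 simply compares False


def is_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP connection really comes from the WAF."""
    return _in_any(peer_ip, TRUSTED_PROXY_RANGES)


def real_client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Address to use for access decisions and logging.

    X-Forwarded-For is honoured only when the peer is the WAF; a client that
    reaches the origin directly can put anything in that header. With one
    trusted proxy in front of us, the rightmost entry is the address the WAF
    itself saw; anything to its left was supplied by the client and is untrusted.
    """
    if x_forwarded_for and is_trusted_proxy(peer_ip):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            try:
                return str(ipaddress.ip_address(hops[-1]))
            except ValueError:
                pass  # malformed header: fall back to the peer address
    return str(ipaddress.ip_address(peer_ip))


def request_passes_network_policy(peer_ip: str, x_forwarded_for: Optional[str], path: str) -> bool:
    """Network-layer gate to run before any login logic.

    Rejects connections that bypassed the WAF and restricts the admin area to
    allowlisted visitor addresses. A real login is still required after this;
    the allowlist is an extra layer, not a replacement for authentication.
    """
    if not is_trusted_proxy(peer_ip):
        return False  # direct hit on the origin: the WAF was bypassed
    if path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/"):
        return _in_any(real_client_ip(peer_ip, x_forwarded_for), ADMIN_ALLOWLIST)
    return True


if __name__ == "__main__":
    # Stand-alone demo: a direct connection spoofing the admin's address is refused,
    # the same address arriving via the WAF is accepted.
    print(request_passes_network_policy("192.0.2.55", "198.51.100.7", "/admin/login"))  # False
    print(request_passes_network_policy("203.0.113.10", "198.51.100.7", "/admin/login"))  # True
```

The same "is the peer really the WAF" test belongs in the host firewall as well, so that bypass attempts never reach the application at all; the application-level check is the backstop for the day a firewall rule is edited by mistake.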

However, a WAF can also do a lot more. With a distributed product (like our MojoShield), we are continually learning from the attacks seen across our network. This intelligence provides a sort of "herd immunity," where your website is protected from the newest attacks without one first having to hit you directly.

Following the three simple steps of using good passwords, enabling two-factor authentication and protecting your server via a WAF will result in a highly secure web hosting setup.

Brad Mitchell is the famed founder of MojoHost, which has won numerous XBIZ Awards for Web Host of the Year and earned many loyal clients for nearly two decades. Known for his dapper style and charismatic wit, Mitchell is a regular fixture at trade shows, where he frequently shares hard-won wisdom while striking profitable deals. Contact him at brad@mojohost.com.

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.
