Coming from an IT background, way back in the late 1990’s I was trained to perform basic server security checks. Despite the fact that in digital marketing we are often confronted with web security issues, I rarely felt the need to revive this old skillset, as I believed website security was not my problem. Over the years my thinking has evolved, and I’ve come to realise that online security is something we as digital marketers need to take an active interest in. We need to be able to advise clients on best practices to ensure their websites are as secure as they can be.

The evolution of my perspective can be traced back to several occurrences where hacked websites resulted in dramatic traffic implications. Both times a lapse in security caused a website to be manually penalised by Google. The first instance dates back to 2011 when a client website was suddenly hit by a manual penalty. We were baffled until we discovered that a previous domain this client had used, and which still 301-redirected to the current site, had been compromised and now served cloaked redirects to Googlebot. The second instance was a recent one, and I wrote about it in detail right here on State of Digital.

Both these events have a lot in common: a hacker injected malware to serve specific content to Googlebot for the purpose of SEO spam, which was quickly detected and interpreted by Google as attempts at cloaking. Both resulted in manual Google penalties, which were fortunately lifted in short order once we filed the appropriate reconsideration requests. The key lesson is a simple one: don’t rely on Google to accurately detect malware. A hacked website can have devastating repercussions: stolen information, compromised databases, or the entire site de-indexed from Google. As such, I believe every SEO worth their salt needs to take some measure of ownership of site security. If a client has resources in place that look after web security, great. But this is rarely the case.
Most clients will never even consider website security as an issue that needs to be addressed. And many SEOs and digital marketers also see it as a remote concern that’s not part of their remit. We need to change this. We need to get informed about web security, and advise our clients on appropriate actions. This is, in my opinion, not optional. For many of you, web security concerns are far outside your comfort zone. That’s okay, don’t worry. I’m going to give you some tools and methods for performing basic website security checks, and point you towards further resources that can help you develop your skillset and come to grips with the rudimentary basics of online security.
Phases of a Hack
First we need to have a rudimentary understanding of how hackers operate. A typical hacking attempt will have five distinct phases:
- Reconnaissance: in this phase the hacker will gather as much information as possible about the website.
- Scanning: the hacker will attempt to find weaknesses in the site by scanning for vulnerabilities.
- Gaining Access: exploiting a weakness, the hacker will attempt to gain access to the site.
- Maintaining Access: once access has been achieved, the hacker will ensure they’ll be able to keep coming back to the site.
- Covering Tracks: the hacker will try to cover their tracks and ensure they remain undetected.
Explaining how to defend yourself from all phases of a hack is beyond the scope of this article – not to mention beyond the scope of my limited skills and knowledge – so in this post I’ll focus on the first two phases: Reconnaissance and Scanning. I’ll show you a few methods that hackers – and you – can use to gather information about a website and spot potential vulnerabilities that can be exploited. The best defence against hacks is to make these initial phases difficult; leaving as little information as possible out there about your website and IT infrastructure, so that hackers will have a hard time finding ways to get in. This will discourage the average hacker and prevent the vast majority of website hacks.
Server & CMS Versions
The first basic reconnaissance most hackers will start with is finding out what software your website runs on. Software is continuously updated to patch security vulnerabilities, so if your website runs on an outdated version of a particular platform, this will make life much easier for any hacker wanting to get in. This is arguably also the easiest piece of information to uncover – there are many different ways in which you can find out what software a website runs on. I use a plugin called Wappalyzer that shows me exactly what software a site I’m visiting is using. You can also use an online scanner like WhatWeb or BuiltWith to find out what software powers any given website.

When you’ve gathered this information, you should check what the latest version of these software packages is. If your website uses the latest version, that’s fine. But if you run on an older version of a given software package, it would be wise to check if there have been any serious security vulnerabilities patched in the versions between yours and the most recent one. In my example, my website runs on the newest version of WordPress, but the PHP version is out of date. Updating to a newer PHP version is, however, not a simple task, as it’s likely to cause my entire site to stop working. PHP is a bit of a bugger anyway, as there are many different forks of the software available, and a higher version number is by no means an indication of a ‘better’ version.
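The same check the article describes, done against your own site’s response rather than through a browser plugin, as an added example (not code from the original post). The sample headers and HTML are constructed, and LATEST_KNOWN holds placeholder version numbers you would replace with each vendor’s current release; the function reports every version string the response discloses and whether it lags the known latest.

```python
"""Check which software versions a site's own HTTP response gives away.
Added example for this article, not part of the original post. The response below
is constructed sample data; LATEST_KNOWN holds placeholder version numbers that
you would replace with each vendor's current release."""
import re
from html.parser import HTMLParser

# Constructed sample response, as a server might return it.
SAMPLE_HEADERS = {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/5.6.40"}
SAMPLE_HTML = ('<html><head><meta name="generator" content="WordPress 6.4.3">'
               '</head><body></body></html>')
# Placeholder "latest" versions (NOT real data): fill in from vendor release notes.
LATEST_KNOWN = {"apache": "2.4.99", "php": "8.3.0", "wordpress": "6.4.3"}
# Matches "Product/1.2.3" or "Product 1.2.3" in a header value or generator string.
_VERSION_RE = re.compile(r"([A-Za-z][\w.-]*?)[/ ]v?(\d+(?:\.\d+)+)")


class _GeneratorParser(HTMLParser):
    """Collect the content of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def _vtuple(version):
    return tuple(int(part) for part in version.split("."))


def disclosed_software(headers, html):
    """Return [(product, version, outdated)] for each version the response leaks."""
    sources = [headers.get("Server", ""), headers.get("X-Powered-By", "")]
    parser = _GeneratorParser()
    parser.feed(html)
    sources.extend(parser.generators)
    findings = []
    for text in sources:
        for product, version in _VERSION_RE.findall(text):
            name = product.lower()
            latest = LATEST_KNOWN.get(name)
            outdated = latest is not None and _vtuple(version) < _vtuple(latest)
            findings.append((name, version, outdated))
    return findings


if __name__ == "__main__":
    for name, version, outdated in disclosed_software(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{name} {version}: {'OUTDATED' if outdated else 'current'}")
```

Anything this reports is visible to every visitor, so the fix is twofold: update what is out of date, and stop the server and CMS from announcing version numbers at all.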
Small websites often reside on shared hosting servers. This means the website is hosted on a server that also hosts multiple other websites. As a result, your website’s security is only as good as the most poorly secured website on that shared hosting server; if hackers can get into one website, they are likely to access the entire server and compromise all websites hosted on it. To find out if your site is hosted on a shared server, you can use a tool like SpyOnWeb. Just input your website’s domain, and you’ll quickly get an overview of all other domains that are associated with that IP address. If these are domains that aren’t yours, your website is part of a shared hosting server. Simply put, shared hosting is like putting your website’s security in the hands of the least capable webmaster that shares this hosting with you. For me, it’s not a risk I’m willing to take. Dedicated hosting is the way to go, so if your site is mission-critical and sits on a shared hosting environment, you need to get that migrated to a dedicated server as soon as possible.
As the most used content management system on the web, WordPress is a prime target for hackers. Chances are at least one of your websites will run on WordPress. Therefore it’s crucial you know how to perform some basic security checks on WordPress sites and can advise your clients about best practices to minimise their risk of being hacked. First of all, the vast majority of WordPress hacks are the result of websites still using standard usernames. If your WordPress site’s main administrator username is ‘admin’, you run a huge risk right there, so make sure you change the administrator account’s username. Another best practice is to change your WordPress site’s login URL. The standard URL is always /wp-login.php, which will be the default URL used by automated vulnerability scanners. So by changing the standard login URL, you reduce your security risk substantially. The best way to approach WordPress security is to use a plugin like WordFence or Sucuri to help secure your website. These plugins have all kinds of features that will make your WordPress site more secure, so install one of them and work your way through the settings to ensure your WordPress site has at least some basic security features enabled.
If your website doesn’t run on WordPress, that doesn’t mean it won’t get targeted by hackers. Even when you’re using a custom platform that is entirely proprietary, you can still get hacked if you don’t follow basic security best practices. For example, it’s relatively straightforward to find your website’s login URL, which will give a hacker a prime target to focus on. Often a website will have the back-end login folder blocked in the site’s robots.txt, for example:
User-agent: *
Disallow: /admin/login.php
As a website’s robots.txt is a publicly viewable file, this is a bit like broadcasting your login folder to any potential miscreant that wants to force their way into your website. Even when you don’t advertise your login URL in your robots.txt, a simple Google query can still provide a hacker with that information. By performing a ‘site:’ search for URLs with ‘login’ or ‘admin’ in them, a hacker can easily find any login page that has been indexed by Google. So make sure your robots.txt doesn’t give away your login URL, and serve ‘noindex’ robots meta tags on login pages to prevent them from being inadvertently indexed by Google.
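A small audit of the two points above, as an added example (not code from the original post): it lists the back-end-looking paths a robots.txt advertises and then checks whether each of those pages is served with a noindex directive, either in an X-Robots-Tag header or a robots meta tag. The robots.txt and page responses are constructed sample data; in practice you would fetch them from your own site.

```python
"""Audit robots.txt for advertised back-end paths and check that those pages carry
a noindex directive. Added example, not from the original article; the robots.txt
and page responses below are constructed sample data."""
import re

SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/login.php
Disallow: /images/
Disallow: /wp-admin/
"""
# Constructed responses for the disallowed paths: path -> (headers, html body).
SAMPLE_PAGES = {
    "/admin/login.php": ({}, "<html><head><title>Log in</title></head></html>"),
    "/wp-admin/": ({"X-Robots-Tag": "noindex, nofollow"}, "<html></html>"),
}
# Path fragments that usually point at back-end or sensitive resources.
SENSITIVE = re.compile(r"admin|login|backup|config|\.sql|\.log", re.I)


def disallowed_paths(robots_txt):
    """Return every non-empty Disallow value, comments stripped, in file order."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                paths.append(value)
    return paths


def has_noindex(headers, html):
    """True if the X-Robots-Tag header or a <meta name="robots"> tag says noindex."""
    if "noindex" in headers.get("X-Robots-Tag", "").lower():
        return True
    return any(re.search(r"name=[\"']?robots", m, re.I) and "noindex" in m.lower()
               for m in re.findall(r"<meta\b[^>]*>", html, re.I))


def audit(robots_txt, pages):
    """Map each sensitive-looking Disallow path to a status string."""
    report = {}
    for path in disallowed_paths(robots_txt):
        if not SENSITIVE.search(path):
            continue
        resp = pages.get(path)
        if resp is None:
            report[path] = "advertised, page not checked"
        elif has_noindex(*resp):
            report[path] = "advertised but noindex"
        else:
            report[path] = "advertised+indexable"
    return report
```

The status to act on is "advertised+indexable": the path is both broadcast in robots.txt and, because the Disallow stops Google from seeing any noindex on the page itself, can still end up in the index via links.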
In addition to finding login URLs, there’s a whole range of Google queries you can use to find out a lot of interesting things about a website, such as indexed PDF and Office documents, SQL error messages (indicating possible SQL vulnerabilities that can be exploited), log files that have been left on the server for Google to index, configuration files, etc. The Pentest-Tools.com website has a whole section on ‘Google Hacking’ that generates these Google queries. Make sure you subject your website to every single one of these queries. If you can find potential issues using these Google searches, a hacker can too. In addition to the Google Hacking query generator, Pentest-Tools.com also has a range of other free and paid tools that you can use to gather all kinds of useful information, such as a domain’s active subdomains, open TCP ports, SSL vulnerabilities, etc.
Speaking of SSL vulnerabilities, with all the hoo-ha about switching to HTTPS it’s easy to forget that not all SSL certificates are equal. Many of the cheapest SSL certificates may, on the surface of things, give you that coveted ‘secure’ lock in the browser address bar, but that doesn’t mean it’s actually in any way effective at protecting your website. Recently there have been a few scares around vulnerabilities in SSL, specifically the Heartbleed and DROWN issues. It pays to invest in a higher grade SSL certificate that is up to date and has no known vulnerabilities. I like to use the SSL Labs tool to test the quality of SSL certificates installed on a website, and I always aim for a grade A. Make sure you re-test your SSL certificate regularly, as new vulnerabilities are discovered and added to the test, so you stay up to date with the safety of your website’s HTTPS implementation.
So far we’ve mainly covered basic online web security aspects that will discourage script-kiddies and most automated hacking tools. However, a dedicated hacker will not be so easily brushed off, and there might be many more vulnerabilities hidden in your website. One of the oldest and most popular tools to find website vulnerabilities is the Nikto web scanner. This tool is freely available and will test a website against thousands of known issues and vulnerabilities. You can download and install Nikto yourself. It’ll run on most PCs, as long as you have Perl installed, though it’s most often used on Unix/Linux boxes. It’s a command-line tool which allows you to test a website against a huge array of issues and discover all kinds of information about the site. If you’re not comfortable with the command line, don’t worry – there are plenty of online tools available that will run a Nikto scan for you, such as Pentest-Tools.com and HackerTarget.com. You can use Nikto’s output to find out if your website is vulnerable to known issues and unpatched exploits.
Down The Rabbit Hole
The above is just a very basic introduction to finding some very common security issues on a website. Cyber security is a hugely complicated field with many different sub-specialities, of which web security is just one. When it comes to learning more about website security, nothing beats talking to real experts on the topic. Chances are there’s a regular cyber security meetup or event nearby where you can make connections. Don’t be afraid to ask questions; that’s the best way to learn. Personally I’ve found local Northern Irish cyber security folks (with Belfast being a bit of a focal point of cyber security businesses in Europe) who attended the recent BelSec meetup to be very friendly and happy to answer questions – though the free flow of beer might have helped. 🙂 You can also keep an eye on OWASP to keep up to date with goings-on in your area. Find your local OWASP chapter and sign up to their mailing list to get notified of new events. SEO has always been about embracing change and adapting to different requirements. This is one of those moments. And who knows, you might actually enjoy it.