- April 16, 2018
- Posted by: nebojsa
- Category: Technical
Website Security Checklist
Having a website nowadays on the internet is not the same as it was having it a few years ago. As our technology is always developing in security, hackers are developing new skills and using exploits trying to find vulnerabilities on the other side in our systems. Therefore, we created website security checklist to keep you safe.
In this website security checklist, we will show you best ways how to secure a website and how to tell if a website is secured in the first place. You will learn how to test any website security using our security checklist.
Before we start, let’s see how can we know if we are visiting a secured website.
SSL certificate (secure sockets layer) is number one in our website security checklist. It stands for a protocol that authenticates and encrypts data that is sent between websites and users over the internet. This way data that we send between us is always safe.
Have you ever seen websites without that green padlock on URL, and your device keeps telling you that website is not secured? Have you ever thought what can happen on websites that do not have installed SSL certificate?
Website security checklist will help you in knowing if a website is secured or not, so you can stop using that website or send important data.
SSL certificate encrypts data such as passwords, names, e-mails, credit card details, and all other data you are sending between server, you, and your friends. If a website does not have SSL on it, your credit card details can be stolen in a blink of an eye.
How to Tell if a Website is Secure?
Best way to do this is to go on SSLShopper
Simply enter the name of a website you are curious about and see if they are using real SSL. If you get a report that it looks like this, you do not need to worry about anything. However, if you get a report that website is not using SSL at all, you need to stay away from it, as all your data will be open to anyone out there in the world.
Keep in mind that there are attacks hackers can execute. These attacks will force https (which is a secured encrypted protocol that SSL is using) to become http (non-secured protocol). There are ways hackers can do this and still keep that green padlock on a website telling you it is perfectly safe on the first look, but you are actually in danger. Before you make any payments using any website in the world, always check for several things:
- Check if they are using valid SSL certificate
- Perform website security scan
- Check for reviews from previous buyers
These 3 things will tell you if a website can be trusted. Always be aware that there is nothing better than a website that is using a valid SSL, has no malware detected, and has great reviews from buyers.
Our second website security checklist is about platforms that websites use. Do you know that every third website out there can be hacked in just a few minutes? Think for a second what are the chances that you visited today several
third websites. If those websites are hacked and you left important data on them so are you. So how to secure a website? Before we start, let`s see what do top website platforms businesses and individuals use today.
WordPress is the most popular platform for websites in the world. Other less popular platforms are Shopify and Joomla, following by Drupal, Magneto, and Blogger.
If we want to hack a website, the first thing we need to do is to find out what platform are they using. To do this, the best way is to try several things. By default, WordPress administrator login URL is /wp-admin. That is how webmasters access their backend to run and manage their websites. As we know, more than 60% of websites are on WordPress.
To find out if a website is using WordPress platform, simply enter after the URL /wp-admin if you get to login page one-third of your work is done. In some cases, it may happen that this will redirect you to 404 page or some other page. Try also /wp-login and /wp-login.php. All of these are ways to access admin panel on WordPress.
Next step in our website security checklist is to check for blog posts on a website. Why? Every WordPress website by default has at least 1 published post on any template they use. That post contains the name of Administrator in most scenarios. Webmasters will not change it in many cases, and if they still do, it will display in their blog posts. Now we know login page and admin username.
If their name is hidden from blog posts and you are not able to see authors, simply type in URL /?author=1; this will give you the name of the first author on a website which is always Administrator. Note that this might not work on every website due to new updates of WordPress.
Now once we have a second thing and that is username. All that we need is to setup and launch brute force attack on victim’s website. How do you launch a brute force attack and what is it actually? Brute force is sort of an attack that needs login URL and username. The rest of the job is in this script. This script will try different types of passwords until it finds the correct one. It will send thousands of different login attempts to your website trying to access it. If it returns wrong password, it will continue using other passwords, until eventually, it finds the real one. Machines can find most of your passwords in a blink of an eye.
Here are some statistics of websites attacked by brute force in 2016 [ Statistics from WordFence, top security plugin for WordPress websites]
Our fourth website security checklist is cracking passwords. This can be done using brute force and in several other ways. It depends on a lot of factors. Most passwords are not longer than 8 characters and that is something you need to change. To test how long does it take to crack 8 character password, go to Random-Ize.com
Let’s assume that we are using a password – password1
This is a 9-character password and we can see that it only takes 10 hours to crack it. What are the factors that are important to crack passwords fast? Well, it all comes down to the machine that is executing brute force attack, better the performance of device faster will password get cracked.
To execute these types of attacks, you do not need to be expert in hacking. All that you need is Kali Linux OS and Burp Suite program that will launch these types of attacks. Keep in mind that doing this is illegal and hackers who are doing this are always hiding using bot net, which are devices that were hacked previously; they are making attacks from those machines hiding their real identity. In addition, they can hide using proxies and VPN’s. Finding their identity can be impossible. Reporting this to the police, in most cases will end up with no results at all.
Let’s see what happens when we try with: Password123!
We can see that using this password we should not worry at all because nobody would survive this long to see the end result of the hacking attempt. But there is one important thing. Using generic passwords like this are most likely to be hacked within seconds. You may ask why.
Well, the whole process of doing a brute force on your website is by using previously created world list that contains all password combinations. This script is getting those passwords and trying each of them. There are word lists that are designed for these purposes and they will only contain these generic passwords. As much as we love to use the same password for all websites, that should never be done on the Internet. Best way to have strong passwords is to use a different one for each account you have online. This way, losing one of your accounts will not get other accounts in danger in most cases.
Always use a password that is different from your username and e-mail. Your password should contain upper cases, lower cases, numbers, and symbols; it should have more than 10 characters. This way, even if hackers know your login URL and admin name, they will never be able to guess your password, even if using machines.
If you think that you are safe just because you use long passwords, you are wrong. Even if hackers can’t get your password, launching brute force attack on your website will start DDoS attack (disturbed denial of service).
The best way to crash a website is DDoS attack. We rank it on position number five in our website security checklist. It is one of the most popular attacks hackers use to get websites down and disable them completely. In best case scenarios, hackers will slow down your website to get your visitors angry and make them leave and never come back because it took too long to load the page. Your competitors love doing this.
DDoS attack represents the type of attack that sends packets to your website constantly until your server gets overloaded, stops keeping up, sends everything back, and crashes. By doing brute force attacks, hackers can set up a script that can execute 500 or 10.000, or even more login attempts per second. Each attempt will send some data to your server. It will need to respond back by sending information and data. Once the server gets overloaded for long period of time, it will crash, resulting in a website that is not working anymore.
In our website security checklist, we will show you how to secure your websites from these types of attacks.
So far, in our website security checklist, we covered a lot of website security tests and we now have a better view on how to secure a website and how to tell if a website is secured.
- To find out if a website is on WordPress platform, try adding /wp-admin in URL
- If a website responds with 404, it means their website is not using that URL to login
- Go to the homepage of a website, find an image, and right click inspect element
What you want to look for is image path inside of the code. If you spot wp-content, you know that the website is using WordPress platform. To stay safe from these checks, simply rename your file in cPanel to something else. For example, Joomla platform will have /administrator to access admin login page and Shopify will have /admin.
To check if website platform is Joomla, again inspect elements on some images:
We can see that images are stored in the file called Media which is the default name for Joomla CMS. Now that we know it’s Joomla, we know few exploits to access their admin page and opposite. Same goes for Shopify and any other platform.
There are many plugins and apps that can help you secure your website to become impossible to hack or at least to make hacking it so hard that most amateur hackers will stay away from it.
The first thing that you need to do is to change your admin URL login. This way you are safe from brute force attack. Next step will be to enable captcha on login. Yes, we all hate it, but it plays huge security factor on every website. Scripts and these types of attacks can’t work on websites that require captcha. Brute force attacks are useless on these types of websites. Your visitors might find that annoying but that is a step to having secured website today.
To change your URL on WordPress, you can use the plugin called WPS Hide Login. There are also extensions for Joomla and apps for Shopify that will do the work.
Once we enable captcha, next thing is to have a firewall enabled on our website.
Many hosting companies will give you this for free with your hosting package. Make sure to enable it and keep it active always.
Limit Login Attempts + Captcha
Next step in securing your website is limiting failed login attempts. It is perfectly clear if someone makes 100 wrong login attempts that he is trying to hack into that account. If you use WordPress, you can install plugin All in One Security. With it, you can limit failed login attempts to 5-10 only. This way, if a hacker tries to hack any account on the website, their IP will get locked down for the time you enter in the plugin. You can add a day, month or even a year. If a hacker gets many proxies banned and locked, they will not be able to attack you at all.
Again, all these plugins exist on all other top website platforms. In our website security test and checklist, we cover WordPress as it is top CMS platform in the world used by many individuals and businesses.
What are the good things when it comes to cookies?
Have you ever added something to your cart on a website but you had no money to buy it that day? The next day you get your money and you log in to a website and your cart still contains that same products you wanted to buy?
Or, have you ever logged in on Facebook or Instagram without entering the password just by clicking on your profile image? Those are all cookies and websites are using them to identify you and make your life easier. Imagine that you have to login every time you visit Facebook or any other social media whenever you visit it? That would be pretty much time-consuming, right?
Hackers can get into not secured websites and steal your cookies. You think that you are safe with that 2-step authentication or your close friends, recovery e-mail, and 256 characters long password? Wrong!
Stealing Cookies = Losing Online Identity
If a hacker has your cookie, they can inject it in their browser and visit Facebook. Do you know what will happen? Facebook will recognize them as you. Cookies are representing your Internet identity. If someone steals them, they become you. This is something like having all your ID cards and pretending to be you in real life.
So how do you stay secured against this and how to secure website?
Using WordPress platform and All in One migration plugin you can secure your cookies. Also, using incognito mode from your browser will keep you safe as that mode does not store cookies. Therefore, your online identity can’t be stolen.
Using Tor browser can also help you in securing yourself. Tor does not store cookies and is always hiding behind proxies. This way, your identity will remain safer than when using other browsers.
Website Security Checklist Plugins
As mentioned at the beginning of our article, as our technology develops, hackers also develop their skills. By using these popular platforms, hackers know a lot of exploits that can be used by this day to get access on your website or devices.
If you use WordPress, you will have a file that is called XML-RPC in your files on cPanel. A good hacker will know that when abusing that file they can get both your admin name and the password to your website. To stay secured against these types of attacks, make sure to install plugin XMLRPX and disable it. This way you are one step closer to having your website secured. [Before you install the plugin, make sure it is compatible with your theme; if not, it could break your theme]. Always create a backup of your website.
If you are don’t create backups of your website, you can end up with a huge problem. Imagine all your effort that you put in your website getting erased. And you don’t have a copy of your website that you can bring back? Hackers do this most of the time. They will wipe all your data. If you don’t have a backup, you are done.
How many times you where at a checkout for your domain and you saw domain privacy recommended but you just skipped it because you think it’s okay for people to have access to your address and number?
Don’t you think it’s scary enough already? Imagine running a business in New York and your competitors want to get you out of the game. Companies will do such things; they will pay thousands of dollars to hackers just to ruin your business. This is a cheap price to pay for them.
Stealing Your Online Identity – Domain Privacy Matters!
How can a hacker find your real address and phone number with an e-mail?
If you did not purchase domain privacy, a hacker can just go on Icaan.org , enter your domain name and find all details about you. Our website security checklist will help you in next steps.
They can get your e-mail and find you on social media. Facebook disabled search by e-mail and phone number a month ago but there are many other platforms they can use to check your identity using these details. In addition, the last thing they can try to do and that will work for sure is to visit you. Do no think they will not. Hacking is not done only in front of computers; hacking also includes social engineering. Hackers are great in social engineering and they know how your mind works. Before they meet you, they will do a deep analysis of you. They will know your work habits, friends, and places you visit. It is very easy to approach a stranger with such information and make friendship. Their end goal is to destroy you.
Well, they will not come straight to your house. All they need is to be close to your WiFI outside. Using proper devices, they can spoof for devices that have connection on your router.
To achieve it, they will only need a 5$ WiFi USB adapter that supports several injections and payloads. All that they need to do is to configure and enable monitor mode on such devices. They will start monitoring your devices that have a connection to the router.
They do not even need a password for it. Again, to stay safe in general use WPA2 encryption with a long password.
Man In The Middle Attack
Next steps hacker can execute:
- Launch deauth attack. Your devices will lose connection for some period of time.
- Setup fake access point [Man in the middle attack ]
- This way when they stop the deauth attack, you will not connect to your router. Instead, you will connect to their device that will act as a router.
- You will connect to them as they will act as router aka [Man in the middle attack]
By doing it and acting as router they can see all data that you are sending on the Internet. Just by using Wireshark program, they can see all your cookies. They can see your own websites, profiles, credit card details, simply put – anything you send online is visible. To stay safe and not allow hackers to get inside of our network, you will need to set whitelist for your devices. What is a whitelist?
Almost any router has that feature and you can grab your MAC address from devices that have a connection to the internet and add them in there. To access it, you will need to type your default router IP. Once hackers try to gain access to your WiFi, they will get blocked because their MAC address is not listed in there. Doing this will get most of the hackers out of the game. Still, they can spoof for your devices, find their MAC address, and change their MAC address to match one of your devices. When they run deauth attack for those devices, they can get in as you. Simply put, you can’t be safe online but taking extra steps in security helps a lot.
Injections – Payloads
The last thing on our website security checklist are injections and payloads. Another thing hackers can do is to inject payloads in your browser. Have you ever seen all those pop-ups on websites, click here, download, critical update click here? They can create a payload that will send notification inside of your browser to download flash player, even an update for antivirus. Such an irony, isn’t it? If you click on such pop-ups, they will be inside of your device. Giving access to devices will get them connected to the website. It is just a matter of time before they get in. Best antivirus program against hackers is Avast. Getting bypass against Avast is hard as it can detect almost any type of attack.
To have your own websites secured, you need to know how can hackers get into it in the first place. By knowing different ways of gaining access to your website you will start changing your habits.
We hope that you can use our website security checklist to secure yourself and your websites more. To have a protected website you need to know how to protect yourself in the first place. Use these 18 steps from our website security checklist to stay safe online and keep your data and website protected all the time. To secure your website fully, contact us.