How to Secure Your Website
When you create a website, you have a goal in mind. That goal may be to educate, sell something, or offer a service. Its purpose could also be to tell the world about you, to sell yourself.
When the Web was born and people began creating websites, all sites were “static.” Static sites require someone knowledgeable to take your concepts and put together your website in Hyper Text Markup Language (HTML).
A markup language tells a program what a section of text means. For example, you can use the HTML bold element, <b>bold</b>, which tells a program that you intend for this piece of text, the word "bold," to appear in bold when it is displayed.
This meant there was lots of work for web designers. The positive side of all of this work was that the only way to change your website was for your developer to access the server hosting your site and edit the HTML for you.
It was very safe, very secure, and very unchanging.
The negative side of creating a website in HTML is that it is very much unchanging. You have no ability to make changes to your own site. You must have somebody familiar with HTML and with access to the server to make any changes.
As an example, consider the amount of effort it would take to add an announcement for a company conference later in the year. Your developer would have to create the announcement, and then insert it into your website.
It was too much effort for developers and not enough control for businesses and individuals. In response, developers created Content Management Systems (CMS). A CMS produces a dynamic website. A dynamic website creates its HTML at the time you visit and sends it to your browser.
The simplest example of dynamic content is a line at the top of your website, saying, “Today is Friday, the 13th of January, 2023.” This may seem simple when looked at through the lens of modern websites which are highly dynamic, but at the time, something as simple as a date that changed automatically would have developers jumping up and down with excitement.
Content Management System
Drupal is a CMS. The developers at Twel create custom modules and provide extra features on top of a base Drupal install. However, most of the content comes from the Drupal CMS.
When you visit your Drupal website, the software queries a database which tells it how to piece together content from different parts of the file system and database.
For simplicity, the "file system" is just like the disk drive on your computer, except it is located on the web server. The database is a program that stores data that can be quickly retrieved, stored, or modified.
Every CMS requires an administrator or "admin." The admin is the person that has the ability to log into your website and modify the content on the file system or within the database. In order to do this, the CMS has to know that the person accessing your website is authenticated and authorized to make changes.
Let's take a simple example. You have created a page where the admin can make changes. You've called it http://www.mysite.com/secret_admin_page.
In order for the admin to make changes they have to go to the "secret_admin_page" which nobody else knows about. Your site is authenticating the admin because only the admin knows that page. Having authenticated the admin, your site authorizes them to make any changes they want through the admin pages.
This works great until somehow that URL escapes into the wild. We know of one website that saw only about a 2-week delay between renaming its secret admin page and the new name showing up in web searches.
This type of security is called "Security by Obscurity" and it is bad. For many years, the makers of some operating systems thought those systems were secure because everything about them was obscured. This led to those operating systems being horribly abused as the black hats found their way in time and time again.
Since we can't rely on security by obscurity, we move to a much better model of authentication. There are only a few ways to authenticate a person:
- Something they know
- Something they have
- Something about them
- Someplace they are
Something they know is usually a username and password pair. If they never share that information, only they should have that information.
The simplest form of something they have is a key. Your car knows you are the "owner" because you have the key to unlock and start your car. Even the dumb locks on your house have that ability. Only you should have your house key.
Your fingerprint, retinal pattern, and DNA are all something about you. You become the key to gaining access. A trusted biometric reader is required to test you. Unfortunately, many of the biometric readers are easy to spoof.
If you are in the war room in the basement of the White House, then you are part of the small group of people that are authorized to be in that location. When you attempt to log in from the war room you are using someplace you are to authenticate.
At university, if you could get into the machine room, you could sit down at the console and have full access to the computer. Again, that is authentication by where you are.
These methods can be used individually or grouped.
Now we can authenticate you. You visit your website at http://www.mysite.com/admin/ where it asks for your user name and password. We very carefully don't display your password so the person looking over your shoulder doesn't get to read it.
Now the CMS knows who you are. It checks to see what you are authorized to do and allows you to proceed. If you are "admin" then you can do many things. If you are only a visitor, you can't do much of anything.
We have "secured" your site.
That is, until somebody gets your user name and password pair. The number of people that still use very weak passwords is huge. A survey done in 2022 showed that the most popular passwords still included "password", and "secret". This means that if somebody guesses the username it is easy to guess the password and gain entrance.
We can improve on this slightly by limiting the locations that can reach the admin pages to a small set of IP addresses. A website could be set up so that the admin can only access the admin pages by connecting from a computer in the corporate offices, or even from a small number of computers within the corporate offices.
This secures your site more adequately, but not yet completely.
Multi Factor Authentication (MFA)
MFA is a method of adding "something you have" to the authentication process. In the best case, we would use a physical token like a YubiKey. Because not everybody has these, we use text messages and email instead.
When you attempt to log into a site with MFA, the site will send an email to your registered email address. To complete your authentication, you have to prove you have access to your email.
If you've lost control of your email address then this provides no extra security at all.
Some sites will send a text (SMS) message to the phone number you have registered. This will contain a number that you have to provide back to the site in order to complete your login procedure.
This is somewhat secure but has such significant weaknesses that there are now 'bots that will allow a script kiddie[1] to spoof SMS messages from many different websites, allowing them to break into your accounts.
Here we have a story of an Australian woman who lost her life savings to a scammer that used SMS messages and a very proper English accent to spoof a call coming from her bank.
With a token, this is much less of an issue. The site has to authenticate to the token and only then does the token authenticate back to the site. This is much more secure.
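As an added example (not code from this article, from Drupal, or from Twel's modules), the following Python sketch combines the mechanisms described in the two sections above: a salted password check (something you know), an IP allowlist for admin access (someplace you are, as in the corporate-office restriction), and a single-use code delivered out of band (something you have). The office network range and the user accounts are constructed for the demo, and the code is returned to the caller only so the example runs offline; a real site would send it by email, SMS or token.

```python
import hashlib, hmac, ipaddress, secrets

# Constructed office range (TEST-NET-3 documentation block) for the admin IP allowlist.
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def hash_password(password, salt):
    # Slow, salted hash: a leaked hash still resists offline guessing of weak passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Site:
    def __init__(self):
        self.users = {}    # username -> (salt, password hash, role)
        self.pending = {}  # username -> one-time code awaiting the second factor

    def add_user(self, username, password, role):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt), role)

    def check_password(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            hash_password(password, bytes(16))  # same cost for unknown users
            return False
        salt, stored, _ = rec
        return hmac.compare_digest(stored, hash_password(password, salt))

    def check_code(self, username, code):
        expected = self.pending.pop(username, None)  # single use, pass or fail
        return expected is not None and hmac.compare_digest(expected.encode(), code.encode())

    def ip_allowed(self, client_ip):
        return any(ipaddress.ip_address(client_ip) in net for net in ADMIN_NETWORKS)

def start_login(site, username, password):
    # Step 1, something you know. Returns the one-time code the site would deliver
    # by email/SMS/token (returned here only so the demo is self-contained), else None.
    if not site.check_password(username, password):
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    site.pending[username] = code
    return code

def finish_login(site, username, code, client_ip):
    # Step 2, something you have (the code) plus someplace you are (client IP).
    # Returns the authorized role, or "denied".
    if not site.check_code(username, code):
        return "denied"
    role = site.users[username][2]
    if role == "admin" and not site.ip_allowed(client_ip):
        return "denied"  # admin pages are reachable only from the office range
    return role
```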
User Information and Security
The above discusses how to protect your site from being accessed and modified by the black hats. The question remains, what about your users?
If you have any users, there are some legal requirements to protect their Personally Identifiable Information (PII).
In the European Union they have the General Data Protection Regulation (GDPR). It defines PII and how it must be protected, as well as what rights your users might have to their own PII stored on your website.
If you are not a part of the EU, you might think that the GDPR doesn't apply to you. In a legal sense it does not. The issue is that EU governments have the right to block access to your website if you do not follow the GDPR.
The main gist is that you have to protect PII and allow your users the ability to delete PII on request. Talk to your Twel representative to get a more thorough understanding of what GDPR compliance means to you.
Regardless, this means that you must provide protection for PII. This is good business sense.
That means that you have to use proper means of authentication for all of your users. The type of data you are storing changes the requirements for protecting PII from unauthorized dissemination or access. In some cases, failure to properly protect PII, even in non-EU countries, can expose you to legal penalties.
In our next article we move from securing your credentials to securing access to the site and the data stored on your site.
[1] An unskilled individual who uses scripts or programs developed by others, primarily for malicious purposes. (https://en.wikipedia.org/wiki/Script_kiddie)