Is a green padlock all you need to keep your site safe?
Five Reasons Why You Don’t Need IT Support
This is the third of a five-part blog series which busts the myths about why you don’t need IT support.
Everyone is told to check websites for the green padlock – this is how they know the site is secure. Whilst SSL (Secure Sockets Layer) Certificates are a key part of any website, they aren’t the be-all and end-all.
What does an SSL Certificate do?
An SSL Certificate ensures that a website is legitimate and that all data which is transmitted across it is encrypted (scrambled), meaning it is safe to use.
So, for example, if you have a contact form on your website, any information a prospective client fills in will be encrypted before being sent to the server. The server then decrypts this information before storing it in an encrypted (hopefully) database.
What doesn’t an SSL Certificate do?
What an SSL Certificate doesn’t do is protect your website from potential attacks. Such attacks can come from far and wide, so we’ll only discuss a couple of common examples here.
SQL Injection attacks are usually carried out on insecure website forms, where the form doesn’t differentiate between a legitimate entry (like us saying our name is Mickey Mouse) and malicious code which will delete your entire usernames table, such as:
IF EXISTS(SELECT * FROM dbo.Usernames) DROP TABLE dbo.Usernames
Web forms in WordPress and well-coded forms which escape special characters in user input won’t cause this issue.
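The difference between a form handler that pastes input into the SQL text and one that passes it as a parameter, shown as an added example (not code from this blog). It uses Python's built-in sqlite3 module and parameter placeholders rather than manual escaping; the function names are hypothetical and the malicious input is a constructed SQLite adaptation of the statement above.

```python
import sqlite3

# Constructed sample inputs: a legitimate name and a malicious one modelled on
# the DROP TABLE statement above (SQLite syntax, so no dbo. schema prefix).
LEGITIMATE = "Mickey Mouse"
MALICIOUS = "x'); DROP TABLE Usernames; --"


def new_db():
    """In-memory database with a Usernames table, as in the article's example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Usernames (name TEXT)")
    db.execute("INSERT INTO Usernames VALUES ('existing user')")
    return db


def table_exists(db):
    q = "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Usernames'"
    return db.execute(q).fetchone()[0] == 1


def save_name_vulnerable(db, name):
    # BAD: the form value is pasted into the SQL text, so the database cannot
    # tell data from code. executescript() runs every statement it is given.
    db.executescript(f"INSERT INTO Usernames (name) VALUES ('{name}');")


def save_name_safe(db, name):
    # GOOD: the ? placeholder sends the value separately from the SQL text,
    # so it is only ever stored as a string.
    db.execute("INSERT INTO Usernames (name) VALUES (?)", (name,))
    db.commit()


def demo():
    """Return (table survives vulnerable form, table survives safe form, stored names)."""
    bad = new_db()
    save_name_vulnerable(bad, LEGITIMATE)
    save_name_vulnerable(bad, MALICIOUS)
    good = new_db()
    save_name_safe(good, LEGITIMATE)
    save_name_safe(good, MALICIOUS)
    names = [r[0] for r in good.execute("SELECT name FROM Usernames ORDER BY rowid")]
    return table_exists(bad), table_exists(good), names


if __name__ == "__main__":
    print(demo())
```

With the safe handler the malicious text ends up stored as an ordinary (if odd-looking) name, and the table is untouched.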
Another example is a form where users are allowed to upload files. Any file ending with .exe, .rpm, .dmg or .sh, for example, shouldn’t be uploaded by a user onto a web server, unless it serves a particular purpose and is audited regularly.
What Can I Do to Prevent This From Happening?
If your website runs WordPress, it is essential to keep it up to date. If you have access to the servers upon which your website runs, ensure the packages are kept up to date. Plesk and cPanel both offer anti-virus extensions which scan documents regularly.
Plesk also has extensions such as Juggernaut Firewall which can block connections from certain countries as well as monitor connections (just make sure that you allow outbound exceptions for the updaters and your SSL Certificate renewal, otherwise these could expire and lapse without you noticing).
If your web server allows, set up email alerts for when packages are out of date – this could be several times a day (depending on when the developers release them). If auto-update is a possibility (and you’re not dependent on having a certain version of a package) then enable this feature where available.
Dedicated vs Shared Hosting
Web hosting is cheap nowadays. This is made even cheaper by sharing infrastructure between many clients and hosting several websites on one server. But this relies on every website on that server being honest. You would not be happy to find out that the IP address of your website has been blocked due to another company using the server to send spam/viruses. Also, it is possible that if one website on the server has been hit with a virus, yours could be too.
Dedicated hosting is more expensive due to having a private server. However, with services such as Amazon’s Route 53 and Lightsail, this is now becoming a more affordable option.
All SupportWise clients are offered dedicated Web Hosting and management to prevent (or at least mitigate) these concerns. We’ll set up email alerts into our ticketing system so that a technician can react to these as soon as possible.
We also offer a review of websites for our clients (who are happy with their hosting) to keep them up to date.
If you have any concerns or just want to find out more, feel free to give us a call.