Ten tips to keep your website safe

Want to protect your website? This is an overview of 10 essential steps, most of them very easy.

By Friedhelm Weinberg on

You may have heard that GreenNet, which hosts many NGO websites, suffered a massive DDoS attack; as a result their sites went offline, some for up to a week.

Websites are becoming a key strategic tool for civil society communications, so it's perhaps natural to expect that some repressive governments, or large corporations that do not always like to be criticised in public, will do their best to obstruct these websites: by preventing access to them, incapacitating them at crucial moments like elections, or simply destroying them.

If you think your adversary is not capable of such an attack, maybe that is true. But there are enough hackers and governments who would help them for a bit of cash or political favours.

So, if you have a website with valuable information and want to keep it safe and healthy, what can you do? Well, actually, DDoS attacks are only one part of the story.

We provide 10 tips below which will help make your website a whole lot safer:

  1. Get good, professional webhosting
  2. Use strong passwords
  3. Start using two-factor authentication
  4. Get DDoS protection if you think it's likely you'll get DDoSed
  5. Update your content management system and plugins
  6. Back up your website
  7. Don’t forget to pay the bills
  8. Don’t put all your eggs in the same basket
  9. Make sure responsibilities are clear
  10. Spend some time and thought on this

1. Get good, professional hosting

A good webhost will attempt to mitigate attacks against your site instead of simply shutting you down to prevent damages to their other customers.

If you have a WordPress website, then frankly we recommend hosting with WP Engine. They specialize in WordPress and do a very good job at it. On the security side, you get daily backups with one-click restore, careful configuration of your WordPress, login protection and DDoS protection, and if your site gets infected with malware, it is their problem, not yours: they'll clean it up for you for free. But that's not all: on the performance side they'll also speed up your website with excellent caching, so it loads super-fast. Our website is hosted with WP Engine, and many of our partners' websites are, too. We are fans.

If you are on a budget, then go with a mainstream web host like Dreamhost, Siteground or Bluehost; in most cases you should be fine. They are much more likely to have the infrastructure and processes in place to survive or mitigate an attack than a small local host. Among these we would recommend Hostgator. In addition to DDoS mitigation, they make it really easy to install a WordPress or other site, and have a good 24/7 chat support service.

If you can afford to invest more, and wish to get the best hosting there is, then we recommend the Scandinavian-based VirtualRoad.org. It's a non-profit and they will take very personal care of the security of your website or database, beyond what any commercial provider can possibly provide. In addition to protection against DDoS, hacking and other technical threats, VirtualRoad.org pays close attention to phishing and social engineering attacks, as well as wider vulnerabilities such as legal jurisdiction and data protection. VirtualRoad.org will also provide you with information about attacks against your site, and seek to identify attackers as and when possible. If your site is getting harassed all the time, both online and offline, and you're getting tired of it, then it is definitely time to move to the peace and security of VirtualRoad.org.

If you don't have a credit card you can use to buy hosting, then just get yourself a free website at WordPress.com, like Indigo Trust does. Indigo Trust is a donor, so they can afford whatever they want, yet they are happy with the simplicity and safety of WordPress.com. WordPress.com hosts 50 million websites and is very good at doing it very securely, even offering two-factor authentication. Some of their free themes, like Sight, are very suitable for NGOs, with a nice slider and other features. You can always pay a few dollars later on for a domain name or a premium theme.

If you need more advanced hosting, such as a virtual private server or dedicated server:

  • Bahnhof is also well reputed. They are the famous Swedish hosting company with a datacentre in a cold war nuclear bunker.
  • linode.com also have excellent machines and datacentres with a solid control panel.

If you are hosting sensitive information, like your email or a violations database, then you need to check where your hosting company and its servers are located, and choose a country with strong legal protection and a host like Gandi.net (France) or Rimu (New Zealand) with a good reputation with human rights defenders.

  • If you are a Zimbabwean NGO, then it's not such a great idea to host with a Zimbabwean company, or to use a .zw domain. It's not only that your website can be accessed, but also your visitor logs, endangering your fans. You will be better off with a US-based hosting company.
  • If you are a US-based NGO offering services to undocumented migrants, then it's simply not safe to put an online client database with a US company, because they will be required to hand over your data to the government and won't even be allowed to warn you. You will be better off hosting it at Swedish-based Bahnhof or Virtual Road.

Finally, think about getting separate DNS hosting, as DNS is often the target of a DDoS or a social engineering attack. Your DNS provider does not have to be your webhost. Some very wise choices in the field include EasyDNS and DNSMadeEasy.

2. Use strong passwords

It's no use having strong walls for your house if you leave the front door open, is it?

This means having strong passwords not only for your website CMS, but also for your webhost's admin panel, your webhost's billing area, and the other digital services you use: Facebook, Mailchimp and Twitter in particular.

If you think this password – k1araj0hns0n – is strong, then you need to scare yourself by reading this article on Ars Technica. You'll enjoy it.

You'll find some good advice on how to choose a password that's easy to remember and difficult to guess at Security in a Box. It's important not to reuse passwords across services: if a reused password is cracked or leaked once, every account that shares it is at risk. Also, the best passwords are either random or rather long phrases. But how do you remember all of this? A password manager is the solution, and one that saves you headaches and hours recovering passwords you have forgotten.

Check out keepass.info and read the Security in a Box for a guide on how to install and configure it.
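The two claims above, that random words beat clever-looking substitutions and that the choice must come from a proper random source, are easy to put in numbers. The following Python is an added example written for this page, not code from HURIDOCS, Security in a Box or KeePass; the short word list embedded in it is a constructed stand-in for a real Diceware-style list of 7776 words, and the 80-bit target is an assumed policy.

```python
import math
import secrets
import string

# Constructed stand-in for a real Diceware-style list (which has 7776 words).
# The strength figures below depend on the list length, so a short list like
# this one yields weak phrases; use a full published list in practice.
SAMPLE_WORDLIST = [
    "amber", "basket", "candle", "dolphin", "engine", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pillow", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "violet", "walnut", "yellow", "zipper",
]


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy of n words drawn uniformly, with replacement, from a list."""
    return n_words * math.log2(list_size)


def make_passphrase(wordlist, n_words: int = 6) -> str:
    """Pick words with the CSPRNG in `secrets`, never with random.choice()."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def naive_charset_bits(password: str) -> float:
    """Upper bound for a character password: assumes every character was chosen
    uniformly from the character classes it uses. A mangled word such as
    k1araj0hns0n is far weaker than this bound, because crackers run through
    dictionary words with substitution rules long before exhausting the space."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    space = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(space) if space else 0.0


def words_needed(list_size: int, target_bits: float = 80.0) -> int:
    """Smallest number of words from a list of this size that reaches target_bits
    (80 bits is an assumed policy, not a figure from the article)."""
    return math.ceil(target_bits / math.log2(list_size))
```

Six words from a 7776-word list give about 77.5 bits; the article's twelve-character example scores at most 62 bits even under the generous charset bound, and in practice much less, since it is a name with four predictable substitutions.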

Also make sure that your host offers control panel access over an encrypted https (TLS) connection. This way the password is protected in transit when it is sent from your computer to the server at login (what use is a strong password if everyone on the network between you and the server can read it?).

How are passwords managed at your NGO? Do you have a list of all digital services? How is it protected, and who has access to this list? If the website administrator is on holidays, then how will you log in to add content or pay a hosting bill?

One solution is to spread the risk and not trust one person with all the passwords. That's how we do it at HURIDOCS.

3. Start using two-factor authentication

Surprisingly, a very common way of hacking into your website and other digital services is via your PC: by tricking you into installing a malicious piece of software such as a keylogger, which records every keystroke you make. Your attacker can then harvest all your passwords quite easily and get into not only your CMS, but all your private online accounts.

Some of this spyware, such as the infamous FinFisher, which is increasingly used by repressive regimes to spy on civil society organisations, is very hard for normal anti-virus programs to detect.

So a good protection is to start using two-factor authentication, meaning a system like Google Authenticator or Authy, which have smartphone apps for iOS, Android and BlackBerry. These give you a one-time code, valid only for a short time window, which you enter in addition to your normal password; a keylogger that captures it gains nothing, because the code cannot be reused.

Two factor authentication is also available for your account at Facebook and Hotmail. Using these services would have saved Wired reporter Matt Honan a lot of trouble.

If not all your staff have a smartphone, you can give them a YubiKey (a small USB token) that generates a one-time password unique to each login. A YubiKey costs about 20 USD.

Many of you are starting to use Google Authenticator to log into your gmail or Google Apps or Dropbox. But you can also use it to log into your website safely. WordPress has plugins for Google Authenticator, Authy and Yubico, yet another reason to love this CMS. There are modules for Drupal as well. This shows that open source CMS like WordPress and Drupal give you the edge over everything homecooked – you can rely on the community to help you out and stay up to speed.

4. Get DDoS protection

Even if you have a good webhost, it will do you no harm to connect your site to a specialist DDoS protection service if you feel that you may become the victim of such an attack.

If you are on a budget, eQualit.ie provides a very ingenious free service for NGOs called Deflect. It takes the traffic destined for your website onto its own infrastructure (Deflect says this absorbs 99% of the attack traffic), combining various botnet identification and mitigation technologies. You can join in a matter of hours and you don't have to move hosting. The service is free for NGOs and other non-profit civil society and media initiatives. You can sign up here.

Or you can use a commercial service like Cloudflare, which has a free entry-level plan, although you'll have to pay 200 USD per month for high-level protection. You may want to start with the free plan and upgrade once you get hit.

If you are using Virtual Road, there is no real need for extra DDoS protection, as that is what they specialise in. However, they can now offer a dual protection package together with Deflect.

Refer to this excellent guide recently published by the Open Internet Project called My Website’s Down for help in choosing the right DDoS mitigation package for you.

5. Update your CMS and plugins

Open source content management systems like WordPress, Drupal or Joomla are great and most of us already use them. But because they are so popular, they also attract a lot of attention from attackers, who exploit known vulnerabilities in outdated versions to inject malicious code into your site.

This is why it is important to keep your CMS software up to date, and also your plugins and themes. Is someone in your organisation in charge of checking regularly whether everything is up to date? Often the CMS will actually tell you when you need to update, but because no one is in charge, no one ever does it, or at least not systematically.

If you do not keep your CMS up to date, sooner or later you will get hacked! Malicious code will be inserted into your website! Lots of nasty Viagra spam hidden here and there! And then you will have to pay an expert to clean up the mess! And in the meantime your webhost may close you down or Google may blacklist you!

6. Backup your website

Remember this: your backup plan is your website’s life insurance.

Imagine that your website gets destroyed. Without a backup, you will lose everything. With a backup, it will only be a temporary inconvenience.

You may think that your webhost probably has you backed up, so you don't need to worry, right? Wrong! Read this extract from the Bluehost Terms of Service:

For its own operational efficiencies and purposes, Bluehost from time to time backs up data on its servers, but is under no obligation or duty to Subscriber to do so under these Terms. IT IS SOLELY SUBSCRIBER’S DUTY AND RESPONSIBILITY TO BACKUP SUBSCRIBER’S FILES AND DATA ON BLUEHOST SERVERS.

You will find similar wording in most hosting providers' terms of service: backup is your responsibility!

WordPress has plugins that allow you to automatically send a full backup to a Dropbox or Gmail account, which is very handy. A good plugin will back up not only the MySQL database, but also your photos and other attachments, and your theme files. Similar options exist for other open source content management systems. But they have one thing in common: you need some techie knowledge to restore a backup, so test a restore at least once before you need it for real.

Really good hosts like WP Engine provide daily backups with one-click restore, but even they recommend downloading a copy of the backup every month or so, just to be on the safe side.

If you use WordPress, a very good option is to sign up for a VaultPress backup. This makes hourly backups and costs only 5 USD per month for the starter plan. They also have one-click restore. VaultPress is the Mercedes-Benz of backup services for WordPress, and we love it.

Bottom line: always back up your website, at least once a month, and keep this backup in another location.
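A backup that has never been restored is only a hope. The following Python is an added example for this section, not code from any WordPress plugin, WP Engine or VaultPress; it builds a constructed stand-in for a site tree (config, theme, an upload and a database dump), archives it together with a SHA-256 manifest, restores the archive elsewhere, and reports any file that is missing or altered, which is exactly the check to run on the monthly copy the article tells you to download. Paths, the manifest name and the sample content are this example's own choices.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "backup-manifest.json"   # name chosen for this example


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(site_dir: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under the site root."""
    return {p.relative_to(site_dir).as_posix(): sha256_file(p)
            for p in sorted(site_dir.rglob("*")) if p.is_file()}


def backup_site(site_dir: Path, dest_dir: Path, label: str) -> Path:
    """Archive the site tree plus its hash manifest into dest_dir/site-<label>.tar.gz."""
    manifest = json.dumps(build_manifest(site_dir), indent=2).encode()
    archive = dest_dir / f"site-{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(manifest)
        tar.addfile(info, io.BytesIO(manifest))
    return archive


def check_manifest(restore_dir: Path) -> list:
    """Compare restored files with the manifest; return paths missing or altered."""
    manifest = json.loads((restore_dir / MANIFEST).read_text())
    problems = []
    for rel, digest in manifest.items():
        target = restore_dir / "site" / rel
        if not target.is_file() or sha256_file(target) != digest:
            problems.append(rel)
    return problems


def restore_and_check(archive: Path, restore_dir: Path) -> list:
    """Extract into restore_dir and verify. An empty list means a clean restore."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Use the safe extraction filter where this Python has it (3.12+ and
        # backports); it rejects members that would escape restore_dir.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **kwargs)
    return check_manifest(restore_dir)


def build_sample_site(root: Path) -> None:
    """Constructed stand-in for a WordPress install: config, theme, upload, DB dump."""
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp'); // constructed sample\n",
        "wp-content/themes/mytheme/style.css": "body { color: #333; }\n",
        "wp-content/uploads/2013/photo.jpg": "\xff\xd8\xff\xe0 fake jpeg bytes",
        "db-dump.sql": "INSERT INTO wp_posts VALUES (1, 'Hello world');\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content.encode("latin-1"))


def demo() -> dict:
    """Back up the sample site, restore it, then corrupt one file to show the check failing."""
    work = Path(tempfile.mkdtemp())
    site = work / "live"
    build_sample_site(site)
    archive = backup_site(site, work, "2013-08-01")
    restore = work / "restore"
    clean = restore_and_check(archive, restore)
    (restore / "site" / "wp-config.php").write_text("<?php // tampered\n")
    tampered = check_manifest(restore)
    return {"archive": archive.name, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The manifest rides inside the archive, so the same check works on a copy pulled down from Dropbox or from a host's backup download months later; keep the archive in another location, as the bottom line above says, and run the restore check on that copy, not on the one sitting next to the live site.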

7. Don’t forget to pay the bills

OK, this is not directly related to security, but you would be surprised how many NGOs lose their domain name or are temporarily suspended simply because nobody remembered to pay the hosting bill. Who is formally in charge of this at your NGO? When is the next bill due?

A good hosting and DNS provider should let you know ahead of time when your bill is due, and most do. But to which email address do the reminders get sent, and does anyone still read it?

It takes 20 minutes to check and set this right.

8. Don’t put all your eggs in the same basket

Most of us make intensive use of Mailchimp, Facebook and Twitter to broadcast information, and these keep working when the website does not. If you run your own mailserver, it also makes sense to keep it separate from the website, so email carries on while the website is down.

Spread the risk and make it a harder challenge for your adversary. If our websites are indeed hacked despite all the measures above, we shall at least have other open channels with which to communicate.

9. Make sure responsibilities are clear

It is not only about the security tools and services, but also about the processes inside your organisation to manage security. Who is responsible for what, and who is going to check that it gets done? If there is no pilot in your plane, you have little use for a radar. Discuss website security internally and clarify responsibilities within the team.

10. Be prepared to spend a little…

As you’ve seen from the above, there are very good things you can do to protect yourself.

If you are on a budget, you can use affordable but great Hostgator hosting and combine it with free Deflect DDoS protection, a free backup plugin sending to a free Dropbox or Gmail account, and free Google Authenticator to protect your login. Strong passwords are also free. This can work for many; it's actually a pretty ingenious combination of measures that gives you a lot for low cost.

Or you can outsource (almost) all of this hassle and just contact Virtual Road. This will be better for those who have other issues to worry about. This will of course cost more.

Or you can do nothing and hope for the best. Lightning will always strike in the next valley!

So the real bottom line is that it is not so much about spending money. It's more that you need to spend a bit of time and give some thought to your website's security: read up a bit, ask some techie friends, maybe make a few changes to how your team handles things. Ultimately it depends on how much your website is worth to you.
