Website Security: MeetUP
I’d just left the Tampa Bay PHP Developers/Freelancers Meetup group at Kaiser University in Tampa, (June 2016), and I was very disappointed. The topic of the night was website security – “Web Security, Php, Mysql, Html, Etc. Block Hackers, Protect Your Site Correctly” (copied from their email).
The website security advice given, was mostly either outdated or just plain wrong, and certainly nowhere near comprehensive. They were recommending using PHP functions like “Magic Quotes”, and similar weak, outdated functions that have been replaced by newer, much stronger functions that will be automatically updated in the future – yet the new functions weren’t even mentioned, except by me – for which I was “rewarded” with a request to leave!
Even the PHP.NET website says not to use “Magic Quotes”. When I tried to gently correct the speaker with newer, more accurate information, he opined that the subject of web security was moot to developers since it is up to the visitors of his clients’ websites to protect themselves from malware that could come from those websites – that web security wasn’t his or his clients’ responsibility. He went on to justify his line of reasoning(?) by suggesting that it would cost five thousand dollars to pen test and “guarantee” a website’s security!
No, nobody can guarantee website security. Everything is hackable at some level, but for all reasonable, practical purposes, we can adequately secure our customers’ websites from pretty much all but top-echelon hackers, and state actors. And it doesn’t have to cost five big ones. Nor would it necessarily require pen tests, but you could easily run pen tests with free software, so I”m not sure where the five grand comes in – but I”m interested! 🙂
Shucks, I’ll pen test the typical small business website security for a measly hundred bucks!
Web developers mostly use CMS frameworks nowadays, so basic website security and security updates are taken care of to a degree. Plug-ins and custom themes however, need to be inspected because most web developers either have the mind-set, like that MeetUp speaker, that web security isn’t really a web developer’s responsibility, or they’re just plain not-trained in web security, or both.
Even those website security-conscious developers who do feel responsible, well they’re professional “web developers” not “web security analysts”, and their ability to protect websites from actual attacks is likely to be inadequate.
So what’s the solution? Start with the simple stuff –
- Password protect your admin folder (server-side)
- Prevent direct access to all admin scripts
- Fight brute-force attacks with 15+ random character passwords
- Fight brute-force attacks with login attempt-limiting plugins
- Never trust user input
- Since plugin developers often ignore this rule, use care in choosing plugins
- Use SSL to encrypt logins (Let”s Encrypt SSL is free!)
- Consider Cloudflare (free) to protect against DOS and other attacks
- Schedule regular, off-server, cycled backups of both files and database
These are off the top of my head, and before brewing my second cup of coffee, so there are certainly more things you can, and should do. I’ll follow up with an article specifically for WordPress users.
To be fair, some of these items were discussed that night – the .htaccess, backups and passwords, if I remember correctly.
In any business where you are the expert and your clients can’t be expected to understand the technicalities, you have an added responsibility to that client and to his customers to use your knowledge to protect them. I hope the web developer community will wake up someday and adapt that philosophy.
As for that MeetUp group, why waste time going to a meeting where the speaker is ill-informed and spreading misinformation along with a predatory philosophy? There are much better PHP, Website & WordPress Meetup groups to attend in the Tampa / St. Petersburg area and I’ve always learned and enjoyed going to all of them until this group.
Whenever you hear someone talking about using predatory practices on clients, you need to speak up and explain that if we’re not on the same team as our clients, we’re going to earn the kind of reputation that used car dealers and aluminum siding salesmen have – and we’re going to deserve it!