How we keep your site secure

blog-image

Web Security

Introduction

Cyber security is an area which greatly interest’s me and I spend a very large portion of my free time researching it.

There was only a limited amount I could say on the home page due to space, therefore, for those who are interested, I would like to go into more detail here.

This post will go into relative detail, sorry if its boring for some :)

Why not wordpress?

Dangers with wordpress

Wordpress is the most used website builder in the world. This does not mean you should use it!

Wordpress is used as it is:

  • Easy
  • Quick
  • Does not require users to use the command line
  • Pretty much a drag and drop GUI

However… wordpress uses PHP, and most of its functionality is based around using plugins.

Now there is nothing specifically wrong with this. However, when you consider that PHP performs operations server-side and can be vunerable to SQL-Injections (When a user enters a value into an input box which is not validated, end therefore passed to SQL as a command) this introduces a host of problems.

You essentially have to trust every plugin you install does not have SQL vunrabilities, which happens a lot more than you think. If a vunrability is discovered in a plugin, and the plugin is now un-maintained, or, you don’t know about the vunrability and therefore don’t update a plugin, or you just don’t update your plugins. Then it is trivial for a hacker to find the current plugin version, search for a known vunrability, and perform it.

All of this makes wordpress a ticking time bomb in terms of security. If it wasn’t bad enough already, you also have to trust that the plugins themselves, or any libraries that they use, aren’t malware.

Consequences

The consequences of having your site breached like this are large, here are some examples.

  • If your customer data falls into the wrong hands, you could be breaching GDPR, which has its own set of consequences.

  • The hacker could display anything on your webpage, this could severly damage your brand image and dissuade potential, or existing customers from your business.

  • Best case scenario: Your website will be down until you can get on your server and re-install wordpress.

Personal experiences

This is not an uncommon event. When I was 14 I used wordpress to create a technology reviews website. This was temporarly hacked using the methods I describe above, and the hacker placed their name where the site previously was. This was not an issue for me, as my site had below 30k views per year and no user data so wasn’t exactly large, and I closely monitored the site and simply restored it from a backup very quickly after it being hacked. However for a business, and if the hacker had been more malicious than simply replacing the site with their name (e.g. if they redirected it to a fake clone of the website controlled by them), then this could be catastrophic. It could even result in the hacker gaining customers credit card details if they sent users to a clone of the website and a user purchased something through the site.

How do we ensure this does’t happen?

We dont use wordpress!

We instead create sites statically. Meaning that we do not use PHP, and instead, create the site in pure HTML5 (HTML, CSS, JS). This makes development more advanced than the likes of wordpress, as there are no graphical interfaces to guide development, however, it is far more secure, and also results in a much faster and responsive website too.

This means that any processing we do do, we do client side, instead of server side. Meaning that it is completely impossible for the website to be hacked from a user visiting it, as to the user, it is read-only.

The only attack vectors for a static site are by trying to gain access to the server it runs on, or to crack the SSH keys. This is also nearly impossible if you set your server up correctly, this model would mean only e.g. nation states being able to compromise your website, not your average hacker.