When you're a business owner operating with a lean and mean team, it's hard to know all of the things to be aware of when it comes to your website's security. Unfortunately, there are a multitude of threats on the internet. One of the best ways to be prepared is to regularly scan your website for vulnerabilities. That way the issues can be addressed, updated, and you can be on your way without the hassle or the drama.
At Onsharp, quarterly vulnerability scans are included with our Website Essentials Package. Every 90 days, we scan our customers' websites, address any new vulnerabilities that are found, and rescan until the website receives a passing score. We even offer a free one-time vulnerability scan to help those who aren't yet leveraging our Website Essentials Package to find out what vulnerabilities their website may have that need to be addressed. Read on to see the top threats that we find and address when we run our quarterly scans.
Missing SSL Certificate or SSL Certificate is Installed Incorrectly
This is one of the most common issues we find when it comes to corporate websites. Many sites are either not encrypting their traffic at all or have their certificate configured incorrectly. SSL certificates allow the encryption of personal information and credit card numbers, so it's crucial that you use an SSL certificate and that your certificate is installed correctly to protect your customers and any sensitive data that they may enter on your site.
FTP Access Settings Aren’t Secure
FTP, or file transfer protocol, is used to share files and data. Depending on your industry, there may be compliance standards and regulations that must be met when it comes to sharing information using FTP. If your FTP access settings aren't secure, your data could fall into the wrong hands.
There are Ports Open That Don’t Need to Be
Finding an open port to expose a vulnerability is step 1 in a website hacker's toolkit. If a server port doesn't need to be open, it's best practice to close it. Other than ports 80 (HTTP) and 443 (HTTPS), no other ports typically need to be open to your site. Running routine vulnerability scans ensures that no ports are being accidentally opened to your website through the CMS, plugins, or at the server level.
XSS (Cross-Site Scripting)
Cross-Site Scripting (XSS) attacks take place when malicious scripts are injected into trusted websites. Once the script has been executed, it can access cookies, tokens, or other sensitive information.
SQL Injection Vulnerabilities
Similarly to XSS, SQL injection vulnerabilities occur when an attacker injects malicious input into SQL queries. This can allow attackers to access or extract data they should not have access to.
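As an added illustration (not Onsharp's code, and written in Python rather than the PHP a typical site runs), here is the same user lookup and comment rendering written the vulnerable way and the safe way. The in-memory table and the inputs in the test are constructed for the demo.

```python
import html
import sqlite3


def make_db():
    # Constructed stand-in for a site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # SQL injection: the user-supplied value is pasted into the SQL text,
    # so quotes and keywords in it are parsed as part of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized query: the value is bound as data and is never
    # interpreted as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(comment):
    # XSS: untrusted text is placed into HTML unchanged, so any markup
    # or script in it is rendered and executed by the visitor's browser.
    return "<p>" + comment + "</p>"


def render_safe(comment):
    # Output encoding: <, >, &, " and ' become entities, so the browser
    # displays the text instead of interpreting it as markup.
    return "<p>" + html.escape(comment, quote=True) + "</p>"
```

A scanner flags the first form of each pair; the fix is the second form, which is what prepared statements and template auto-escaping give you in PHP frameworks and WordPress.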
Outdated CMS Installation
Keeping your CMS, or content management system, up to date is one of the essential maintenance tasks for your website. Updates bring new functionality and fixes for technical issues. Simply put, an up-to-date CMS leads to a more secure website.
Outdated PHP Version
PHP versions are supported for two years after their release date. During that time, fixes for bugs and security issues are released. Ensuring that your website runs on the latest version of PHP allows it to run without issues.
Clickjacking
Clickjacking occurs when an attacker modifies links on your website so that your customers end up on a different page than they intended. Attackers can use this to trick your customers into entering sensitive information by leading them to believe they're on your site.
WordPress User Enumeration
User enumeration occurs when an attacker runs a script against your site to reveal a list of your website's usernames. If any of your users have weak passwords, this could put you at risk.
While it may seem like an overwhelming list to stay on top of, the good news is you only need 1 action item: routinely scan your website for vulnerabilities and fix them quickly when they are found. Find out which areas of your website need improvement by requesting a free one-time vulnerability scan.