This article focuses on the website security issues and challenges developers face. You can find out what the main challenges are that web professionals face in 2020 and during the time of crisis.
A wide range of attacks has been targeting businesses, health organizations, and governments. Attacks were launched to spread malware, host phishing pages, steal credit card details, and more.
We wanted to know if web professionals who build and manage websites have witnessed the increased amount of malicious traffic and if it has affected their businesses in any way.
We ran a survey to understand if the global crisis and an increased amount of cyber threats affect web professionals and website security as a whole.
This website security report includes analysis from 338 responses of digital agencies and freelancers from all over the world.
The responses to the website security survey were collected from several mastermind groups of digital agency owners and web developers. A little less than half of the respondents were incorporated digital agencies.
Over half of the respondents were freelance web professionals. The remaining 6% of the respondents were website owners, business owners, bloggers, and non-governmental organizations.
About 80% of freelancers that participated in our website security survey stated that they are responsible for less than 20 sites. On the other hand 44% of digital agencies that participated stated that they are responsible for over 20 sites.
Most of the respondents (72%) have more than 6 websites in their portfolio.
A little less than thirty percent of respondents manage 1-5 websites and 19% have 21-50 sites in their portfolio. About 8% of respondents have 50-100+ sites, and 90% of those are digital agencies.
Agencies don’t just have more demanding customers, they also have more challenges and website security issues in maintaining and securing the larger number of websites their customers hold them responsible for.
Agencies and freelancers who participated in the survey use a variety of content management systems and coding languages to build websites for their customers. The most popular CMS among 80% of the respondents is WordPress.
When comparing freelancers and digital agencies, the data showed that 81% of freelancers use WordPress for their web development projects. The number was slightly smaller amongst digital agencies, 79% of agencies use WordPress as their main CMS when building websites for their customers.
The top content management systems mentioned by both freelancers and digital agencies were WordPress, Magento, Drupal, and Joomla.
The responses showed that security is a big concern among both digital agencies and freelancers. Two hundred forty-three (243) respondents in the survey stated that they are increasingly worried about website security.
More than 73% of digital agencies and freelancers are increasingly worried about website security. This number was slightly higher (75%) among WordPress users.
The data revealed that while agencies and web professionals are both increasingly worried and have challenges with website security – only a little less than half of them (45%) take proper measures to protect the sites they are responsible for.
Over half of the respondents stated that while they are concerned about their sites’ security, they also see the concern being justified due to an increased number of attacks targeted to their sites.
Close to 43% of the respondents have seen an increase in attacks targeting the websites they are responsible for. Surprisingly, 30 respondents had no insight into whether the attacks have increased or not.
When attacks are detected, it does not mean they were successful. We at Patchstack see millions of attacks targeted to the websites we protect. These attacks are blocked, logged, and monitored in real-time to make sure the malicious traffic will be rejected.
One reason for the increased attacks could be linked to a large number of vulnerabilities disclosed in popular WordPress plugins. For example, in the first 5 months of 2020, we have seen over 200 vulnerabilities that have affected more than 40 million websites.
The vast majority of these vulnerabilities were found in third-party code such as plugins, themes, and other dependencies.
We also discovered that 25% of the respondents had seen a hacked website in the month before participating in the survey. This gives us a good understanding of the magnitude of the problem.
Websites are infected with malware and used to run further attacks against other websites and businesses. Hacked websites are often used to direct traffic to malicious sites, to steal credit card information and in some cases even to infect visitors’ computers.
Additionally, hosting phishing pages on hacked websites has become an increasingly popular tactic to steal credentials of third-party services.
While gaining access to one small website might not be too valuable, exploiting a popular plugin can give the attacker access to hundreds of thousands or even to millions of sites with a single coordinated attack.
While web professionals say that they are increasingly worried about website security – they are also becoming more security-aware.
We asked the participants of this survey if they have a web application firewall protecting their sites and the results showed that over half of the digital agencies (57%) have a firewall installed on most or all of the sites they manage.
Freelancers take security seriously too – 53% of the freelancers participating in the survey have a firewall installed on most or all sites they manage.
About 17% of the participants don’t protect any of their websites with a firewall and 8% of participants have no overview of the security of their site and do not know if they have a firewall installed or not.
At the same time, almost one-third of the participants (29%) who don’t use a firewall to protect their sites but are concerned about their website security have witnessed hacked sites in the past months.
The data shows a direct correlation between websites that are not protected by a web application firewall and the chance of witnessing a hacked website.
Website security is a challenge for many, especially for those who are responsible for more than one website. To help, we wanted to know what are the most widespread challenges that agencies and freelancers face when dealing with the security of their websites.
We asked the participants to explain their challenges in detail which gave insights into more than five hundred different challenges which we sorted into 10 main categories.
Most popular challenges faced when dealing with website security:
The biggest category of challenges was the lack of knowledge. The second was a selection of different tasks and problems that freelancers and agencies have problems with, which did not fit any of the remaining 9 categories. Others consisted of attack prevention, plugin vulnerabilities, client education, and more.
The results of the website security report showed that the biggest challenge for digital agencies and freelancers is the lack of knowledge.
Respondents mentioned the lack of knowledge on how to secure a site and how to keep it protected. They struggle with the complexity of security tools and the installation process can be daunting. Additionally, many find it hard to understand if a given security solution really works or not.
Many freelancers mentioned that they don’t know the steps required to secure the websites and digital agencies, on the other hand, highlighted the complexity of finding the right tool for the job.
1) Always think about security as an ongoing process, not something you can just install and forget.
2) High-quality and responsive customer support often outweighs the technical advancement of the product.
3) Look at what the security companies do, not what their marketing claims. Their own security research is a good thing to start with.
When looking at all the existing solutions, one could divide these tools into three main categories: reactive, proactive, and a combination of both.
A reactive security tool is something that helps you deal with the consequences of an attack. A good example is a malware scanner, whose essence is to locate malicious code that has already been injected into the site.
A proactive security tool is something that helps you prevent attacks. Good examples are a vulnerability scanner and a web application firewall. They allow you to address potential security issues and avoid malware infections and breaches in the first place.
The first layer is security awareness itself: keep yourself up to date with information about the latest threats, and make sure you have a proper overview of what is happening on your website. Also take time to carefully choose reliable and trusted service providers for your cloud hosting requirements and for the development stack you use (plugins/themes, etc.).
The second layer would be your first line of defense. Modern attacks are largely automated, so it’s important for you to automate protection as well. Set up a vulnerability monitoring solution and a managed web application firewall that can provide necessary protection against threats such as 0-day and 1-day vulnerabilities.
Your third layer should include proper logging, malware scanner, and a reliable backup solution. If one of the first two layers fails, your third layer of defense should be able to detect anomalies and allow you to act fast and efficiently.
1) Options to keep up with threats: Patchstack vulnerability database, Hackbusters, NVD
2) Options to prevent attacks: ModSec, Cloudflare, Patchstack
3) Options for remediation: AI-Bolit, Sitecheck, URLscan
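The third layer above asks for something that "detects anomalies" after the first two layers have failed. The simplest reactive control of that kind is a file-integrity check: hash every file of the site into a baseline manifest, and later diff a fresh manifest against it so that injected, altered or removed files stand out. The script below is an added example written for this article, not Patchstack code or any of the tools listed; the site layout and file contents it creates are constructed for the demo.

```python
"""Added example: a minimal file-integrity check for the 'third layer'
(logging, malware scanner, backups). It hashes every file under a site root
into a baseline manifest and later diffs a fresh manifest against it, so
injected, modified or removed files stand out. Paths and file contents below
are constructed for the demo; they are not from Patchstack or any real site."""
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Diff two manifests; anything in the result is an anomaly to review."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    # Store the baseline outside the web root (or with the backups) so someone
    # who can write into the site cannot silently rewrite the baseline too.
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: take a baseline, then simulate an unwanted change."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "plugins", "demo-plugin"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php // constructed front controller\n")
        plugin_file = os.path.join(root, "wp-content", "plugins", "demo-plugin", "demo.php")
        with open(plugin_file, "w") as fh:
            fh.write("<?php // constructed plugin\n")
        baseline = build_manifest(root)

        # What a scanner should catch: one file altered, one new file dropped in.
        with open(plugin_file, "a") as fh:
            fh.write("// unexpected change\n")
        with open(os.path.join(root, "wp-content", "uploads.php"), "w") as fh:
            fh.write("<?php // file that was not in the baseline\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest` right after a clean deployment or a verified update and keep the JSON with your backups; a scheduled diff against it, with the result written to your logs, gives you the "act fast" signal the third layer is meant to provide. Expected churn (cache directories, uploads) should be excluded or baselined separately so the report stays readable.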
Over 40 respondents of the website security survey stated that their main challenge is blocking and preventing attacks targeted to their websites. See a few examples of mentioned challenges below:
There are different types of firewalls to choose from, and the technical differences come with various pros and cons whose efficiency can vary in different scenarios. There are two main types of firewalls on the market: cloud-based WAFs and endpoint WAFs.
A cloud-based web application firewall is like a middle-man between your site and the visitor. When a visitor enters your domain name into the browser, the connection goes to the cloud-based firewall provider servers, where it’s analyzed.
If the visitor does not pose any risk to the site, the traffic is forwarded to the actual website (or to the cached version of the site).
Endpoint web application firewall (endpoint WAF) runs within the application or in the server itself. It’s often aware of the environment such as the software used inside the website and understands how it’s built.
An endpoint WAF has an internal overview of how the software is behaving and understands who the visitors are, by their permissions and whether they are authenticated or not. Just like a cloud-based WAF, it blocks attacks and filters unwanted traffic.
What does managed WAF mean? New threats are discovered on a daily basis. Threat intelligence is a critical element that differentiates very good WAF solutions from the average.
A large amount of data is often used to teach machine learning algorithms and managed web application firewall providers invest heavily in vulnerability research to feed your firewall with the latest information about the emerging threats. In short, they manage and update the firewall rules for you.
Which one to choose? The truth is, you should use both. Cloud WAF for reducing bot traffic and preventing DDoS attacks, and endpoint WAF for protecting the website from more sophisticated and direct hacking attempts.
1) Read a good overview of the pros, cons, and differences between the endpoint and cloud WAF.
2) A good idea is to have both, network and in-app level web application firewalls.
3) If you don’t have a security professional in the team, look for a managed web application firewall.
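The practical difference between the two firewall types is what they can see. A cloud WAF sees raw HTTP; an endpoint WAF also knows whether the request comes from a logged-in administrator or an anonymous visitor and can decide differently for the same URL. The toy in-app firewall below is an added example written for this article, not Patchstack's or any vendor's product: the paths, roles, rate limit and the "virtual patch" rule for a hypothetical plugin endpoint are all constructed to show how such context-aware rules are evaluated and logged.

```python
"""Added example: a toy endpoint (in-app) WAF. Unlike a cloud WAF that only
sees raw HTTP, an in-app firewall knows the application's auth state, so the
same request can be allowed for an authenticated administrator and blocked
for an anonymous visitor. Rules are ordered; the first match decides.
Paths, roles and the 'virtual patch' rule are constructed for the demo and
do not describe any real product or vulnerability."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Request:
    method: str
    path: str
    ip: str
    user_role: Optional[str] = None  # None means unauthenticated
    params: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str  # "block" or "allow"


class EndpointWAF:
    def __init__(self, rules: List[Rule], rate_limit: int = 20):
        self.rules = rules
        self.rate_limit = rate_limit
        self._hits = {}  # ip -> requests seen (time-window handling omitted here)
        self.log = []    # decision log: the 'third layer' needs it

    def evaluate(self, req: Request) -> str:
        """Return 'allow' or 'block' and record the decision."""
        self._hits[req.ip] = self._hits.get(req.ip, 0) + 1
        if self._hits[req.ip] > self.rate_limit and req.user_role is None:
            return self._decide(req, "block", "rate-limit-anonymous")
        for rule in self.rules:
            if rule.matches(req):
                return self._decide(req, rule.action, rule.name)
        return self._decide(req, "allow", "default")

    def _decide(self, req, action, reason):
        self.log.append((req.ip, req.method, req.path, req.user_role, action, reason))
        return action


def is_admin_area(req: Request) -> bool:
    # admin-ajax.php is legitimately used by anonymous visitors, so it is excluded.
    return req.path.startswith("/wp-admin/") and not req.path.startswith("/wp-admin/admin-ajax.php")


RULES = [
    # Admin screens are never served to anonymous visitors, whatever they send.
    Rule("admin-requires-login", lambda r: is_admin_area(r) and r.user_role is None, "block"),
    # Constructed 'virtual patch': a hypothetical plugin action that should only be
    # reachable by administrators is fenced off until the plugin itself is updated.
    Rule("vpatch-demo-plugin-export",
         lambda r: r.params.get("action") == "demo_plugin_export" and r.user_role != "administrator",
         "block"),
    # Uploads by editors/administrators are expected application behaviour.
    Rule("trusted-editor-upload",
         lambda r: r.method == "POST" and r.path == "/wp-admin/async-upload.php"
         and r.user_role in ("editor", "administrator"), "allow"),
]


def demo():
    """Same URLs, different auth context, different decisions."""
    waf = EndpointWAF(RULES)
    decisions = {
        "anon_admin": waf.evaluate(Request("GET", "/wp-admin/plugins.php", "203.0.113.5")),
        "admin_admin": waf.evaluate(Request("GET", "/wp-admin/plugins.php", "198.51.100.7", "administrator")),
        "anon_vpatch": waf.evaluate(Request("GET", "/wp-admin/admin-ajax.php", "203.0.113.5",
                                            params={"action": "demo_plugin_export"})),
        "admin_vpatch": waf.evaluate(Request("GET", "/wp-admin/admin-ajax.php", "198.51.100.7",
                                             "administrator", {"action": "demo_plugin_export"})),
        "public_page": waf.evaluate(Request("GET", "/", "203.0.113.5")),
    }
    return decisions, waf.log


if __name__ == "__main__":
    decisions, log = demo()
    for name, verdict in decisions.items():
        print(f"{name:12s} -> {verdict}")
    for entry in log:
        print("log:", entry)
```

The `_hits` counter is deliberately simple (no sliding window); a managed WAF replaces both the counter and the rule list with maintained threat intelligence, which is the "managed" part described above. The useful property to notice is that the virtual-patch rule buys time: the exposed action is blocked for everyone but administrators until the real fix is installed.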
The majority of participants mentioned that their biggest challenge is plugin vulnerabilities. We understand this very well, and this is also why we at Patchstack are focused on exactly that. Security vulnerabilities related to WordPress and its plugins and themes are a very good example.
A very worrisome fact about website security statistics: 98% of WordPress vulnerabilities are related to plugins.
Anyone can create a new plugin and add it to the WordPress repository. While this is very convenient, it raises many concerns, since the skills of the plugin developers vary. For the majority of WordPress users, it's hard to tell which of the plugins are written poorly and which ones are not.
If you have the necessary skills, you could audit the code, but vulnerabilities can also be introduced with plugin updates, which many struggle to apply in time, let alone audit each and every change.
Many people don't even have an overview of all the dependencies such as plugins, themes, and third-party code their website relies on. Before one can benefit from vulnerability monitoring, it would help to know what to monitor.
Security solutions such as Patchstack will detect all the different plugins within the website and will then analyze if any pose a threat to the security of the website. Receiving such information automatically and as quickly as possible is critical for being able to address issues in time.
In many cases, we have witnessed large-scale attacks against vulnerabilities the same day the developer released a fix. It's a matter of days if not hours to address the vulnerabilities and doing so manually (especially with many sites and dependencies) can be an extremely difficult task.
1) Try to use as few dependencies (plugins/themes) as possible.
2) Monitor the security of your dependencies (Patchstack vulnerability database, Snyk).
3) Use a managed web application firewall that provides virtual patches to the software you use (Sucuri, Wordfence, Patchstack).
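Before dependencies can be monitored, they have to be inventoried, as the section notes. The script below is an added example written for this article, not Patchstack's scanner: it reads the version out of each plugin's main file (the `Plugin Name:` / `Version:` header comment is the real WordPress convention), then compares the inventory against a vulnerability feed, treating an advisory with no fix as affecting every version from the first affected one onward. The plugin files and feed entries are constructed and correspond to no real plugin or advisory.

```python
"""Added example: build an inventory of installed plugins from their headers
and check it against a vulnerability feed. The plugin header format
('Plugin Name:' / 'Version:' inside the main file's comment block) is the real
WordPress convention; the plugin files and the feed entries below are
constructed for the demo and correspond to no real plugin or advisory."""
import re

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

# Constructed main plugin files, keyed by plugin slug (directory name).
PLUGIN_FILES = {
    "demo-gallery": "<?php\n/**\n * Plugin Name: Demo Gallery\n * Version: 1.4.2\n */\n",
    "demo-forms": "<?php\n/*\nPlugin Name: Demo Forms\nVersion: 2.0.0\n*/\n",
    "demo-seo": "<?php\n/**\n * Plugin Name: Demo SEO\n * Version: 3.1\n */\n",
}

# Constructed vulnerability feed: affected range is [affected_from, fixed_in).
VULN_FEED = [
    {"slug": "demo-gallery", "affected_from": "1.0.0", "fixed_in": "1.4.3", "title": "constructed issue A"},
    {"slug": "demo-forms", "affected_from": "1.0.0", "fixed_in": "2.0.0", "title": "constructed issue B"},
    {"slug": "demo-seo", "affected_from": "3.0", "fixed_in": None, "title": "constructed issue C (unpatched)"},
]


def parse_header(source):
    """Extract name and version from a plugin's main file; None if no version."""
    fields = {key: value for key, value in HEADER_RE.findall(source)}
    if "Version" not in fields:
        return None
    return {"name": fields.get("Plugin Name", "?"), "version": fields["Version"]}


def version_tuple(v):
    """'1.4.2' -> (1, 4, 2); missing components compare as 0 so '3.1' == '3.1.0'."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version, advisory):
    v = version_tuple(version)
    if v < version_tuple(advisory["affected_from"]):
        return False
    # No fix released yet: every version from affected_from on is exposed.
    if advisory["fixed_in"] is None:
        return True
    return v < version_tuple(advisory["fixed_in"])


def build_inventory(plugin_files):
    """slug -> {name, version} for every plugin whose header could be parsed."""
    inventory = {}
    for slug, source in plugin_files.items():
        header = parse_header(source)
        if header:
            inventory[slug] = header
    return inventory


def check_inventory(inventory, feed):
    """Return [(slug, installed_version, title, fixed_in)] for every match."""
    findings = []
    for adv in feed:
        entry = inventory.get(adv["slug"])
        if entry and is_affected(entry["version"], adv):
            findings.append((adv["slug"], entry["version"], adv["title"], adv["fixed_in"]))
    return findings


if __name__ == "__main__":
    for slug, ver, title, fix in check_inventory(build_inventory(PLUGIN_FILES), VULN_FEED):
        advice = f"update to {fix}" if fix else "no fix yet, rely on a virtual patch or disable"
        print(f"{slug} {ver}: {title} -> {advice}")
```

On a real install the `PLUGIN_FILES` dict would be filled by reading the main file of each directory under `wp-content/plugins`, and the feed by the database or API you subscribe to; the matching logic stays the same. The unpatched case is the one to watch: it is exactly the situation the "virtual patch" advice in point 3 above is meant for.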
Updates are a problem many digital agencies and freelancers have trouble with. In this survey, we had 22 respondents that said it is one of their main challenges.
There are two main problems that web professionals face. The most common concerned third-party plugin updates and how to keep them protected. The second was how to keep everything up to date without breaking the site.
Many plugins receive regular updates. These updates often include new features, bug fixes, or security fixes which are important to keep your sites safe. When it comes to security updates, you should always update the software whenever such updates are available.
When we talk about other updates like new features or core updates, it is advised to wait a few days because some major updates might break your site.
If you wait a few days, you can keep an eye on forums and see if anyone else has any issues with the latest update. This allows you to make sure the update will be beneficial, not a time-consuming nightmare.
Even with forum monitoring and research, updates still need to go hand in hand with backups. If you have regular backups and perform a backup before updating your site, you can restore the site from that backup if the update breaks it anyway.
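The update advice above is a small procedure: back up, apply, verify, and restore if verification fails. The routine below is an added example written for this article (not a Patchstack or WordPress tool) that encodes that order so the rollback cannot be forgotten. The site is modelled as a plain dict, and the updater and health-check callables are constructed stand-ins; on a real host the same three hooks would wrap a file-and-database snapshot, the plugin or core update, and an HTTP check of the key pages.

```python
"""Added example: an update routine that follows the rule 'back up first,
then update, then verify, and restore if anything broke'. The site is
modelled as a plain dict and the update and health-check callables are
constructed stand-ins; on a real host the same three steps would wrap
a filesystem/database snapshot, the package or plugin update, and an
HTTP check of key pages."""
import copy


def update_with_rollback(site, apply_update, health_check, log=None):
    """Return (new_site, status) where status is 'updated' or 'rolled-back'.

    site:          current state (dict here; a real backup snapshots files + DB)
    apply_update:  callable that mutates a copy of the site in place; may raise
    health_check:  callable returning True when the site still works
    """
    log = log if log is not None else []
    backup = copy.deepcopy(site)           # 1. back up before touching anything
    candidate = copy.deepcopy(site)
    try:
        apply_update(candidate)            # 2. apply the update to a working copy
        if health_check(candidate):        # 3. verify: front page, admin, key forms
            log.append("update applied and verified")
            return candidate, "updated"
        log.append("health check failed; restoring backup")
    except Exception as exc:               # a crashed updater is also a failure
        log.append(f"update raised {exc!r}; restoring backup")
    return backup, "rolled-back"           # 4. hand back the pre-update snapshot


# Constructed site state and updaters for the demo.
SITE = {"core": "5.4", "plugins": {"demo-gallery": "1.4.2"}, "front_page_ok": True}


def good_security_update(site):
    site["plugins"]["demo-gallery"] = "1.4.3"   # security fix: apply promptly


def breaking_feature_update(site):
    site["core"] = "5.5"
    site["front_page_ok"] = False                # simulates a template that broke


def crashing_update(site):
    raise RuntimeError("constructed failure: disk full mid-update")


def site_works(site):
    return site["front_page_ok"] is True


if __name__ == "__main__":
    for updater in (good_security_update, breaking_feature_update, crashing_update):
        log = []
        state, status = update_with_rollback(SITE, updater, site_works, log)
        print(f"{updater.__name__}: {status}; {log[-1]}; state={state}")
```

Because the update is applied to a copy and the original state is returned untouched on failure, a broken feature update never leaves the live site half-migrated; that is the property to reproduce with real snapshots (a database dump plus the web root) before any update, even a security one you intend to apply the same day.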
A large share of respondents stated that their main challenge is educating their clients about security. The issues were not only about whether website security is needed at all, but also about the dangers of installing nulled plugins, old and outdated plugins, and more.
The majority of clients don't understand why their small website is targeted by hackers and therefore they can't understand the importance of securing their websites. The hard conversation about explaining the extra costs for security was also mentioned several times.
Another issue with client education concerned malware removal and hacked sites. Freelancers and agencies have problems explaining why the site was hacked, who would do that, and why the developer is not responsible. On top of that, they struggle to tell an angry client that a service like malware removal comes at an extra cost.
Without the up-front discussion about the potential risks of having a website - the reputation of an agency or a freelancer can later suffer.
One of the best things you can do is educate your clients. It builds trust. When your client has several options to choose from, he or she will most definitely choose the option that has educated them the most.
So first thing when either selling care plans or up-selling security to your client is to prepare some content (or use content previously prepared by a security company), videos, or documents to address the most frequent questions, such as "why would anyone want to hack my small website?".
The smart consumer will opt to buy from the company that’s educated him on the issue and presented him with multiple solutions. That company’s selflessness has built trust — and its ability to teach him has bought his loyalty in the future.
1) Talk about security as early as possible. This can be seen as added value and shows responsibility.
2) Add security as a dedicated section to the handbook which you provide to your customer.
3) Include security awareness within a newsletter. You can find monthly summaries from security blogs.
It should never be a goal by itself to find the cheapest option. If the website is important enough to have been built in the first place, it is generating revenue, representing a business, or collecting important data - the cost of security is usually a fraction of what you would lose after a security incident.
The heavy research and development these companies do to build an outstanding product and to keep the security of your website one step ahead of hackers requires significant investment.
The cost of a security service often also reflects the quality of support and the responsibility the company takes.
Once you have a list of potential solutions, take a look at the reviews about their support and product. Since security is very research-intensive, don't forget to look if the company is doing its own security research to stay ahead of malicious actors.
1) Show the data. The probability of a breach is high and the cost of remediation is always higher than prevention.
2) Additional responsibility is often taken by the security company to provide rapid reaction. See this.
3) Introduce customers to multiple comparable solutions.
It's no surprise that people use bad passwords. Passwords are hard to remember. When it comes to security, experts advise using unique passwords for each account online, which does not make remembering passwords any easier.
The top 5 most frequently used passwords (source):
Hopefully, your password is not on that list. A good way to have strong passwords is by using a password management tool. With a password management tool, you can start using complex randomly generated passwords to make sure they are unique.
Firstly – you won’t remember every password you have. A very bad practice is to use one password for more than one account. Using a plain password is a bad idea anyway – but we’ll get to that later.
With password management tools you can easily access all your passwords from one place with one master key.
Secondly – use passphrases or even better, generate a random key with your password management program.
Thirdly – the master key. Instead of using a password, use a passphrase, which is much longer. Use some numbers and upper- and lowercase letters. To be clear – by passphrase we mean a short sentence you generate yourself, but make sure it’s something you’ll remember.
For a second layer of protection, you should add two-factor authentication (2FA), also called multi-factor or multi-step verification, to your important accounts. Two-factor authentication is an authentication mechanism to double-check that your identity is legitimate.
It is something that will keep your accounts more secure and offers you an extra layer of protection, besides passwords. It’s hard for cybercriminals to get the second authentication factor (which is often your smartphone) and it will drastically reduce their chances of success.
2FA is a must-have for:
For example, you can see how to add 2FA to your website administrator accounts here.
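The two recommendations above, random passphrases and a second factor, are short enough to show in working code. The block below is an added example written for this article, not code from Patchstack or from any password manager or authenticator app: `generate_passphrase` draws words with the `secrets` module and reports how much entropy the choice provides, and `totp_code` / `verify_totp` implement the RFC 6238 time-based one-time password scheme that most authenticator apps use as the second factor. The word list is a constructed sample; the `window` parameter for clock drift and the constant-time comparison are the two details a real deployment must not skip.

```python
"""Added example: the two recommendations above in code. generate_passphrase()
draws words with the secrets module (CSPRNG) from a word list and reports the
entropy the choice gives; totp_code() / verify_totp() implement RFC 6238
time-based one-time passwords, the mechanism behind most authenticator apps.
The word list is a constructed sample; use a large published list in practice."""
import base64
import hashlib
import hmac
import math
import secrets
import struct
import time

# Constructed sample list; real lists (e.g. Diceware-style) have ~7,000+ words.
WORDS = ["anchor", "bright", "canyon", "delta", "ember", "forest", "granite",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
         "orbit", "pepper", "quartz", "ridge", "saddle", "timber", "umbrella",
         "velvet", "walnut", "yonder", "zephyr"]


def generate_passphrase(word_count=5, words=WORDS, separator="-"):
    """Return (passphrase, entropy_bits). Words are chosen independently at random,
    so entropy is word_count * log2(list size) regardless of how 'memorable' it looks."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    entropy_bits = word_count * math.log2(len(words))
    return separator.join(chosen), entropy_bits


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_code(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now // step), digits)


def verify_totp(secret, submitted, for_time=None, step=30, window=1):
    """Accept the code for the current step and +/- `window` steps of clock drift;
    compare in constant time so the check itself does not leak the code."""
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def new_totp_secret():
    """20 random bytes, base32-encoded the way authenticator apps expect at enrolment."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    phrase, bits = generate_passphrase()
    print(f"passphrase: {phrase}  (~{bits:.1f} bits of entropy)")
    enrol = new_totp_secret()
    secret = base64.b32decode(enrol)
    print("enrolment secret:", enrol, "current code:", totp_code(secret))
```

The entropy figure is the honest way to judge a passphrase: five words from a 25-word list give only about 23 bits, while five words from a 7,776-word list give about 64. For the second factor, the server stores the base32 secret from enrolment and accepts a submitted code only if `verify_totp` returns true; it should also record used codes for the current step so a code cannot be replayed within its window.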
People often make mistakes without realizing how the mistake can affect the organization or a company. Human mistakes were the cause of 21% of data breaches in 2018 according to the 2019 Data Breach Investigations Report made by Verizon.
Despite all the security tools, firewalls, checklists, and tweaks you make to your website, there is always a possibility that your site ends up hacked because of a simple human mistake.
What are the common mistakes people make:
Phishing and other types of scams are often executed very professionally and can sometimes trick even seasoned security professionals. Unfortunately, humans can't be patched and there is no firewall that can prevent well-crafted social engineering attacks. What can be done is to regularly keep up to date with threats and educate people on cyber hygiene.
Here is an example of a scam designed to scare website owners into paying a ransom for their supposedly hacked website.
1) Keep yourself up to date - a good source is Hackbusters.
2) Keep in mind that if something looks too good to be true, it probably is.
3) Double-check who sent you the email. If something looks off, ask advice from a tech-savvy friend.
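Point 3 above, "double-check who sent you the email", can be partly automated. The script below is an added example written for this article (not a Patchstack tool) that parses a raw message with Python's standard `email` module and flags the header mismatches scams rely on: a display name that shows an address on one domain while the real sender address sits on another, a Reply-To that diverts replies elsewhere, a Return-Path that disagrees with From, and urgency wording in the subject or body. The sample message is constructed to resemble the ransom-style scam mentioned above and uses reserved example domains only.

```python
"""Added example: simple header checks behind 'double-check who sent you the
email'. It parses a raw message with the standard library, then flags the
mismatches scammers rely on: a display name that imitates one domain while
the real address sits on another, a Reply-To pointing elsewhere, and a
Return-Path that disagrees with From. The message below is constructed;
the domains are reserved example names, not real senders."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample that imitates the 'pay ransom for your hacked site' scam.
SAMPLE = """From: "support@example-hosting.com" <billing@example.net>
Reply-To: recover@example.org
Return-Path: <bounce@example.net>
Subject: Your site has been compromised - act now
Date: Mon, 01 Jun 2020 10:00:00 +0000

Your website was hacked. Pay within 24 hours or it stays offline.
"""

URGENCY_WORDS = ("act now", "within 24 hours", "immediately", "final notice")


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_headers(raw):
    """Return (findings, details). findings is a list of human-readable warnings;
    details carries the parsed addresses so a reader can see what was compared."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # Classic trick: the visible name is an address on a trusted-looking domain,
    # while the actual envelope sender is somewhere else entirely.
    if "@" in from_name and domain_of(from_name) != from_dom:
        findings.append("display name contains an address on a different domain")
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    if return_addr and domain_of(return_addr) != from_dom:
        findings.append("Return-Path domain differs from From domain")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency pressure in subject or body")

    details = {"from": from_addr, "reply_to": reply_addr, "return_path": return_addr}
    return findings, details


if __name__ == "__main__":
    warnings, parsed = analyze_headers(SAMPLE)
    print("parsed:", parsed)
    for w in warnings:
        print("warning:", w)
```

None of these checks proves a message is a scam, and a clean result does not prove it is genuine; what they do is surface the details a hurried reader skips, so the "ask a tech-savvy friend" step happens before anyone acts on the message. Mail clients and gateways apply far richer versions of the same idea (SPF, DKIM and DMARC results), and those headers can be added to the comparison in the same way.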
The global crisis has accelerated the digitalization of society and businesses continue to move online. Digital agencies and web professionals who are in the front line by providing web development and IT services are becoming increasingly worried about security.
The number of attacks is growing, and even the smallest websites are hit by automated hacking tools. While businesses move online and e-commerce grows rapidly, criminals find new ways to make money by luring people into elaborate scams, or by directly infecting websites with malware to steal the credit card details of online shoppers.
The biggest and most frequently mentioned website security issue seems to be the heavy use of third-party code, which also accounts for the majority of security vulnerabilities in the most popular content management system, WordPress.
On the other hand, web professionals are becoming increasingly aware of security risks and more companies are providing help with security services, tools, and support.
Now, it's time to educate the end-users and customers and share this website security report with them.