Assess Your Database Security With This 4-Step Checklist

February 7, 2020 in Database Security

With content management systems like WordPress powering a large portion of the websites online, it’s even easier for first-time website owners to build a sleek, professional site for their online business. Dynamic CMS sites are often powered by a database, which is a critical component to secure. This is where your customers’ information is stored. Any time a site visitor clicks an image, fills out a contact form, or makes a purchase on your website, that information is stored in the database.

As a digital storage room full of important customer information, a database is invaluable to your online business. It drives conversions and is the backbone of how you deliver meaningful content that keeps your visitors coming back — but it’s also valuable to cybercriminals. That’s why your small business should make database security a top priority in 2020.

This database security assessment checklist can be your go-to list for ensuring your data stays protected:

1. Encrypt. In order to create an encrypted layer between your server and visitors’ browsers, we recommend employing a Secure Sockets Layer. You can think of an SSL like a bodyguard: It protects your data as it moves from place to place. For example, if a customer makes a purchase and submits a payment, the SSL will ensure that cybercriminals cannot easily read important information, such as credit card numbers, while it’s en route to its destination.

SSL certificates are a basic measure all websites should take to protect customer data. In fact, some popular browsers will actually tell users a website is unsecured if it doesn’t have an SSL. Visitors should be able to recognize whether a site has an SSL because a small lock appears next to the URL in the browser, and the URL will start with “https” rather than “http.”

Along with encrypting data in transit, you’ll want to make sure any data stored in your database is encrypted, which is a critical step if you collect personal identifiable information such as names, addresses, Social Security numbers, etc. That way, if cybercriminals do gain access, they won’t be able to read the data.

2. Sanitize input fields. In an attack known as an SQL injection — often stylized as SQLi — cybercriminals can infect your website and database by entering modified queries into input fields. This tricks the database into allowing an attacker unauthorized access to the sensitive data collected on your website.

In the “SiteLock 2019 Website Security Report,” we found that 6% of the 6 million websites we evaluated had SQLi vulnerabilities. You can prevent these vulnerabilities by sanitizing input fields or validating that data is in the proper form before it can be submitted through the field.

Predefining what a user can input will ensure that site visitors are only able to submit expected content into input fields. For example, in a field requesting the visitor’s phone number, you should allow only numbers, hyphens, and parentheses. That way, if a cybercriminal enters malicious code into the field, the server will read it in plain text only. As a website owner, you can improve database security by regularly sanitizing all input fields on your website or reach out to a website developer who can implement the necessary changes.

3. Install a scanner and firewall. An automated website scanner can scan your website files and database to detect and remove any spam content or malware before it spreads. Scanners can also look for outdated code in your CMS and automatically patch the outdated code to close any security vulnerabilities that could lead to a data breach.

A web application firewall helps deflect malware and malicious bots before ever hitting your site. A properly configured WAF creates a defensive perimeter against common types of attacks such as SQLi attacks. A cybersecurity provider can help you configure a WAF and automated scanner to your specific website and database.

4. Perform updates and backups. Cybercriminals often exploit known security weaknesses found in outdated CMS code such as CMS core files, plugins, and themes. It’s critical to check and perform updates as new versions are released, as these updates are designed to fix specific security vulnerabilities. Incorporating updates into your website maintenance routine is an easy way to improve your database security. Additionally, delete any plugins you don’t use regularly — you’re more likely to overlook updates on website elements you don’t use.

After performing software updates, the next step is backing up your website files and database to ensure you always have an up-to-date version of your website stored. Access to working backups will help in critical situations (e.g., if your site files are corrupted from a bad update that breaks your site or, most importantly, after a website attack). As a best practice, ensure to store a current backup of your website’s content off-site. For instance, you can use an offline storage option or a convenient backup service that can quickly restore your site.

Backing up current versions of your site gives you instant leverage if attackers try to exploit your website data by deploying a ransomware attack. During a ransomware attack, cybercriminals take over your website data and demand a ransom to return it. If you’ve backed up your most important files, this attack will be a misspent effort on the cybercriminal’s end. Most importantly, you won’t have to pay the ransom to have your information returned.

Any company doing business online should keep database security top of mind. This means implementing a comprehensive security solution that can find, fix, and block critical threats to your database. Your customers trust you to keep their information secure, and showing them that you take their privacy and protection seriously will only make you a more trusted vendor in their eyes. Use the steps above as a database security assessment checklist to ensure you’re doing everything you can to protect your customers’ valuable data.

Monique Becenti is a product and channel marketing specialist at SiteLock, a cloud-based website security provider currently protecting more than 16 million websites globally. Monique is passionate about improving the customer experience for all. SiteLock’s combination of dedicated research and developmental efforts, aggressive product road maps, and access to a massive global data set make the company a leading innovator in web security.

Latest Articles
Follow SiteLock