Website Security for Law Firms

Cybersecurity for boutique legal businesses

At Case Space Media, primarily a content marketing and SEO company, we know your boutique law firm works hard to serve clients and this doesn’t always leave time for things like cybersecurity and website hardening. 

Treating digital security as an afterthought is exactly what hackers are counting on. Little (or no) IT governance, outdated software, and lax policies could make your business a prime target for hackers.

What’s more, cybercrime seems to be changing and adapting in response to the COVID-19 pandemic, according to the Canadian Centre for Cyber Security. The landscape of cybercrime is changing quickly, and with several major breaches in the last year (See: “The biggest hacks, data breaches of 2020”), it’s clear that the problem won’t be going away anytime soon, especially when many people are now working from home.

The Canadian Bar Association also recommends familiarizing oneself with the types of cybersecurity threats organizations face as a key factor in being prepared for a threat, and carrying liability insurance in case of a breach. The proposed Canadian Consumer Protection Act requires security safeguards at the level of protection proportionate to the sensitivity of the information. 

A breach, and the possible sale of private data, can certainly be costly and time-consuming, and can present unexpected legal problems.

Luckily, there are a handful of well-documented changes that legal businesses can make to secure their websites. Read on for strategies that can help make your website safer.

What do you stand to lose?

(And how not to be an easy target)

Image: Law Firms & Legal Business Website Hacked

It goes without saying that a cyberattack could lead to the loss of a company’s web assets, but in the case of law firms and other legal businesses that store private information online, a website hack could have tremendous consequences for clients and staff. 

One such example is the court decision surrounding a cyberattack on a U.S. law firm that resulted in the breach of sensitive information. In this case, the information belonged to a foreign government dissident who was taking refuge in the United States and was a client of the law firm. Because of the political harassment resulting from the data breach (and the circumstances under which the breach happened), the law firm had to defend itself against a malpractice claim.

Sensitive case notes, proprietary company information, and personally identifiable information (PII) are all valuable on the dark web. Hackers can also use compromised emails stolen from your website to wreak havoc beyond the targeted site, a technique known as leapfrogging. Not only can this ruin your reputation and endanger your contacts, it also leaves your law firm open to huge liability, such as a malpractice lawsuit.

Hardening vs. Making a website “unhackable”

Digital security specialists need to account for all possible ways their system could be breached.

In this article, we will outline some of the ways you can reduce your “attack surface” and make your law firm a far less hackable target. Given that WordPress is used by 64.4% of all websites with known Content Management Systems, this article will lean heavily towards WordPress hardening, but we’ve made sure to include tips that will be relevant no matter your website platform.

Image: Website Security Configuration for Law Firms & Legal Businesses

From the bottom up: Hosting, Networks and Web Applications

Before we talk about website security from a front-end development perspective, let’s take a moment to consider your website’s foundation: hosting services, networks and web applications.

Hosting service

A good hosting service is the foundation of your website. If your site is hosted on a server that is riddled with vulnerabilities, your website itself could be vulnerable even if it’s set up well. Even in cases where your law firm is the victim of a crime done to a third-party vendor, your firm may still be liable for failing to keep data safe. 

Finding the right web hosting provider and hosting type (e.g. shared, VPS, or cloud) can be a bit of a process, but is the foundation for a sturdy site. We recommend prioritizing speed, reliability, security, and customer support, while steering clear of outdated software and known vulnerabilities. In particular, make sure your host is using updated versions of PHP and MySQL, two components that are vital to any WordPress site.

Networks

A secure network is also crucial to maintaining a secure site, which means that you should secure any wired or wireless connections you’re using, and be smart when using public Wi-Fi. If you want to get serious about network security, you should consider familiarizing yourself with network and vulnerability scanners such as Nmap and OpenVAS. These can be used to find weaknesses before hackers do, both from outside your network (external scans) and from the inside, where threats include disgruntled employees or contractors (internal scans).

Web Applications

Web applications (Web apps) are also a significant vector for cyberattacks. We don’t cover them in any detail here because the Open Web Application Security Project has an incredibly thorough approach to this topic. They offer a suite of open-source vulnerability scanning tools, which can be used to secure all sorts of sites. At Case Space Media, we use a variety of tools in our security assessments.

Image: Website Backups for Law Firms & Legal Business

Before you make any changes… back up your files!

Hardening your website for security purposes involves making changes to settings that might affect your site functionality and that may even crash your site. Before enacting any of the changes in this article, we recommend backing up anything and everything. WordPress.org recommends maintaining at least three backups in three different places (in case any become corrupted or lost).

At Case Space Media, we recommend having a few different types of backups, such as two automatic backups from plug-ins and a manual backup from something like phpMyAdmin or WP-CLI. Make sure to back up not just your site but your database as well: having incomplete or corrupted backups is like having no backups at all. You might also want to familiarize yourself with rebooting and debugging via your site’s control panel if you haven’t already.

Application-Layer security

Application-layer security is something all websites should incorporate, whether they’re running WordPress or not. We recommend 1) switching to HTTPS and 2) implementing site-specific security headers.

1. Use HTTPS if you’re ready to get with the protocol

HTTPS stands for Hypertext Transfer Protocol Secure; it is a way of delivering websites that provides security for you and your site visitors. It uses SSL/TLS (Secure Sockets Layer and its successor, Transport Layer Security) to establish a secure connection between a given browser and your hosting server, ensuring that all exchanged information is encrypted.

In 2018, Google began warning users that a website was “not secure” if it was not HTTPS compliant. This has been shown to reduce user trust in your website. In other words, not having HTTPS makes for a poor user experience and less traffic to your site.

In a previous blog post, we talked about the importance of HTTPS as an SEO ranking factor. There are many free and effective ways of transitioning to HTTPS, so if you haven’t made the switch, it’s time to think about moving. In fact, newer WordPress versions make it possible for your legal business to make the switch to HTTPS in just one click!

We’ve also written an article about how SEO can help your legal business with online visibility… give it a gander!

2. Set the rules with site-specific Security Headers

Security headers are a hugely important but often overlooked part of website security. They can help prevent hacking attacks such as Cross-Site Scripting and Clickjacking, significantly reducing your site’s vulnerability. Here are some examples of security headers you might want to implement on your site.

The Strict-Transport-Security (HSTS) header will force browsers to use the secure HTTPS connection, rather than the more vulnerable HTTP. If you don’t have this header in place, malicious users can still carry out HTTP-centred attacks on your site, regardless of whether you’re running HTTPS.

The Content-Security-Policy (CSP) header protects your website from cross-site-scripting by specifying file origins, among other things. This header is specific to each website! Ask us about how to craft one for your own site.

The X-Frame-Options header can protect against cross-site scripting and other attacks involving HTML iframes; this helps protect against things like clickjacking.

Expect-CT is another header that can prevent site certificate spoofing. CT stands for certificate transparency. It’s a way to say, “this site is legit!”

Other headers include X-Content-Type-Options, Referrer-Policy, Cache-Control, Clear-Site-Data, and Feature-Policy. Security headers are an effective way to increase your website security.

Does your website have security headers installed? You can test your site at securityheaders.com. Keep in mind that certain caching scripts or plug-ins can interfere with security header functionality.
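To show what a check of these headers looks at, here is an added example (not code from this article or from securityheaders.com) that audits one response's headers for the items described above. The minimum HSTS lifetime and the two sample responses are assumptions constructed for illustration.

```python
import re

MIN_HSTS_SECONDS = 15552000  # assumed threshold (180 days), not from the article

def parse_csp(value):
    """Split a CSP string into {directive: [source, ...]}; first directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_security_headers(headers):
    """Return findings for one response; header names match case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    m = re.search(r"max-age\s*=\s*(\d+)", h.get("strict-transport-security", ""), re.I)
    if m is None:
        findings.append("HSTS: header or max-age missing")
    elif int(m.group(1)) < MIN_HSTS_SECONDS:
        findings.append("HSTS: max-age too short")

    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None:
        findings.append("CSP: no script-src or default-src")
    elif "*" in scripts or "'unsafe-inline'" in scripts:
        findings.append("CSP: script sources too permissive")

    # Framing can be restricted by X-Frame-Options or by CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("Framing: no X-Frame-Options or frame-ancestors")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not set to nosniff")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy: missing")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}
HARDENED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_security_headers(resp) or "no findings")
```

Run the same audit again after enabling a caching plug-in, since a cached response may be served without the headers.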

Image: Network Configuration for Law Firms & Legal Business

WordPress Updates and Plug-Ins 

Outdated software of any kind is prone to vulnerabilities. Read on to find out how you can keep your WordPress up to date.

WordPress Core Update

With everything backed up, take a look at which WordPress Core version you’re using. Older versions tend to become vulnerable as hacking methods evolve over time, and new vulnerabilities get discovered. In the words of the WordPress support team, you should always update to the latest version. Here’s a guide for how to find which version you’re running. If yours is not up to date, here are a few different ways you can update your WordPress Core. On that note, you should also update your theme, and avoid pirated themes as they pose a huge security risk.

Newer versions of WordPress also have additional features you might be missing out on, such as the ability to set your Plug-Ins to update automatically, which is usually a good idea! That brings us to our next topic: Plug-Ins.

WordPress Plug-Ins: a hacker’s best friend

“Don’t worry, we’ve got plug-ins!”

 —famous last words.

A plug-in is a software component that adds a specific feature to a computer program, like an SEO plug-in that analyzes how well your site is optimized for search. WordPress has more than 50,000 active plug-ins to tailor your website to your needs (partly why it’s so popular), with a great deal of them devoted to security… but which ones are right for you? While ratings and ease of use are certainly valuable when reviewing the available options, it’s worth examining the actual security features that each plug-in offers. From our experience, we’ve found that no one plug-in is a perfect solution, and that combining various security plug-ins is often your best bet. With that being said, plug-in security is not a numbers game! Having more plug-ins not only makes your website bulkier and harder to troubleshoot when something goes wrong, it also increases your attack surface, especially if there are known vulnerabilities for your plug-ins or if they’re out of date.

Whatever choice you make, keep in mind that security plug-ins need to be configured! In that sense, the real danger is in the false sense of security of having them on your site but not set up properly. There’s also a real danger in security plug-ins crashing your site or locking you out!

Image: Prevent Data Breach for Law Firms & Legal Businesses

Log-in & user security tips

Next, we’re going to look at how to stop hackers from logging into your website with a few simple tips around log-ins and users.

1. Hide your log-in page

In order for hackers to get into your site with stolen credentials or brute-force attacks, they first need to find your log-in portal. If your home page has a link to your log-in, you’ve basically hand-delivered them one of the most vulnerable pages of your site. Likewise, if your log-in portal is found at the WordPress default of example.com/wp-admin, it’s too easy to discover. Move it somewhere memorable but private, like example.com/whatever-you-want, to keep it out of the public eye. Ask us how!

2. Use strong passwords

Please DO NOT set your password to password. As silly as it is, password is the single most popular password on the internet. Even today, hackers use it to get into all sorts of things. Okay, maybe you’re smarter than that… but is your password in the top 25 passwords? How about the top one million? Hackers use password lists like this all the time to automate password spraying attacks, and reuse leaked credentials in credential stuffing. Both types of attacks (and many others) can be mitigated with the following steps:

  • Make a password policy for your law firm.
  • Refer to existing guidelines such as NIST or the equivalent for Canada or your own country. 
  • Reset any accounts that are known to be part of breached credentials. Tools such as haveibeenpwned.com can help you see whether your credentials are out there, but remember that absence of evidence is not evidence of absence.
  • Use unique passwords for every service or website each staff member uses (i.e. don’t reuse your existing passwords).
  • Don’t write your password on a sticky note on your workstation. We wish we were kidding.

3. Be smart about your usernames

In a way, usernames are just as important as passwords; they make up the other half of any log-in credential and are thus an asset you should protect. WordPress comes with a default username Admin. If you haven’t deleted this user, you’ve made hackers’ challenge 50% easier: all they have to do is guess the password. Likewise, if any of your usernames match your post authors, brute force attacks are that much more likely to succeed.

4. Monitor and limit user activity

How many log-in attempts is too many? If someone hasn’t gotten the right password after 10 tries, that someone is probably a robot (or needs their morning coffee!). Setting limits for log-in attempts is an easy way to cut down on brute force attacks. Just make sure you’ve got safeguards in place so you don’t end up with everyone locked out.

Monitoring user log-ins with an activity log is another valuable way to see if there’s anything fishy happening on your site. Activity logs can be set up and checked regularly. On that note, you should consider automatically logging off idle users after a certain amount of time; it makes things like session hijacking less likely.

Lastly, be smart about the roles you assign to your page users. Does everybody need to have Admin privileges? Probably not. We recommend giving users the minimum site privileges for their needs. Think of it as not only protecting your site, but also as protecting them from the liability associated with higher roles.

5. Other tips and tricks

Brute force attacks are not usually done by hand; they’re done by automated scripts and bots. And you know what bots really don’t like? Captchas! As annoying as it is to answer a math problem or click on some traffic lights every time you log in, it is less inconvenient than having your site compromised. Honeypots are also a useful tool; they’re basically a box that only bots can see, so anything that’s entered into them voids the log-in attempt. Lastly, consider using Multi-factor Authentication whenever possible. Let us know if you need a hand setting up any of these features.
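The log-in limit from tip 4 and the honeypot from tip 5 can be combined in one gate that runs before the password check. The sketch below is an added example, not code from this article or from any WordPress plug-in; the 15-minute window, the lockout length, and the hidden field name `website` are assumptions.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 10           # the article's "10 tries"
WINDOW_SECONDS = 900        # assumption: failures are counted over 15 minutes
LOCKOUT_SECONDS = 900       # assumption: lockouts expire on their own
HONEYPOT_FIELD = "website"  # hypothetical hidden form field; people leave it empty


class LoginGate:
    """Screens a log-in attempt before the password is checked."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)  # (username, ip) -> failure times
        self.locked_until = {}              # (username, ip) -> unlock time

    def check(self, username, ip, form):
        """Return 'reject_bot', 'locked' or 'allow'."""
        if form.get(HONEYPOT_FIELD):
            return "reject_bot"  # only an automated client fills the hidden field
        if self.locked_until.get((username.lower(), ip), 0) > self.clock():
            return "locked"
        return "allow"

    def record_failure(self, username, ip):
        """Count a wrong password; lock the pair after MAX_FAILURES in the window."""
        now, key = self.clock(), (username.lower(), ip)
        recent = self.failures[key]
        recent.append(now)
        while recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            # Keyed on username AND address: a bot elsewhere cannot lock the
            # real user out, and the lock lifts without an administrator.
            self.locked_until[key] = now + LOCKOUT_SECONDS
            recent.clear()

    def record_success(self, username, ip):
        self.failures.pop((username.lower(), ip), None)


def simulate(attempts):
    """Replay (seconds, username, ip, form, password_ok) tuples; return decisions."""
    now = [0.0]
    gate, decisions = LoginGate(clock=lambda: now[0]), []
    for seconds, username, ip, form, password_ok in attempts:
        now[0] = seconds
        decision = gate.check(username, ip, form)
        decisions.append(decision)
        if decision == "allow":
            (gate.record_success if password_ok else gate.record_failure)(username, ip)
    return decisions

# Constructed attempts: twelve wrong guesses for one user from one address.
SAMPLE = [(i, "jsmith", "203.0.113.5", {}, False) for i in range(12)]
```

Replaying `SAMPLE` through `simulate` allows the first ten guesses and refuses the last two; the same user from another address, or from the same address after the lockout expires, is allowed again.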

More WordPress hardening tips

The list of things you can do to harden WordPress is extensive. Here are a handful more things you can do:

  • Install a Firewall
  • Make use of a CDN
  • Change your database prefix from “WP” to something else
  • Harden Your .htaccess and wp-config.php files
  • Check file permissions in your control panel
  • Disable WordPress Dashboard theme and plugin editing
  • Disable PHP Execution in Untrusted Folders
  • Disable PHP Error Display
  • Disable directory listing
  • Password-protect directories
  • Move the wp-config.php file to a non-WWW directory
  • Change Your WordPress Security SALT Keys
  • Disable hotlinking
  • Deny access based on IP or an IP range
  • Check for Authority and Intent in any PHP actions
  • Add nonces in forms
  • Protect site from script injections
  • Protect WordPress Against Malicious URL Requests
  • Disable XML-RPC
  • Remove the WordPress Version Number

Image: Website Hardening for Law Firms & Legal Businesses

Conclusion

We hope this article has helped to get you inspired for running a secure website. At Case Space Media, we can help law firms like yours move towards a stronger presence online, focusing on content and digital marketing, all while recognizing the unique needs of boutique law firms. Get in touch to find out more.

Further Reading:

American Bar Association – Cybersecurity

Brian Lovin’s “Security Checklist”

Channel Futures – Why Hackers Target SMBs

CLIO – 2021 Law Firm Data Security Guide

Google – Web Security (for developers)

Government of Canada – Safeguarding personal information

Government of Canada – Security of online government services

Lexology – Law Firm Malpractice Decision Teaches Cybersecurity Lessons

Mozilla – Intro to HTTP

Netsparker – 5 Steps to Improving Your Cybersecurity Posture

Sucuri – How to Choose a WordPress Security Plugin

Sucuri – How to Secure Your WordPress Site

Tactical Tech – Holistic Security

The 15 biggest data breaches of the 21st century

Threatpost – 5 Cybersecurity Gaffes and Fixes Mid-Size Businesses Face

WordPress – Hardening WordPress

WP White Security – Hacking WordPress via Man-in-the-Middle attacks

ZDNet – Web hosting provider shuts down after cyberattack

Disclaimer:

DISCLAIMER: Hacking and cybercrime are a part of the online landscape. This article is provided for informational purposes, and any information within or via its links is to be used at your own risk. We cannot accept responsibility for any losses to your site, business, employees, clients, etc. as a result of any advice followed from this article or its links. Please be aware that this article is not meant as a one-stop shop for making your website unhackable. Hacking methods are changing all the time, and this article does not cover all of the ways a site can be hacked. Please be sure to consult with a security expert for a full site audit or when implementing any changes to your website.