Improving Your Website Security: Top 10 Tips
Content management systems such as WordPress, Joomla, and Drupal let website owners build an online presence quickly, but that convenience has side effects: every plugin and theme you add is also code an attacker can target. Some website owners aren't sure how to make their website secure, and some don't understand why it matters. The ten steps below are the essentials for protecting your site.
Update and Update More!
Updating cannot be stressed enough; a large share of compromised websites are simply running outdated software. Apply new versions of your CMS core, plugins, and themes as soon as they are released. Most attacks are automated: once a vulnerability in a popular plugin is public, bots scan for sites still running the old version within hours, so a monthly update schedule is not enough. Check at least weekly, and patch anything flagged as a security release immediately. If you use WordPress, the "WP Updates Notifier" plugin emails you when a core, plugin, or theme update is available, and on a host with WP-CLI you can check from the command line with `wp core check-update` and `wp plugin list --update=available`.
Passwords
When choosing a password for your website (and for the hosting, SFTP, and database accounts behind it), there are three requirements to follow:
- Long: at least 12 characters, and more is better. Attackers do not get discouraged after a few tries; they run automated guessing against your login page or against stolen password hashes, and every extra character multiplies the number of guesses needed.
- Complex: never use something that someone could look up about you: a favourite sports team, a colour, a pet's name, your business name. Leetspeak substitutions (P@ssw0rd) do not help, because cracking tools apply exactly those substitutions to their word lists before guessing. A random string from a password manager, or a passphrase of several unrelated words, is what survives.
- Unique: every account gets its own password. Reuse means a breach of one service hands the attacker the password to your website as well.
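To show why leetspeak is not a defence, here is an added example (it is not code from the original article): a small password check that reverses the common character substitutions the way a cracker's rule set does, strips trailing digits and symbols, and then compares against a word list. The word list and the substitution table are constructed for this demonstration; a real check would load a large breached-password list instead of nine words.

```python
import re

# Character substitutions that cracking tools (hashcat and John the Ripper
# rule sets) undo before comparing a guess against a word list.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
    "|": "l", "0": "o", "$": "s", "5": "s", "7": "t", "2": "z",
})

# Constructed sample word list for this example only.
WEAK_WORDS = {
    "password", "letmein", "welcome", "admin", "qwerty",
    "wordpress", "football", "dragon", "monkey",
}

MIN_LENGTH = 12


def cracker_candidates(password: str) -> set:
    """Base words a rule-based cracker would derive from this password:
    lower-cased, with trailing digits/symbols stripped, with leetspeak
    reversed, and both combined."""
    low = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", low)        # "p@ssw0rd123!" -> "p@ssw0rd"
    return {low, stripped, low.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def password_problems(password: str, previously_used=()) -> list:
    """Return the policy violations for a candidate password (empty list if
    it passes). `previously_used` holds the passwords already in use on the
    owner's other accounts, to enforce uniqueness."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short: fewer than %d characters" % MIN_LENGTH)
    if cracker_candidates(password) & WEAK_WORDS:
        problems.append("dictionary word, even after leetspeak substitutions")
    if password in previously_used:
        problems.append("already used on another account")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "Dr4g0n!", "correct horse battery staple"):
        print(repr(pw), password_problems(pw) or "ok")
```

"P@ssw0rd123!" satisfies the length rule and looks complex, yet it is rejected because its base word is "password"; the four-word passphrase passes every check despite containing only lower-case letters and spaces.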
One Site per Hosting Account
An "unlimited" hosting plan makes it tempting to put every site you run on the same account. Unfortunately this multiplies your risk. A server with one WordPress install, one theme, and ten plugins has a manageable attack surface; the same server with five installs, five themes, and fifty plugins has a far larger one, and the installs usually share a single filesystem user. Once an attacker has a foothold in one site, the rest follow, a pattern known as cross-site contamination. Keep each site in its own account, or at least under its own isolated user, so that one compromise cannot spread.
Managing User Access
If your site has more than one login, apply least privilege: each user gets only the permissions needed to do their job. Someone who only writes blog posts should be an author or contributor, not an administrator. Give every person their own account with their own password rather than a shared login, so that a mistake or a stolen credential is contained to one account and the logs show who did what. Remove accounts when people leave.
Default CMS Settings
CMS applications are easy to use out of the box, but their defaults are chosen for convenience, not security, and automated attacks rely on those defaults being in place: the well-known administrator username, the default database table prefix, the standard login URL, and comment or registration settings that are open to everyone. Reviewing and changing these defaults during installation, and disabling features you do not use, removes the easiest wins for automated attackers.
Choosing Extensions
CMS applications are extensible, and the plugins, extensions, and themes that provide that extra functionality are also where most vulnerabilities are found. With several add-ons offering the same feature, how do you pick one? Three things to check:
- When it was last updated. If the last release is a year or more old, the author has probably stopped maintaining it, and a vulnerability found later will never be fixed.
- Its age and install count. An extension with many installs and a developer who has shipped other projects has had far more users and researchers looking at it than one with 50-100 installs from a first-time author. Popularity is no guarantee (widely installed plugins are attractive targets precisely because they are everywhere), but an unknown extension has had almost no scrutiny at all.
- Where you get it. Download themes and extensions only from the official repository or the developer's own site. Sites offering "free" versions of paid themes and plugins are usually distributing pirated copies, and those copies are routinely infected with backdoors and spam injectors.
Backups
Back up your website regularly, but be careful where the backup lives. Storing a backup in the web root, or anywhere the web server can serve from, is a serious security risk: a file such as backup.zip or site.sql can be downloaded by anyone who guesses its name, and it contains your CMS configuration file with the database credentials. Keep backups off the web server (on separate storage or your own machine), use a trusted backup service rather than an unknown plugin, and test that you can actually restore from them.
Server Configuration Files
Get to know your web server's configuration files. Apache reads .htaccess files placed in the web directory, Microsoft IIS reads web.config in the application root, and nginx uses nginx.conf, which lives in the server's configuration directory (typically /etc/nginx), not in the web root. These files are powerful: a few lines control what the server will and will not serve. If you are not sure which web server you are running, a scanner such as SiteCheck reports it on its details tab, or you can look at the Server header in a response. Three rules every site should have:
- Prevent image hotlinking. This is partly a security measure and partly a cost one: without it, other websites can embed images hosted on your server and your bandwidth allowance pays for their traffic.
- Prevent directory browsing. Without it, requesting a directory that has no index file returns a listing of everything in it, which tells an attacker exactly which files, versions, and leftover backups are present. Limit the information available to attackers.
- Protect sensitive files. Set rules that deny direct access to CMS configuration files (wp-config.php, configuration.php, settings.php), since they contain the database credentials, and to any backup or archive files that may have been left in the web root.
Install SSL
Some site owners wonder whether TLS (still commonly called SSL) is worth the effort. It is. TLS does not protect a website from being hacked and does not stop malware on the server, but it encrypts the traffic between the browser and the site. Without it, the password you type into your login page and the session cookie that follows travel in clear text and can be read or altered by anyone on the path, from a coffee-shop Wi-Fi to a compromised router; that is the man-in-the-middle attack encryption defeats. Certificates are free today, so install one, redirect all HTTP requests to HTTPS, and make sure the admin area is never reachable over plain HTTP.
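The three configuration rules above, plus the HTTP-to-HTTPS redirect from the SSL section, as one .htaccess file for Apache 2.4. This is an added example, not configuration from the original article or from any CMS project; the hostname example.com is a placeholder.

```apache
# Added example .htaccess for an Apache 2.4 web root. example.com is a
# placeholder hostname; adjust the file names to your CMS.
RewriteEngine On

# 1. Force TLS: send every plain-HTTP request to the HTTPS equivalent.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Stop image hotlinking. An empty Referer (direct visits, some proxies and
#    privacy tools) and our own site are allowed; any other site gets a 403.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC,L]

# 3. Never return a directory listing for a directory without an index file.
Options -Indexes

# 4. Deny direct requests for CMS configuration files, .htaccess itself, and
#    backups or dumps left in the web root. The CMS still reads them from disk;
#    only HTTP access is blocked.
<FilesMatch "^(wp-config\.php|configuration\.php|settings\.php|\.htaccess|.*\.(bak|sql|zip|tar\.gz))$">
    Require all denied
</FilesMatch>
```

Two caveats: .htaccess rules only take effect if the server's main configuration grants AllowOverride for the relevant directives and mod_rewrite is loaded, so test each rule with curl after adding it (a request for /wp-config.php should return 403, a directory without index.php should not list files). And if TLS is terminated at a load balancer or CDN in front of Apache, %{HTTPS} will be "off" on every request and rule 1 loops; in that setup test the X-Forwarded-Proto header instead. On nginx the equivalents are `autoindex off;`, a `location` block with `deny all;` for the sensitive file names, and `valid_referers none blocked server_names;` with `if ($invalid_referer) { return 403; }` for hotlinking.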
File Permissions
Every file and directory on the server has three kinds of permission, read, write, and execute, each granted separately to the file's owner, to its group, and to everyone else. Grant only what is needed: if a process only needs to read a file, give it read; if it must write, give it write; never set a file to be readable, writable, and executable by everyone (mode 777) because it happens to make an error go away. A common baseline for a PHP CMS is 755 for directories, 644 for files, and 600 for the configuration file that holds the database credentials, so that only the owner can read it.
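As an added example (not from the original article), the following script audits a web root against that 755/644/600 baseline, reports every entry that grants more than the policy allows, and tightens it. The policy, the list of secret file names, and the sample site it builds in a temporary directory are all constructed for this demonstration.

```python
import os
import stat
import tempfile

# Target modes for a typical PHP CMS deployment. This policy is constructed
# for the example; it matches the common 755/644 baseline, with the config
# file that holds database credentials restricted to its owner.
DIR_MODE = 0o755      # owner rwx; group and others may list and traverse only
FILE_MODE = 0o644     # owner rw; group and others read only
SECRET_MODE = 0o600   # owner only
SECRET_FILES = {"wp-config.php", "configuration.php", "settings.php", ".env"}


def expected_mode(path: str) -> int:
    if os.path.isdir(path):
        return DIR_MODE
    if os.path.basename(path) in SECRET_FILES:
        return SECRET_MODE
    return FILE_MODE


def audit_permissions(root: str) -> list:
    """Walk the web root and return (relative path, actual, expected), as octal
    strings, for every entry whose mode grants more than the policy allows."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue                      # never chase symlinks out of the web root
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            wanted = expected_mode(full)
            if actual & ~wanted:              # any permission bit beyond the policy
                findings.append((os.path.relpath(full, root), "%o" % actual, "%o" % wanted))
    return sorted(findings)


def apply_policy(root: str) -> None:
    """Tighten every flagged entry to its policy mode."""
    for rel, _actual, wanted in audit_permissions(root):
        os.chmod(os.path.join(root, rel), int(wanted, 8))


def demo() -> tuple:
    """Build a constructed sample site in a temporary directory with the classic
    mistakes (world-writable uploads, world-readable config), audit it, fix it,
    and audit again. Returns (findings before, findings after)."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        for rel in ("index.php", "wp-config.php", "wp-content/uploads/photo.jpg"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("sample\n")
        os.chmod(os.path.join(root, "wp-content"), 0o755)
        os.chmod(uploads, 0o777)                               # "chmod 777 so uploads work"
        os.chmod(os.path.join(root, "index.php"), 0o644)
        os.chmod(os.path.join(root, "wp-config.php"), 0o644)   # DB password readable by every user on the host
        os.chmod(os.path.join(uploads, "photo.jpg"), 0o666)
        before = audit_permissions(root)
        apply_policy(root)
        after = audit_permissions(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for finding in before:
        print("%-32s %s -> %s" % finding)
    print("after fix:", after)
```

The check is deliberately one-sided: a file that is tighter than the baseline (say 640) is not reported, only one that is looser. Run the audit as a scheduled job against the real web root and treat any new finding as a sign that a plugin, an installer, or an intruder has loosened something.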