According to a recent post by Sucuri, the increased number of tools and applications which enable individuals and companies to set up their own website might be a great thing, but the downfall is that many people don’t know how to make their websites secure – in fact many webmasters aren’t aware of the importance of keeping their website secure.
So what are the top 10 ways all webmasters should be ensuring their website security?
1. Regular Updates
When a new plugin or CMS version becomes available, your site must be updated at once. Hacking bots are automated and constantly look for vulnerabilities in websites. If you don’t want you website to be hacked, keep it up to date.
2. Password Security
Sucuri notes that many webmasters have passwords that are ridiculously easy to crack using password-cracking programmes. Any password that contains a real word is more likely to be guessed than a password that is created from a truly random combination of letters, numbers and symbols.
The solution? Ensure your password is unique, long and complex.
- Unique – don’t use the same password for different programmes or accounts. If a hacker finds your website password, it shouldn’t give them access to your email or your online banking.
- Long – at least 12 characters
- Complex – only a random string of characters will do
Of course it will be almost impossible to remember a complicated, random 12 character password – and Sucuri recommend you use a password manager such as “LastPass” (online) or “KeePass 2″ (offline).
3. One Website per Server
When you have a web hosting plan that enables you to host many websites on one server, it is tempting to do so. But Sucuri points out that a if a hacker gets access to one of the sites, the infection will spread to the others very easily. Furthermore, the clean-up operation becomes more complicated as the infected sites keep on reinfecting one another as you try to weed out the virus.
Best security advice? One website per server.
4. Manage User Access
Invariably you will need to give several users access to your website. But make sure each has their own user access, with the appropriate minimal level of access that they require to perform their job. This not only reduces the impact of any compromised accounts, it also enables you to monitor what the users are doing when they access your site.
5. Alter Default CMS Settings
When installing your CMS make sure you change the default settings. This will help protect against attacks which look for the default settings being used. Even if you didn’t change them during the installation procedure, you can change them at a later date.
6. Choose Extensions Carefully
There are so many extensions and plugins available but you need to choose which you opt for carefully. Sucuri recommends the following key points to help choose your extensions with security in mind:
- Download from a legitimate source: many sites offering free extensions which seem too good to be true often are – these extensions are likely to be infected with malware.
- Check Date of Updates: if the extension hasn’t been updated in over a year, it’s unlikely you’ll get support from the author if there are security issues. Choose an extension that is currently supported by the author.
- Experience of Developer: an experienced developer is more likely to know about best security practices and will ensure their extensions are safe to maintain their own reputation
7. Backups
It’s not enough to backup your website – you need to make secure backups. Don’t store your backups on your web server as they often contain unpatched versions of your CMS which can give hackers the server access they want.
8. Server Configuration Files
By accessing your server configuration files, you can set server rules which will improve your website security. Sucuri recommends adding the following rules for your web server as a minimum:
- Prevent directory browsing – this stops hackers seeing the directory contents on your website
- Protect sensitive files – you need to put some locations on lock down eg. CMS configuration files (as they contain the database login information) and other administration areas.
9. Use a SSL Certificate
Particularly important for e-commerce websites, the SSL Certificate encrypts data between the browser and website server meaning the data is protected from the Man in the Middle attack. However Sucuri notes that SSL does not protect your website from hackers, nor does it stop it distributing malware – but it does protect visitor information and ensure you won’t get fined.
10. File Permissioons
There are 3 file permissions available: read, write and execute, and each permission is represented by a number. On installation, most CMSs have the permissions correctly configured so it’s not something you normally need to worry about.
However there is a lot of bad advice circulating around the internet – if you’re trying to find help about how to fix permission errors, people may advise you to change the file permission to 666, or folder permission to 777 – yes it will fix the errors but this is terrible security advice – these codes leave your site wide open to malware.
Conclusion – webmasters need to be aware that websites are being continually searched by automated bots looking for a way in to cause havoc. But by following the recommendations from Sucuri, their website security will be dramatically improved.