Your website is more than just a brochure: it is your shop window on the Internet, the digital face of your brand and the most important part of your online image. So if your site gets hacked it can massively damage your brand and your business prospects – possibly even fatally.
The 13 steps outlined on this page are designed to make your site as secure as possible against hackers – or at least so difficult a target that they are likely to skip over to the next one.
Implement these steps and your site will be safer than 99.99% of the others on the web.
Lockdown login access
One of the most common methods of attacking a site is a “brute force attack”: the hacker uses an automated system to try thousands, and in some cases millions, of username and password combinations until one lets them into your site. These first four recommendations are designed to ensure this will not succeed:
1. Long complex passwords
Use passwords that are at least 12 characters long and made up of a random mixture of numbers, letters (both lower and upper case) and other symbols. Many systems include a password generator, but a lot of those only produce 8-character passwords from a limited character set. Whilst this is fine against most brute-force attacks around today, it is probably not going to be enough against the hackers of tomorrow, and I recommend that you stay ahead of the game by stepping up to 12 characters or more – in fact I use 16 characters for my passwords.
And remember, your web hosting has a number of usernames and passwords for different parts of the system, including:
- FTP access to the server
- cPanel access (possibly WHM as well)
- CMS administrator login
- Possibly telnet – though I strongly recommend shutting that down
- Email – SMTP, IMAP & POP3 on multiple ports
- Your database access
- And more.
So make sure they are all secure and all different!
2. Don’t use ‘admin’ as a login name
Not just that – don’t use administrator, manager, setup or any other username that is likely to be easily guessed. The names of the people featured in the content of the website should be avoided as well. Choose something that will not be easily guessed (admin123 is also easy to guess) – try being inventive.
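As an added example (not code from the original article), here is a small policy check that enforces steps 1 and 2 together: it rejects passwords under 12 characters or missing a character class, flags default-style usernames (including admin followed by digits), and generates 16-character passwords from the full printable set. The reserved-name list and the 6-character minimum username length are assumptions for this example.

```python
import secrets
import string

# Minimum length follows the recommendation above; the reserved-name list
# and minimum username length are assumptions for this example.
MIN_PASSWORD_LENGTH = 12
MIN_USERNAME_LENGTH = 6
RESERVED_USERNAMES = {"admin", "administrator", "manager", "setup", "root", "user"}
CHARSET = string.ascii_letters + string.digits + string.punctuation
CHAR_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def username_problems(username: str) -> list[str]:
    """Return the reasons a username is easy to guess (empty list means it passes)."""
    problems = []
    base = username.lower().rstrip(string.digits)   # admin123 -> admin
    if base in RESERVED_USERNAMES:
        problems.append("username is a well-known default (possibly with digits appended)")
    if len(username) < MIN_USERNAME_LENGTH:
        problems.append(f"username shorter than {MIN_USERNAME_LENGTH} characters")
    return problems


def password_problems(password: str) -> list[str]:
    """Return the reasons a password fails the policy (empty list means it passes)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    for name, chars in CHAR_CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password from the full character set that passes the policy."""
    if length < MIN_PASSWORD_LENGTH:
        raise ValueError("length is below the policy minimum")
    while True:   # resample until every character class is present
        candidate = "".join(secrets.choice(CHARSET) for _ in range(length))
        if not password_problems(candidate):
            return candidate
```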
3. Login lockdown
Ensure your site administration system can lock out a user for a set period of time (as little as 1 minute is enough) if they type the wrong password three times in a row. This stops automated systems rapidly trying multiple username and password combinations, making it very hard for them to get in – even if they have weeks or months to go at it.
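An added example (not from the original article) of the lockout logic described above: three wrong passwords in a row lock the account for 60 seconds, during which even a correct password is refused. The clock is injectable so the behaviour can be exercised without waiting; the threshold and duration are taken from the recommendation, everything else is an assumption.

```python
import time
from collections import defaultdict

# From the recommendation above: three wrong passwords lock the account for 60 seconds.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 60


class LoginLockout:
    """Track failed logins per username and lock the account after repeated failures."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so tests can fake the passage of time
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:   # lockout has expired: reset and allow attempts again
            del self._locked_until[username]
            self._failures[username] = 0
            return False
        return True

    def record_failure(self, username: str) -> bool:
        """Register a wrong password; return True if the account is now locked."""
        if self.is_locked(username):
            return True
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username: str) -> None:
        """A correct password clears the failure counter."""
        self._failures[username] = 0
        self._locked_until.pop(username, None)


def attempt_login(lockout: LoginLockout, username: str, password_ok: bool) -> str:
    """Gate one login attempt: returns 'locked', 'ok' or 'denied'."""
    if lockout.is_locked(username):
        return "locked"              # do not even evaluate the password while locked
    if password_ok:
        lockout.record_success(username)
        return "ok"
    lockout.record_failure(username)
    return "denied"
```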
4. Move The Administrator Login Away From The Default
If you want to find out which Content Management System (CMS) a site is using, all you need to do is go to the default URL for the administrator login. For WordPress that is www.yourdomain.com/wp-admin; for other CMSs it will be something else. So, to slow down most hackers and make many of them simply move on to some other site, change the default administrator login URL to something abstract.
Stay Up To Date With Everything
With a modern CMS it is possible to create extremely powerful, exquisitely styled websites for a fraction of the money it once cost, but they come at a different kind of price.
The CMS is made up of dozens, possibly hundreds, of pieces of software plugged together and interacting to provide the services you use. These pieces of software have probably each been written by different programmers who usually have not seen, and in many cases don’t even know about, the other pieces of software you are adding to your site. This means that you can sometimes get unforeseen results when they interact – the most common name for this is “bugs”, and with anything that is highly complex you are bound to get some.
The good news is that these bugs usually get found and fixed relatively quickly, and updates released.
5. Make sure your site is up-to-date with all the latest releases.
This includes updates to the CMS, the theme (that creates the look and feel of the site) and the plugins (that add extra functionality). They all interact so it is important to ensure that they are all up to date.
Often when you first get a server to host your website on it is provided in a way that allows you to do virtually anything you could possibly want – which is great right? – wrong!
6. Block unused ports
The chances are that you will only need a fraction of the functions that a server can provide, so you should shut down all the services that are not needed to run your site.
For example, if your email is not hosted on the same server as your website then you can simply shut down external email access. You may still want the email server running so that your contact-us form works, but it is highly unlikely that your server needs inbound email to the website, so block the email ports you’re not using.
If you are using cPanel to control your site then you may not need FTP to be open to the world – or you could firewall access so that only you can reach it.
Another powerful option is to set up VPN access to the server – this adds a much stronger level of access control than port blocking alone and still lets you use FTP without opening it up to the world.
7. Change The Default Database Prefix
Other hackers will attempt to access the website database directly. Instead of hacking the administrator login, they access the database directly and add malware and rogue data straight into the site content. One simple way to prevent this is to change the default database prefix. For example, the database prefix for WordPress is normally ‘wp_’; all you need to do is make it something else and the automated systems will fail to gain access.
A lot of the hacks out there rely on the fact that most websites do not encrypt the data they send between the website and the database. This lets attackers send plain-text commands in an attempt to find bugs in your CMS.
8. Use SSL Encryption Between The Website And The Database
Using SSL to encrypt users’ information in transit to the database ensures that it cannot be read on the way and prevents a hacker from impersonating a user by sending database commands directly. Encryption ensures only the right people can create or access the information.
Firewalls & Security Software
There are lots of potential risks when it comes to people attacking your website, many of which you cannot even imagine at the time you build it, but fortunately there are very clever techie types who have seen just about all the existing hacks and know how to stop most of them even before they get to your site. These are the people who write firewalls and security software.
9. Server Level Firewall
You need to have a firewall on the server that will monitor and block known attacks before they get to your site. This is something that your hosting company can usually help you with, and it will make a massive difference to the security of your site.
10. Application Level Firewall
Your CMS is a web application; there are lots of them available, including WordPress, Joomla, Drupal, Magento and many others. Many of these applications need to be open to the world so that site visitors and you can access them, but they should also be protected from hackers by a dedicated application firewall. Make sure you get a good one that is regularly updated and trusted by a lot of people – avoid ones that have few downloads and are rarely updated.
11. Server Scanning Software
With the right application firewall this may well be included, but not all application firewalls include server scanning to detect malware and unexpected file changes. A scanner on the server will tell you if files have changed or new files have been added to the site, and will scan the files for known malware signatures – so that if someone still manages to get past your security you can get it fixed fast.
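As an added illustration of the file-change side of server scanning (this is example code, not any scanner product’s own), the snippet below hashes every file under the web root into a baseline and later reports files that were added, removed or modified. It assumes the baseline JSON is kept outside the web root, so an intruder editing site files cannot quietly update it too; malware signature matching is out of scope here.

```python
import hashlib
import json
from pathlib import Path

# Assumed for this example: the baseline is a JSON map {relative path: sha256}
# written somewhere the web server cannot modify (outside the web root).


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by its POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Record the current state of the site as the trusted baseline."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=1))


def compare_to_baseline(root: Path, baseline_file: Path) -> dict[str, list[str]]:
    """Report files added, removed or modified since the baseline was taken."""
    old = json.loads(baseline_file.read_text())
    new = snapshot(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }
```

Run save_baseline right after a clean install or update, and compare_to_baseline from a scheduled job; anything in "added" or "modified" that you did not deploy yourself deserves a look.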
12. Secure Your PC
Make sure every piece of hardware that is connected to your network is scanned for viruses and that every PC on your network has anti-virus software installed. If your PC is compromised then every other computer you have access to is at risk – and that includes your web server.
Secure Your Data
Your website is the data it is made from. When your site is hacked, the hacker will almost certainly corrupt most of the pages on your site and the database, and install additional files that will let him back in even after you remove the corruption.
13. Backup Automatically & Regularly
Make sure you have a regular automated backup of your site that you can go back to – and not just the last backup, ensure that you can select from a series of backups. This is to ensure that if a hacker gets in and causes corruption, then you can restore a backup of your site as it was before the hack-attack happened, even if you don’t realise for a few days.
Also, hard drives – even modern SSDs – will fail, so ensure your backup is on a different server and therefore safe from a hardware failure on your web server.
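An added example (not code from the original article) of the backup series described in step 13: each run writes a timestamped archive, the oldest ones are pruned so a rotating series is kept rather than a single latest copy, and any archive in the series can be restored to a directory of your choice. The directory layout and the file-name pattern are assumptions; where the backup directory lives (it should be on another server or mounted remote storage) is up to you.

```python
import tarfile
import time
from pathlib import Path

# Assumed layout for this example: site files live under site_dir and archives go
# to backup_dir, which should be on a different server or on mounted remote storage.


def create_backup(site_dir: Path, backup_dir: Path, stamp: str = "") -> Path:
    """Write a timestamped tar.gz of the whole site and return the archive path."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    return archive


def list_backups(backup_dir: Path) -> list[str]:
    """Archive names, oldest first (the timestamp format sorts chronologically)."""
    return [p.name for p in sorted(backup_dir.glob("site-*.tar.gz"))]


def prune_backups(backup_dir: Path, keep: int) -> list[Path]:
    """Delete all but the newest `keep` archives and return the ones removed."""
    archives = sorted(backup_dir.glob("site-*.tar.gz"))
    doomed = archives[:-keep] if keep > 0 else archives
    for p in doomed:
        p.unlink()
    return doomed


def restore_backup(archive: Path, target_dir: Path) -> None:
    """Unpack a chosen archive into target_dir (a staging directory, not the live site)."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target_dir, filter="data")   # refuse unsafe paths (Python >= 3.12 API)
        except TypeError:                               # older Python without the filter argument
            tar.extractall(target_dir)
```

Schedule create_backup followed by prune_backups with a keep value that covers the longest period you might fail to notice a hack, so that a clean archive from before the compromise is still available.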
Implementing these 13 steps will protect your site from 99.99% of hackers and make it one of the most secure sites out there. But, if you are not sure how to implement these recommendations and you are dedicated to protecting your brand and business, then you can get us to build your site security for you. Get in touch today to find out more about how we can help you. http://cherrypitsolutions.com/contact-us