Having a website has become very easy due to the availability of various tools and services for web development. Content management systems (CMSs) like WordPress, Joomla!, Drupal, Magento, and a host of other tools and plugins allow business owners to build an online presence very easily. The highly flexible, customizable architecture of these CMSs, their wide range of plugins, and the many ready-to-use modules have reduced the need to learn web development basics before being able to build a functional website.
Designing an online business or personal website is a great process. However, as with everything good, it has a downside: there are some negative points in this process as well. You can find many webmasters who actually do not know how to make their website secure. There is a big misunderstanding when it comes to the necessity of securing the website, and exactly whose responsibility it is to secure it.
Let's look at some basic steps that are absolutely necessary for a website owner to keep their website secure:
Numerous websites are being compromised every day due to outdated scripts.
It is important to update your website as soon as a new version of a plugin or of the CMS is available. These updates might contain security updates or patches that close a vulnerability. Most attacks are automated: bots constantly scan sites for any open exploitation opportunity. It is not enough to update the site and plugins monthly or weekly, because bots are very likely to find a loophole before you patch it.
If you are using WordPress for your website you can use WP Update Notifier. It mails you every time an update for a plugin or for WordPress core is available.
In order to recover an infected website, we need to log into the client's site or hosting server using their admin user credentials. It is quite shocking how insecure the root passwords most website owners use are. With logins like admin/root, you actually have no security at all. There are lots of breached-password databases available online. Hackers combine these with dictionary word lists to generate lists of potential passwords, and if by chance the password you use on your website is in those lists, it is just a matter of time until your website is hacked.
Our tips for you to have a strong password are:
- Never reuse a password. Every single password must be unique. A password manager can help you in this regard.
- Don't use short passwords. Always use longer passwords. The longer the password is, the longer it takes to crack.
- Use random passwords. If you can easily say and remember your password, it is not strong enough, and in that case simple character replacement (e.g. replacing the letter O with the number 0) is certainly not enough to fix it.
One Site = One Container!!
It is quite common for people to host many websites on a single server, especially if they have an unmetered web-hosting plan. But this is one of the worst security practices you can commonly observe. Hosting multiple websites on the same server or in the same location creates a large attack surface for hackers.
You need to know that cross-website contamination is a common phenomenon. It happens when a website is negatively affected by other websites on the same server due to poor isolation or account configuration. Once an attacker successfully exploits one site, the infection can spread to all other sites on the same server.
You must change the default CMS config!!
Most popular CMS applications can be a little tricky from a security point of view for the end user. The most common attacks on websites are entirely automated, so most of these attacks rely on users who have kept only the default settings.
So you can avoid a large number of attacks simply by not using the default settings of the CMS.
CMS applications can also pose one of the biggest weaknesses in web security. Plugins, add-ons, and extensions provide lots of functionality, but how do you know which ones are safe to install?
Here are some points we recommend when deciding which extensions to install:
- Last update of the extension: If the last update was more than six months ago, it is quite obvious that the developer has stopped working on it. Always use extensions that are regularly developed and updated, because that indicates the developer is working to plug any holes that might allow an infiltration.
- The number of installs: An extension with only a handful of installs is typically one released by a first-time developer. Experienced developers have a better idea of current security practices, and at the same time they are less likely to damage their brand reputation by inserting malicious code.
- Legitimate sources: Always use plugins, extensions, and themes from legitimate sources only. Never use nulled scripts, as they are normally filled with malware or security holes.
Having your website backed up at regular intervals is crucial for restoring it after a major attack. A backup should not be considered an alternative to implementing a proper website security solution, but it can help recover damaged files. It is a very helpful practice to back up the website every time there is any change to it and to download the backup to your local system.
Server Configuration Files!!
Get familiar with your hosting server's configuration files:
- Apache web servers use .htaccess
- Nginx servers use nginx.conf
- Microsoft IIS servers use web.config
These files are found in the root directory. They are very powerful: they let you apply the server rules required for website security.
You can research the rules below and add them to your web server:
- Prevent directory browsing: Minimizing the information available to attackers is always a good security precaution.
- Prevent image hot-linking: If other websites start hotlinking images from your server, your hosting plan's bandwidth might be used up just to display images for someone else's website.
- Protect sensitive files: CMS configuration files are the most sensitive files, as they contain the database login details in plain text. You can also restrict PHP execution in directories that allow uploads.
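As an added example (not the post's own code), the shell script below installs all three kinds of rule into `.htaccess` files for an Apache host. It assumes Apache 2.4 syntax (`Require all denied`), that `AllowOverride` permits `.htaccess` in the document root, that `mod_rewrite` is enabled, and a WordPress-style layout with `wp-config.php` in the document root and user uploads under `wp-content/uploads`; the hostname passed as the second argument is yours. Rules are appended once between marker comments, so re-running the script is safe. Equivalent directives exist for nginx.conf and web.config but are not shown here.

```shell
#!/bin/sh
# Added example (not from the original post): writes the directory-browsing,
# hot-linking and sensitive-file rules into Apache .htaccess files.
# Assumed: Apache 2.4, AllowOverride enabled, mod_rewrite enabled, WordPress layout.

MARKER='# BEGIN site-hardening'

# Escape the dots in a hostname so it can be used inside a RewriteCond regex.
host_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Appends the document-root rules to DOCROOT/.htaccess unless the marker is already there.
install_root_rules() {
    docroot="$1"
    host_re="$(host_regex "$2")"
    file="$docroot/.htaccess"
    if [ -f "$file" ] && grep -qF "$MARKER" "$file"; then
        return 0
    fi
    cat >> "$file" <<EOF
$MARKER
# 1. Prevent directory browsing
Options -Indexes
# 2. Prevent image hot-linking: images may be requested directly (empty referer)
#    or from pages on this host, but not embedded by other sites
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?${host_re}/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC]
# 3. Protect sensitive files: the CMS config holds database credentials in plain text
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd)$">
    Require all denied
</FilesMatch>
# END site-hardening
EOF
}

# Refuses to serve any PHP file that lands in the uploads directory.
install_uploads_rules() {
    dir="$1/wp-content/uploads"
    file="$dir/.htaccess"
    if [ -f "$file" ] && grep -qF "$MARKER" "$file"; then
        return 0
    fi
    mkdir -p "$dir"
    cat >> "$file" <<'EOF'
# BEGIN site-hardening
# Uploads are data, never code: do not execute PHP from here
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
# END site-hardening
EOF
}

# Usage: sh harden.sh /var/www/html example.com
if [ "$#" -eq 2 ]; then
    install_root_rules "$1" "$2"
    install_uploads_rules "$1"
fi
```

After running it, check that the rules are actually in effect rather than silently ignored: request a directory without an index file and expect a 403 instead of a listing, request `wp-config.php` directly and expect a 403, and fetch an image with a foreign `Referer` header and expect a 403. If the listing still appears, `AllowOverride` is most likely set to `None` for that directory and the `.htaccess` is never read.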
Always Use SSL!!
SSL or Secure Sockets Layer is the standard security technology used to establish an encrypted link between a web server and a browser.
There is a lot of misleading information about SSL on the web. Let's be clear: SSL does nothing to protect the website itself against malicious attacks and cannot stop it from spreading malware.
At the End!!
If you follow these simple basic steps, your website security will clearly improve. These steps alone will not guarantee that your site will never get hacked, but practicing them will prevent the majority of automated attacks, reducing your overall risk. It will also help make you a better webmaster and site operator.
If you want professional help on website security we can help you with that. Get in touch if you want your site managed by professionals.