Anyone who owns and operates a website needs to consider good practices for security. Even the smallest of websites are often targets for spamming attacks or phishing pages. You should never assume that your site is too small to go unnoticed by the criminal element.
Without proper security, innocent blogs can be turned into weapons for identity theft and eCommerce sites can reveal confidential customer data. All it takes is the smallest of exploits and someone can wreck havoc.
While you may have a good and solid web hosting provider, website security tools are still an important aspect to consider.
In fact, most cybercrime and hacks happen without anyone even knowing. That’s because a lot of these exploits are small and go unnoticed by those who maintain websites.
How to Secure Your Website from Hackers
According to studies, approximately 50 percent of small businesses online have been breached within a 12 month span. This goes to show that no online activity is absolutely void of becoming a target.
Below are some of my website security tips for anyone who maintains online pages. Whether you’re using WordPress, Joomla, Drupal or building the site from scratch in code, security must be a priority. This will protect you as well as your guests.
Perform a Regular Backup of Files and Database
One of the most common tips I give is performing copious backups. Whether you’re adding lines of custom code or performing various updates, it’s always a good idea to have a backup ready in the event something happens. These copies serve to quickly repair the website during a disaster, such as a hacker deleting all of your content.
There are a number of ways you can create backups. Many will use FTP programs like FileZilla to copy all files to your computer. If you’re using WordPress, you can set plugins such as UpdraftPlus to automatically backup files and databases. Just make sure you create these copies regularly.
Never Underestimate the Value of Security Plugins
Approximately 50 percent of surveyed organizations in the US, UK, Germany and Canada have been attacked by ransomware in the past. This doesn’t mean that security plugins are the end of this kind of situation, but it does strengthen the point of placing stronger security on the site.
If you use a content management system such as WordPress, Joomla or Drupal, you should really consider security plugins and modules. Many of these additions are free to use and will keep the site protected from a range of nefarious attacks. From bots to humans, security measures need to be in place.
There are a lot of plugins and modules that act like all-in-one platforms. These often include firewalls, IP blacklisting, login security measures and monitoring features. Some even implement IPv6 compatibility, which many experts believe is the future for online connections because of how vast the Internet of Things has become.
Regularly Scan for Files and Modifications
Some security modules and plugins will come equipped with file scanning ability. This means you can protect the website from unknown file additions and modifications from hackers and bots. For instance, Wordfence for WordPress scans for a variety of malware and backdoor scripts in real-time.
Remember how I said hackers will use your website for phishing? This is often done by adding a file to your website and creating a seemingly legitimate “micro-site” for the purpose of stealing real credentials.
For example, fake PayPal pages are set up on a website to make the user believe he or she is really at PayPal. Once they try to log in, the hacker gains the unsuspecting victim’s credentials. Scanning for these files helps put an end to this type of attack.
Use Complex Usernames and Passwords
Nearly 60 percent of small businesses don’t govern over employee username and passwords. This helps open the doors for attacks from the criminal element.
A brute force attack is when a human or bot will rapidly try to gain access to a site through trial-and-error methods to “guess” the login credentials. Using complex usernames may seem more like a pain to some people, but it will greatly reduce the risk of being hacked.
Complex credentials such as using email addresses as usernames and strong character strings for passwords makes attacks like these far more difficult. If you haven’t already, I would also suggest getting rid of default “admin” logins and create unique administrator credentials. These default accounts are essentially giving hackers half of the information they need to gain access.
Keep Core Files Up to Date
Core files, such as those in WordPress and Joomla, need to be updated regularly. Regardless of the kind of content system you use, the newest versions usually have bug fixes and exploit removals. Remaining with outdated applications only leaves the website open to a myriad of attacks from hackers.
Many of these systems are set to update automatically. However, some third-party software may need to be monitored closely. If a new version of eCommerce, wiki or other content management system is released, you should install it immediately. Otherwise, the site may have a wide open hole to let in the criminal element.
Keep Add-Ons Updated
Core files are not the only parts of a site that need to be updated on a regular basis. Modules, extensions and plugins all need to be maintained as well. Even the best of programmers can leave unsuspecting exploits behind in code. Keeping these additions updated greatly reduces the possibility of being hacked from those issues.
On a side note, it may be a good idea from a design and functionality aspect to keep add-ons updated. Many developers will add new functions and improve others. You may just find a new ability that eliminates the need to use another tool you have installed.
Always Use Good Coding Practices
Whether you’re building a website from scratch or adding lines of code to a content management system, use good coding practices. While there may be shortcuts to deliver a certain visual or function you want to include in the site, it may actually leave you open to attacks.
If you do want to code your own website, I would suggest you spend some time learning the ins and outs of the platform. There are a number of well-developed areas on the Internet to educate yourself. For instance, W3 Schools is full of valuable information for implementing code on your site.
Only Use Scripts from Trusted Sources
There are a number of scripts scattered around the Internet to use. These snippets of code have potential to add functionality and form to your pages. However, they can also be methods of distributing exploitable content. Unless you scour through each line yourself, it’s difficult to determine what you’re actually putting into your site.
Using scripts from trusted sources is always a good way to go when looking to add some functionality. Start by searching Google for complaints regarding the developer or the company offering the snippet. If there is one thing you can be sure of is that people will take to forums if a company has bad practices.
Correctly Assign Roles and Permissions
User roles in systems like WordPress, Joomla and Drupal determine what a visitor can do on the website. If these are set incorrectly, a vindictive individual can cause a great deal of damage. That’s why it’s important to make sure roles and permissions are set correctly. This is especially true if you create custom rules for these roles.
By default, content management systems have a pretty good handle when governing registered users. It’s when you start adding plugins or extensions to expand the website when roles can become askew. Periodically check to make sure those with certain permissions remain where they are in the hierarchy.
The most cited source for compromises within security is that of employees. Whether it’s intentional or not, it’s the human element that plays such a big role in security holes. Keeping an eye on who can do what on the website and within the organization can be vital for protecting digital assets.
Only Use Tested and Verified Modules or Plugins
A lot of people will find so-called “perfect” add-ons to a website from third-party developers. Unfortunately, these can also lead to compromising the integrity of the site. With a simple install, you could inadvertently hand over administrative control to the developer without realizing.
I’m not saying that every third-party add-on should be avoided. On the contrary, there are a vast number of excellent developers on the Internet. However, you should always research the source before installing anything. Going through official channels to install add-ons is a good place to start. For instance, plugins offered directly from WordPress.org are often the most stable and reliable.
Monitor Google Analytics for Odd Site Behavior
Google Analytics is more than just a tool to watch how many people visit the site. It can also be a tool to identify questionable activity. For instance, a large amount of traffic to a page you can’t identify or through keywords that are not your own could be cause for alarm.
A boost in traffic to an unknown page may result from a phishing site built into your file structure. This is one of the reasons why having file scanning mentioned above is ideal. If left unchecked, your site may begin to perform poorly in search engines because of bad practices.
Phishing attacks are the leading cause of data breaches making up more than 55 percent of overall attacks. This made 2016 the eighth consecutive year this type of attack was rated number one.
Use a Secure Sockets Layer
Secure Sockets Layer, or SSL, encrypts the transmission of data from your webpages to the visitor. This makes it nearly impossible for anyone to steal information during transit. It creates a direct pipeline of data that protects you as well as the recipient. Although these often require small yearly fees to maintain, they are surely worth the investment.
Using the SSL certification will also play into search engine optimization practices. This is because engines like Google hold secure websites in a higher standard because of being safe and secure for visitors.
Even though 86 percent of Chief Information Officers state stealing certificate keys for encryption will be the next big thing for hackers, SSL is still a viable method for protecting the website.
Keep an Eye on Folder and File Permissions
If you suspect something wrong with the operations of your site, you may want to consider checking the permissions of files and folders. This limits what other people can do such as read, write or execute. Many experts say that files should never be fully open to the public. It gives hackers an opportunity to gain control over the site for various purposes.
File and folder permissions can be accessed by either using FTP applications like FileZilla or using cPanel’s File Manager. Each element of your site will have permissions attached and you can easily change the numbers around to suit your needs. However, it can be dangerous if you don’t know what you’re doing. I’d suggest consulting with tech support or learning more about permissions before changing numbers around.
Staying Current with Trends
One of the best ways to keep the site secure is by keeping up with current trends. Signing up for security newsletters, reading about recent hack attempts and following social profiles of cyber security companies should be part of your monthly or weekly routine. The best prevention of any problem is knowledge.
Tools like Netvibes can keep you in the loop regardless of what content is created about security. That’s because these platforms let you customize looking for specific keywords in search engines, social media, specific RSS feeds, websites and other online content. It’s like getting all of the online news from around the globe in one dashboard.
Always Secure Your Website
Learning how to secure your website from hackers should be part of any development strategy. After all, attacks have potential to undo everything you’ve built into your website. I cannot stress enough how important utilizing website security tips is for continued online operation. Plug up the holes before hackers try to crawl through them.