In our previous article Why Your Business Needs A Professional Website we explained the benefits and value of a well designed website for your business. In this article we discuss how you can secure your website and keep it safe from attack.
You can stop malicious attacks on your website by applying the following preventative measures:
1. Use a secure reputable web hosting company
A good hosting company should provide:
- network and platform level security
- DDoS protection (infrastructure security)
- routine backups
- technical support
Take a moment to study the service provider’s reputation in the market. Reviews posted by users of hosting services provide great insight about their quality standards and trustworthiness.
2. Own your domain name
Make sure you are the legal owner of your domain name. Whoever is the legal owner of your domain name has total control over it. You do not want to find yourself in a situation where someone can hold your domain name hostage when you want to move to a new service provider.
CONTENT MANAGEMENT SYSTEM (CMS)
3. Choose a portable content management system to avoid lock-in
We recommend using an open source content management system. Many people use WordPress on top of PHP, which will run on just about anything. This means all you need to do to change your hosting provider is load a copy of your website on another provider’s service and point your domain name to that provider. No need to rebuild the whole website again.
4. Use reputable software
Make sure the software that you install on your website is trustworthy and safe. Use reputable developers and download from their official websites. Exercise extreme caution if you’re downloading software from a developer you’ve never heard of.
5. Keep software up to date
Software updates are important because they often include critical patches to security holes. Updates also contain important changes to improve the performance and stability of the applications that run on your website. Keeping software up to date protects your website against many of the harmful malware attacks that take advantage of software vulnerabilities.
6. Keep your website clean
Every database, file, plugin and application running on your website creates potential points of entry for hackers. Minimise these access points by deleting any databases and software applications not in use.
7. Limit the number of users
Protect your website by keeping the number of users limited to only those that really need access and regularly review your user list to remove or suspend inactive user accounts.
8. Separate user accounts
Each user should have their own unique user account/profile. By having separate accounts for every user, you can keep track of each user’s activity on the website by reviewing user and change logs.
9. Sensible user access
User access should be set to the lowest level required for the user to perform their duties. In the event the user requires temporary additional access to perform a specific task, the additional access should be removed as soon as the task is completed.
10. Avoid obvious user names
Try to avoid using default or obvious user names such as admin, the name of your website or your own name. They are too easy to guess. Your user name is part of your login credentials and using predictable user names makes it easier for hackers to gain access to your website.
11. Enforce a strong password policy
Force all users to use strong passwords. Improve your password strength by adding uppercase and lowercase letters, numbers, and special characters. Many people opt for long passphrases since these are nearly impossible for hackers to predict but easier to remember than a string of random numbers and letters.
Remember to change your password regularly and don’t repeat previously used passwords.
12. Use two factor authentication
Two-factor authentication increases security when logging in by requiring a unique code in addition to a username and password. The code is generated for one-time use by an authenticator app, or sent to the user’s phone via SMS.
SECURITY TOOLS AND SOFTWARE
13. Encrypt login pages / SSL encryption
Implementing a Secure Sockets Layer (SSL) certificate is a smart way to secure the admin panel of your website. This ensures secure data transfer between user browsers and the server, making it difficult for hackers to breach the connection.
SSL encryption will secure sensitive information such as login credentials, credit card details, etc. It will also improve your ranking as search engines encourage encryption.
14. Web application firewall (WAF)
A web application firewall filters, monitors, and blocks traffic to and from a web application. A WAF is differentiated from a regular firewall because it is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting web traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.
15. Virus/malware protection
Antivirus programs are more efficient and effective against the classic types of online threats (worms, viruses, trojans, keyloggers), while antimalware can detect and remove new and sophisticated malware strains and strengthen security. For better protection, you’ll need to use both antivirus and antimalware programs.
16. Use anti-automation tools/techniques
An automated threat is an attack on a computer network or web application characterised by the malicious use of automated tools such as Internet bots. Automated threats are popular on the internet as they can complete large amounts of repetitive tasks with almost no cost to execute.
Anti-automation tools attempt to block these bots by adding steps that are designed only to be performed by a human, for example using reCAPTCHA on a contact form.
17. Change default system settings
By changing certain default settings in your content management system you can improve the security of your website by making it difficult for hackers to locate and access sensitive files. This process of securing your system is referred to as hardening.
You could, for example, set your CMS settings to:
- disallow file editing
- disable directory listing
- restrict directory permissions
- disable PHP error reporting
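The four hardening settings above map to concrete configuration in a WordPress install on Apache. The script below is an added example (not from the original article or from WordPress) that audits a site directory for each of them; it assumes wp-config.php and an Apache .htaccess in the site root, and the function name wp_harden_audit is chosen here.

```shell
#!/bin/sh
# Added example: audit a WordPress site root for the four hardening settings.
# Assumes Apache (.htaccess) and wp-config.php in the site root.
# Prints one FAIL line per missing setting; returns the number of failures.
wp_harden_audit() {
    dir=$1
    fails=0
    cfg="$dir/wp-config.php"
    hta="$dir/.htaccess"
    # 1. Disallow file editing: DISALLOW_FILE_EDIT must be defined as true.
    if ! grep -Eq "DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$cfg" 2>/dev/null; then
        echo "FAIL: file editing allowed (define DISALLOW_FILE_EDIT true in wp-config.php)"
        fails=$((fails + 1))
    fi
    # 2. Disable directory listing: Apache 'Options -Indexes' in .htaccess.
    if ! grep -Eq '^[[:space:]]*Options[[:space:]]+-Indexes' "$hta" 2>/dev/null; then
        echo "FAIL: directory listing not disabled (add 'Options -Indexes' to .htaccess)"
        fails=$((fails + 1))
    fi
    # 3. Restrict permissions: wp-config.php must not be readable by "others"
    #    (columns 8-10 of 'ls -l' are the other-user permission bits).
    others=$(ls -ld "$cfg" 2>/dev/null | cut -c8-10)
    case "$others" in
        *r*|"") echo "FAIL: wp-config.php readable by other users (chmod 640 wp-config.php)"
                fails=$((fails + 1)) ;;
    esac
    # 4. Disable PHP error display: WP_DEBUG_DISPLAY must be defined as false.
    if ! grep -Eq "WP_DEBUG_DISPLAY'[[:space:]]*,[[:space:]]*false" "$cfg" 2>/dev/null; then
        echo "FAIL: PHP errors may be shown to visitors (define WP_DEBUG_DISPLAY false)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample site: wp-config.php is hardened, but .htaccess lacks
# 'Options -Indexes', so the audit should report exactly one finding.
demo=$(mktemp -d)
cat > "$demo/wp-config.php" <<'EOF'
<?php
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_DEBUG_DISPLAY', false );
EOF
chmod 640 "$demo/wp-config.php"
: > "$demo/.htaccess"
if wp_harden_audit "$demo"; then
    echo "all four hardening settings present"
else
    echo "findings: $?"
fi
```

Run it as `sh audit.sh` from any directory; point wp_harden_audit at your real site root once the constructed sample has shown you what a finding looks like.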
In order to keep your website secure you should inspect your site regularly to detect any threats or vulnerabilities.
18. Scan website for vulnerabilities
There are many security testing tools available that can assist with scanning your website for vulnerabilities. Proper security scans will check your website for any known malware, website errors, out-of-date software, etc., allowing you to keep your website up to date and as secure as possible.
19. Monitor malicious activity
By monitoring your website for malicious activity you can stay on top of any new threats to your website and address them proactively.
20. Perform full website security audits
Perform a full audit of all your website security tools and techniques to ensure that you have the best protection for your website. You can research reputable online resources for the latest updates or consider consulting a website security expert to conduct an audit, identify any weaknesses and recommend enhancements.
Make sure you can recover your website should it suffer an attack.
21. Backup regularly
Most importantly backup, backup, backup! In case your website is breached, becomes inaccessible or data is lost, you will need to restore your website to a point before the event. Therefore, you should schedule regular backups of your website database and all theme, plugin, uploads, and core files. Also perform manual backups before making any big changes to your website so that you can restore in case something goes wrong.
Although websites are at a major risk of being hacked, the methods we discussed above can help deter attackers from targeting your website. A good place to start is a full website security audit to determine the current state of your website’s security, so you know the next steps to take.
If you’re feeling a bit overwhelmed by the above processes, or just don’t have the extra time to implement them, please contact us. We can help get you on the right path to protecting your website from becoming the target of a cyber attack.