Internet security is a fast-moving challenge, with new threats discovered almost every week. Google blacklists close to 10,000 websites a week for malware and flags over 20,000 for phishing. You don’t have to be one of them: take proactive steps to repel the threat.
It’s impossible to reduce your risk to zero, but you can drastically reduce it by taking appropriate precautions. Most websites are hacked because of misconfiguration, out-of-date software, and/or poor-quality hosting.
Don’t think your site is vulnerable? Read my blog post “Your Website is Too Small to be Hacked, Right?”
The following best practices will go a long way in keeping your website safe.
1) Website Backups
Routinely make backup copies of your website files and database, and automate the process if you can. Don’t depend on your hosting service to make backups for you; take ownership of this job. A backup is cheap insurance in case a serious problem does affect your website: when disaster strikes it is often easier to restore a known-good copy than to find and fix the problem. A backup can usually be restored in under 30 minutes, while cleaning a hacked website can take hours, even days.
How often you back up depends on how frequently your website changes. E-commerce websites with regular orders should be backed up more often than websites with infrequent content updates.
Don’t store backups on your website’s server. If something unexpected happens to your website, files are deleted or the server goes down, you will have lost your backups as well. Instead, as part of the automated backup process, transfer the backup archive off the server to a cloud storage service such as Dropbox or Amazon S3. Dropbox gives you a free account with 2GB of space, which may not be enough to keep many copies of a larger website. Amazon S3 has no practical limit and its rates are very low, just pennies per month. Give the server a credential that can only upload new objects, not delete existing ones, so that an attacker who compromises the site cannot also wipe the backups, and test a restore from time to time; a backup you have never restored is only a hope.
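The backup routine described above, written out as an added Python example (this is not the page’s own script or any hosting product’s tool). It archives the web root plus an optional database dump, writes a SHA-256 sidecar so the archive can be checked later, keeps only the newest copies, and includes a restore helper because a test restore is the only proof the backup works. The `mysqldump` command line and the `offsite_dir` destination are assumptions: in production the finished archive would be uploaded (for example with boto3 to S3) rather than copied to a local directory, and that upload step is not shown.

```python
"""Back up a site's files (and optionally a database dump) to a location
that is not the web server, verify the archive, and prune old copies.
Added example; not the page's or any product's own code."""
import hashlib
import subprocess
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks so large archives fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_dir, offsite_dir, db_dump_cmd=None, keep=7):
    """Archive site_dir (plus the output of db_dump_cmd, e.g.
    ["mysqldump", "--single-transaction", "joomla_db"], if given) into
    offsite_dir, write a .sha256 sidecar, keep only the newest `keep`
    archives, and return (archive_path, hex_digest).

    offsite_dir stands in for the off-server destination (assumption):
    in production the finished archive is uploaded instead of left on
    a local disk, and that upload step is not shown here.
    """
    site_dir, offsite_dir = Path(site_dir), Path(offsite_dir)
    offsite_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S-%f")
    archive = offsite_dir / f"{site_dir.name}-{stamp}.tar.gz"

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="backup/files")
        if db_dump_cmd:
            # Dump the database to a temp file and add it beside the files.
            with tempfile.NamedTemporaryFile(suffix=".sql") as dump:
                subprocess.run(db_dump_cmd, stdout=dump, check=True)
                dump.flush()
                tar.add(dump.name, arcname="backup/database.sql")

    digest = sha256_of(archive)
    archive.with_name(archive.name + ".sha256").write_text(f"{digest}  {archive.name}\n")

    # Retention: names sort by timestamp, so the oldest archives come first.
    for old in sorted(offsite_dir.glob(f"{site_dir.name}-*.tar.gz"))[:-keep]:
        old.unlink()
        old.with_name(old.name + ".sha256").unlink(missing_ok=True)
    return archive, digest


def verify_backup(archive):
    """True if the archive matches its .sha256 sidecar and is a readable tarball."""
    archive = Path(archive)
    sidecar = archive.with_name(archive.name + ".sha256")
    if not sidecar.exists():
        return False
    recorded = sidecar.read_text().split()[0]
    if sha256_of(archive) != recorded:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return any(m.name.startswith("backup/") for m in tar.getmembers())
    except (tarfile.TarError, OSError):
        return False


def restore_backup(archive, dest_dir):
    """Extract the archive into dest_dir and return the restored 'backup' folder.
    Uses the 'data' extraction filter where Python supports it, which refuses
    absolute paths and '..' members inside the tarball."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest_dir, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest_dir)
    return Path(dest_dir) / "backup"
```

Run it from cron as the account that owns the site files (not as root), point `offsite_dir` at a mount or replace the final copy with an upload, and keep `keep` large enough to cover the time it takes you to notice a compromise: a seven-day retention is useless if the intrusion is discovered three weeks later.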
2) Use a Secure Web Host
A bad host can undermine even a properly configured and maintained website. Bargain-basement hosting is cheap for a reason: shared plans may not isolate customers well enough to prevent cross-site contamination, so an infected website on the same server can infect yours. Paying more for quality hosting will save you money in the long run.
Sparks Arts provides hosting by SiteGround, one of the premier hosting companies in the world with extensive knowledge of modern content management systems. SiteGround keeps their systems up-to-date with current, supported versions of hosting software like PHP. They proactively deal with security risks by building their own custom protections, and immediately creating their own solution to newly discovered vulnerabilities, unwilling to wait for the affected system developers to fix their own code. With a customer rating of 4.98 out of 5, SiteGround can’t be beat!
3) Set proper file permissions and ownership
Permissions determine who can do what to your files, things like read, write and execute. You don’t want to allow everyone in the world to access and modify your website files.
The recommended permissions on a typical Linux/Apache host (in octal) are:
- Folder = 755
- File = 644
- PHP configuration file (configuration.php in Joomla!) = 444
Never use 777: that gives every user on the server read, write and execute rights, so any other account (or any other compromised site) on the machine can modify your files. Ownership matters as much as the mode: files should belong to your own account, with the web server user allowed to write only where it genuinely must, such as upload and cache directories.
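An added Python example (not the page’s own tool, and not part of any CMS) that audits a web root against the 755/644/444 scheme above, lists every file or folder that deviates with world-writable entries first, and can chmod them back into line. The config file name `configuration.php` is Joomla!’s; for another CMS extend `CONFIG_NAMES`. Run it as the account that owns the files.

```python
"""Audit a web root against the 755 / 644 / 444 scheme above and optionally
fix it.  Added example, not the page's or any CMS's own code."""
import stat
import sys
from pathlib import Path

DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o444
# Joomla! stores its settings in configuration.php; other CMSes use other
# names, so extend this set for your software (assumption, adjust as needed).
CONFIG_NAMES = {"configuration.php"}


def expected_mode(path):
    """Mode a path should have under the scheme: 755 dirs, 444 config, 644 files."""
    if path.is_dir():
        return DIR_MODE
    if path.name in CONFIG_NAMES:
        return CONFIG_MODE
    return FILE_MODE


def audit_permissions(root, fix=False):
    """Walk root and return (relative_path, actual_mode, expected_mode) for every
    directory or file whose permission bits differ from the scheme.  Entries that
    are world-writable (the 777 problem) are listed first.  With fix=True each
    offender is chmod'ed to its expected mode.  Symlinks are skipped: chmod
    follows them, and a link into the web root is itself something to review."""
    root = Path(root)
    findings = []
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue
        actual = stat.S_IMODE(path.stat().st_mode)
        wanted = expected_mode(path)
        if actual != wanted:
            findings.append((str(path.relative_to(root)), actual, wanted))
            if fix:
                path.chmod(wanted)
    # Stable sort: world-writable offenders float to the top, others keep walk order.
    findings.sort(key=lambda f: not (f[1] & stat.S_IWOTH))
    return findings


def format_findings(findings):
    """Render findings as 'path: actual -> expected' lines in octal."""
    return [f"{p}: {a:o} -> {w:o}" for p, a, w in findings]


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    web_root = args[0] if args else "."
    for line in format_findings(audit_permissions(web_root, fix="--fix" in sys.argv)):
        print(line)
```

Run it without `--fix` first and read the list: a handful of directories that the web server legitimately writes to (uploads, cache) may need group-write rather than 755 on hosts where PHP runs as a different user, and those are decisions to make deliberately, not something to bulk-chmod away.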
4) Install an SSL certificate
Without https, everything sent between a visitor’s browser and your server travels as plain text and can be intercepted and read by anyone on the path, including the username and password you type into the administrator login. That would make it easy for an attacker to take over your website.
An SSL/TLS certificate lets the server establish an encrypted connection, so the data transferred cannot be read or altered in transit. With a certificate installed your website address begins with https://, and most modern browsers clearly indicate that such a site is secure.
Starting in January 2017, Google Chrome began marking pages that collect passwords or credit card numbers over plain http:// as NOT SECURE. Google also uses https as a ranking signal, so a site that takes user input over plain http loses on both counts.
Google has said it will extend the non-secure warning to other page types, eventually labeling every http:// page NOT SECURE. Such a warning will scare off a lot of visitors and reduce their trust, another good reason to always use a certificate on your website.
5) Enable search engine friendly URLs
SEF URLs hide your website’s structural information and keep visitors (and attackers) from learning what software your website runs just by looking at the address bar.
Default URLs in Joomla! CMS look like this:
Right off, you can see the e-commerce extension Virtuemart is being used. If a hacker is aware of a vulnerability in Virtuemart, they now know to test it in case the installed Virtuemart extension is an older, vulnerable version that hasn’t been updated.
SEF URLs make sense to both humans and search engines because they explain the path to the particular page they point to. SEF URLs change Joomla!’s default page URL to this:
You can make sense of this address and understand the page’s context, but it gives no indication of what software is generating the page, and that’s good. Keep in mind that this is obscurity, not protection: an extension’s vulnerability is still there whether or not its name appears in the URL, so keep extensions updated regardless.
6) Use Strong Login Usernames and Passwords
Use strong passwords, and never reuse a password across accounts. If you can pronounce a password as a word, assume it is already in an attacker’s dictionary.
- Don’t use common words
- Avoid personal information in passwords such as a name or birth date
- Include special characters (*!$#@), numbers, upper and lowercase letters
- Make it long, at least 12 characters
Brute force attacks are among the most common attacks and hit every website. An automated bot attempts to log in by cycling through common usernames and passwords; because this is scripted, it can try thousands of combinations in a short time. Even when it never finds the right combination, every attempt consumes server resources, since the server must check the submitted credentials and reply that they are wrong.
Examples from a security log on one of our websites:
- Reason: Login failure (Username: user -- Password: password)
- Reason: Login failure (Username: root -- Password: password)
- Reason: Login failure (Username: administrator -- Password: password)
- Reason: Login failure (Username: superadmin -- Password: password)
Avoid default usernames like “admin” or “administrator”, and common passwords such as “password1”. Those are the first things a bot tries, and an account protected by such a combination can be taken over in seconds from an ordinary home computer.
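Log entries like the ones above are only useful if something reads them. As an added Python example (not the page’s own tooling or any firewall extension’s code), here is a small detector that parses such lines, flags any source address with five or more failed logins inside a five-minute window, and marks the case that matters most: a later successful login from an address that was guessing. The page’s lines show only the username and guessed password; the constructed sample below adds a timestamp and source IP, which any real login log should record and which the detector needs.

```python
"""Spot brute-force login attempts in a security log like the one quoted above.
Added example, not the page's own tooling.  The log format with a leading
timestamp and source IP is an assumption layered on the page's lines."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\S+) "
    r"Reason: Login (?P<result>failure|success) "
    r"\(Username: (?P<user>\S+) -- Password: (?P<pw>[^)]*)\)$"
)

# Constructed sample: one bot cycling default accounts from 203.0.113.5 and then
# succeeding from the same address; one legitimate user who mistyped once.
SAMPLE_LOG = """\
2023-05-01 02:14:07 203.0.113.5 Reason: Login failure (Username: user -- Password: password)
2023-05-01 02:14:08 203.0.113.5 Reason: Login failure (Username: root -- Password: password)
2023-05-01 02:14:09 203.0.113.5 Reason: Login failure (Username: administrator -- Password: password)
2023-05-01 02:14:10 203.0.113.5 Reason: Login failure (Username: superadmin -- Password: password)
2023-05-01 02:14:11 203.0.113.5 Reason: Login failure (Username: admin -- Password: password1)
2023-05-01 02:14:12 203.0.113.5 Reason: Login success (Username: admin -- Password: ***)
2023-05-01 03:00:00 198.51.100.7 Reason: Login failure (Username: jane -- Password: Summer2023)
2023-05-01 03:00:30 198.51.100.7 Reason: Login success (Username: jane -- Password: ***)
"""


def parse_line(line):
    """Return a dict with ts (datetime), ip, result and user, or None if the line
    is not a login event.  The guessed password is deliberately not returned:
    it has no business in an alert."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "ip": m["ip"],
        "result": m["result"],
        "user": m["user"],
    }


def detect_bruteforce(lines, threshold=5, window=300):
    """Flag every source IP with at least `threshold` failed logins inside any
    `window`-second span.  A later success from a flagged IP is the signal that
    matters most: the guessing probably worked."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    failures = Counter()          # ip -> total failures seen
    usernames = defaultdict(set)  # ip -> accounts it tried
    flagged, compromised = set(), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()           # forget failures that fell out of the window
        if ev["result"] == "failure":
            q.append(ts)
            failures[ip] += 1
            usernames[ip].add(ev["user"])
            if len(q) >= threshold:
                flagged.add(ip)
        elif ip in flagged:
            compromised.add(ip)
    return [
        {
            "ip": ip,
            "failures": failures[ip],
            "usernames": sorted(usernames[ip]),
            "success_after_failures": ip in compromised,
        }
        for ip in sorted(flagged)
    ]


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample this reports a single finding for 203.0.113.5 with five failures across five usernames and `success_after_failures` set, which is the line you want paged on; the one-off failure from 198.51.100.7 stays below the threshold. Feed the same function a real log tail from cron and you have the "automatic IP ban of repeat offenders" logic that firewall extensions implement.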
How secure is your password?
A 12-character password like E8f*Ne4^KZE3 would take an estimated 400 years to brute-force on an average home computer; increasing it to 15 characters (v9%3AMfVc7dRPPu) raises the estimate to 3,261 centuries. The exact figures depend on the guess rate assumed, but the principle holds: every extra character multiplies the attacker’s work by the size of the character set.
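An added Python example (not the page’s calculator, whose source and assumed guess rate are not given) that checks a candidate password against the rules listed above and works the brute-force arithmetic through: keyspace is alphabet size raised to the length, so going from 12 to 15 characters over a 94-symbol alphabet multiplies the work by 94³. The 1e10 guesses-per-second rate and the tiny `COMMON_WORDS` list are assumptions; the absolute years will not match the page’s figures, only the ratios.

```python
"""Password policy check plus worst-case brute-force estimate.
Added example; the guess rate and the word list are assumptions."""
import string

# Tiny stand-in for a real cracking dictionary (constructed; attackers use
# lists of millions of leaked passwords).
COMMON_WORDS = {"password", "password1", "admin", "letmein", "welcome", "qwerty", "123456"}

# (characters, alphabet size, name) for each class the rules above ask for.
CLASSES = (
    (string.ascii_lowercase, 26, "lowercase"),
    (string.ascii_uppercase, 26, "uppercase"),
    (string.digits, 10, "digit"),
    (string.punctuation, 32, "symbol"),   # 32 printable ASCII symbols, no space
)


def charset_size(password):
    """Size of the smallest standard alphabet containing every character used,
    i.e. what a brute-forcer has to enumerate per position."""
    return sum(n for chars, n, _ in CLASSES if any(c in chars for c in password))


def policy_violations(password):
    """Return the rules from the list above that the password breaks ([] = ok)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    missing = [name for chars, _, name in CLASSES if not any(c in chars for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    # "Password1!" is still "password" once the trailing digits/bangs are removed.
    if lowered in COMMON_WORDS or lowered.rstrip("0123456789!") in COMMON_WORDS:
        problems.append("is a common password or a common word plus digits")
    return problems


def brute_force_seconds(password, guesses_per_second=1e10):
    """Worst-case seconds to exhaust alphabet ** length at the given rate.
    1e10/s is an assumed figure for a single modern GPU; an average home
    computer is far slower, a cracking rig far faster."""
    return charset_size(password) ** len(password) / guesses_per_second


def human_duration(seconds):
    """Render seconds in the largest unit that gives a number >= 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ("password1", "Password1!", "E8f*Ne4^KZE3", "v9%3AMfVc7dRPPu"):
        print(pw, policy_violations(pw) or "ok", human_duration(brute_force_seconds(pw)))
```

The estimate is the exhaustive worst case; an attacker who starts from leaked-password lists and common patterns finds weak passwords in a tiny fraction of it, which is why the policy check matters more than the big number.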
I know, I know... how are you ever going to remember a password like this? The good news is you don’t have to. Instead use a free and secure password manager like LastPass to simplify and secure your online experience.
7) Limit the number of backend administrator login accounts
Every additional administrator account is another target for password guessing and another place for a weak or reused password to creep in. Keep backend accounts to the minimum you need, give each one only the access level it requires, and have only one Super User.
Unless you need your website visitors to be able to create login accounts (such as for e-commerce, or to show certain content only to members), disable new user registration.
8) Install a Web Application Firewall
Installing a quality web application firewall on your website will protect you against the vast majority of common attacks. A good one provides:
- Fight spam
- Bot blocking
- Login protection
- Backdoor protection
- Denial of Service (DoS/DDoS) protection
- SQL injection protection
- File injection protection
- Cross-site scripting (XSS) blocking
- Direct File Inclusion shield
- Uploads scanner
- Blocks brute force attacks
- Hides or rewrites the generator metatag so it’s not obvious what software your website is running
- Full logging of all security exceptions
- Automatic IP ban of repeat offenders
- Email notifications of security exceptions and failed or successful administrator logins
For even stronger protection, use a cloud-based firewall service such as:
9) Password-protect your website’s admin login page
Restricting access to your website’s admin backend area will greatly improve security. Requiring an extra password before the administrator login form is even shown (on Apache this is usually HTTP basic authentication configured with .htaccess and .htpasswd) puts a second, independent barrier in front of brute force attacks that attempt to gain administrator control of your site.
10) Only Use Trusted Plugins and Templates
Make sure the plugins and templates used on your website have no known vulnerabilities, and ensure they are actively maintained and fully supported by their developers. Read reviews and recommendations. If many other people use the plugins and template you are considering and report good quality and service, there is a better chance you can depend on them.
11) Remove Unneeded, Unused Files
When building a website, it’s not uncommon for people to install and try different plugins. But if you decide not to use it, be sure to uninstall it. Get it off your website! If it’s unnecessary and not used, delete it. Keep your website lean and clean.
Frequently on existing websites (that we didn’t build) we find extensions that were installed long ago, never used, and never deleted. They are now badly out of date, and their code is still reachable on the server, so the website is vulnerable even though the extension is no longer used on any page.
12) Security audit scan to establish baseline
When your website is launched, run a security audit scan and keep the results as a baseline for later comparison. A record of which files exist and what they contain at launch lets you spot later changes, and an unexplained change (a new PHP file in an upload folder, a modified core file) is the quickest pointer to where an intruder has been.
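The file-level half of such a baseline, as an added Python example (not any scanning service’s product): hash every file under the web root at launch, save the result as JSON, and later diff a fresh scan against it, surfacing new or modified server-executable files first. The skipped directory names (`cache`, `tmp`, `logs`) and the list of executable suffixes are assumptions; store the baseline file off the server or read-only, since an intruder who can edit it can hide from it.

```python
"""Record a SHA-256 baseline of every file under the web root at launch and
diff a later scan against it.  Added example, not a product's scanner."""
import hashlib
import json
from pathlib import Path


def build_baseline(root, skip_dirs=("cache", "tmp", "logs")):
    """Map each file's relative POSIX path to its SHA-256.  Top-level directories
    that legitimately churn (cache, tmp, logs: assumed names) are skipped so the
    diff stays readable.  Symlinks are ignored rather than followed."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in skip_dirs:
            continue
        baseline[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def save_baseline(baseline, out_path):
    """Write the baseline as sorted JSON (keep this copy off the server)."""
    Path(out_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def compare_to_baseline(baseline, current):
    """Return {'added', 'removed', 'modified'} path lists, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious(changes, exec_suffixes=(".php", ".phtml", ".phar")):
    """Added or modified paths the web server would execute (by suffix, an
    assumption tuned for PHP hosts): the ones to open first."""
    return sorted(p for p in changes["added"] + changes["modified"]
                  if Path(p).suffix.lower() in exec_suffixes)


if __name__ == "__main__":
    import sys
    web_root, baseline_file = sys.argv[1], sys.argv[2]
    if Path(baseline_file).exists():
        changes = compare_to_baseline(load_baseline(baseline_file), build_baseline(web_root))
        print(json.dumps(changes, indent=1))
        print("look first at:", suspicious(changes))
    else:
        save_baseline(build_baseline(web_root), baseline_file)
        print("baseline written to", baseline_file)
```

Rebuild the baseline deliberately after every legitimate update or deployment; otherwise the next diff drowns the one file that matters in a hundred files you changed yourself.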