They Learned It The Hard Way. What About Your Website Security?
posted on April 28, 2017
One of Indonesia’s largest mobile phone network operators got their website hacked on April 28, 2017. Netizens were quick to make screenshots and share them on social media before the company had any chance to take the website down for countermeasures.
Heck, maybe it’s time to think about our own websites.
The web development space nowadays has evolved to a point where anyone without years of learning can get their website up and running. All thanks to a plethora of Content Management Systems (CMS) that are highly extensible with plugins and modules.
However, the ease comes with several side effects. Having a website managed by a standard system with lots of extensions may be convenient, but it also opens up a wide opportunity for attacks.
In addition, many webmasters don’t understand the importance of their website security and how to improve it.
Worry not, we’ve got it all covered here. Here’s 10 things you should do to boost your website security.
1. Keep a lookout for updates
Most hackings nowadays use bots which constantly search for exploitation opportunities, especially for websites with outdated and insecure softwares.
Update your site everytime a new plugin or CMS version comes up to reduce its vulnerability from automated attacks.
Most CMS should have features that notifies you of their latest updates, so make use of those features.
2. Don’t use default CMS settings
One might think “why fix it when it’s not broken?” But the fact is, default settings are very vulnerable to automated attacks for the same reason as above.
An action as simple as changing the default CMS settings can decrease the risk of attacks immensely.
3. Use strong passwords
Here are a few things that make a strong password:
It should be random. Avoid using personal information (such as birth dates or family member names) and try to use a variety of characters.
It should be at least 12 characters long. The longer, the better. One good tip is to use ‘passphrases’ which is basically a combination of three of more words.
Don’t use the same one over and over. Use unique passwords to minimize the damage when any password is compromised. To make things easier, a lot of password management tools are available for the forgetful ones.
4. Host only 1 site in 1 server
Hosting multiple sites in the same location is a common practice, but it’s actually one to steer clear of! Here’s why:
• With each site having its own number of installs, themes and plugins that are potential targets, imagine the chance of a server containing multiple sites being hacked.
• When one site is attacked, the infection can easily spread to your other sites in the same server.
• Not to mention the long and hard cleanup process followed by multiple password changes.
5. Manage user access
For sites with multiple logins, create separate user accounts for every user and grant each account the appropriate clearance according to their role. For example, a writer typically doesn’t need to have access to website settings.
It’s also wise to keep tabs on user logs in order to track any unusual behaviors caused by ‘rogue’ users or compromised accounts.
6. Be careful with plugins
With a virtually unlimited number of plugins available for CMS applications, what might seem like their greatest strength is also their biggest weakness.
Pay attention to last update time. A more recent date shows that the author is still active and more likely to help with any security or technical issues.
Choose from legitimate sources. Look for plugins from experienced developers and keep away from ‘free’ versions of premium plugins, as they are most likely infected with malware.
Look for less number of installs. Attackers will choose a plugin with a larger user base over a similar one with less number of users.
7. Create backups
This should be a general knowledge, but most webmasters don’t do it often enough and next thing they know, months of data and updates are lost. So be sure to create backups frequently and regularly.
It’s also wise not to make backups on your web server since they invariably contain unpatched versions of your CMS and extensions which are publicly available, leaving the door to your server wide open for hackers.
8. Set server rules and options
In most cases, your web server configuration files can be found in the root web directory. These files allow you to execute certain rules in order to improve your website security:
Prevent directory browsing. This disables viewing the contents of every directory and limits the information available to attackers.
Protect sensitive files. CMS configuration files and admin areas are among the most sensitive files stored on the web server that need to be protected.
9. Install SSL
SSL (Secure Sockets Layer) is the standard security technology for encrypt communications between a web server and a browser. It is important to be applied especially on e-commerce websites or any website with form submissions of sensitive user data.
With SSL installed, you can assure your visitors that their information is secure from data interception and theft.
10. Preserve file permissions
Without going into too much detail, a file permission is a series of numbers that specifies what the owners, certain users and public can do to a file.
Most CMS installs’ default configurations have them all correct, so beware of any suggestions to change file permissions to certain numbers since doing so can allow anyone to insert malicious codes or delete your files.
Note that following the steps above does not guarantee that your site is never attacked, but it does a great deal in stopping most automated attacks and decreasing risk factors.
Having said that, a secure website is as good as none if it doesn’t do its job properly. Now that we’ve shared 10 ways to boost your website security, you might also want to read 10 reasons why you should upgrade your website.
Find all articles here. To get a weekly dose of design and business knowledge, scroll down and subscribe once you get there.