Using these 10 simple steps to increase website security can save you time and money
Are you concerned about your website's security?
Well, you should be. This post should not just be scanned; it should be read through, implemented and shared!
More and more websites are created by business owners to publish content and sell their products, on content management systems like WordPress, Joomla, Drupal, etc.
I also recommend reading my article on taking your offline business online if you are building a website; it lists the best steps to follow.
These websites come with easy-to-use plugins, modules and extensions, which make it easier than ever before to get a website up and running without years of learning experience.
Need to know how to set up your website? Read the following articles:
Reading Struggling with blogging? Important questions to ask yourself will also help you gain more insight after you have started a website.
It is great for businesses to be able to create websites, but when webmasters do not understand how to make sure their websites are secure, or the importance of doing so, the effects can be sad, costly and very unfortunate.
In this article I share with you the 10 simple steps to increase website security that all webmasters and website owners have to take to keep their website secure.
Step 1 to increase website security - Update!
This is one of the most important steps to secure your website.
Countless websites are being compromised every day because of outdated and insecure software.
It is incredibly important to update your website as soon as a new plugin or content management system update is available. If you are using WordPress, make sure that you are using the latest version.
Just as you can automate responses on social media, hacking is automated in just the same way.
The bots constantly scan every site they can reach, looking for exploitation opportunities. Updating once a month or once a week is not good enough, because the bots are likely to find a vulnerability before you patch it by updating.
If you are not running a website firewall like CloudProxy (by Sucuri), you will need to update as soon as updates are released.
Wordfence also has a paid version which you can use to increase security.
Step 2 to increase website security – Passwords
Using weak or common passwords is not going to protect your website. The most popular user name to try on a website is either the name of the person who writes on the website or admin. Using the password admin together with the user admin is extremely dangerous.
If your password appears in the list of most common passwords, your site is guaranteed to be hacked at some stage.
But if your password is not on the list of most common passwords, it does not mean that you can relax completely, because there is a general misconception about strong passwords. WP Engine has written an interesting article about research they've done that debunks many of the myths surrounding passwords.
Your password should meet the following 3 key requirements: complex, long and unique.
Passwords should be random.
Do not let someone hack your account just because they could find out your birth date or favorite sports team.
Password-cracking programs can guess millions of passwords in minutes.
If you have real words in your password, it isn’t random.
Thinking you are clever for using leetspeak (letters replaced with characters, L1K3 TH15)?
Even these are not as secure as a completely random string of characters.
Check out this article about the history of the password.
Passwords should be 12+ characters long.
Some people insist that passwords should be longer; this is debatable, but online login systems should limit the number of failed login attempts.
With a limit on the number of failed login attempts, a 12-character password can easily stop anyone from guessing your password in just a few attempts, but the longer the password, the better.
If you use WordPress (when you are logged in), go to Wordfence and choose Options. Here you can see how many login attempts you allow as well as how your security is set up. You can read more about setting up Wordfence options here.
Note: Although LastPass has changed some things around (the star sign is now 3 white dots in a red block, and some of the pages when you sign on might have changed a bit), it's still amazing.
Do not reuse passwords!
Every single password you have should be unique.
This simple rule dramatically limits the impact of any password being compromised.
If, for instance, someone found your FTP password, this should not enable them to log in to your email or internet banking account.
Apparently we are not as unique as we think, so it is better to generate the password randomly.
I am certain the question popping into your head right now is "but how am I supposed to remember 10 random passwords which are all 12 characters long?"
Well, I've got good news for you: you don't have to. You can go to LastPass and download it for free.
After you choose Download Free, you get a screen where you choose what you use, e.g. Windows and Chrome or Firefox, etc.
The following pictures are guidelines of what to expect:
When you reach the LastPass page, you can choose to Download Free (or go directly for the pro paid version if you wish)
After you click on Download Free, you land on the Recommended page, but you know which program you use, so choose Windows, Mac, Linux, etc.
Click on the download button and run it, but you must close all programs running in your browser before you can continue. (If you forget, they'll tell you to close them.)
Now you can find your browser and click on the red download button for the browser you use.
After you click on the Download button, choose to run the program. After it is installed you get the Create or Log In message; choose Create new account (unless you already have an account).
After you choose Create a new account, you have to add your email address, choose a master password, confirm your password and enter a master password reminder. This is what they will send you (to your email address) if you forget your password.
Click on "I agree to the Terms of Service and Privacy Statement" after you have read them and agree with them, and click on Create account.
The next screen you get is quite scary. You know how you just click on "remember password" because you know you can't remember it? LastPass shows you a number of your passwords (or all of them) that are stored insecurely on your computer. The passwords are masked with stars, but if you wish, you can choose Reveal passwords.
LastPass will install in the toolbar (top line) of your browser, but if it doesn't, or it is taking longer than expected, you have the option to choose "Enable extension".
In the toolbar of your browser, you now click on the LastPass icon, as the arrow indicates.
In case you are not sure, I've added an arrow for you to see what it looks like. When you click on the LastPass icon, a dropdown appears where your email address is inserted and you enter your Master Password. You can also choose your preferences, like remember email, remember password or show vault after log in. Then click on the Log In button.
When you are logged in, your dashboard looks approximately like the one below; depending on your passwords, you can find your sites that have passwords under the folders.
Go check your mail inbox; you received an email from LastPass explaining exactly what you should do now.
Just for interest's sake, when you click on the LastPass icon you have the option to generate a secure password. This is the option you use when you are creating yet another password and don't have a clue what you can use.
When you click on "Generate Secure Password", you receive a unique password that you can copy and click on the "Use Password" button to use it.
And that is it: use LastPass to remember and secure your passwords. This is where you think "this was so helpful, I must share it".
But don't stop here, because remember, you must still look at Steps 3 to 10 and read the part at the bottom of this point.
These smart tools store all your passwords in encrypted format.
They generate random passwords for you at the click of a button.
With password managers like these it is easier to use strong passwords than to try to memorize a couple of decent passwords.
Or, like I used to, have a book with all my passwords in it. Believe me, when you need them urgently they are not in the book; they are hiding, and you only find them afterwards.
They are very helpful, but these password managers can present challenges and a possible weak point: in the past LastPass announced a compromise, but as soon as they know about it, you will know, and they will do their best to protect your passwords.
Step 3 to increase website security – One Site = One Container
You have an 'unlimited' web hosting plan and figure, why not host your numerous sites on a single server? I can understand the temptation.
But unfortunately this is one of the worst security practices commonly seen. Hosting many sites in the same location leaves you vulnerable to attacks.
For instance, your server containing one site may have a single WordPress installation with a theme and 10-15 plugins that can be targeted by an attacker. If you host 5 sites on a single server, you might have 2 WordPress installs and 3 Joomla installs, which adds up to 5 themes with 50-75 plugins that can be targeted by the attacker.
The sad thing is, once the attacker has found a gap in one site, the infection can spread very easily through all your sites. The result can be that all your sites get hacked at the same time, which makes your cleanup process time consuming and difficult. The infected sites can continue to reinfect one another in an endless loop.
After your cleanup has been successful, you will have a bigger task when you have to reset all your passwords. Instead of just one site to reset, you have a number of them. You must reset every single password on every single website hosted on the same server: your CMS logins, databases and FTP (File Transfer Protocol) users for all your websites. If you don't do it (or you miss one of your passwords) the websites can be reinfected and you are back to square one.
Step 4 to increase website security – Sensible User Access
This rule only applies to you if your site has multiple logins.
Every user must have only the permissions they need to do their job. If they require escalated permissions for a moment, grant them, but reduce them again as soon as the job is finished.
For instance, you have a friend (or someone who emailed you) who wants to write a guest post for you. You must make sure their account does not have full administrator privileges. Their account should only be allowed to create new posts and edit their own posts, because there is absolutely no reason for them to be able to change your website settings.
When you carefully define their access, they will be limited: this eliminates mistakes they could make, reduces the risk of your account being compromised and limits the damage done by users whose only purpose is to harm your site.
Be careful that you don't overlook accountability and monitoring, which are part of user management.
If you have different people sharing a user account and something unwanted and unexpected is changed on your website, how will you find the person on your team who was responsible for it if you let everyone do everything (or anyone do anything)?
When you have separate user accounts for each user, YOU can keep an eye on every user's behavior by reviewing their logs and you will know the usual behavior like when and where they usually access the website. Then you can spot when something is abnormal and contact that specific user and confirm whether or not their account might have been compromised.
Step 5 to increase website security – Change the Default CMS Settings!
Although the CMS applications we use these days are a lot easier to use (even without a lot of HTML and CSS knowledge), the default security for you as the end user is horrific.
You must remember that the most common attacks against websites are automated, and because of that they rely on you using the default settings.
You can avoid a huge number of attacks by changing the default settings when you install your CMS (WordPress, Joomla, Drupal, etc.).
For instance, some CMS applications are changeable by you, the user; this allows you to install whatever extensions you want.
There are some settings you should look at adjusting, like the control of comments and users, as well as the visibility of your user information.
Later in this article I talk about file permissions, which is another example of a default setting that should be adjusted.
Normally it is easier to change these default settings when you install your CMS, but you can change them later on if you did not do it then.
Step 6 to increase website security – Extension Selection
With the CMS applications available today, there comes good news and bad news when it comes to all the extensions.
You may not realize that together with this beautiful extensibility comes the biggest weakness.
You have a huge number of plugins, add-ons and extensions to choose from, which provides virtually any functionality you can imagine and want to add to your site.
But the reality is that with this same massive number of extensions comes danger, because so many extensions offer similar functionality.
When you have to choose, how do you know which one to install?
The following tips are some of the points you can keep in mind the next time you want to install a plugin, add-on or extension. Ask yourself these questions:
1. When was the extension last updated?
If the extension was last updated more than a year ago, you should become concerned. This normally means that the developer has stopped working on it altogether.
It is safer to use extensions that are actively being developed, because this is an indication that the developer will be willing to implement a fix if any security issues are discovered and reported. (Again, be sure to sign up for Wordfence emails so that you know where and when there are vulnerabilities.)
And besides this fact, if the extension is not supported by the developer any more, why should you risk using it on your website? What are the chances that it will stop working?
2. What is the age of the extension and how many were downloaded and installed?
An established developer who has a lot of installs will be more trustworthy than one who has fewer than 100 downloads and was released by a first-time developer.
Especially when the extension has been around for many years and still only has a few downloads and installs, the red lights should come on. People talk and tell each other when they are not happy with something. (Although I think it is better to contact the developer first before you start smearing their name all over the web; they might not know what is wrong and may actually have your best interests at heart.)
An experienced developer will be much more likely to know the best security practices, and the chances of them damaging their reputation by inserting malicious code into their extensions are very slim, if not completely out of the question. They've invested a lot of time and money into their projects and will do their best to protect them.
3. Are the sources legitimate?
This is incredibly important! You must only download extensions and themes from legitimate sources.
On the internet, you will find many sites that offer "free" versions of programs that you normally only get when you pay for them. (A good example would be finding a free download of Adobe Photoshop: the original Adobe Photoshop is expensive, so why would they release a free version?)
If you read this article by Denis Sinegubko about how fake jQuery scripts affected many users (after an investigation), you will realize how important it is to be sure that you don't use pirated "free" versions. This article will also show you how they do it, if you don't understand the fundamentals that your website is built on.
These websites that give away free versions of premium extensions do not have your wallet in mind and are not trying to save you money; their main and only purpose is to infect as many websites as possible with their malware.
Step 7 to increase website security – Backups
In the digital era we live in, not backing up your website can be as catastrophic as not backing up your home videos and photos.
Read the article called Backups: the forgotten website pillar for more insight on backups and how important it is to back up your website.
When you have a Sucuri account, you have a backup plan.
Another option is that your web host does backups at certain points in time, but these might not be enough.
If you want to learn more about creating reliable and secure backups for your website, you should read how to create a website backup strategy.
Step 8 to increase website security – Server Configuration Files
Although this point is not at the top, it's one of the most important: you must know your web server configuration files.
- Apache web servers use the .htaccess file,
- Microsoft IIS servers use web.config and
- Nginx servers use nginx.conf
You'll find these files in the root web directory, and they are very powerful.
What do these files do?
They allow you to execute server rules, including directives that improve your website security.
If you're not sure which web server you use, you can run your website through Sitecheck by Sucuri and click the Website Details tab.
Here are some rules recommended for you to research and add for your particular web server:
- Prevent directory browsing: This prevents malicious users from viewing the contents of every directory on your website. When you limit the information that is available to attackers, you are taking a very useful precaution.
- Prevent image hotlinking: This isn't exactly a security precaution, but it does prevent other websites from displaying the images that are hosted on your web server. When other people start hotlinking images from your server, the bandwidth allowance of your hosting plan might get used up quickly, just to display images for someone else's website.
- Protect sensitive files: The most sensitive files stored on the web server are your CMS configuration files, because they contain the database login details in plain text. This is why setting rules to protect certain files and folders is necessary. There are other locations that you can lock down, like admin areas. Also restrict PHP execution in directories that hold images and allow uploads.
In your web server configuration file, there are many more rules and options that you can look into. You can search for the name of your CMS, your web server and security, but keep in mind that sadly, there are some people online who post bad information strictly with malicious intent, therefore you must confirm your findings are legitimate before implementing anything.
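To make the rules above concrete, here is an added POSIX shell script (not from the original article) that writes those directives into a root .htaccess and an uploads .htaccess for an Apache 2.4 site with mod_rewrite enabled. The web root, the domain, and the WordPress paths wp-config.php and wp-content/uploads are assumptions chosen for illustration.

```shell
#!/bin/sh
# Writes hardening rules for an Apache 2.4 site. Paths and domain are assumed;
# wp-config.php and wp-content/uploads are WordPress conventions used as an example.

# $1 = web root, $2 = the site's own domain (used by the hotlink rule)
write_root_htaccess() {
    # Escape dots so the domain is matched literally inside the regex.
    domain=$(printf '%s' "$2" | sed 's/\./\\./g')
    cat > "$1/.htaccess" <<EOF
# Prevent directory browsing
Options -Indexes

# Protect the CMS configuration file (database credentials in plain text).
# Apache 2.2 would use "Deny from all" instead of "Require all denied".
<Files "wp-config.php">
    Require all denied
</Files>

# Prevent image hotlinking: only this site (or a direct visit) may load images.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^\$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?$domain/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)\$ - [F,NC,L]
EOF
}

# $1 = uploads directory: refuse to serve (and thus execute) any PHP placed there
write_uploads_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Restrict PHP execution in the uploads directory
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# $1 = .htaccess path, $2 = directive text; succeeds if the directive is present.
has_directive() {
    grep -q -- "$2" "$1"
}
```

Test the result with your web server's config check and by requesting wp-config.php and a PHP file in uploads in a browser; both should return 403.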
Step 9 to increase website security – Install SSL
Read this article about increasing Google rankings, because it also covers SSL.
Installing SSL will not solve all your security issues.
SSL does nothing to protect your site against malicious attacks or to stop it from distributing malware.
SSL encrypts communications between two points, which are the website and the browser.
This encryption is important to prevent anyone from being able to intercept that traffic. This is known as a Man in the Middle (MITM) attack.
SSL is especially important for e-commerce website security and any website that accepts form submissions with sensitive user data or Personally Identifiable Information (PII). The SSL certificate protects your visitors' information in transit, which in turn protects you from the fines that come along with being found non-compliant with PCI DSS (Security Standards Council link to download PDF). To find out more you can visit the official PCI Security Standards Council website.
Step 10 to increase website security – File Permissions
What do file permissions do?
They define who can do what to a file.
Every file has 3 permissions and every permission is represented by a number:
- 4 = Read: View the file contents.
- 2 = Write: Change the file contents.
- 1 = Execute: Run the program file or script.
To allow multiple permissions you must add the numbers together, for example:
- To allow read (4) and write (2), the user permission is set to 6 (4+2=6).
- To allow read (4), write (2) and execute (1), the user permission is set to 7 (4+2+1=7).
Then there are 3 user types:
- Owner - This will normally be the creator of the file, but it can be changed. Just one user can be the owner.
- Group - Every file is assigned to a group and every user who is part of that group will get permission.
- Public - Everyone else.
For instance, if you want the owner to have read and write access, the group to have only read access and the public to have no access, the file's permission settings should be as follows: owner 6 (4+2), group 4 and public 0.
When you view the file permissions, they are shown as 640.
Folders have the same permissions structure, but with one difference: the execute flag allows you to make the directory your working directory, so leave this "on".
The good news is that most CMS installations already have the permissions correctly configured by default, but everywhere (even in the book I bought that helped me start blogging) people are advising you to change the file permissions to 666 or the folder permissions to 777.
This will fix permission errors, but from a security perspective it is dangerous.
If your file permissions are set to 666 or folder permissions to 777, you are allowing anyone on the server to insert malicious code or delete your files!
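As an added example (not part of the original article), the following POSIX shell functions work through the arithmetic above, then audit a web root for the 666/777 permissions just described and reset them to the conventional 644 for files and 755 for folders, with the CMS configuration file locked to 640. The web root and the file names used in the comments are assumptions.

```shell
#!/bin/sh
# Permission helpers for a CMS web root. The path you pass is an assumption;
# run the audit first and only fix what it reports.

# Turn one "rwx"-style triple into its digit by adding 4, 2 and 1.
perm_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??x) d=$((d + 1)) ;; esac
    echo "$d"
}

# Combine owner, group and public triples: rw- r-- --- becomes 640.
mode_from_triples() {
    echo "$(perm_digit "$1")$(perm_digit "$2")$(perm_digit "$3")"
}

# Files anyone on the server may modify (the 666 problem). $1 = web root.
find_world_writable_files() {
    find "$1" -type f -perm -o+w
}

# Directories anyone on the server may write into (the 777 problem).
find_world_writable_dirs() {
    find "$1" -type d -perm -o+w
}

# Reset only the offending entries: files to 644, directories to 755.
# Directories keep execute so they can still be entered, as the article notes.
fix_permissions() {
    find "$1" -type f -perm -o+w -exec chmod 644 {} +
    find "$1" -type d -perm -o+w -exec chmod 755 {} +
}

# Lock a configuration file (e.g. wp-config.php) to 640: owner rw, group r, public none.
protect_config() {
    chmod 640 "$1"
}

# Print the octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```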
With these 10 simple steps to increase website security, you can dramatically increase the security of your website.
These steps alone will not guarantee that your site is never hacked, but implementing them will stop the majority of automated attacks, which reduces the overall risk to your site.
When you are aware of these issues and understand them, you gain valuable insight into how the technology works. This will help you to be a better webmaster or site operator.
At this stage, Kaspersky is known as the best online protection currently available.
Over to you
Found this helpful? Share it!
And feel free to leave your comments below (at the bottom of this page) and share your concerns about website security, or even a story you have about website security.