When it comes to managing your website, nothing is more important than security
There is so much to say on this topic, so we have picked a handful of topics to discuss in this article. If you are looking to understand and improve security, this is a good place to start, including some of the things that you can personally do.
The first lesson in security is knowing that the security landscape is constantly changing, and that you should never consider yourself 100% secure. Even if you are doing everything right, you should always have a backup plan.
Preparing For A Rainy Day With Backups
- Daily Server Backups – We do full incremental daily backups of the whole network.
- Remote Website Backups – We also perform a weekly backup, usually on a Sunday evening, of your specific website.
- PC Backups – We recommend backing up your work regularly, whether you are on a Windows, Mac or Linux machine. With over 20,000 new malware samples hitting the internet every day, it is best to keep up with OS updates, anti-virus updates and anti-malware updates, and to have a backup to fall back on in the event that something untoward happens to your computing environment.
Securing Your Internet Activity
Good security starts in your own home. Not only does your website need to be as secure as possible, but so do the methods by which you connect to it. Connecting to your website Dashboard in an insecure manner puts everything at risk.
- Use A Secure Network At Home – If you are using Wi-Fi at your home or office, then I would suggest setting up a private WPA2 network with a strong, randomly-generated name and network passphrase. For additional protection, you can employ “security through obscurity” methods such as enabling MAC address filtering.
- Use An Encrypted VPN Connection Over Public Wi-Fi – Generally speaking, it’s best never to log in to a sensitive area such as your WordPress Dashboard when connected to the internet over public Wi-Fi. If you are using your laptop or phone over a public network, always run your connection through an encrypted VPN and make sure that you are signing in to your website over SSL. You can purchase a VPN from StrongVPN.com.
Securing Your Personal Computer
Your network is secure, but what about your physical computer? It’s incredibly important to keep your computer clean of spyware, malware and viruses.
- Virus Protection and Firewall – There is no sense in having secure passwords if your computer can be easily infected with malware that can access your sensitive information and spy on your internet activity. Be sure that your computer is running trusted anti-virus, firewall and anti-malware software. I have had good success with Kaspersky and Malwarebytes. Both should be configured to update automatically and scan your computer daily.
Securing Your Online Accounts
You can be doing everything right, but still get hacked by a brute-force attack because your password is weak. You can also have a strong password, but still get hacked because you stored it insecurely.
- Password Generation – Every login you use should have a unique, randomised password of at least 8 characters. Your password should include capital letters, numbers and special characters.
- Store Your Passwords Securely – If you have 20 randomised secure passwords, how do you remember them? If you plan on storing your passwords somewhere that you can reference, do so in a secure manner. If you are using OS X, try creating a new Authentication keychain and make a new secure note set to lock automatically after 5 minutes. If you are using Windows, try creating a password-protected OneNote file that is also set to lock automatically after 5 minutes. You might also try using online services such as LastPass, or you could encrypt your own files using encryption software such as TrueCrypt.
- Reset Your Passwords Regularly – Your passwords should be changed on a regular basis. It’s best to set up a reminder on your calendar to reset all of your passwords every month or two.
Avoid Phishing & Social Engineering Schemes
Sometimes getting hacked has nothing to do with your website or your computer, but with your insecure communications. These types of attacks are often called phishing or social engineering scams. The “Nigerian Prince Scam” is the classic example of a phishing scheme.
- Be Wary Of Phishing Attempts – Commonly, phishing attacks come in through email. A typical attack on a website like yours would be an email posing as an employee of a company, warning you about an issue with your website installation and requesting your login details so that they can fix it. Don’t fall for it! No respectable company will randomly request your login credentials. Phishing attacks often send out mass emails like this to potential targets, hoping that a few people fall for the trickery.
What We Do To Secure Your Website
I bet you were wondering when we were finally going to talk about what we do to harden your website! There are many good practices we have implemented, some of which are described here for your understanding.
- Updating The Overall Framework – One of the most important things we can do is keep your software up to date. Whenever there is a new version of any of the frameworks we use, we update them as soon as possible. We also publish a monthly list of the software we have updated, so you can see what improvements are happening in the background.
- Change Admin Username – It is surprising how many attempts we get each month with people/computers trying to log on with the admin username. Changing it to something unusual makes brute force attacks much less likely to succeed.
- Local Brute Force Protection – If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site, they eventually would, right? This method of attack, known as a brute force attack, is something websites are acutely susceptible to by default, because the system doesn’t care how many attempts a user makes to log in: it will always let you try again. However, we have enabled login limits that ban the host from attempting to log in again once the specified threshold of bad logins has been reached.
- Network Brute Force Protection – Network brute force protection takes this a step further by banning users who have tried to break into other sites from breaking into yours. The network protection automatically reports the IP addresses of failed login attempts to our security partner and blocks them for as long as is necessary to protect your site, based on the number of other sites that have seen a similar attack.
- Daily Malware Scans – Ideally you won’t get hacked if you are running your website securely, but as mentioned at the beginning of this article, it’s impossible to be 100% sure. Running daily malware scans helps alert us to an intrusion by detecting suspicious code on the front end.
- Hiding The Login Area – Having an unusual URL for logging into your site makes it harder for automated attacks to find.
- Strong Passwords – This may frustrate you sometimes, but the frustration may be worth it in the long run. We have enforced a long password across the network. Did you know? Over 90% of user passwords fall into only 100 common passwords, and 98% of user passwords fall into only 1000 common passwords! This reduces the likelihood of your site being broken into because you favoured a password from the list of the top 1000 passwords.
- Protecting System Files – We prevent public access to specific files; these files can give away important information about your site and serve no purpose to the public once your website has been successfully installed.
- Disable Directory Browsing – We prevent users from seeing a list of files in a directory when no index file is present.
- Suspicious Query Strings – We filter out query strings that look suspicious, as these are very often signs of someone trying to gain access to your site.
- Non-English Character Filtering – Since we typically serve English-speaking countries, there is no reason why non-English characters should be used when typing anything related to your site.
- Long URL Strings – We limit the number of characters that can be sent in the URL, as attackers often take advantage of long URLs to try to inject information into your database.
- Disabling PHP in Uploads – We disable PHP execution in the uploads directory. This prevents any malicious script that ends up in the uploads directory from being run.
- Disable Login Error Messages – This may frustrate our users from time to time, as there is no information about what has gone wrong. That is better than providing an attacker with the information they need to try a different type of attack.
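As an added illustration, not the provider's own configuration, here is an Apache .htaccess fragment that implements four of the items above: protecting system files, disabling directory browsing, rejecting long URL strings and suspicious query strings, and disabling PHP in the uploads directory. It assumes Apache 2.4 with mod_rewrite enabled and .htaccess overrides permitted; the file list, the 255-character limit and the query-string patterns are example choices, not the settings actually used on the network.

```apache
# Added example (not the hosting provider's own configuration). Assumes
# Apache 2.4 with mod_rewrite enabled and AllowOverride permitting .htaccess.

# ---- Site root: /.htaccess ----

# Disable directory browsing: no file listing when an index file is absent
Options -Indexes

# Protect system files that reveal installation details (example file list)
<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>

RewriteEngine On

# Long URL strings: reject request paths or query strings longer than
# 255 characters (255 is an example threshold, not the provider's value)
RewriteCond %{REQUEST_URI} ^.{256,}$ [OR]
RewriteCond %{QUERY_STRING} ^.{256,}$
RewriteRule .* - [F,L]

# Suspicious query strings: directory traversal, script tags and
# base64_encode() calls, raw or URL-encoded (example patterns; expect
# some false positives and tune them for your site)
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode\( [NC]
RewriteRule .* - [F,L]

# ---- Uploads directory: /wp-content/uploads/.htaccess ----

# Disabling PHP in uploads: deny direct requests for PHP files so that a
# script which has been uploaded cannot be executed from this directory
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
```

The two sections belong in separate files, and the rewrite rules should sit above the WordPress permalink block in the root .htaccess so they are evaluated first. Filtering like this reduces noise but does not replace keeping the framework and plugins updated.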
These are some of the security steps we take to protect your site and provide a backup in the event something goes wrong. Remember the opening statement in this article though! Doing everything right is not a guarantee of total and ultimate protection, it just makes it harder for someone trying to do you harm. Why not take a moment to change that password again!