If you own or manage a website, security should always be uppermost in your mind. The internet has become the playground of hackers and cyber-criminals. Every website (regardless of content) can be a potential target.
Website owners often make the mistake of believing that their sites offer no real temptation to hackers, but nothing could be further from the truth.
It’s a mistake to assume that hackers are only out to steal financial information and user passwords. Oftentimes, websites are breached so that hackers can create temporary web servers, using them to disseminate spam and viruses without the owner’s knowledge.
This not only compromises the site itself, but puts the site’s visitors at risk.
With hackers intent on finding, and exploiting, known software security issues, it is the responsibility of all website owners and administrators to take proactive steps to secure their sites against possible intrusion.
The following tips should help site owners and managers proactively address their website’s security, keeping them free from intrusion and safe for visitors and clients.
Complex Passwords
Effective website security begins with the assignment and use of strong passwords for both administrators and on-site staff. While this may seem an obvious security tip, it is one that bears repeating.
While most of us recognize the importance of strong passwords, just as many of us are guilty of failing to utilize them to their full potential. The use of complex passwords is critical to the security of any website’s admin area and server integrity.
Another key component of online security is requiring passwords for a website’s regular visitors, and using them to more fully ensure the security of customer accounts.
Ideally, these passwords should be stored as hashed values, to minimize the risk of decryption should a site’s database be breached.
At the very least, all passwords should be encrypted using the latest industry standards to protect both the site and its visitors.
-
Safely Storing User Passwords — Hashing vs Encryption: an introduction to the importance of user passwords, potential vulnerabilities of encryption, and the use of hashing for safer data storage.
-
How to Create a Password Protected Website: a basic guide to password protecting a website for enhanced customer and site security.
Software Updates and Patches
A common tactic among hackers is using automated scripts to find and exploit a website’s security deficiencies.
To compound the issue, word spreads quickly through the hacker community, and once a vulnerability is discovered in a website’s operational software hackers of every stripe will seek to exploit it.
Software updates that are pushed out by programmers and developers are meant to keep ahead of the hacker curve, fixing bugs and vulnerabilities before they can become widely exploited by cyber-criminals.
Regular software updates are critical to the security of any website, and should always be at the forefront of site maintenance. Web managers using third party software should pay particular attention to updates and security patches, installing them promptly upon release.
Website’s running under a managed hosting solution should be regularly updated by the hosting service, but it is still the responsibility of the site owner and manager to ensure that software updates are applied in a timely and effective manner.
Never just assume that your site is up to date, double check with the hosting service provider.
-
Why Security Updates Are Vital: from Norton and Symantec comes this short article on the importance of tending to the latest software updates and security patches in the maintenance of a secure website.
-
Website Security and Maintenance — What You Need to Know: a basic guide to maintaining a secure website through regular software updates and security patches.
Themes and Plugins
With the advent of user friendly content management systems, it’s easier than ever to create and launch an enterprise class website.
To extend the performance and flexibility of these sites developers have all but flooded the market with themes and plugins designed to deliver a more desirable user experience.
However, it is important to be careful when installing any theme or plugin, and to only use those produced by reputable developers.
Hackers have been known to seed plugins with exploitable code or malicious content. Research any plugins you are considering, and read the industry reviews, before installing.
-
How to Detect Malicious Code in Free WordPress Themes and Plugins: this simple guide explains some of the risks associated with free themes and plugins, and how to determine if they pose a threat to your website.
Limit Login Attempts
Hackers have been known to breach sites through brute force, using a standard login form to gain access to a user’s account.
Installing a simple plugin that limits the number of login attempts from a specific IP address can help to reduce this risk. Too many failed attempts and the hacker is locked out of the system.
Of course, you don’t want to lockout regular users, and the majority of these plugins allow for a simple error message that contains prompts to help the user remember their login information.
Again, it’s important to tread carefully here, and to be circumspect with the prompts you use. Too much information in a login error message can tip a smart hacker off, and allow them to crack the user’s login info.
-
Blocking Brute Force Attacks: this short tutorial discusses the use of brute force attacks in hacking a website, and the steps webmasters can take to reduce that risk by limiting login attempts and creating hacker-proof error messages.
File Uploads
Allowing users to upload files to a website has become a fairly common practice, but it does pose a definite security risk.
While allowing users to upload documents and photos helps to create a more interactive website, it also opens the door to hackers.
Cyber-criminals can use the opportunity to upload files that contain viruses and malware.
To protect your site against attacks via file uploads you should place strict limits on the types of files allowed, and utilize client or server side validation techniques to ensure that only approve file forms are accepted.
Effective antivirus software should also be in place to scan all files as they are uploaded to the site.
-
File Upload Security Best Practices: a short primer on the risks associated with file uploads and the steps web managers can take to keep their site’s secure.
-
Why File Upload Forms Are a Major Security Risk: an in depth look at the risks of user file uploads, with examples of infected code and suggestions for risk aversion.
SSL Security Certificates
SSL (Secure Sockets Layer) is a popular security protocol that establishes an encrypted connection between a web server and a client.
This ensures that all data passed between a given website and its server or database remains protected from man-in-the-middle attacks.
SSL certification has quickly become an industry standard, and is critical to sites that routinely handle sensitive data.
-
What Is SSL and Why Is It Important?: a detailed introduction to SSL and its use in creating a secure internet environment for users and webmasters.
-
The Importance of SSL and Why You Need It: a basic overview of SSL technology and its value for website owners and visitors.
Protecting a Website’s Directories
A website’s directory files can be used by hackers to spot, and exploit, vulnerabilities in a site’s underlying code or structure.
To reduce the risk it is important to restrict access to those directory files. This can be accomplished in two ways, either be disabling access to the site’s directories or requiring password authentication before they can be accessed.
Most CMS platforms allow web managers to disable their site’s directories by simply adding a line of code to the .htaccess file. If the site’s directories must be available to certain users, password protecting those directories is always recommended.
-
How to Disable Directory Browsing in WordPress: this simple tutorial explains the risks of directory browsing, and how to disable the function in WordPress-based websites.
-
Password Protect a Directory with .htaccess: this basic guide explains how to password protect a website’s directory using the .htaccess file.
Using Security Plugins
While websites built on WordPress and other popular content management systems provide a basic level of security, they can all benefit from the use of specific security plugins.
Typically these plugins will be bundled with a firewall and will scan user posts and uploads for viruses and malware, blocking them when appropriate.
The more full-featured plugins will also scan the website’s core, theme and plugins for malicious code, and will create a log of attempted brute force attacks on the site.
-
Top 10 Security Plugins to Stop Hackers: a review of the latest WordPress security plugins, as of 2016, and their effectiveness in stopping hackers and maintaining site security.
-
10 Security Extensions to Protect Joomla Website: a selection of security tools for the Joomla! CMS.
-
15 + Modules for Making Your Drupal Website Secure: tools to help harden a Drupal CMS install.
Reviewing Site Logs
A large part of avoiding hackers is understanding your website’s performance and traffic history.
Regularly reviewing the site’s logs allows webmasters to track their website’s traffic and ranking history.
Unusual traffic or rankings may indicate that a site has been compromised, which can give webmasters the opportunity to address the issue before any damage can be done.
-
A Log Review Process for Detecting Security Issues: a step by step guide to developing a routine log review strategy for enhancing a website’s security profile.
Keeping Regular Backups
Backing up a website to the cloud may not deter hackers and cyber-criminals, but it does provide a course of action should a site become compromised.
Any amount of downtime can seriously impact a website’s ranking, authority, and revenue stream.
By making and keeping regular backups it becomes easier to restore a website should it be breached or infected with malicious code, allowing websites to recover more quickly and completely from an attack.
-
How to Create a Website Backup Strategy: this brief tutorial covers the importance of regular backups for website security, with tips on how to create an effective recovery plan.
-
22 Cloud Storage Solutions for Small Business: Business News Daily provides this short review of the most effective and affordable cloud-based backup solutions for small business owners.
General Advice
A large part of keeping a website secure is being knowledgeable about new and emerging security threats.
In addition to the tips outlined here, it is important for all webmasters and website owners to keep up to date on security concerns, and to take what steps they can to keep their sites safe and compliant with the latest security features.
The following articles and tutorials should help to give web managers a deeper insight into website security.
-
15 Ways to Protect Your Ecommerce Site from Hacking and Fraud: focusing on the security concerns of ecommerce websites, this short guide covers some of the most effective ways to protect a site from hackers and cyber-criminals.
-
Tips for Keeping Your Web Application or Website Secure: this comprehensive tutorial, prepared by the University of Michigan’s IT department, discusses potential vulnerabilities in the coding of websites and web applications.
-
How to Keep Your Website Secure: this short article covers the basics of website security, with an emphasis on how to recognize a potential threat and how to determine of your site has been compromised.
Conclusion
While it may never be possible to totally eliminate all of the online threats posed by hackers and cyber-criminals, it is possible to significantly reduce those risks by taking proactive steps to keep your site, your data, and your visitors safe.
Website security is the primary responsibility of all website owners, and it should be uppermost in the minds of all web managers and IT professionals.
A secure website not only protects the site and its visitors, it also projects the trust and authority necessary to establish a successful and long lasting internet presence.
Further Reading and Resources
We have more guides, tutorials, and infogragphics related to website development and management:
-
How to Make a Website: take a step back and determine the best way to set up a website. There are options beside CMSs.
-
Google Rankings: Understand, Diagnose, and Fix: what good is a website if no one knows about it? Learn all about getting the Google ranking you deserve.
-
The Ultimate List of Webmaster Tools A-Z: find all the tools you need to make managing your site easy.
Ultimate Guide to Web Hosting
Check out our Ultimate Guide to Web Hosting.
It will explain everything you need to know in order to make an informed choice.
